Hello,

We're hosting a bunch of both SSL and non-SSL enabled sites and we're using 
pound for SSL-termination.

The issue appears when someone visits a non-SSL enabled site by prepending 
https:// to the address.
I'm expecting a connection reset or similar because this site doesn't have SSL 
to begin with.
But instead of that I get "This is an untrusted connection" in the browser and 
I see that pound serves up the first certificate specified in its 
configuration.

I tried adding HeadRequire in the Service section of the HTTPS section with all 
the SSL-enabled sites only, but it didn't work as expected.
If I understand it correctly those headers are sent encrypted, so they're only 
sent after the encrypted connection has been fully established, and then it's 
too late.

I suppose this could only be done during the SNI negotiation phase when the 
server name is sent by the browser. Then I'd guess pound would check if the 
sent server name has a certificate. If it doesn't then a connection reset or 
similar should happen.

How would I achieve this? Or am I missing something?

Thanks

Freja Borginger
IT
