User "www-data"
Group "www-data"
LogLevel 1
Alive 30

ListenHTTPS
    Address 0.0.0.0
    Port 443
    HeadRemove "X-Forwarded-Proto"
    AddHeader "X-Forwarded-Proto: https"
    Disable SSLv3
    Disable SSLv2
    Cert "/etc/pound/www.1.se.pem"
    Cert "/etc/pound/www.2.se.pem"
    Cert "/etc/pound/www.3.se.pem"
    VerifyList "/etc/pound/ssl.pem"
    Ciphers "AES+kEDH:AESGCM+kEDH:ECDHE-RSA:ECDHE-ECDSA:ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS"
    SSLHonorCipherOrder 1

    Service
        HeadRequire "Host:.*(www.1.se|www.2.se|www.3.se).*"
        BackEnd
            Address 127.0.0.1
            Port 80
        End
    End
End
From: Scott McKeown [mailto:[email protected]]
Sent: 23 October 2015 16:16
To: Pound Mailing List <[email protected]>
Subject: Re: [Pound Mailing List] Connection reset on non-SSL sites instead of presenting first SSL mentioned in configuration
Hello Freja,
The HeadRequire should be what you require for this, but can you send us over a
quick example? It may be just your make-up of the required match value.
On 23 October 2015 at 14:37, Freja Borginger <[email protected]> wrote:
Hello,
We’re hosting a bunch of both SSL and non-SSL enabled sites and we’re using
pound for SSL-termination.
The issue appears when someone visits a non-SSL enabled site by prepending
https:// to the address.
I’m expecting a connection reset or similar because this site doesn’t have SSL
to begin with.
But instead of that I get “This is an untrusted connection” in the browser and
I see that pound serves up the first certificate specified in the
configuration.
I tried adding HeadRequire in the Service section of the HTTPS section with all
the SSL-enabled sites only, but it didn’t work as expected.
If I understand it correctly those headers are sent encrypted, so they’re only
sent after the encrypted connection has been fully established, and then it’s
too late.
I suppose this could only be done during the SNI negotiation phase when the
server name is sent by the browser. Then I’d guess pound would check if the
sent server name has a certificate. If it doesn’t then a connection reset or
similar should happen.
How would I achieve this? Or am I missing something?
Thanks
Freja Borginger
IT
--
With Kind Regards.
Scott McKeown
Loadbalancer.org
http://www.loadbalancer.org
Tel (UK) - +44 (0) 3303801064 (24x7)
Tel (US) - +1 888.867.9504 (Toll Free)(24x7)