You are correct that HeadRequire will not work for you, because DNS -> IP -> 
SSL all happens before HTTP.

Your best bet is to have two IP addresses - one that has an HTTPS listener, and 
one that doesn't - and deal with it in DNS.

While SNI influences certificate selection, it does not have any control over 
the TCP connection itself, nor have I ever seen this type of feature in 
commercial load balancers. Since SNI is an extension, returning the default 
certificate when SNI doesn't find a more specific one, or when the browser doesn't 
support it, is the safest option, and the only backward compatible option.


Joe



Joseph Gooch

www.sapphirek12.org | office: (866) 366-9540




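As an added illustration of Joe's point (and of the check Freja proposes), not code from the thread or from Pound: the script below builds a real ClientHello with the local OpenSSL, parses the plaintext server_name out of it, and shows the only three outcomes a listener could reach before any HTTP Host header exists. The host set is a constructed sample taken from the Cert lines in the posted config; the "no SNI" case is where serving the default certificate is the only backward-compatible choice, which is the behaviour Freja observed.

```python
import ssl, struct

SSL_HOSTS = {"www.1.se", "www.2.se", "www.3.se"}  # constructed: the Cert hosts in the posted config

def build_client_hello(hostname=None) -> bytes:
    # Real ClientHello from local OpenSSL, no network; hostname=None mimics a client without SNI.
    ctx = ssl.create_default_context()
    if hostname is None:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=hostname)
    try:
        tls.do_handshake()            # writes the ClientHello, then waits for a ServerHello
    except ssl.SSLWantReadError:
        pass
    return outgoing.read()

def extract_sni(record: bytes):
    # Walk the plaintext ClientHello (single record) and return server_name, or None.
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:  # not a ClientHello
        return None
    hs = record[9:9 + int.from_bytes(record[6:9], "big")]
    pos = 2 + 32                                          # client_version + random
    pos += 1 + hs[pos]                                    # session_id
    pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]    # cipher_suites
    pos += 1 + hs[pos]                                    # compression_methods
    if pos + 2 > len(hs):
        return None                                       # no extensions block at all
    end, pos = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0], pos + 2
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
        ext, pos = hs[pos + 4:pos + 4 + elen], pos + 4 + elen
        if etype != 0:                                    # extension 0 is server_name
            continue
        q = 2                                             # skip server_name_list length
        while q + 3 <= len(ext):
            ntype, nlen = ext[q], struct.unpack("!H", ext[q + 1:q + 3])[0]
            if ntype == 0:                                # host_name entry
                return ext[q + 3:q + 3 + nlen].decode("ascii")
            q += 3 + nlen
    return None

def decide(record: bytes, ssl_hosts=SSL_HOSTS) -> str:
    # The only choice available before any HTTP header exists: SNI known or not.
    name = extract_sni(record)
    if name is None:
        return "default-cert"        # no SNI: serve the default, the only compatible option
    return "accept" if name in ssl_hosts else "reject"
```

This is an educational check, not a Pound feature; HeadRequire runs only after the handshake that `decide` is looking at has already completed.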

From: Freja Borginger <[email protected]>
Reply-To: "[email protected]" <[email protected]>
Date: Friday, October 23, 2015 at 10:35 AM
To: "[email protected]" <[email protected]>
Subject: RE: [Pound Mailing List] Connection reset on non-SSL sites instead of 
presenting first SSL mentioned in configuration


User            "www-data"
Group           "www-data"
LogLevel        1
Alive           30

ListenHTTPS
  Address 0.0.0.0
  Port  443

  HeadRemove "X-Forwarded-Proto"
  AddHeader "X-Forwarded-Proto: https"

  Disable SSLv3
  Disable SSLv2

  Cert "/etc/pound/www.1.se.pem"
  Cert "/etc/pound/www.2.se.pem"
  Cert "/etc/pound/www.3.se.pem"

  VerifyList "/etc/pound/ssl.pem"

  Ciphers "AES+kEDH:AESGCM+kEDH:ECDHE-RSA:ECDHE-ECDSA:ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS"
  SSLHonorCipherOrder 1

  Service
    HeadRequire "Host:.*(www.1.se|www.2.se|www.3.se).*"
    BackEnd
      Address   127.0.0.1
      Port      80
    End
  End
End

From: Scott McKeown <[email protected]>
Sent: 23 October 2015 16:16
To: Pound Mailing List <[email protected]>
Subject: Re: [Pound Mailing List] Connection reset on non-SSL sites instead of 
presenting first SSL mentioned in configuration

Hello Freja,

The HeadRequire should be what you require for this, but can you send us over a 
quick example? It may be just your make-up of the required match value.



On 23 October 2015 at 14:37, Freja Borginger <[email protected]> wrote:
Hello,

We’re hosting a bunch of both SSL- and non-SSL-enabled sites, and we’re using 
pound for SSL termination.

The issue appears when someone visits a non-SSL-enabled site by prepending 
https:// to the address.
I’m expecting a connection reset or similar, because this site doesn’t have SSL 
to begin with.
But instead of that I get “This is an untrusted connection” in the browser, and 
I see that pound serves up the first certificate specified in the 
configuration.

I tried adding HeadRequire in the Service section of the HTTPS section with all 
the SSL-enabled sites only, but it didn’t work as expected.
If I understand it correctly those headers are sent encrypted, so they’re only 
sent after the encrypted connection has been fully established, and then it’s 
too late.

I suppose this could only be done during the SNI negotiation phase when the 
server name is sent by the browser. Then I’d guess pound would check if the 
sent server name has a certificate. If it doesn’t then a connection reset or 
similar should happen.

How would I achieve this? Or am I missing something?

Thanks

Freja Borginger
IT




--
With Kind Regards.

Scott McKeown
Loadbalancer.org
http://www.loadbalancer.org
Tel (UK) - +44 (0) 3303801064 (24x7)
Tel (US) - +1 888.867.9504 (Toll Free)(24x7)
