Hey,

I only have 443 open for that traffic, so yes. I've only opened 80 for
one instance of Pound, 443 for the other instance of Pound, and a high
10000+ port for SSHd... That's it.

BTW, I host regular and SSL sites through Pound, hence the two
instances... the SSL Pound instance receives on 443 and transmits
internally to the backends on port 80; the backends respond to Pound
internally on 80, and it is translated back to 443... all the time
keeping track of 20 min. sessions for a load-balanced WebSphere app.

From my point of view, super tight.... Pound runs in a root jail and
doesn't write to the drive, and SSHd is as secure as you can get. I
tunnel all other needs through SSH.

I did have stability problems with Pound, in a previous configuration,
and set it to start on boot, and scripted the machine to restart at
2am. It's been working as an appliance-like box for about 4 months now,
without me accessing it at all. The stability problem went away with a
current version of Pound, but I felt no need to change it back. A clean
slate every morning works well for me.

I don't know the current pricing on a Cisco box that does what Pound
does for me, but a Load Director appliance was $10K+ back during my
decision process, vs. a $400 commodity Red Hat Linux AS 2.1 box (plus
labor), which was/is a bargain.

Good Luck,

-Jon
Kenneth Kangethe wrote:
> Thanks Jonathan for your speedy response. I was able to view the
> Verisign cert. and get Pound working. Now I am facing another
> interesting problem.
>
> During testing, I had connected my computer and the reverse proxy on
> to a hub, and on the back-end there was a firewall, after which the
> internal network and my web server were located. Everything worked
> well and I was able to view the website from my computer via the
> reverse proxy.
>
> The problem appears when I insert a firewall between the reverse proxy
> and my computer. I can't seem to get to my site. (I have tried
> setting my firewall to permit all traffic but still... nothing.) Is
> there some routing issue that I need to tackle? What type of routes
> am I to put on the reverse proxy so as to permit anyone with any IP
> address to view my site?
>
> Your assistance is greatly appreciated.
>
> - Ken
>
> --------------------------------------------------------------------
>
>> From: Jonathan Cyr <cyrj(at)cyr.info>
>> Reply-To: cyrj(at)cyr.info
>> To: Kenneth Kangethe <ngethek(at)netscape.net>
>> CC: pound(at)apsis.ch
>> Subject: Re: Verisign Certificates and Pound
>> Date: Mon, 07 Jun 2004 14:52:40 -0400
>> Message-ID: <40C4B978.2050408(at)cyr.info>
>>
>> Hi There,
>>
>> I had a real problem with Verisign, and never got it fully working;
>> Mozilla wouldn't take it but IE would.
>>
>> I thrashed with it for months, so maybe I screwed up Verisign's web
>> system with the multiple CSRs that I submitted, who knows.
>>
>> Anyway, Pound supports Intermediate Certificates and full chains...
>> here are my suggestions.
>>
>> 1) Get Pound working correctly with a Self-Signed Certificate first;
>> ensure Pound loads, runs, and resolves certificates. There's a
>> single OpenSSL command in the Pound man pages that will create the
>> .pem combo file (decoded key/cert). Make Pound work with that, and
>> Pound is no longer the problem. Unfortunately, when Pound chokes on
>> an incorrectly formatted certificate combo file, it doesn't give much
>> feedback. Set your settings for the rev-proxy with this self-signed
>> setup.
>>
>> 2) My final config that worked with IE (not Mozilla) was...
>>  - My Decoded Private Key
>>  - Verisign's Certificate that they sent me after my CSR submission
>>  - The generic Intermediate Certificate that you can download from
>>    Verisign's help website. Any SSL setup would use the same
>>    intermediate certificate
>>  - Finally a Certificate Authority .pem file included with OpenSSL; I
>>    think it's called vsign3.pem, may be slightly different but
>>    definitely 3 for a Class 3 certificate
>>
>> I had them in the preceding order, all four in sequence in one .pem
>> file; when they're in the right order, Pound will start and run...
>> otherwise it will exit in the logs (fgrep pound /var/log/messages).
>>
>> I alternated between this and removing the vsign3.pem from the combo
>> .pem file and pointing to it separately in the Pound config file,
>> the calist directive, I think.
>>
>> 3) My final piece of advice... stay away from Verisign if you can...
>> I've dealt with them and Network Solutions from a Technical as well
>> as Administrative perspective for 5-7 years. Every time I've needed
>> them, they've let me down, in a big way, in front of my customers.
>> I've learned my lesson. Verisign is obviously the premier vendor, but
>> they're horrible. Use any other one, maybe Thawte, they're very
>> big....
>>
>> I moved to a "no-name" provider called FreeSSL.com; their
>> certificates have been included with all of the browsers for 5 or so
>> years, for seamless usage. I believe back to IE3. Old or strange
>> browsers will just prompt for acceptance.
>>
>> The Mozilla problem stumped the leaders of the OpenSSL mailing list;
>> the guy I contacted was an author, Dr. Henson, he couldn't explain
>> the problem and frankly wasn't familiar with Pound and its
>> implementation of the OpenSSL Dev Toolkit.
>>
>> At that point I discarded Verisign... My setup was working in one
>> hour, $40.00 and an automated CSR submission process. I have big
>> customers who can't tell the difference, 128bit encryption is 128bit
>> encryption, and any third party SSL will do.
>>
>> Good Luck,
>>
>> -Jon
>>
>> Kenneth Kangethe wrote:
>>> Hi Jonathan Cyr,
>>>
>>> I have just read the experiences that you went through with Pound
>>> and Verisign Certificates (attached below). I am sort of having the
>>> same problem. I am interested in how you installed the intermediate
>>> certificate, certificate chain and the steps that you took in order
>>> to get Pound to work for IE. Please forward the above info to
>>> ngethe(at)hotmail.com. Thanks.
>>>
>>> My regards,
>>>
>>> Kenneth Wainaina
>>> --------------------
>>> Attachment:-
>>>
>>>> Re: Certificate Purchase and Pound
>>>> Jonathan Cyr <cyrj(at)cyr.info>
>>>>
>>>> Hello,
>>>>
>>>> I just went round and round with Verisign for about 5 months and
>>>> never got it working....
>>>>
>>>> Here's the story.
>>>>
>>>> I had a Verisign 128bit certificate working with Pound problem-free
>>>> for 7-8 months... then Verisign introduced an intermediate
>>>> certificate to the process... in other words... they moved their
>>>> certificate serving mechanism and required all of their users to
>>>> "patch" their SSL with an intermediate certificate. Verisign had no
>>>> idea what Pound is, and on their telephone support, they will try
>>>> to treat you like an Apache user, since OpenSSL means Apache in
>>>> their telephone support handbook. Anyway, after 5 months of asking
>>>> questions, trying new things, bugging folks here and on the OpenSSL
>>>> mailing list, I did finally install their intermediate certificate
>>>> and certificate chain; it worked with IE, not with Mozilla...
>>>> puzzling me, and my generous benefactors on the OpenSSL list. I
>>>> concluded Verisign was at fault (after 5 mos), and got a new SSL
>>>> provider.
>>>>
>>>> Solution:
>>>>
>>>> I got a new SSL 128bit certificate with a direct chain, no
>>>> intermediate certs. We are no longer Verisign customers... I should
>>>> have known better, Verisign can't seem to get any aspect of their
>>>> business working correctly... try changing company name on a
>>>> Verisign registered domain after a merger... but I digress.
>>>>
>>>> We run a Red Hat AS 2.1 Server on a commodity box, and Load
>>>> Balance/Rev Proxy a rather large WebSphere 5.1 based Web App on
>>>> ports 80 & 443.
>>>>
>>>> My new certificate is from FreeSSL.com; it was a ~$40 128bit
>>>> certificate, automated CSR process... and works better than the
>>>> Verisign $800/yr variety... none of my customers are the wiser...
>>>> 128bit is 128bit, the only difference was 3rd party verification
>>>> with Dun&Brad, a pain anyways.
>>>>
>>>> On Linux, I highly recommend the OpenSSL chapter of O'Reilly's
>>>> Linux Security Cookbook, on http://safari.oreilly.com./ It has all
>>>> of the commands needed to carry out your plan.
>>>>
>>>> If you decide to go forward, write me, I'll help you... I'd like to
>>>> pay-it-forward for the folks who helped me through.
>>>>
>>>> Pound is well worth the effort... the proprietary alternatives are
>>>> costly and inflexible.
>>>>
>>>> Good Luck,
>>>>
>>>> -Jon
>>>> cyrj(at)cyr.info
>>>>
>>>> Ron Turner wrote:
>>>> [...]
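The combo .pem that Pound's Cert directive loads, a check of what is actually in it, and the two-listener layout Jon describes in the top post, as an added example in shell: it is not code from the list posts or from the Pound project. It assumes openssl(1) on PATH and Pound 2.x configuration syntax (the thread predates that syntax); every path, hostname, the cookie name JSESSIONID and the backend address 10.0.0.10 are placeholders, and the self-signed material it generates is throwaway test data.

```shell
#!/bin/sh
# Added example for this thread (not code from the list posts or from Pound).
# Assumes: openssl(1) on PATH; Pound 2.x config syntax; every path, hostname,
# the cookie name and the backend address 10.0.0.10 below is a placeholder.
set -eu

# Step 1 of the advice above: a self-signed key+cert, so Pound is shown to
# load *a* certificate before any CA-issued chain is involved.
make_selfsigned() {  # make_selfsigned <dir> <cn>
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$2" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

# The combo file Pound's Cert directive loads: leaf first, then each
# intermediate in issuing order, then the key. The root CA is left out:
# clients already hold it, so shipping it only bloats the handshake.
make_combo() {  # make_combo <out.pem> <key.pem> <leaf.pem> [intermediate.pem ...]
    out=$1; key=$2; shift 2
    : > "$out"; chmod 600 "$out"      # it holds the private key: owner-only
    for c in "$@"; do cat "$c" >> "$out"; done
    cat "$key" >> "$out"
}

nth_cert() {  # nth_cert <pem file> <n>: print only the n-th CERTIFICATE block
    awk -v want="$2" '/-----BEGIN CERTIFICATE-----/ {k++}
                      k==want {print}
                      /-----END CERTIFICATE-----/ && k==want {exit}' "$1"
}

# Pound only reports that a combo file failed to load; this says why. It checks
# what the OpenSSL loaders behind Cert require: key matches the first cert,
# and certificate i+1 is the issuer of certificate i.
check_chain() {  # check_chain <combo.pem>: 0 if usable, 1 plus a reason if not
    f=$1
    n=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$f" || true)
    [ "$n" -ge 1 ] || { echo "$f: no certificate"; return 1; }
    key=$(awk '/-----BEGIN .*PRIVATE KEY-----/,/-----END .*PRIVATE KEY-----/' "$f")
    [ -n "$key" ] || { echo "$f: no private key"; return 1; }
    leaf_pub=$(nth_cert "$f" 1 | openssl x509 -noout -pubkey)
    key_pub=$(printf '%s\n' "$key" | openssl pkey -pubout)
    [ "$leaf_pub" = "$key_pub" ] \
        || { echo "$f: private key does not belong to the first certificate"; return 1; }
    i=2
    while [ "$i" -le "$n" ]; do
        issuer=$(nth_cert "$f" $((i - 1)) | openssl x509 -noout -issuer)
        subject=$(nth_cert "$f" "$i" | openssl x509 -noout -subject)
        [ "${issuer#issuer=}" = "${subject#subject=}" ] \
            || { echo "$f: certificate $i did not issue certificate $((i - 1)): wrong order?"; return 1; }
        i=$((i + 1))
    done
    echo "$f: key matches the leaf, $n certificate(s) in issuing order"
}

# The two-listener layout from the top post: plain HTTP on 80 and TLS on 443,
# both proxying to the same HTTP backends and pinning each client to one
# backend for 20 minutes (1200 s) via the servlet session cookie.
write_pound_cfg() {  # write_pound_cfg <cfg path> <combo.pem> <backend address>
    cat > "$1" <<EOF
User     "pound"
RootJail "/var/lib/pound"
ListenHTTP
    Address 0.0.0.0
    Port    80
    Service
        BackEnd
            Address $3
            Port    80
        End
        Session
            Type COOKIE
            ID   "JSESSIONID"
            TTL  1200
        End
    End
End
ListenHTTPS
    Address 0.0.0.0
    Port    443
    Cert    "$2"
    AddHeader "X-Forwarded-Proto: https"
    Service
        BackEnd
            Address $3
            Port    80
        End
        Session
            Type COOKIE
            ID   "JSESSIONID"
            TTL  1200
        End
    End
End
EOF
}

# Self-signed bring-up, as step 1 recommends.
work=$(mktemp -d)
make_selfsigned "$work" www.example.test
make_combo "$work/combo.pem" "$work/key.pem" "$work/cert.pem"
check_chain "$work/combo.pem"
write_pound_cfg "$work/pound.cfg" "$work/combo.pem" 10.0.0.10
```

The order differs from the four-item list in the 7 June message: certificates go leaf first, then each intermediate, and the key's position does not matter, because the OpenSSL loaders Pound calls take the first CERTIFICATE block as the server certificate, the following ones as its chain, and skip to the PRIVATE KEY block wherever it sits. The root (vsign3.pem in that message) does not belong in the file at all; clients must already hold it, and in current Pound the CAlist directive concerns client-certificate verification, not the server's own chain. check_chain gives a reason for the three cases where Pound itself only exits: certificates in the wrong order, an unrelated certificate in the chain, or a key that does not match the leaf.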