Apsis Pound Mailing List Archive, 2005-03: ssl help
ssl help
"MW Mike Weiner (5028)" <MWeiner(at)ag.com>
2005-03-15 18:55:41
OK, I have pound 1.8.2 up and running, and I am trying to get it working
for SSL. I have secure sites being served up on a machine using a single
IP address, and using ports for each web (i.e. dev.site1.com runs on
port 444 and dev.site2.com runs on port 445). Now, I have pound
configured to listen to https on the local IP port 443, but I get an SSL
error when I try to connect via https:
Error establishing an encrypted connection to dev.site1.com. Error Code:
-12195.
Any ideas exactly what this means, and how to fix it?
Thanks in advance
Michael Weiner
Re: ssl help
Andrew Nimmo <andrew.nimmo+apsis.ch(at)email.sh>
2005-03-15 20:25:18
having seen the error code before (from what i recall...), are you
connecting with firefox and have you setup pound to request client
certificates? it would be useful to see the relevant parts of your
pound config.
andrew
On 15 Mar 2005, at 18:55, MW Mike Weiner ((5028)) wrote:
[...]
RE: ssl help
"MW Mike Weiner (5028)" <MWeiner(at)ag.com>
2005-03-15 21:30:35
-----Original Message-----
From: Andrew Nimmo [mailto:andrew.nimmo+apsis.ch(at)email.sh]
Sent: Tuesday, March 15, 2005 2:25 PM
To: MW Mike Weiner (5028)
Cc: pound(at)apsis.ch
Subject: Re: ssl help
having seen the error code before (from what i recall...), are you
connecting with firefox and have you setup pound to request client
certificates? it would be useful to see the relevant parts of your pound
config.
--
Yes, I am using firefox at the moment, though I need to test this in IE.
I do get the cert presented to me that I have set in the configuration
file, as follows:
ListenHTTPS 10.10.232.202,443 /usr/share/ssl/certs/bma.pem ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
User apache
Group apache
HTTPSHeaders 1 ""
LogLevel 3
UrlGroup ".*"
HeadRequire Host ".*dev.bluemountain.com.*"
BackEnd 10.10.232.202,16443,1
EndGroup
What I was doing was running two instances of pound, 1 for secure and 1
for non-secure, the above is the snippet from the secure config, the
nonsecure looks like the following:
ListenHTTP 10.10.232.202,80
User apache
Group apache
LogLevel 3
UrlGroup ".*"
HeadRequire Host ".*dev.bluemountain.com.*"
BackEnd 10.10.232.202,16080,1
EndGroup
Am I missing something here?
Thanks for your response
Michael Weiner
Re: ssl help
Andrew Nimmo <andrew.nimmo+apsis.ch(at)email.sh>
2005-03-15 21:41:37
mike
(only sending this to the pound list, cos ur email provider insists on
collecting my name+email address before i can send you email).
the config line:
HTTPSHeaders 1
tells pound to ask for a client certificate. i would guess that this
isn't what you intend, therefore the default (of not asking for a
client certificate) should be used instead. note that this refers to
client certificates and not server certificates.
regards
andrew
On 15 Mar 2005, at 21:30, MW Mike Weiner ((5028)) wrote:
[...]
RE: ssl help
"MW Mike Weiner (5028)" <MWeiner(at)ag.com>
2005-03-15 21:45:00
-----Original Message-----
From: Andrew Nimmo [mailto:andrew.nimmo+apsis.ch(at)email.sh]
Sent: Tuesday, March 15, 2005 3:42 PM
To: <pound(at)apsis.ch> <pound(at)apsis.ch>
Subject: Re: ssl help
mike
(only sending this to the pound list, cos ur email provider insists on
collecting my name+email address before i can send you email).
the config line:
HTTPSHeaders 1
tells pound to ask for a client certificate. i would guess that this
isn't what you intend, therefore the default (of not asking for a client
certificate) should be used instead. note that this refers to client
certificates and not server certificates.
--
Thanks for the response, also reading in the archives and it seems I
must NOT be using mod_ssl on the backends, which is what I was trying to
get working :( I will try your change, as well as drop the mod_ssl from
apache, and have it simply run http, however, my question becomes, and I
am searching the archives for an answer, what would the config look like
for multiple domains using a different certificate for each?
Btw, that's most likely my email service provider (FrontBridge) sorry
about the extra pain in the arse.
Thanks again.
Michael Weiner
RE: ssl help
"MW Mike Weiner (5028)" <MWeiner(at)ag.com>
2005-03-15 22:06:12
-----Original Message-----
From: Andrew Nimmo [mailto:andrew.nimmo+apsis.ch(at)email.sh]
Sent: Tuesday, March 15, 2005 3:42 PM
To: <pound(at)apsis.ch> <pound(at)apsis.ch>
Subject: Re: ssl help
mike
(only sending this to the pound list, cos ur email provider insists on
collecting my name+email address before i can send you email).
the config line:
HTTPSHeaders 1
tells pound to ask for a client certificate. i would guess that this
isn't what you intend, therefore the default (of not asking for a client
certificate) should be used instead. note that this refers to client
certificates and not server certificates.
--
OK, made that change, and turned off mod_ssl on the back end, and I can
hit the secure pages. Now on this website, on the nonsecure side, there
is a "sign in" button which is pathed as:
https://dev.bluemountain.com/members/signin.pd?referer=http%3A//dev.bluemountain.com/display.pd%3Fpath%3D35641%26prodnum%3D3066919%26bfrom%3D1
And results in an error, as follows:
"Redirection limit for this URL exceeded.Unable to load the requested
page. This may be caused by cookies that are blocked."
Is there a way I can stop that behavior within pound?
Thanks for all your help.
Michael Weiner
Re: ssl help
Andrew Nimmo <andrew.nimmo+apsis.ch(at)email.sh>
2005-03-15 22:10:26
hi mike,
apologies, i believe the email hassle is related to other pound list
subscribers and not you.
re: the back end servers, you're right, these should only be running
standard http, not ssl.
re: multiple domains, with an ssl cert per domain, i presume you're
already aware that each domain will require its own ip address. you can
then specify, in the config file, which certificate is associated with
each ip address:
ListenHTTPS 192.168.0.1,443 /etc/pound/secure.example1.com.pem
ListenHTTPS 192.168.0.2,443 /etc/pound/secure.example2.com.pem
ListenHTTPS 192.168.0.3,443 /etc/pound/secure.example3.com.pem
if you ARE trying to use multiple certificates with 1 ip address, you
can't. googling for info (and the pound archives and documentation)
will tell you why.
regards
andrew
On 15 Mar 2005, at 21:45, MW Mike Weiner ((5028)) wrote:
[...]
RE: ssl help
"MW Mike Weiner (5028)" <MWeiner(at)ag.com>
2005-03-15 22:12:48
-----Original Message-----
From: Andrew Nimmo [mailto:andrew.nimmo+apsis.ch(at)email.sh]
Sent: Tuesday, March 15, 2005 4:10 PM
To: MW Mike Weiner (5028)
Cc: pound(at)apsis.ch
Subject: Re: ssl help
hi mike,
apologies, i believe the email hassle is related to other pound list
subscribers and not you.
re: the back end servers, you're right, these should only be running
standard http, not ssl.
re: multiple domains, with an ssl cert per domain, i presume you're
already aware that each domain will require its own ip address. you can
then specify, in the config file, which certificate is associated with
each ip address:
ListenHTTPS 192.168.0.1,443 /etc/pound/secure.example1.com.pem
ListenHTTPS 192.168.0.2,443 /etc/pound/secure.example2.com.pem
ListenHTTPS 192.168.0.3,443 /etc/pound/secure.example3.com.pem
if you ARE trying to use multiple certificates with 1 ip address, you
can't. googling for info (and the pound archives and documentation) will
tell you why.
---
ARGGGGGHHHHHHHH, well shoot, this won't help me much then, and I was
hoping to use this rather than our current solution of F5 Networks
BigIP. I can get apache to serve all the secure domains on a single IP
using different ports and different certificates, so I am not sure I see
why I couldn't replicate that in pound.
Thanks
Michael Weiner
Re: ssl help
Andrew Nimmo <andrew.nimmo+apsis.ch(at)email.sh>
2005-03-15 22:34:10
pound will also listen on multiple ports for a single ip address, with
multiple certs, but i suspect you were hoping to use pound to pass
https requests untouched, through 1 ip address (port 443) and have the
'correct' backend respond whenever a corresponding request arrives for
a given domain. 'fraid not. are you constrained to only using 1 ip
address?
regarding the redirect error, you should be able to find similar issues
on the pound list.
regards
andrew
On 15 Mar 2005, at 22:12, MW Mike Weiner ((5028)) wrote:
[...]
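As an added example (not code from the thread, and not part of Pound itself), a small Python checker for a Pound 1.8-style config that flags the two listener pitfalls discussed above: HTTPSHeaders set to a non-zero value, which makes Pound ask for a client certificate, and more than one certificate bound to the same ip,port (Pound accepts several ports on one IP, each with its own certificate, but not several certificates on one port). It also flags explicitly enabled weak cipher-list tokens (eNULL, EXP, LOW, SSLv2) in the posted cipher string, a check the thread itself does not make; the sample config is constructed from the posted snippet, with the second and third ListenHTTPS lines and their certificate paths added for illustration.

```python
from collections import defaultdict

# Constructed sample built from the thread's secure-side snippet: the second
# ListenHTTPS reuses 10.10.232.202,443 with a second certificate (not possible),
# the third binds another port on the same IP (which Pound does support).
SAMPLE_CONFIG = """
ListenHTTPS 10.10.232.202,443 /usr/share/ssl/certs/bma.pem ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
ListenHTTPS 10.10.232.202,443 /usr/share/ssl/certs/site2.pem
ListenHTTPS 10.10.232.202,444 /usr/share/ssl/certs/site3.pem
User apache
Group apache
HTTPSHeaders 1 ""
UrlGroup ".*"
HeadRequire Host ".*dev.bluemountain.com.*"
BackEnd 10.10.232.202,16443,1
EndGroup
"""

# OpenSSL cipher-list tokens that, when enabled, allow null or weak encryption.
WEAK_CIPHER_TOKENS = {"eNULL", "aNULL", "EXP", "EXPORT", "LOW", "SSLv2"}

def enabled_weak_ciphers(cipher_list):
    """Return the weak tokens a cipher list explicitly enables ('!'/'-' disable)."""
    weak = []
    for token in cipher_list.split(":"):
        name = token.lstrip("+")
        if not token.startswith(("!", "-")) and name in WEAK_CIPHER_TOKENS:
            weak.append(name)
    return weak

def lint_pound_config(text):
    """Return findings for the listener pitfalls discussed in the thread."""
    findings = []
    certs_by_endpoint = defaultdict(set)   # "ip,port" -> set of cert paths
    for raw in text.splitlines():
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue
        key, args = parts[0], parts[1:]
        if key == "ListenHTTPS" and len(args) >= 2:
            certs_by_endpoint[args[0]].add(args[1])      # cert is the 2nd argument
            for name in (enabled_weak_ciphers(args[2]) if len(args) > 2 else []):
                findings.append(f"weak cipher token enabled on {args[0]}: {name}")
        elif key == "HTTPSHeaders" and args and args[0] != "0":
            findings.append(f"HTTPSHeaders {args[0]} makes Pound ask for a client certificate; use 0 unless intended")
    for endpoint, certs in certs_by_endpoint.items():
        if len(certs) > 1:
            findings.append(f"{len(certs)} certificates bound to {endpoint}; Pound serves one certificate per ip,port")
    return findings
```

Running `lint_pound_config(SAMPLE_CONFIG)` reports the HTTPSHeaders setting, the duplicate binding on port 443, and each weak cipher token, while the extra port 444 listener produces no finding.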
RE: ssl help
"MW Mike Weiner (5028)" <MWeiner(at)ag.com>
2005-03-15 23:47:38
-----Original Message-----
From: Andrew Nimmo [mailto:andrew.nimmo+apsis.ch(at)email.sh]
Sent: Tuesday, March 15, 2005 4:34 PM
To: MW Mike Weiner (5028)
Cc: pound(at)apsis.ch
Subject: Re: ssl help
pound will also listen on multiple ports for a single ip address, with
multiple certs, but i suspect you were hoping to use pound to pass https
requests untouched, through 1 ip address (port 443) and have the
'correct' backend respond whenever a corresponding request arrives for a
given domain. 'fraid not. are you constrained to only using 1 ip
address?
regarding the redirect error, you should be able to find similar issues
on the pound list.
--
Regarding the IPs, no, I am unrestricted in the dev environment, but once
I move beyond that, I am afraid I run the webs on 1 IP but diff ports to
conserve, and BigIP has no issues with this configuration (secure or
nonsecure).
Thanks for your response as always!
Michael Weiner