I'm currently running pound as the reverse-proxy front to our web
servers (non-encrypted). This is working splendidly. Thanks to all
involved for a great package.
My next task is to set up an HTTPS/SSL connection in pound. I've read
the man-page (several times) and searched the list archives but I'm still
left with a few questions.
Here they are:
1) What kind of certificate do I buy?
I don't want to go the self-signed route so I'll buy a certificate (from
Thawte or Verisign, presumably).
If pound wasn't part of the equation I'd just buy the certificate
appropriate to my server (Tomcat 5 in this case). But with pound, what
kind of certificate do I buy?
2) Do I use an encrypted connection between pound and tomcat?
When I set up pound to forward encrypted requests, should I forward those
requests to the web-server as HTTPS requests? Or let pound convert the
original HTTPS request to a "normal" http request?
I've read in several places that getting pound to do the HTTPS->HTTP
translation can be fraught with server-specific and application-specific
issues. I'd like to avoid those problems so if simply retaining an
HTTPS connection to the back-end server is the way to go, I'd like to do
that. Presumably, though, that means having the certificate used both
by pound and Tomcat. Is that right?
3) What is the "IE Bug" with regard to HTTPS?
I saw mention on the list that there's an IE bug with regard to HTTPS.
Can somebody point me to a link that explains more? And can somebody
clarify the workaround pound implements and whether this is still
necessary (perhaps the bug is an old issue?)
---
Thanks!
- Gary