Pounds with multiple https servers
"Gerard Petard" <wildcoder(at)hotmail.com>
2005-12-20 20:22:34
Hello,

I know I can't make virtual https servers with pound. But as a second best 
option, I'm thinking about using the same server name and ssl certificates 
on multiple servers and using the path in the URL to reverse proxy between 
them. So I would do something like this:

in both apache httpd.conf:

ServerName=intranet.myserver.com

Create a single set of ssl keys and use the same one on both servers and on pound

one of the servers would then answer to requests for

https://intranet.myserver.com/gallery/

and the other one to

https://intranet.myserver.com/mail/

Is that something that could work?

I'm brand new to pound; is there a place where I could find the most common 
configurations as examples? I've been googling a lot but besides the mailing 
list archive there really isn't much out there.

Thanks for your help!

-WildCoder
[...]

Re: [Pound Mailing List] Pounds with multiple https servers
Ed R Zahurak <ezahurak(at)atlanticbb.net>
2005-12-21 00:23:56
Gerard,

pound will *only* talk http to the backend servers, I believe.  The only 
place you would need your cert is on pound.  It would be straight, 
unencrypted http to the backends.  You could certainly do what you want 
to do regarding sending requests on a certain path to one server or the 
other, though.

Ed

Gerard Petard wrote:[...]

Re: [Pound Mailing List] Pounds with multiple https servers
"Gerard Petard" <wildcoder(at)hotmail.com>
2005-12-22 18:37:56
Ed,
[...]

Oh! Really? I guess I'll have to uncomment the Listen to port 80 line in my 
httpd.conf. 
Right now my servers only talk https. Hopefully that'll be all I have to do 
there.
[...]

Trying to come up with the correct config. How does this look:

ListenHTTPS *,443 /etc/pound/server.pem
ExtendedHTTP 1
WEBDAV 1
LogLevel 3
UrlGroup ".*/bugzilla/.*"
  BackEnd 10.0.0.10,443,1
EndGroup

UrlGroup ".*/mail/.*"
  BackEnd 10.0.0.20,443,1
EndGroup

UrlGroup ".*"
EndGroup

If I use port 443, is it going to talk https to the backend? Or should I put 
80 there and configure my server to also accept http connections on that 
port?
My bugzilla server also uses webdav so I can transfer files and access them 
from anywhere.
Thanks for your help.

-WildCoder
[...]

Re: [Pound Mailing List] Pounds with multiple https servers
"Simon Matter" <simon.matter(at)ch.sauter-bc.com>
2005-12-22 20:12:42
> Ed,
[...]

This should do it:
UrlGroup "/bugzilla/.*"
[...]

Believe it or not, Pound only speaks http to the backend, no SSL/TLS. So
you really want this here:
BackEnd 10.0.0.10,80,1
[...]

Exactly, let your server accept on port 80. On a switched private network
this is really no problem. If you really NEED to speak https to the
backends, you may use something like stunnel between.

Simon
[...]

Re: [Pound Mailing List] Pounds with multiple https servers
"Gerard Petard" <wildcoder(at)hotmail.com>
2005-12-28 00:30:31
Simon,

OK based on what I gathered so far here's my new configuration file:

ListenHTTPS *,443 /etc/pound/server.pem
ExtendedHTTP 1
WEBDAV 1
LogLevel 3
UrlGroup "/bugzilla/.*"
BackEnd 10.0.0.10,80,1
EndGroup

UrlGroup "/mail/.*"
BackEnd 10.0.0.20,80,1
EndGroup

UrlGroup ".*"
EndGroup

Now I've got these 2 servers listening on https. I can uncomment the Listen 
80 line in httpd.conf, but I can't do that because they're accessible from 
the outside. I'd like to restrict apache to listen on http ONLY from my local 
network; in fact, if I could instruct it to only listen to http from my other 
pound server that'd be just about perfect. I know this isn't the best place 
for that, but you guys must be apache experts as well.

In my /etc/apache2/vhosts.d/00_default_vhost.conf, 
in the section <Directory "/var/www/localhost/htdocs">, 
I could change the line
Allow from all
to
Allow from 10.0.0.5
Deny from all
which would only allow http connections from Pound's local ip.
That's not going to affect my https connections, right? They're handled in 
another file.
I'll keep on googling a bit more, but so far that's what I found.

Thanks for your help.

-WildCoder
[...]
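The two points the thread settles (Pound only speaks plain HTTP to backends, so a BackEnd on port 443 is wrong, and paths are routed by the UrlGroup regexes in file order) can be checked mechanically. The following is an added example, not code from the original thread or from the Pound project; it parses the Pound 1.x config syntax shown above and assumes first-matching UrlGroup wins. The sample config is constructed from Gerard's corrected file with one backend deliberately left on 443 so the linter has something to flag.

```python
import re

# Constructed sample: the corrected config from the thread, with one BackEnd left on
# port 443 (the mistake Simon pointed out) so the linter has something to flag.
SAMPLE_CFG = """\
ListenHTTPS *,443 /etc/pound/server.pem
LogLevel 3
UrlGroup "/bugzilla/.*"
BackEnd 10.0.0.10,80,1
EndGroup
UrlGroup "/mail/.*"
BackEnd 10.0.0.20,443,1
EndGroup
UrlGroup ".*"
EndGroup
"""

def parse_groups(text):
    """Parse Pound 1.x UrlGroup ... EndGroup blocks into {pattern, backends} dicts."""
    groups, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if (m := re.match(r'UrlGroup\s+"(.*)"$', line)):
            current = {"pattern": m.group(1), "backends": []}
        elif (m := re.match(r'BackEnd\s+(\S+),(\d+),(\d+)$', line)) and current:
            current["backends"].append((m.group(1), int(m.group(2)), int(m.group(3))))
        elif line == "EndGroup" and current:
            groups.append(current)
            current = None
    return groups

def lint(text):
    """Pound speaks plain HTTP to backends, so a BackEnd on 443 gets no TLS and will
    not work; a group with no BackEnd has nowhere to forward the requests it matches."""
    findings = []
    for g in parse_groups(text):
        for host, port, _prio in g["backends"]:
            if port == 443:
                findings.append(f'{host},{port} in "{g["pattern"]}": Pound sends plain HTTP, use the backend HTTP port')
        if not g["backends"]:
            findings.append(f'UrlGroup "{g["pattern"]}" has no BackEnd')
    return findings

def route(text, path):
    """First UrlGroup in file order whose regex matches the path wins (assumed
    Pound 1.x behaviour); returns the first listed backend (host, port), or None."""
    for g in parse_groups(text):
        if re.search(g["pattern"], path):
            return g["backends"][0][:2] if g["backends"] else None
    return None
```

Run `lint(open("/etc/pound/pound.cfg").read())` against a real file to catch a 443 backend before restarting Pound.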

Re: [Pound Mailing List] Pounds with multiple https servers
Ted Dunning <tdunning(at)veoh.com>
2005-12-28 00:48:43
Gerard,

Do this with your switch and firewall, not with apache.  Your life will 
be simpler and it is more likely that the restriction will survive 
software upgrades and other noise in your life.

Gerard Petard wrote:
[...]

RE: [Pound Mailing List] Pounds with multiple https servers
"Jeff Green" <Jeffg(at)jobsgopublic.com>
2005-12-28 12:21:04
Assuming you are on apache2, a line like 

Listen 192.168.0.123:80 

in ports.conf (or another conf file if you prefer)

would restrict apache to listening to port 80 on the local network
interface. To restrict it to a single machine you need to look to
network configuration; if it's a linux box, play with /etc/hosts.allow
and /etc/hosts.deny. Any of those options will survive upgrades without
problem. By all means use the switch and firewall if the first is
managed and the second exists...
Jeff

