Pound Mailing List archive, 2005-12
Pounds with multiple https servers
From: "Gerard Petard" <wildcoder(at)hotmail.com>
Date: 2005-12-20 20:22:34
Hello,
I know I can't make virtual https servers with Pound. But as a second best
option, I'm thinking about using the same server name and SSL certificate
on multiple servers and using the path in the URL to reverse proxy between
them. So I would do something like this:
In both Apache httpd.conf files:
ServerName intranet.myserver.com
Create a single SSL key set and use the same one on both servers and on Pound.
One of the servers would then answer requests for
https://intranet.myserver.com/gallery/
and the other one
https://intranet.myserver.com/mail/
Is that something that could work?
I'm brand new to Pound; is there a place where I could find the most common
configurations as examples? I've been googling a lot, but besides the mailing
list archive there really isn't much out there.
Thanks for your help!
-WildCoder
Re: [Pound Mailing List] Pounds with multiple https servers
From: Ed R Zahurak <ezahurak(at)atlanticbb.net>
Date: 2005-12-21 00:23:56
Gerard,
pound will *only* talk http to the backend servers, I believe. The only
place you would need your cert is on pound. It would be straight,
unencrypted http to the backends. You could certainly do what you want
to do regarding sending requests on a certain path to one server or the
other, though.
Ed
Re: [Pound Mailing List] Pounds with multiple https servers
From: "Gerard Petard" <wildcoder(at)hotmail.com>
Date: 2005-12-22 18:37:56
Ed,
>pound will *only* talk http to the backend servers, I believe.
Oh! Really? I guess I'll have to uncomment the Listen on port 80 line in my
httpd.conf.
Right now my servers only talk https. Hopefully that'll be all I have to do
there.
>The only place you would need your cert is on pound. It would be
>straight, unencrypted http to the backends. You could certainly do what
>you want to do regarding sending requests on a certain path to one server
>or the other, though.
Trying to come up with the correct config. How does this look:
ListenHTTPS *,443 /etc/pound/server.pem
ExtendedHTTP 1
WEBDAV 1
LogLevel 3

UrlGroup ".*/bugzilla/.*"
    BackEnd 10.0.0.10,443,1
EndGroup

UrlGroup ".*/mail/.*"
    BackEnd 10.0.0.20,443,1
EndGroup

UrlGroup ".*"
EndGroup
If I use port 443, is it going to talk https to the backend? Or should I put
80 there and configure my server to also accept http connections on that
port?
My bugzilla server also uses WebDAV so I can transfer files and access them
from anywhere.
Thanks for your help.
-WildCoder
Re: [Pound Mailing List] Pounds with multiple https servers
From: "Simon Matter" <simon.matter(at)ch.sauter-bc.com>
Date: 2005-12-22 20:12:42
> Trying to come up with the correct config. How does this look:
>
> ListenHTTPS *,443 /etc/pound/server.pem
> ExtendedHTTP 1
> WEBDAV 1
> LogLevel 3
> UrlGroup ".*/bugzilla/.*"
This should do it:
UrlGroup "/bugzilla/.*"
> BackEnd 10.0.0.10,443,1
Believe it or not, Pound only speaks http to the backend, no SSL/TLS. So
you really want this here:
BackEnd 10.0.0.10,80,1
> EndGroup
>
> UrlGroup ".*/mail/.*"
> BackEnd 10.0.0.20,443,1
> EndGroup
>
> UrlGroup ".*"
> EndGroup
>
> if I use port 443 is it going to talk https to the backend? or I should
> put
> 80 there and configure my server to also accept http connection on that
> port?
Exactly, let your server accept on port 80. On a switched private network
this is really no problem. If you really NEED to speak https to the
backends, you may use something like stunnel between.
Simon
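The UrlGroup sections Simon corrects above form an ordered list of regular expressions that is walked until one matches, so the security-relevant question is what each pattern can match. The following is an added Python model of that first-match routing, written for this page and not Pound's own code. It uses the two backends posted in the thread (10.0.0.10 and 10.0.0.20 on port 80; the "host:port" labels and the helper names are this example's own) and shows two things the thread does not spell out: an unanchored pattern such as "/bugzilla/.*" also matches a bugzilla substring later in a mail URL or in a query string, and a request target that is not canonicalised ("/mail/../bugzilla/x", or its percent-encoded form) can be routed by the front end to one server while the backend's own normalisation serves it from the other tree. Whether Pound anchors, decodes or normalises the URL before matching is not stated on this page, so the model treats the raw request target as an opaque string unless canonicalize=True is passed.

```python
import re
from posixpath import normpath
from urllib.parse import unquote

# Ordered (pattern, backend) lists modelled on the thread's UrlGroup sections.
# Backend labels are this example's own; the addresses are the ones posted.
UNANCHORED = [
    (r"/bugzilla/.*", "10.0.0.10:80"),
    (r"/mail/.*", "10.0.0.20:80"),
    (r".*", None),            # catch-all group that has no BackEnd line
]

ANCHORED = [
    (r"^/bugzilla/", "10.0.0.10:80"),
    (r"^/mail/", "10.0.0.20:80"),
    (r"^/", None),
]


def canonical_path(raw_target):
    """Strip the query, percent-decode, and collapse '.' and '..' segments."""
    path = raw_target.split("?", 1)[0]
    path = unquote(path)
    path = normpath(path)          # '/mail/../bugzilla/x' -> '/bugzilla/x'
    if not path.startswith("/"):
        path = "/" + path
    return path


def route(groups, raw_target, canonicalize=False):
    """First group whose pattern matches wins; return its backend (None = no backend).

    With canonicalize=False the raw request target is matched as an opaque string,
    query string included: the conservative assumption about a front end whose
    matching rules are not documented on this page.
    """
    target = canonical_path(raw_target) if canonicalize else raw_target
    for pattern, backend in groups:
        if re.search(pattern, target):
            return backend
    return None


def routing_mismatch(groups, raw_target):
    """True when the raw and canonical forms of one request route to different backends.

    Such a request should be rejected at the front end: the backend serves the
    canonical path, so the front end's choice of server no longer reflects what is served.
    """
    return route(groups, raw_target) != route(groups, raw_target, canonicalize=True)


if __name__ == "__main__":
    # Constructed request targets exercising the cases discussed in the lead-in.
    for target in ("/bugzilla/show_bug.cgi", "/mail/inbox/bugzilla/note",
                   "/mail/../bugzilla/x", "/mail/%2e%2e/bugzilla/x",
                   "/mail/inbox?next=/bugzilla/"):
        print(f"{target:30} unanchored={route(UNANCHORED, target)} "
              f"anchored={route(ANCHORED, target)} "
              f"mismatch={routing_mismatch(ANCHORED, target)}")
```

With the anchored list, "/mail/inbox/bugzilla/note" goes to the mail server, while the unanchored list sends it to the bugzilla server because "/bugzilla/.*" matches first. routing_mismatch flags targets whose raw and canonical routes differ; those are the requests to refuse at the front end rather than forward, since the two backends serve different document trees under the same certificate and hostname.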
Re: [Pound Mailing List] Pounds with multiple https servers
From: "Gerard Petard" <wildcoder(at)hotmail.com>
Date: 2005-12-28 00:30:31
Simon,
OK, based on what I gathered so far, here's my new configuration file:
ListenHTTPS *,443 /etc/pound/server.pem
ExtendedHTTP 1
WEBDAV 1
LogLevel 3

UrlGroup "/bugzilla/.*"
    BackEnd 10.0.0.10,80,1
EndGroup

UrlGroup "/mail/.*"
    BackEnd 10.0.0.20,80,1
EndGroup

UrlGroup ".*"
EndGroup
Now I've got these 2 servers listening on https. I could uncomment the Listen
80 line in httpd.conf, but I can't do that because they're accessible from
the outside. I'd like to restrict Apache to listen on http ONLY from my local
network; in fact, if I could instruct it to only listen to http from my other
Pound server, that'd be just about perfect. I know this isn't the best place
for that, but you guys must be Apache experts as well.
In my /etc/apache2/vhosts.d/00_default_vhost.conf,
in the section <Directory "/var/www/localhost/htdocs">,
I could change the line
Allow from all
to
Allow from 10.0.0.5
Deny from all
which would only allow http connections from Pound's local IP.
That's not going to affect my https connections, right? They're handled in
another file.
I'll keep on googling a bit more but so far that's what I found.
Thanks for your help.
-WildCoder
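The two Allow/Deny lines above only do what Gerard intends under one setting of the surrounding Order directive, which the posted excerpt does not show. The following is an added Python model of the Apache 2.2 Order/Allow/Deny evaluation rules, written for this page and not Apache's code (Apache 2.4 replaced these directives with Require). Under Order allow,deny a request must match an Allow and no Deny, so "Deny from all" locks out Pound's 10.0.0.5 as well; under Order deny,allow a matching Allow overrides the Deny, and only 10.0.0.5 gets through. Pound's address 10.0.0.5 is taken from the thread; the outsider address 203.0.113.7 and the helper names are constructed for this example. It also illustrates why the replies steer the restriction to the firewall: an access-control section in Apache is fail-open or fail-closed depending on one word elsewhere in the file, and it only covers the Directory it sits in.

```python
import ipaddress

# Apache 2.2 (mod_authz_host / mod_access) semantics for Order, Allow and Deny.
# This is a model written for this example, not Apache's own code.


def _matches(rule, client_ip):
    """A 'from' argument: 'all', a single address, or a CIDR network."""
    if rule == "all":
        return True
    return ipaddress.ip_address(client_ip) in ipaddress.ip_network(rule, strict=False)


def access_decision(order, allow_from, deny_from, client_ip):
    """Return True if the client is admitted.

    order        "allow,deny" or "deny,allow" (the Order directive)
    allow_from   arguments of all 'Allow from ...' lines in the section
    deny_from    arguments of all 'Deny from ...' lines in the section
    """
    allowed = any(_matches(r, client_ip) for r in allow_from)
    denied = any(_matches(r, client_ip) for r in deny_from)
    if order == "allow,deny":
        # Allow lines first, then Deny; default is deny, and a matching Deny wins.
        return allowed and not denied
    if order == "deny,allow":
        # Deny lines first, then Allow; default is allow, and a matching Allow wins.
        return (not denied) or allowed
    raise ValueError(f"unsupported Order {order!r}")


POUND_IP = "10.0.0.5"          # Pound's local address, as posted in the thread
OUTSIDER = "203.0.113.7"       # constructed client address (documentation range)


def posted_snippet(order):
    """Gerard's two lines evaluated under a given Order: (pound_admitted, outsider_admitted)."""
    allow, deny = [POUND_IP], ["all"]
    return (access_decision(order, allow, deny, POUND_IP),
            access_decision(order, allow, deny, OUTSIDER))


if __name__ == "__main__":
    for order in ("allow,deny", "deny,allow"):
        print(f"Order {order}: (pound, outsider) admitted = {posted_snippet(order)}")
```

posted_snippet("allow,deny") returns (False, False): nobody, Pound included, can reach the directory. posted_snippet("deny,allow") returns (True, False), which is the intended behaviour. Either way the rule protects one Directory, not the listening port, which is the reason for binding the http listener to the internal address and filtering port 80 at the firewall as the replies suggest.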
Re: [Pound Mailing List] Pounds with multiple https servers
From: Ted Dunning <tdunning(at)veoh.com>
Date: 2005-12-28 00:48:43
Gerard,
Do this with your switch and firewall, not with apache. Your life will
be simpler and it is more likely that the restriction will survive
software upgrades and other noise in your life.
--
Ted Dunning
Chief Scientist
Veoh Networks
RE: [Pound Mailing List] Pounds with multiple https servers
From: "Jeff Green" <Jeffg(at)jobsgopublic.com>
Date: 2005-12-28 12:21:04
Assuming you are on Apache 2, a line like
Listen 192.168.0.123:80
in ports.conf (or another conf file if you prefer)
would restrict Apache to listening on port 80 on the local network
interface. To restrict it to a single machine you need to look to
network configuration; if it's a Linux box, play with /etc/hosts.allow
and /etc/hosts.deny. Any of those options will survive upgrades without
problem. By all means use the switch and firewall if the first is
managed and the second exists...
Jeff