Pound and back-end with HTTPS
"titetluc titetluc" <titetluc(at)gmail.com>
2006-09-08 14:29:40 [ FULL ]
Hello all,

 I am the web master of a domain and I am using Pound (version 1.9) for this
domain.
My network will evolve, so a new "service" is required: HTTP traffic between
Pound and some back-ends has to be encrypted (in fact, all the back-ends not
running on the loopback have to be encrypted).
 Pound does not manage this "service", so I decided to modify it with the
code below (inserted in the thr_http function after the code resolving the
back-end); in fact, I "copied" and adapted the Pound code establishing the
connection between the client and Pound.

 The code below does not work correctly: the flow from Pound to the back-end
is correctly encrypted (the back-end decrypts it correctly), but the flow
from the back-end to Pound is not decrypted by my code.

 I searched for information on the BIO API on the net, on the news, in books
(Rescorla and Viega) and in the man page (man bio (3)), but I only found
minimal information on the BIO API.
 My question is:
 Can somebody give me some hints on the OpenSSL BIO API so that:
     . I can understand the code ;-), in particular the assignment "be = bc"
(see below) (I would have intuitively written "be = BIO_push(bc, be)")
     . I can find the problem
     . I can understand why the line "be = bc" (see code below) is not a
memory leak?

 Thanks a lot

 Titetluc


 Code to manage HTTPS to the back-end
 For clarity, no test is done
 -----begin code-----
 // here the code to search the back-end
 <snip>

    if((be = BIO_new_socket(sock, 1)) == NULL) {
        logmsg(LOG_WARNING, "BIO_new_socket server failed");
        shutdown(sock, 2);
        close(sock);
        free_headers(headers);
        clean_all();
        pthread_exit(NULL);
    }
    BIO_set_close(be, BIO_CLOSE);

    if(server_to > 0) {
        BIO_set_callback_arg(be, (char *)&server_to);
        BIO_set_callback(be, bio_callback);
    }

 // Code I inserted
    if (*((ulong *)&from_host) != ntohl(INADDR_LOOPBACK)) {
        /* back-end not running on localhost */
        SSL_CTX *c_ctx;
        SSL *c_ssl;

        c_ctx = SSL_CTX_new(SSLv23_method());
        //SSL_CTX_set_verify(c_ctx, SSL_VERIFY_NONE, NULL);

        c_ssl = SSL_new(c_ctx);

        /* the socket BIO becomes the read and write BIO of c_ssl;
         * c_ssl now owns it and frees it when c_ssl is freed */
        SSL_set_bio(c_ssl, be, be);

        /* SSL filter BIO; with BIO_CLOSE, freeing bc frees c_ssl too,
         * so the old "be" is still reachable through bc -> c_ssl */
        bc = BIO_new(BIO_f_ssl());
        BIO_set_ssl(bc, c_ssl, BIO_CLOSE);
        BIO_set_ssl_mode(bc, 1);    /* 1 = client mode */
        be = bc;

        SSL_connect(c_ssl);
    }

 // End of code I inserted

    if((bb = BIO_new(BIO_f_buffer())) == NULL) {
        logmsg(LOG_WARNING, "BIO_new(buffer) server failed");
        free_headers(headers);
        clean_all();
        pthread_exit(NULL);
    }
    BIO_set_buffer_size(bb, MAXBUF);
    BIO_set_close(bb, BIO_CLOSE);
    be = BIO_push(bb, be);

 // here the code to read the client headers

 <snip>

 -----end code-----
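The proxy-to-back-end TLS client the post is trying to build, as an added example that is neither Pound's code nor from the original message, written in Go rather than with the OpenSSL BIO API so that it runs stand-alone. The point it adds is the check the posted fragment never makes: a fresh SSL_CTX has no trust anchors, the default verify mode of a client SSL_CTX is SSL_VERIFY_NONE, and the result of SSL_connect is not examined, so that code encrypts to whatever answers on the back-end port. Here verification stays on, and a back-end whose certificate does not chain to the configured roots or does not carry the dialed name is refused before any request is sent. The back-end name backend.internal, its self-signed certificate, the in-memory echo back-end and the request string are all constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSignedBackendCert makes a throwaway certificate for the constructed back-end
// name so the example runs offline; a real back-end presents its own certificate
// and the proxy is handed the CA that issued it.
func selfSignedBackendCert(name string) (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		DNSNames:              []string{name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool, nil
}

// backendClientConfig is the proxy-side counterpart of the SSL_CTX in the post,
// with verification kept on: the back-end must present a certificate chaining to
// roots and carrying serverName, otherwise the handshake fails and nothing is sent.
func backendClientConfig(roots *x509.CertPool, serverName string) *tls.Config {
	return &tls.Config{RootCAs: roots, ServerName: serverName, MinVersion: tls.VersionTLS12}
}

// relayOnce plays one proxied request over an in-memory pipe: the proxy end sends
// request to the back-end over TLS and returns the reply read back through the same
// TLS connection (the direction that failed in the post). The back-end is a
// constructed echo server; SessionTicketsDisabled keeps the synchronous pipe from
// stalling on post-handshake messages.
func relayOnce(cfg *tls.Config, backendCert tls.Certificate, request string) (string, error) {
	proxyEnd, backendEnd := net.Pipe()
	defer proxyEnd.Close()
	backendDone := make(chan error, 1)
	go func() {
		defer backendEnd.Close()
		srv := tls.Server(backendEnd, &tls.Config{
			Certificates: []tls.Certificate{backendCert}, SessionTicketsDisabled: true})
		buf := make([]byte, 4096)
		n, err := srv.Read(buf) // implicit handshake, then the proxied request
		if err != nil {
			backendDone <- err
			return
		}
		_, err = srv.Write([]byte("HTTP/1.0 200 OK\r\n\r\necho:" + string(buf[:n])))
		backendDone <- err
	}()
	client := tls.Client(proxyEnd, cfg)
	if err := client.Handshake(); err != nil {
		return "", fmt.Errorf("back-end handshake refused: %w", err)
	}
	if _, err := client.Write([]byte(request)); err != nil {
		return "", err
	}
	reply := make([]byte, 4096)
	n, err := client.Read(reply)
	if err != nil {
		return "", err
	}
	if err := <-backendDone; err != nil {
		return "", err
	}
	return string(reply[:n]), nil
}

func main() {
	cert, pool, err := selfSignedBackendCert("backend.internal")
	if err != nil {
		panic(err)
	}
	req := "GET / HTTP/1.0\r\n\r\n"
	reply, err := relayOnce(backendClientConfig(pool, "backend.internal"), cert, req)
	fmt.Printf("trusted back-end: %q (err=%v)\n", reply, err)
	// What a context that never loaded trust anchors would have accepted silently:
	_, err = relayOnce(backendClientConfig(x509.NewCertPool(), "backend.internal"), cert, req)
	fmt.Println("untrusted back-end:", err)
}
```

The second relayOnce call in main hands the proxy an empty trust store and is expected to fail; that refusal is exactly what the posted fragment lacks. The OpenSSL equivalent is loading the back-end CA with SSL_CTX_load_verify_locations, setting SSL_VERIFY_PEER on the context, and treating a non-1 return from SSL_connect as a failed back-end, the same way the fragment already handles a failed BIO_new_socket.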

Re: [Pound Mailing List] Pound and back-end with HTTPS
Adam Borowski <kilobyte(at)angband.pl>
2006-09-08 15:41:41 [ FULL ]
On Fri, Sep 08, 2006 at 02:29:40PM +0200, titetluc titetluc wrote:
[...]

Why bother with SSL?  Adding new code like this is tedious and leaves plenty
of space for error; and encryption is a place where you don't want errors.

What about setting up a tunnel?  It's as simple as ssh -L, and you can
choose from a multitude of other solutions.

[...]

Re: [Pound Mailing List] Pound and back-end with HTTPS
Jeffrey Brown <jbrown(at)camsys.com>
2006-09-08 17:55:08 [ FULL ]
Hi,
 
Could you expand on this, or provide me a link to some place that has more
detail on how to use Pound with SSL for encrypting traffic between Pound and a
back-end? This would be helpful if it were possible.
 
Thanks!

--jeff 


Re: [Pound Mailing List] Pound and back-end with HTTPS
Ted Dunning <tdunning(at)veoh.com>
2006-09-08 18:06:04 [ FULL ]
Stunnel is commonly used to set up semi-permanent encrypted links.  Ssh can
also be very useful.

I also find web search engines very useful things in finding documentation
on this sort of thing.

Here are some sample links that might help you:

Google("stunnel") => http://www.stunnel.org/
Google("ssh tunnel") => http://www.rzg.mpg.de/networking/tunnelling.html


On 9/8/06 8:55 AM, "Jeffrey Brown" <jbrown(at)camsys.com> wrote:
[...]

Re: [Pound Mailing List] Pound and back-end with HTTPS
"titetluc titetluc" <titetluc(at)gmail.com>
2006-09-11 08:40:37 [ FULL ]
On 9/8/06, Adam Borowski <kilobyte(at)angband.pl> wrote:
[...]


That's not the answer I was waiting for ...

I considered other solutions such as stunnel ... but these solutions were
too expensive (memory, context switches, ...): I run Pound on a specific
platform with constraints (very, very, very little memory, little mass storage
and so on), so adding a new program to my platform is not the solution.

I could formulate my question like this:
Could someone explain the code with the BIO API to me?
but I think this kind of question has to be asked on the openssl mailing list
;-)

Thanks anyway

[...]

Re: [Pound Mailing List] Pound and back-end with HTTPS
Falk Brockerhoff <noc(at)smartterra.de>
2006-09-11 13:06:16 [ FULL ]
titetluc titetluc wrote:
[...]

I think a tunnel created with ssh may be the best solution for your
problem. SSH should already be shipped with your operating system, so
there is no need to install additional programs. It is an old and
proven mechanism; self-made modifications within the Pound source code
aren't :-)
[...]

Regards,

Falk Brockerhoff