Pound Mailing List Archive, 2006-09: Forwarding to SSL host fails with 500 error
Forwarding to SSL host fails with 500 error
From: "Michelle Dupuis" <support(at)ocg.ca>
Date: 2006-09-30 15:36:46
I had pound working successfully, accepting inbound HTTP on port 80 and forwarding to my internal server listening for HTTP on port 80. I have now switched to HTTPS, and have a problem.
Internally, I can browse to my internal site using https://site.intdomain.com, where it listens for HTTPS on port 443. (Note that I generated a certificate from my own CA.) I accepted the certificate into my browser when prompted, and I can successfully view my site.
I set up pound to listen on port 443 now, and forward to port 443 internally, all for HTTPS. I also created a certificate for the pound server, which is loading fine when pound starts. The problem is, when someone externally browses to my site https://site.extdomain.com/mydir they receive a 500 error. I confirmed using iptables logging that the pound server is getting the 443 connection inbound, and then creating a 443 connection outbound to my internal server. So connectivity looks good!
However, the log on my internal web server (IIS) shows no connection attempts from pound! I'm stumped! My IIS does however show my connection attempts from my laptop on my LAN (where I accepted the certificate).
So....
1. If I can connect from a web browser on my LAN to the internal site (HTTPS on 443), why can't pound connect?
2. I had to accept my internally generated certificate into my laptop's browser to allow me to see my site. Does pound somehow have to import that certificate to be able to reach the internal server? (And how would I do so?)
3. Should my internal web server show a connection attempt even if pound has a problem with the certificate? (I'm running latest IIS as server)
4. Any other ideas?
Many thanks!
MD
-------------------------
my pound.cfg (disguised):
# Run in foreground for testing (0)
Daemon 1
# Capture extended info for testing
LogLevel 3
#------------------------------------------------------------------------------------
# Listeners for webmail on HTTPS
#------------------------------------------------------------------------------------
ListenHTTPS
    Address 1.2.3.4
    Port 443
    Cert "/data/ssl-cert/chain-certificate.pem"
    # Don't allow PUT / DELETE
    xHTTP 0
    # Enable WebDAV commands required by Exchange OWA
    WebDAV 1
    # Enable rpc over HTTP for outlook over RPC - still in testing
    rpcHTTP 1
    Service
        URL "/exchange.*"
        HeadRequire "Host:.*xx.domain.ca.*"
        BackEnd
            Address 172.31.254.31
            Port 443
            Timeout 15
        End
    End
    Service
        URL "/exchweb.*"
        HeadRequire "Host:.*xx.domain.ca.*"
        BackEnd
            Address 172.31.254.31
            Port 443
            Timeout 15
        End
    End
End
Re: [Pound Mailing List] Forwarding to SSL host fails with 500 error
From: "Simon Matter" <simon.matter(at)ch.sauter-bc.com>
Date: 2006-09-30 16:46:22
> I had pound working successfully, accepting inbound HTTP on port 80 and[...]
Hi,
Pound only speaks http to its backends. Now you have several options:
1) let your webserver accept http requests from pound. In a switched network nobody should be able to sniff traffic so it's still safe.
2) use something like stunnel to translate your http requests to https.
Simon
[...]
RE: Forwarding to SSL host fails with 500 error
From: "Michelle Dupuis" <support(at)ocg.ca>
Date: 2006-09-30 17:00:15
A little more info, I'm trying to connect as follows:
client <--------> pound <---------> webserver
Both connections are SSL (I know it adds overhead to have 2 SSL connections).
My syslog also shows this error:
Sep 30 10:57:27 firewall pound: response error read from :443: Connection timed out
Why would it time out? I confirmed that I can access the website from within the LAN (https on port 443).
MD
_____
From: Michelle Dupuis [mailto:support(at)ocg.ca]
Sent: Saturday, September 30, 2006 9:37 AM
To: 'pound(at)apsis.ch'
Subject: Forwarding to SSL host fails with 500 error
[...]
Re: [Pound Mailing List] RE: Forwarding to SSL host fails with 500 error
From: "Simon Matter" <simon.matter(at)ch.sauter-bc.com>
Date: 2006-09-30 17:22:00
> A little more info, I'm trying to connect as follows:[...]
Because pound speaks http to your webserver, not https. Your webserver expects https on port 443, while pound does http to your webserver's port 443.
Pound never speaks SSL to its backends, no matter which port you choose.
Simon
[...]
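Added example, not from this thread or from the Pound project: Simon's second option (stunnel between Pound and the HTTPS backend, as named in his first reply and explained in his second) as a small sh script that writes the stunnel client-mode configuration and the replacement BackEnd block for pound.cfg. Pound keeps speaking plain HTTP, but only to 127.0.0.1:8443 on its own host; stunnel opens the TLS connection to 172.31.254.31:443 and refuses the backend unless its certificate chains to the private CA, which is the trust decision Michelle made by hand in her browser. The local port 8443, the CONF_DIR and CA_FILE paths and the function names are assumptions; the backend address is the one from Michelle's config.

```shell
#!/bin/sh
# Constructed example: stunnel in CLIENT mode between Pound and an HTTPS backend.
# Assumed: CONF_DIR, CA_FILE (path to the private CA certificate), LOCAL_PORT.
# BACKEND_ADDR is the backend from the thread's pound.cfg.
CONF_DIR="${CONF_DIR:-/etc/stunnel}"
CA_FILE="${CA_FILE:-/data/ssl-cert/internal-ca.pem}"   # hypothetical CA cert path
BACKEND_ADDR="${BACKEND_ADDR:-172.31.254.31}"
LOCAL_PORT="${LOCAL_PORT:-8443}"

# Write the stunnel client-mode config. "verify = 2" makes stunnel reject a
# backend certificate that does not chain to CA_FILE, so an impostor between
# Pound and IIS is refused instead of silently accepted.
write_stunnel_conf() {
    mkdir -p "$CONF_DIR"
    cat > "$CONF_DIR/pound-backend.conf" <<EOF
; stunnel client between Pound and the HTTPS backend (constructed example)
foreground = no
syslog = yes

[pound-backend]
client = yes
accept = 127.0.0.1:${LOCAL_PORT}
connect = ${BACKEND_ADDR}:443
verify = 2
CAfile = ${CA_FILE}
EOF
    echo "$CONF_DIR/pound-backend.conf"
}

# Write the replacement BackEnd block for pound.cfg: plain HTTP to the local
# stunnel port instead of plain HTTP straight at the backend's TLS port,
# which is what produced the "response error read from :443" timeout.
write_pound_backend() {
    mkdir -p "$CONF_DIR"
    cat > "$CONF_DIR/pound-backend.cfg" <<EOF
        BackEnd
            Address 127.0.0.1
            Port    ${LOCAL_PORT}
            Timeout 15
        End
EOF
    echo "$CONF_DIR/pound-backend.cfg"
}

# Reproduce by hand what stunnel will verify: does the backend present a
# certificate that chains to CA_FILE? Needs reachability to the backend,
# so it is not run by default.
check_backend_cert() {
    openssl s_client -connect "${BACKEND_ADDR}:443" -CAfile "$CA_FILE" </dev/null 2>/dev/null \
        | grep -q 'Verify return code: 0 (ok)'
}

# Usage (uncomment to apply; then paste pound-backend.cfg into both Service blocks):
# write_stunnel_conf && write_pound_backend && check_backend_cert
```

"verify = 2" checks only that the chain ends at CAfile; it does not check that the certificate's name matches the backend, which newer stunnel releases handle with the checkHost option. Leaving verification off would make the Pound-to-IIS hop accept any certificate, the same weakening as clicking through the browser warning, so the CA file is the one thing worth copying from the internal CA to the Pound host.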