Trouble with SSH backend
Steve Nolan <snolan(at)virl.bc.ca>
2010-07-17 19:37:26
Hi, all.

I've been working away at this fruitlessly for the entire afternoon --
I hate to, but I think it's time to ask for help.

I have an existing pound 2.2 installation which works beautifully with
straight HTTP. I've just built a new pound 2.5 on the same Ubuntu
10.04LTS box to take advantage of the SSH backends feature. However, I
can't seem to get the client to engage in SSL negotiation with the proxy.

Even with the https:// prefix in the URL, and a listening port of 443 on
the proxy, the communication from client to proxy consists of a single
request, in cleartext, to port 443 where it's silently (unlogged)
discarded by the proxy, I suppose because it wants SSL communication on
that port? I've only tested with Windows browser clients (Firefox 3.5
and IE8) at this point, both with proxy settings manually configured to
point to the listening ports of my pound 2.5 install.

I have a self-signed cert installed for testing, and it works fine with
(for example) stunnel.

I have the strong feeling that I'm missing the blindingly obvious, here.
Can anyone give me a clue? I love the software and I'd hate to have to
switch to something else because I can't see what's right in front of my
nose. Thanks so much for any suggestions anyone can offer.

My config, in part:


ListenHTTP
          Address 206.108.209.193
          Port    3381
          xHTTP   3
End

ListenHTTPS
          Address 206.108.209.193
          Port    443
          xHTTP   3
          Cert    "/etc/pound/mycert.pem"

          Service
                  HeadRequire "Host:.*ec.virl.bc.ca.*"
                  BackEnd
                          Address ec.virl.bc.ca
                          Port 443
                          HTTPS
                  End
          End
End

Service
          URL "http://contentcafe.btol.com/*"
          BackEnd
                  Address contentcafe.btol.com
                  Port 80
          End
End

Service
          URL "http://msgs.virl.bc.ca/denied.html"
          BackEnd
                  Address msgs.virl.bc.ca
                  Port    80
          End
End

Service
          Redirect "http://msgs.virl.bc.ca/denied.html"
End

RE: [Pound Mailing List] Trouble with SSH backend
Joe Gooch <mrwizard(at)k12system.com>
2010-07-19 15:41:22
Pound is not a proxy server (like Squid).
Pound is a load balancer, or reverse-proxy.

As such, you can't set your browser proxy settings to pound and expect it to
work.


Instead, you could have your config below, but remove the http:// and hostname
from the URL matching lines, moving the hostname into a headrequire host match.
When you open a browser without proxy settings, and go to
https://206.108.209.193, it should take you to the line that matches. If
contentcafe.btol.com resolves to 206.108.209.193, you could use
https://contentcafe.btol.com as well, since the headrequire would point you to
the proper backend.


Pound is used for making a hybrid/composite web site from multiple backends/url
patterns; not for creating a proxy that can answer browser requests for full
URLs.

Joe
[...]
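
Added example, not part of either message: the configuration from the first post with the change described in the reply applied, so the host moves out of each URL pattern into a HeadRequire match. It assumes clients connect directly with no browser proxy settings, that the matched hostnames resolve to 206.108.209.193 for those clients, and that Pound itself resolves the BackEnd addresses to the real servers; the path-only URL pattern is an assumed reading of the original full-URL line.

```conf
# Constructed from the config in the first message; only the
# global Service blocks differ.
ListenHTTP
    Address 206.108.209.193
    Port    3381
    xHTTP   3
End

ListenHTTPS
    Address 206.108.209.193
    Port    443
    xHTTP   3
    Cert    "/etc/pound/mycert.pem"

    Service
        HeadRequire "Host:.*ec.virl.bc.ca.*"
        BackEnd
            Address ec.virl.bc.ca
            Port 443
            HTTPS
        End
    End
End

# Was: URL "http://contentcafe.btol.com/*"
Service
    HeadRequire "Host:.*contentcafe.btol.com.*"
    BackEnd
        Address contentcafe.btol.com
        Port 80
    End
End

# Was: URL "http://msgs.virl.bc.ca/denied.html"
# URL now matches the request path only (assumed pattern).
Service
    HeadRequire "Host:.*msgs.virl.bc.ca.*"
    URL "^/denied.html"
    BackEnd
        Address msgs.virl.bc.ca
        Port    80
    End
End

# Catch-all: anything not matched above is redirected.
Service
    Redirect "http://msgs.virl.bc.ca/denied.html"
End
```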