SSL for Multiple Hosts
"W. Jeffrey Brown" <JBROWN(at)ALLHEADLINENEWS.COM>
2011-04-05 19:42:32
I've looked all over and can't find this answer.
We have pound running and passing traffic off for two hosts. Each host has its
own set of servers.
What I need to know is what the proper configuration would be for each host to
have its own ssl cert.
Here is a sanitized version of the pound config that we are using.
# Replace "localhost" by your IP or host name
ListenHTTPS
    Address 0.0.0.0
    Port 443
    Cert "/opt/pound/ssl/server.pem"
    Client 15
    RewriteLocation 0
    Service
        BackEnd
            Address WWW.XXX.YYY.ZZZ
            Port 80
            Timeout 15
        End
    End
End
ListenHTTP
    Address 0.0.0.0
    Port 80
    Client 15
    RewriteLocation 0
    Service
        HeadRequire "Host:.*domain1.com.*"
        BackEnd
            Address 192.168.99.196
            Port 80
            Timeout 15
        End
        BackEnd
            Address 192.168.99.197
            Port 80
            Timeout 15
        End
    End
    Service
        HeadRequire "Host:.*domain2.com.*"
        BackEnd
            Address 192.168.99.198
            Port 80
            Timeout 15
        End
        BackEnd
            Address 192.168.99.199
            Port 80
            Timeout 15
        End
        BackEnd
            Address 192.168.99.200
            Port 80
            Timeout 15
        End
    End
End
Re: [Pound Mailing List] SSL for Multiple Hosts
Dave Steinberg <dave(at)redterror.net>
2011-04-05 21:12:46
On 4/5/2011 1:42 PM, W. Jeffrey Brown wrote:[...]
There's 2 easy choices:
1) Get 1 cert with both CN fields on it. Most SSL providers offer these
for not much more (I have one that allows 5 names on 1 cert from Godaddy
- it wasn't expensive).
2) Move them to different IPs and then update your ListenHTTP/HTTPS
blocks, specifying the different certs for each IP.
Regards,[...]
RE: [Pound Mailing List] SSL for Multiple Hosts
Joe Gooch <mrwizard(at)k12system.com>
2011-04-05 21:25:16
3) As of Pound 2.6a, you can use SNI:
Please note that multiple Cert directives are allowed if your
OpenSSL version supports SNI. In such cases, the first directive
is the default certificate, with additional certificates used if
the client requests them.
If you do specify multiple Cert directives, the subject of the certificate
will be compared against the hostname the browser is requesting. If you have a
cert for www.domain.org, it will use that if the client asks for
www.domain.org. (Or if you have a cert for *.domain.org, that would match as
well)
Joe
[...]
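
Option 3 applied to the configuration from the original question, as an added example that is not part of any poster's message or of the Pound documentation. The two certificate file names are hypothetical; the backend addresses and HeadRequire patterns are taken from the posted config, and it assumes Pound 2.6a or later built against an OpenSSL with SNI support.

```conf
# Added example: one HTTPS listener serving two hosts, one certificate each.
# Certificate paths are hypothetical placeholders.
ListenHTTPS
    Address 0.0.0.0
    Port    443
    # First Cert is the default certificate: it is what a client gets when it
    # sends no SNI name or asks for a name none of the certificates match.
    Cert "/opt/pound/ssl/domain1.pem"
    # Additional Cert: used when the requested hostname matches its subject.
    Cert "/opt/pound/ssl/domain2.pem"
    Client 15
    RewriteLocation 0

    # Certificate selection happens during the TLS handshake; backend routing
    # still happens afterwards, on the Host header, exactly as on port 80.
    Service
        HeadRequire "Host:.*domain1.com.*"
        BackEnd
            Address 192.168.99.196
            Port    80
            Timeout 15
        End
        BackEnd
            Address 192.168.99.197
            Port    80
            Timeout 15
        End
    End
    Service
        HeadRequire "Host:.*domain2.com.*"
        BackEnd
            Address 192.168.99.198
            Port    80
            Timeout 15
        End
        BackEnd
            Address 192.168.99.199
            Port    80
            Timeout 15
        End
        BackEnd
            Address 192.168.99.200
            Port    80
            Timeout 15
        End
    End
End
```

A client that does not send SNI always receives the first certificate, so it will see a name mismatch when it connects for domain2.com; where such clients matter, the multi-name certificate or separate-IP options from the earlier reply avoid that.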