
HTTPS reverse proxy to multiple unique hosts

This is a guide on how to set up Pound to act as a reverse proxy for multiple HTTPS websites behind a single wildcard SSL certificate.

I am configuring this on an Ubuntu machine. I originally had the reverse proxying set up with nginx, but that was without SSL. When I tried to make nginx an SSL reverse proxy I only ever reached the first server configured. HTTP reverse proxies pick a back-end from the “Host:” request header, but over HTTPS that header travels inside the encrypted stream, so a proxy that simply passes the TLS connection through cannot read it and has nothing to route on; the proxy has to terminate TLS itself before it can look at the Host header. I then tried to set up squid to do this but I couldn’t get it to build with SSL support. After a quick Google search I found a proxy called Pound.

When Pound is configured for HTTPS it expects the certificate in PEM format, meaning one file that contains the private key, the wildcard certificate itself and, if needed, the intermediate certificates. Pound loads that file with OpenSSL’s certificate-chain routines, so the wildcard certificate must come before the intermediates (the first certificate in the file is taken as the server certificate and the rest as its chain); the key can go before or after. An issue with GoDaddy certs is that browsers sometimes do not trust them on their own because they are issued through an intermediate CA; to avoid this error the intermediate certificate chain must be included in the PEM file. The file contains the private key, so keep it owned by root with mode 0600; Pound reads it at start-up before dropping to the User/Group configured below.
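The following helper, added here as an example and not part of the original post, assembles the PEM file Pound wants and checks it before it goes into /etc/ssl/certs: it refuses a key that does not belong to the certificate, verifies that the certificate chains through the intermediates to a trusted root, and writes the bundle with the certificate ahead of the chain and restrictive permissions. The file names (mydomain.key, mydomain.crt, gd_bundle.crt) are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): build and sanity-check the single
# PEM file that Pound's "Cert" directive expects.
#
# build_pound_pem KEY CERT CHAIN OUT [ROOT]
#   1. refuse to bundle a KEY that does not belong to CERT (compares the
#      public keys, so it works for RSA and EC keys alike);
#   2. verify that CERT chains through CHAIN to a trusted root (ROOT if given;
#      otherwise the system trust store, which is the real-world case);
#   3. write KEY + CERT + CHAIN to OUT, readable only by its owner.
build_pound_pem() {
    key=$1 cert=$2 chain=$3 out=$4 root=$5

    # Public key from the private key vs. public key inside the certificate.
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
    cert_pub=$(openssl x509 -in "$cert" -pubkey -noout 2>/dev/null) || return 1
    if [ "$key_pub" != "$cert_pub" ]; then
        echo "build_pound_pem: $key does not match $cert" >&2
        return 1
    fi

    # Chain check: the leaf must validate via the intermediates in CHAIN.
    # A bundle that passes this will not produce the browser trust error the
    # post describes, because every intermediate the verifier needs is present.
    if [ -n "$root" ]; then
        set -- -CAfile "$root"
    else
        set --
    fi
    openssl verify "$@" -untrusted "$chain" "$cert" >/dev/null 2>&1 || {
        echo "build_pound_pem: $cert does not chain to a trusted root via $chain" >&2
        return 1
    }

    # Order: key, then the server certificate, then the intermediates. OpenSSL
    # takes the first certificate in the file as the server cert and the rest
    # as its chain, so the wildcard cert must precede the intermediates.
    ( umask 077 && cat "$key" "$cert" "$chain" > "$out" ) || return 1
    chmod 600 "$out"
}

# Typical use on the proxy (file names are assumptions):
#   build_pound_pem mydomain.key mydomain.crt gd_bundle.crt /etc/ssl/certs/mydomain.com.pem
```

Run it as root on the proxy and point the Cert directive at the output; if it complains about the chain, the intermediates in gd_bundle.crt are missing or in the wrong order, which is exactly what makes browsers show the untrusted-certificate error.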

Pound is able to handle multiple SSL sites pointing to it because it terminates the whole TLS session on its end and then forwards to the respective web server based on the Host header value. This also means that the connections from the proxy to the web servers are plain HTTP and not encrypted. Pound adds an X-Forwarded-For header so the back-ends can still log the real client address, and you can use other measures (a separate back-end network, firewall rules that let only the proxy reach port 80 on the web servers) to secure the traffic between internal hosts and ease the paranoia.

The diagram below shows the test environment setup:

||—–(192.168.1.5)Proxy.mydomain.com(1.2.3.4) —– INTERNET
||
||————-Test1.mydomain.com(192.168.1.11)
||
||————-Test2.mydomain.com(192.168.1.12)
||
||————-Test3.mydomain.com(192.168.1.13)

All your external DNS records for Test1, Test2 and Test3 will point to 1.2.3.4. Then either configure your internal DNS or the /etc/hosts file to resolve the full domain names to the right internal IPs, so that each site is forwarded to the right web server. Below is a copy of the config file that was used in /etc/pound/pound.cfg.

apt-get install pound
edit /etc/default/pound and change startup=0 to startup=1 (the Ubuntu package ships with the service disabled, and the init script refuses to start it until this is set)
edit /etc/pound/pound.cfg to match the sample below
service pound start


/etc/pound/pound.cfg sample
## Minimal sample pound.cfg
######################################################################
## global options:
User        "www-data"
Group        "www-data"
#RootJail    "/chroot/pound"
## Logging: (goes to syslog by default)
##    0    no logging
##    1    normal
##    2    extended
##    3    Apache-style (common log format)
LogLevel    1
## check backend every X secs:
Alive        30
## use hardware-acceleration card supported by openssl(1):
#SSLEngine    ""

######################################################################
## listen, redirect and ... to:
# One HTTPS listener on the public address terminates TLS with the wildcard
# certificate. Each Service below matches the request's Host header with a
# regular expression and hands the request to one back-end over plain HTTP.
# Services are tried in order and the first match wins; a request whose Host
# matches none of them gets a 503 from Pound.
# Main listening port
ListenHTTPS
  Address 1.2.3.4
  Port    443
  Cert    "/etc/ssl/certs/mydomain.com.pem"


  Service
    HeadRequire "Host:.*test1.mydomain.com.*"
    BackEnd
      Address 192.168.1.11
      Port    80
    End
  End

  Service
    HeadRequire "Host:.*test2.mydomain.com.*"
    BackEnd
      Address 192.168.1.12
      Port    80
    End
  End

  Service
    HeadRequire "Host:.*test3.mydomain.com.*"
    BackEnd
      Address 192.168.1.13
      Port    80
    End
  End
End
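One check worth running on the HeadRequire lines above: they are regular expressions, Pound compiles them as case-insensitive POSIX extended regexes and searches each request header line with them, and the Host header is whatever the client chooses to send. The patterns in the sample are unanchored and leave the dots unescaped, so they also match hostnames that merely contain the string. The script below is an added example, not code from the post or from Pound; it replays the matching with grep -E (the same ERE semantics) to show which Host values the loose pattern accepts and compares it with an anchored form. It assumes Pound hands the regex the header line without its trailing CRLF, and the anchored pattern is a suggested hardening rather than a line from the post.

```shell
#!/bin/sh
# Added example (not from the original post): simulate Pound's HeadRequire
# matching to show why the sample config's unanchored patterns are loose.
# Pound compiles HeadRequire as a case-insensitive POSIX ERE and searches each
# header line; grep -Ei applies the same semantics here. Assumption: the
# header line reaches the regex without its trailing CRLF.

# route LINE PATTERN BACKEND [PATTERN BACKEND ...]
#   Walk the Service rules in config order and print the back-end of the first
#   rule whose pattern matches LINE; return 1 when none match (Pound answers
#   503 Service Unavailable in that case).
route() {
    line=$1
    shift
    while [ $# -ge 2 ]; do
        if printf '%s\n' "$line" | grep -Eiq -e "$1"; then
            printf '%s\n' "$2"
            return 0
        fi
        shift 2
    done
    return 1
}

# The pattern the post uses for test1: unescaped dots, nothing anchored, so any
# Host value that merely contains the string matches.
LOOSE='Host:.*test1.mydomain.com.*'
# Anchored form (suggested, not from the post): optional blanks after the
# colon, literal dots, an optional :443 some clients append, and nothing else.
STRICT='^Host: *test1\.mydomain\.com(:443)?$'

# Constructed Host values a client could send; only the first two are genuine.
for host in 'test1.mydomain.com' 'TEST1.mydomain.com:443' \
            'test1.mydomain.com.attacker.example' 'evil-test1.mydomain.com' \
            'test1Xmydomain.com'; do
    loose=$(route "Host: $host" "$LOOSE" 192.168.1.11 || echo none)
    strict=$(route "Host: $host" "$STRICT" 192.168.1.11 || echo none)
    printf '%-40s loose=%-14s strict=%s\n' "$host" "$loose" "$strict"
done
```

With three equivalent web servers behind the proxy the loose match costs little, but the same listener pattern is often reused in front of back-ends that should only be reachable under one exact name, and there the anchored form is the one to put in pound.cfg (check that Pound's config parser accepts the backslashes as written before relying on it).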

4 Comments

  1. Howdy! I could have sworn I’ve been to this website before but after checking through some of the post I realized it’s new to me. Anyhow, I’m definitely glad I found it and I’ll be bookmarking and checking back frequently!

  2. Fantastic beat! I would like to apprentice whilst you amend your site, how can I subscribe for a weblog website? The account helped me a appropriate deal. I had been a little bit acquainted of this your broadcast offered vibrant clear idea

  3. Excellent article! We will be linking to this particularly great post on our website.
    Keep up the good writing.

  4. Thanks… just what I need to set up Pound on my ongoing attempt to create a home data center


One Trackback/Pingback

  1. […] Pound Reverse SSL Proxy for Multiple Servers | Tech Blog – February 7th ( tags: linux pound proxy reverse proxy ssl ) […]
