
HTTPS reverse proxy to multiple unique hosts

This is a guide on how to set up Pound to act as a reverse proxy for multiple HTTPS websites using a single wildcard SSL certificate.

I am configuring this on an Ubuntu machine. I had originally set up the reverse proxying with nginx, but that was without using SSL. When I tried to implement the nginx SSL reverse proxy I was only getting access to the first server configured because of a design flaw in HTTPS. HTTP reverse proxies work by forwarding based on the “Host:” field in the header, but because this is encrypted it cannot make the proper forwarding decision. I then tried to set up squid to do this but I couldn’t get it to build with SSL support. After a quick Google search I then found a proxy called pound.

When Pound is configured to use HTTPS it expects the certificate in PEM format, meaning the wildcard certificate and its private key in one file, together with any intermediate certificates that are needed. GoDaddy certificates in particular are sometimes not trusted by browsers when the server presents only the leaf certificate; to avoid this error the intermediate certificate chain must be included in the PEM file.
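As an added example (not from this post and not part of Pound), the following POSIX shell script assembles that PEM file and sanity-checks it before it is handed to Pound. The input file names wild.key, wild.crt and chain.crt are placeholders; the output path is the one the config below points at. The script writes the server certificate first, then the private key, then the intermediates: OpenSSL treats the first certificate in a combined file as the server certificate and the following ones as the chain, and the key block is located by its own PEM header, so that order is safe for Pound.

```shell
#!/bin/sh
# Added example: build the single PEM file Pound's Cert directive expects
# (server certificate, private key, then the intermediate chain) and check it.
# File names are placeholders for this example.

# make_pound_pem KEY CERT CHAIN OUT
# Concatenates the parts in the order OpenSSL reads them, keeps the result
# 0600 (it contains the private key) and checks the PEM block counts.
make_pound_pem() {
    key="$1"; cert="$2"; chain="$3"; out="$4"
    for f in "$key" "$cert" "$chain"; do
        [ -r "$f" ] || { echo "cannot read $f" >&2; return 1; }
    done
    ( umask 077; cat "$cert" "$key" "$chain" > "$out" ) || return 1
    # grep -c exits 1 on zero matches but still prints 0, hence "|| true"
    nkeys=$(grep -c 'BEGIN.*PRIVATE KEY' "$out" || true)
    ncerts=$(grep -c 'BEGIN CERTIFICATE' "$out" || true)
    [ "$nkeys" -eq 1 ] || {
        echo "$out: expected exactly one private key, found $nkeys" >&2; return 1; }
    [ "$ncerts" -ge 2 ] || {
        echo "$out: expected the server cert plus at least one intermediate, found $ncerts" >&2
        return 1; }
    return 0
}

# check_pound_pem OUT
# Confirms the private key in the bundle belongs to the first certificate
# (the server cert) by comparing the public keys derived from each.
# Needs openssl; returns 2 when it is not installed.
check_pound_pem() {
    out="$1"
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found, skipping key check" >&2; return 2; }
    certpub=$(openssl x509 -in "$out" -noout -pubkey 2>/dev/null) || return 1
    keypub=$(openssl pkey -in "$out" -pubout 2>/dev/null) || return 1
    [ -n "$certpub" ] && [ "$certpub" = "$keypub" ]
}

# Usage demo, run with:  POUND_PEM_DEMO=1 sh make_pound_pem.sh
# It generates a throwaway self-signed wildcard key/cert and reuses the cert as a
# stand-in for the intermediate chain, so it works offline (demo material only).
if [ "${POUND_PEM_DEMO:-0}" = 1 ] && command -v openssl >/dev/null 2>&1; then
    d=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=*.mydomain.com' \
        -keyout "$d/wild.key" -out "$d/wild.crt" 2>/dev/null
    cp "$d/wild.crt" "$d/chain.crt"        # stand-in chain for the demo only
    make_pound_pem "$d/wild.key" "$d/wild.crt" "$d/chain.crt" "$d/mydomain.com.pem" \
        && check_pound_pem "$d/mydomain.com.pem" \
        && echo "bundle OK: $d/mydomain.com.pem (copy to /etc/ssl/certs/mydomain.com.pem)"
fi
```

The bundle holds the private key, so keep it root-owned with mode 0600 rather than world-readable like the public certificates usually kept under /etc/ssl/certs; Pound loads it at start-up while still running as root, before switching to the configured User. The key check catches the common mistake of pasting a renewed certificate next to last year's key, which Pound would otherwise only report at start-up.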

Pound is able to handle multiple SSL sites pointing to it because it terminates the whole SSL transaction on its end and then, with the request decrypted, forwards to the respective web server based on the Host header value. This also means that connections from the proxy to the web servers are over plain HTTP and not secure: the backends see only the proxy's address (Pound adds an X-Forwarded-For header so they can still log the real client), and anything on the internal network path can read that traffic. You can use other measures to secure traffic between internal hosts and ease the paranoia.

The diagram below shows the test environment setup:

||-----(192.168.1.5) Proxy.mydomain.com (1.2.3.4) ----- INTERNET
||
||------------- Test1.mydomain.com (192.168.1.11)
||
||------------- Test2.mydomain.com (192.168.1.12)
||
||------------- Test3.mydomain.com (192.168.1.13)

All your external DNS records for Test1, Test2 and Test3 will point to 1.2.3.4. Then either configure your internal DNS or the /etc/hosts file on the proxy to resolve the full domain names to the right internal IPs, so that each site is forwarded to the right web server. Below is a copy of the config file that was used in /etc/pound/pound.cfg.

apt-get install pound
echo "startup=1" > /etc/default/pound
edit /etc/pound/pound.cfg to match the sample below (the Debian/Ubuntu init script refuses to start Pound until startup=1 is set in /etc/default/pound)
service pound start


/etc/pound/pound.cfg sample
## Minimal sample pound.cfg
######################################################################
## global options:
User        "www-data"
Group        "www-data"
#RootJail    "/chroot/pound"
## Logging: (goes to syslog by default)
##    0    no logging
##    1    normal
##    2    extended
##    3    Apache-style (common log format)
LogLevel    1
## check backend every X secs:
Alive        30
## use hardware-acceleration card supported by openssl(1):
#SSLEngine    ""

######################################################################
## listen, redirect and ... to:
## One HTTPS listener on the public address, terminating SSL with the wildcard
## certificate. The Cert file holds the wildcard certificate, its private key and
## the intermediate chain. The Services below are tried in order: the first one
## whose HeadRequire pattern matches the request's Host header is used, and its
## BackEnd is reached over plain HTTP on the internal network.
# Main listening port
ListenHTTPS
  Address 1.2.3.4
  Port    443
  Cert    "/etc/ssl/certs/mydomain.com.pem"


  Service
    HeadRequire "Host:.*test1.mydomain.com.*"
    BackEnd
      Address 192.168.1.11
      Port    80
    End
  End

  Service
    HeadRequire "Host:.*test2.mydomain.com.*"
    BackEnd
      Address 192.168.1.12
      Port    80
    End
  End

  Service
    HeadRequire "Host:.*test3.mydomain.com.*"
    BackEnd
      Address 192.168.1.13
      Port    80
    End
  End
End
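The HeadRequire patterns above are regular expressions, and the way they are written is looser than it looks: an unescaped "." matches any character and nothing anchors the end of the host name, so the first Service also claims any Host value that merely contains something like test1.mydomain.com. The following POSIX shell script, added here and not part of the post or of Pound, reproduces that matching with grep and shows an anchored form of the same patterns next to the original. It assumes Pound applies HeadRequire as a case-insensitive POSIX extended regex to the whole header line (grep -Ei is used to mirror that), and it uses the three host names and backend addresses from the config; the sample Host lines are constructed.

```shell
#!/bin/sh
# Added example: exercise Pound-style HeadRequire patterns against sample Host
# header lines. Assumption: Pound matches HeadRequire as a case-insensitive
# POSIX extended regex against the whole header line, which grep -Ei mirrors.

# host_matches PATTERN LINE -> exit 0 when LINE matches PATTERN
host_matches() {
    pattern="$1"; line="$2"
    printf '%s\n' "$line" | grep -Eiq -- "$pattern"
}

# strict_pattern HOSTNAME -> anchored pattern: that host, optional port, nothing else
strict_pattern() {
    # escape the dots so they match literal dots only
    escaped=$(printf '%s' "$1" | sed 's/\./\\./g')
    printf '^Host: *%s(:[0-9]+)?$' "$escaped"
}

# pick_backend LINE -> first-match routing over the three Services from the
# sample config, using the anchored patterns. Prints the backend address, or
# "none" (exit 1) when no Service matches.
pick_backend() {
    line="$1"
    for entry in \
        "test1.mydomain.com 192.168.1.11" \
        "test2.mydomain.com 192.168.1.12" \
        "test3.mydomain.com 192.168.1.13"; do
        host=${entry%% *}; backend=${entry##* }
        if host_matches "$(strict_pattern "$host")" "$line"; then
            printf '%s\n' "$backend"; return 0
        fi
    done
    printf 'none\n'; return 1
}

# Demo: the page's pattern for test1 next to the anchored one, over constructed
# Host lines. The second and third lines should not reach test1's backend.
loose='Host:.*test1.mydomain.com.*'
for line in 'Host: test1.mydomain.com' \
            'Host: test1.mydomain.com.example.net' \
            'Host: test1-mydomain-com'; do
    if host_matches "$loose" "$line"; then l=match; else l=no; fi
    if host_matches "$(strict_pattern test1.mydomain.com)" "$line"; then s=match; else s=no; fi
    printf '%-40s loose=%-5s strict=%-5s -> backend %s\n' \
        "$line" "$l" "$s" "$(pick_backend "$line")"
done
```

Running the script prints that the loose pattern matches all three lines while the anchored one matches only the first, so only "Host: test1.mydomain.com" is routed to 192.168.1.11. In pound.cfg the anchored form of each line would be HeadRequire "^Host: *test1\.mydomain\.com(:[0-9]+)?$", which still accepts the optional port some clients append; a request whose Host matches none of the Services is then simply not forwarded to any backend.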
