Hello Freja,

The HeadRequire should be what you require for this, but can you send us over a quick example? It may be just your makeup of the required match value.

On 23 October 2015 at 14:37, Freja Borginger <freja.borgin...@portsit.se> wrote:

> Hello,
>
> We’re hosting a bunch of both SSL and non-SSL enabled sites and we’re
> using pound for SSL-termination.
>
> The issue appears when someone visits a non-SSL enabled site by prepending
> https:// to the address.
> I’m expecting a connection reset or similar because this site doesn’t have
> SSL to begin with.
> But instead of that I get “This is an untrusted connection” in the browser
> and I see that pound serves up the first certificate it specified in the
> configuration.
>
> I tried adding HeadRequire in the Service section of the HTTPS section
> with all the SSL-enabled sites only, but it didn’t work as expected.
> If I understand it correctly those headers are sent encrypted, so they’re
> only sent after the encrypted connection has been fully established, and
> then it’s too late.
>
> I suppose this could only be done during the SNI negotiation phase when
> the server name is sent by the browser. Then I’d guess pound would check if
> the sent server name has a certificate. If it doesn’t then a connection
> reset or similar should happen.
>
> How would I achieve this? Or am I missing something?
>
> Thanks
>
> Freja Borginger
> IT

--
With Kind Regards.

Scott McKeown
Loadbalancer.org
http://www.loadbalancer.org
Tel (UK) - +44 (0) 3303801064 (24x7)
Tel (US) - +1 888.867.9504 (Toll Free)(24x7)