User "www-data" Group "www-data" LogLevel 1 Alive 30
ListenHTTPS Address 0.0.0.0 Port 443 HeadRemove "X-Forwarded-Proto" AddHeader "X-Forwarded-Proto: https" Disable SSLv3 Disable SSLv2 Cert "/etc/pound/www.1.se.pem" Cert "/etc/pound/www.2.se.pem" Cert "/etc/pound/www.3.se.pem" VerifyList "/etc/pound/ssl.pem" Ciphers "AES+kEDH:AESGCM+kEDH:ECDHE-RSA:ECDHE-ECDSA:ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS" SSLHonorCipherOrder 1 Service HeadRequire “Host:.*(www.1.se|www.2.se|www.3.se).*” BackEnd Address 127.0.0.1 Port 80 End End End From: Scott McKeown [mailto:sc...@loadbalancer.org] Sent: den 23 oktober 2015 16:16 To: Pound Mailing List <pound@apsis.ch> Subject: Re: [Pound Mailing List] Connection reset on non-SSL sites instead of presenting first SSL mentioned in configuration Hello Freja, The HeadRequire should be what you require for this but can you send us over a quick example it maybe just your make up of the required match value. On 23 October 2015 at 14:37, Freja Borginger <freja.borgin...@portsit.se<mailto:freja.borgin...@portsit.se>> wrote: Hello, We’re hosting a bunch of both SSL and non-SSL enabled sites and we’re using pound for SSL-termination. The issue appears when someone visits a non-SSL enabled site by prepending https:// to the address. I’m expecting a connection reset or similar because this site doesn’t have SSL to begin with. But instead of that I get “This is an untrusted connection” in the browser and I see that pound serves up the first certificate it specified in the configuration. I tried adding HeadRequire in the Service section of the HTTPS section with all the SSL-enabled sites only, but it didn’t work as expected. If I understand it correctly those headers are sent encrypted, so they’re only sent after the encrypted connection has been fully established, and then it’s too late. I suppose this could only be done during the SNI negotiation phase when the server name is sent by the browser. Then I’d guess pound would check if the sent server name has a certificate. If it doesn’t then a connection reset or similar should happen. How would I achieve this? Or am I missing something? Thanks Freja Borginger IT -- With Kind Regards. Scott McKeown Loadbalancer.org http://www.loadbalancer.org Tel (UK) - +44 (0) 3303801064 (24x7) Tel (US) - +1 888.867.9504 (Toll Free)(24x7)