Freja,
There's not much you can do here. SSL binds on the port explicitly and
handles all traffic, unless you use the SSL name protocol (SNI). It sounds
like you don't want that.
So the "Head Require" in an HTTPS rule set is just perfunctory. It really
has no control over connections. SSL is a blind tunneling protocol and if
someone connects to port 443 they will get whatever is there, regardless of
their host header. Pound will reject non-matching host headers, if they are
present. You might find some older browsers that do not send that host
header in SSL.
Either you will have to constrain your Head Require rules in the HTTPS rules
to explicitly enumerate the https-allowed hosts, or you will need to change
the backends to check their host headers and reject.
The regex rules should always start with "^" and end with "$". These are the
start and end indicators in Regex speak. Otherwise, your rules will match
anywhere in the host header string, such as
http://i.like.to.eat.zombie.flesh.www.1.se.fred.flintstone.and.barney.are.lovers,
or even this: http://i.like.to.spewww.1.see.in.the.dark

-- jake
From: Freja Borginger [mailto:freja.borgin...@portsit.se]
Sent: Friday, October 23, 2015 6:38 AM
To: pound@apsis.ch
Subject: [Pound Mailing List] Connection reset on non-SSL sites instead of
presenting first SSL mentioned in configuration
Hello,
We're hosting a bunch of both SSL and non-SSL enabled sites and we're using
pound for SSL-termination.
The issue appears when someone visits a non-SSL enabled site by prepending
https:// to the address.

I'm expecting a connection reset or similar because this site doesn't have
SSL to begin with.

But instead of that I get "This is an untrusted connection" in the browser
and I see that pound serves up the first certificate it specified in the
configuration.
I tried adding HeadRequire in the Service section of the HTTPS section with
all the SSL-enabled sites only, but it didn't work as expected.

If I understand it correctly those headers are sent encrypted, so they're
only sent after the encrypted connection has been fully established, and
then it's too late.
I suppose this could only be done during the SNI negotiation phase when the
server name is sent by the browser. Then I'd guess pound would check if the
sent server name has a certificate. If it doesn't then a connection reset or
similar should happen.
How would I achieve this? Or am I missing something?
Thanks
Freja Borginger

IT