Your own link provided the solution. https://serverfault.com/questions/886583/how-to-configure-pound-proxy-to-pass-requests-to-well-known-directory
Which is pretty close to what I already posted, for nginx, and for pound.

And yes, passing requests directly to a backend server is… exactly… what pound.. does…. Sooo…

Again, not really seeing the problem. Not sure what else you’re looking for.

If Apache and Pound are on the same system, then you’re probably just using pound to redirect ports 80+443 to apache – sooo, there’s no problem. Pound will redirect ALL requests, including .well-known. Just leave your HTTPS listener out of the config until you actually have a certificate to use, make sure the letsencrypt tool is writing into the webroot/.well-known/ folder, and you’re good to go.

If Apache and Pound aren’t on the same system, then you shouldn’t be running letsencrypt on the apache server, you should be running it on the POUND server, because that’s where the certificate needs to be. In which case you configure pound to pass .well-known to a webserver, or the --standalone mode of the letsencrypt tool, running ON the pound server, to handle the challenge.

Unless you’re doing https -> pound -> https -> apache in which case you need multiple certificates, only one of which needs to be publicly trusted.

------
Joe

On 12/5/17, 9:17 PM, "Alan" <[email protected]> wrote:

I can't just forward this as the system where we are trying Pound on requests Let's Encrypt certificate at early stages during creation of virtual server on port 80 and naturally doesn't find anything there, because Apache listens to port 8080. And in our case it is possible to create entries in the Pound configuration file and restart it only after Let's Encrypt certificate is requested.
And, unfortunately, Let's Encrypt always looks for verification file at port 80 like, for example:

http://sub.mydomain.com/.well-known/acme-challenge/h5_NnrfdAhQoHdNUsA36cFsnM7E469FM-EZwltWFzqw

It is not possible for us to make Let's Encrypt to look for verification file at

http://sub.mydomain.com:8080/.well-known/acme-challenge/h5_NnrfdAhQoHdNUsA36cFsnM7E469FM-EZwltWFzqw

So it would be wonderful if Pound allowed just passing requests to .well-known directly to Apache. At least that's how it's done on nginx according to the accepted answers on https://serverfault.com/questions/768509/lets-encrypt-with-an-nginx-reverse-proxy or https://serverfault.com/questions/886583/how-to-configure-pound-proxy-to-pass-requests-to-well-known-directory.

OR you can take a look at the relevant discussion and offered solutions on the Let's Encrypt website for nginx on https://community.letsencrypt.org/t/404-on-well-known-acme-challenge/15565/15

Unfortunately, there is no solution offered for Pound. There could be lots of other use cases when bypassing is preferable, so I really hope Pound can do that.

On Tue, Dec 5, 2017 at 3:15 PM, Joe Gooch <[email protected]> wrote:

> Pound doesn’t have its own web server – you can’t give it a folder to read static files from.
>
> You are correct that you can define some error templates, which it outputs verbatim to the stream..
>
> If you wanted to be tricky I guess you could define a service with no backends, and then repurpose the 503 error response.
>
> Or you run the letsencrypt client itself on port 81, and just leave the backend running. (--standalone mode?)
>
> ------
> Joe
>
> From: Christian COMMARMOND <[email protected]>
> Reply-To: "[email protected]" <[email protected]>
> Date: Tuesday, December 5, 2017 at 6:05 PM
> To: "[email protected]" <[email protected]>
> Subject: Re: [Pound Mailing List] How to configure Pound proxy to pass requests to .well-known directory?
>
> Following Joe's advice,
>
> I did not install apache or nginx on the pound server... It itself is able to serve its own error page... So, I am quite sure that the server has the minimum needed to serve the .well_known files.
>
> (At least, I don't remember...)
>
> Best regards to all.
>
> On Dec 5, 2017 23:38, "Joe Gooch" <[email protected]> wrote:
>
> I’m not sure I understand the problem.
>
> You can do any number of URL based redirects to whatever ports you wish.
>
> Why isn’t a forward to apache sufficient for your needs? Let's Encrypt just needs a file in that folder, correct?
>
> Another option is to run a local webserver (nginx, etc) on the pound server, on a separate port (i.e. 81), and redirect .well-known URLS to that server. (So you can run the perl script, or whatever)
>
> ------
> Joe
>
> On 12/5/17, 4:14 PM, "Alan" <[email protected]> wrote:
>
> Hi,
>
> I've posted my question on
>
> https://serverfault.com/questions/886583/how-to-configure-pound-proxy-to-pass-requests-to-well-known-directory,
> however it seems not many people are well familiar with Pound, so I've found out I needed to subscribe to this mailing list to get support.
>
> We have Apache running behind Pound and so we are having troubles with Let's Encrypt requests and renewals, and need to pass requests to the .well-known directory and its sub-directories directly to Apache port.
>
> Could anyone explain how to do this on Pound? Thanks!
>
> --
> To unsubscribe send an email with subject unsubscribe to [email protected].
> Please contact [email protected] for questions.
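
The routing discussed in this thread, written out as an added example (not part of the original messages and not taken from the Pound documentation): a Pound 2.x listener on port 80 that hands ACME challenge requests to a backend before any other service is tried. The loopback addresses are assumptions; port 8080 is the Apache port Alan mentions and port 81 is the one Joe suggests.

```conf
# Added example, not from the thread. Assumed: Pound and Apache share a host
# and Apache listens on 127.0.0.1:8080.

ListenHTTP
    Address 0.0.0.0
    Port    80

    # Services are tried in order and the first matching URL pattern wins,
    # so the challenge route goes first. The pattern is limited to the
    # acme-challenge subtree rather than all of /.well-known/.
    Service
        URL "^/[.]well-known/acme-challenge/"
        BackEnd
            Address 127.0.0.1
            Port    8080    # Apache serves <webroot>/.well-known/acme-challenge/
        End
    End

    # All other plain-HTTP requests (same backend in this sketch).
    Service
        BackEnd
            Address 127.0.0.1
            Port    8080
        End
    End
End

# Variant when Pound runs on its own host (Joe's suggestion): keep the URL
# pattern above, but point that BackEnd at a responder on the Pound host,
# for example the client's --standalone mode listening on port 81:
#
#        BackEnd
#            Address 127.0.0.1
#            Port    81
#        End
#
# Per Joe's advice, add the ListenHTTPS block only once the certificate
# file it refers to has been issued.
```

Because the challenge route lives in the port 80 listener, it can be in place before the first certificate is requested and does not need to change at renewal time.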
