7

After reading on the Pound website that SSL does not support virtual host names, this in fact seems quite straightforward and obvious to me now. I have a Pound load-balancer I wish to terminate SSL connections with. If a web server behind it runs multiple sites based on host name, can I configure Pound to use multiple SSL certificates for these different hosts?

The only way to do this I can think of, is to assign another IP to the load balancer for each site that wants to use SSL, and configure a certificate for that IP & port combination for a specific site.

Is anyone doing this? Would this work?

UPDATE

Ideally, if anyone can share a config example that would be the best solution so I can read about it. Thank you.

jwbensley
  • Not tried it myself but cannot see why it would not work with either a second IP or listening on a different port. – boburob Oct 11 '12 at 13:03
  • I don't want to go the different port route really though, because that won't work with people entering the custom URL. But thanks for the input though. Two heads are better than one! – jwbensley Oct 11 '12 at 13:29
  • Can you post your config please! If you are using only 1 IP!? Many thanks! GW – gwegl Sep 22 '16 at 11:30

2 Answers

11

Looks like I was being too eager and not doing enough research before posting here. As Pound supports SSL SNI (for SSLv3), I can simply use multiple "Cert" statements to specify multiple certificate files and Pound will select the appropriate one for the incoming request.

[If a request comes into Pound over SSL for a domain that I am not hosting and thusly don't have a certificate for, Pound (for me at least) is just using the first cert in the list which causes the browser to show an SSL error].

SNI is supported by most modern browsers. In the last quarter of 2012, I don't think there are too many IE 5 & 6 users, for example, still around ;)

This is a sample basic config that works for me:

ListenHTTPS
    Address my.public.facing.ip
    Port    443
    Cert    "/etc/ssl/certs/www.sslsite1.com.pem"
    Cert    "/etc/ssl/certs/www.sslsite2.com.pem"

    Service
        BackEnd
            Address 192.168.0.10 # A web server IP
            Port    80
        End
    End
End
jwbensley
1

I have Pound serving several different SSL websites; just use a separate ListenHTTPS for each different site, that's all.

alexus