Wrapping HTTP servers with SSL
Posted by Steve on Mon 14 Jan 2013 at 22:29
There are many times when you wish to add SSL around an existing HTTP server. If you were running Apache you'd do that directly, but if you're running a node.js application, a Varnish cache, or other software you might be out of luck. Happily, wrapping SSL around an HTTP server is simple with pound.
We've looked at pound in the past, for load-balancing purposes, and load-balancing isn't the only thing you can do with it. Adding SSL support to an existing server is a very simple process too.
To get started you'll need to install the software:
# aptitude update
# aptitude install pound
Once installed you should edit the file /etc/default/pound to mark the service as startable. Then we need to configure the server to actually do something useful. The main configuration file is /etc/pound/pound.cfg.
This is the most basic setup you could configure:
User "www-data"
Group "www-data"
LogLevel 1
Alive 5
Control "/var/run/pound/poundctl.socket"

ListenHTTPS
  Address 0.0.0.0
  Port 443
  Cert "/etc/pound/ssl.pem"
  xHTTP 0

  Service
    BackEnd
      Address 127.0.0.1
      Port 80
    End
  End
End
This configures pound to listen on port 443, on all IP addresses, and forward the requests it receives to the webserver running on 127.0.0.1:80.
The only part you are liable to need to adjust is the path to the SSL certificate and key - in the example above we used /etc/pound/ssl.pem. You will need to point it at a single file containing your key and certificate (and, optionally, the intermediate certificate bundle) combined.
A valid SSL file will look something like this, and should only be readable by the root user:
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----
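Because the combined file holds the private key, it is worth checking both its layout and its permissions before pointing the Cert directive at it. The following script is an added example, not part of the original article or of pound itself; it assumes the one-certificate-plus-one-key layout shown above and uses constructed placeholder PEM blocks (not a real certificate or key) to demonstrate itself.

```python
#!/usr/bin/env python3
"""Sanity-check the combined certificate+key file pound's Cert directive points at."""
import os
import re
import stat
import tempfile

# One PEM block: a BEGIN label, a body, and the matching END label.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\n.*?-----END \1-----", re.S)


def check_pem_file(path, expected_uid=0):
    """Return a list of problems with the file at `path` (an empty list means OK).

    Checks that the file is owned by `expected_uid` (root in production), that no
    group/other permission bits are set, and that it contains at least one
    CERTIFICATE block and exactly one PRIVATE KEY block.
    """
    problems = []
    st = os.stat(path)
    if st.st_uid != expected_uid:
        problems.append("owner uid %d, expected %d" % (st.st_uid, expected_uid))
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("readable by group/other (mode %04o)" % stat.S_IMODE(st.st_mode))
    with open(path) as fh:
        kinds = PEM_BLOCK.findall(fh.read())  # e.g. ['CERTIFICATE', 'RSA PRIVATE KEY']
    if "CERTIFICATE" not in kinds:
        problems.append("no CERTIFICATE block")
    n_keys = sum(1 for k in kinds if k.endswith("PRIVATE KEY"))
    if n_keys != 1:
        problems.append("expected exactly one PRIVATE KEY block, found %d" % n_keys)
    return problems


# Constructed placeholders: only the PEM framing, not a real certificate or key.
GOOD_PEM = ("-----BEGIN CERTIFICATE-----\nMIIB...placeholder...\n-----END CERTIFICATE-----\n"
            "-----BEGIN RSA PRIVATE KEY-----\nMIIE...placeholder...\n-----END RSA PRIVATE KEY-----\n")
CERT_ONLY_PEM = "-----BEGIN CERTIFICATE-----\nMIIB...placeholder...\n-----END CERTIFICATE-----\n"


def demo():
    """Write a correct file (mode 0600) and a broken one (world-readable, key missing)
    into a temporary directory and return the check results for both."""
    with tempfile.TemporaryDirectory() as tmp:
        good, bad = os.path.join(tmp, "ssl.pem"), os.path.join(tmp, "bad.pem")
        for name, body, mode in ((good, GOOD_PEM, 0o600), (bad, CERT_ONLY_PEM, 0o644)):
            with open(name, "w") as fh:
                fh.write(body)
            os.chmod(name, mode)
        uid = os.getuid()  # the demo files are owned by whoever runs it, not necessarily root
        return check_pem_file(good, uid), check_pem_file(bad, uid)


if __name__ == "__main__":
    print(demo())
```

Run `check_pem_file("/etc/pound/ssl.pem")` as root against the real file; the default `expected_uid=0` is the production check.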
If you prefer you can address your requests to a server on its external address, or even to multiple servers, one Service block per target (pound tries Service blocks in order, so a later Service is only reached when an earlier one has a matching rule that does not apply; to spread load across several servers you would instead list several BackEnd blocks inside one Service):
..
    BackEnd
      Address 127.0.0.1
      Port 80
    End
  End
  Service
    BackEnd
      Address 127.0.0.1
      Port 81
    End
  End
..
Using pound this way is very simple, but you might consider a more heavyweight approach in the future:
- Apache, lighttpd, and nginx each allow you to do something similar.
- You could also combine SSL with caching - something that pound avoids.
Still, despite its simplicity, using pound in this fashion is painless, quick, and simple to set up.
Debian also (now) has stud for handling the same situation, high performance termination of SSL connections for http servers. stud also supports passing the IP address to haproxy using their "proxy" protocol.
A quick look around suggests that all these can handle fairly meaty workloads, but those trying to scale it to large numbers are preferring patched versions of stud. I look forward to having enough traffic to have to worry about such things.
One problem with this is that everything then shows up in your logs as being from "localhost". This can be worked around with some pound settings to remove existing X-Forwarded-For headers, or to add to an existing one, and then you need to get Apache (or Node.js or whatever you're pointing at for the back-end web server) to log this as well as the normal items in the web logs.
I can't remember the settings for this 100%, but I thought it was worth pointing out!