Wrapping HTTP servers with SSL

Posted by Steve on Mon 14 Jan 2013 at 22:29


There are many times when you wish to add SSL around an existing HTTP server. If you were running Apache you'd do that directly, but if you're running a node.js application, a Varnish cache, or other software you might be out of luck. Happily, wrapping SSL around an HTTP server is simple with pound.

We've looked at pound in the past, for load-balancing purposes, and load-balancing isn't the only thing you can do with it. Adding SSL support to an existing server is a very simple process too.

To get started you'll need to install the software:

# aptitude update
# aptitude install pound

Once installed you should edit the file /etc/default/pound to mark the service as startable. Then we need to configure the server to actually do something useful. The main configuration file is /etc/pound/pound.cfg.

This is the most basic setup you could configure:

User            "www-data"
Group           "www-data"
LogLevel        1
Alive           5
Control         "/var/run/pound/poundctl.socket"

ListenHTTPS
        Address 0.0.0.0
        Port    443
        Cert    "/etc/pound/ssl.pem"
        xHTTP   0
        Service
                BackEnd
                        Address 127.0.0.1
                        Port    80
                End
        End
End

This configures pound to listen on port 443, on all IP addresses, and forward the requests it receives to the webserver running on 127.0.0.1:80.

The only part you are liable to need to adjust is the path to the SSL certificate and key; in the example above we used /etc/pound/ssl.pem. You will need to point this at your combined key and certificate (and optional bundle).

A valid SSL file will look something like this and should only be readable by the root user:

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----
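As an added example (not part of the original article), here is a small Python script that checks a combined pound certificate file against the requirements just described: owned by root and unreadable by anyone else, containing a certificate block and exactly one private-key block, with a key that actually belongs to the certificate. The last check simply asks the standard library's ssl module to load the file, which refuses a mismatched or unparsable pair. The file name and the placeholder PEM contents in demo() are constructed for the demonstration; on a real system point check_pem_layout() and key_matches_cert() at /etc/pound/ssl.pem.

```python
import os
import re
import ssl
import stat
import tempfile

# Block markers a combined pound certificate file must contain.
CERT_RE = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)
KEY_RE = re.compile(
    r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----.*?-----END (?:RSA |EC )?PRIVATE KEY-----", re.S
)

# Constructed placeholder: not a real certificate or key, only the PEM layout.
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n"
    "-----BEGIN RSA PRIVATE KEY-----\nBBBB\n-----END RSA PRIVATE KEY-----\n"
)


def check_pem_layout(path, expected_uid=0):
    """Return a list of problems with the combined cert/key file (empty = fine).

    Checks ownership (root by default), that group/other have no access bits,
    and that at least one certificate and exactly one private key are present.
    """
    problems = []
    st = os.stat(path)
    if st.st_uid != expected_uid:
        problems.append("not owned by uid %d" % expected_uid)
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("readable or writable by group/other (expected 0600)")
    with open(path) as fh:
        text = fh.read()
    if not CERT_RE.search(text):
        problems.append("no certificate block")
    nkeys = len(KEY_RE.findall(text))
    if nkeys != 1:
        problems.append("expected exactly one private key block, found %d" % nkeys)
    return problems


def key_matches_cert(path):
    """True if ssl can load the file as a cert chain whose key matches the cert.

    load_cert_chain() raises ssl.SSLError for a key/certificate mismatch as
    well as for unparsable PEM, so False covers both cases.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.load_cert_chain(path)
    except ssl.SSLError:
        return False
    return True


def demo():
    """Write the placeholder file and run the checks at two permission settings."""
    path = os.path.join(tempfile.mkdtemp(), "ssl.pem")
    with open(path, "w") as fh:
        fh.write(SAMPLE_PEM)
    me = os.getuid()  # the demo is not run as root, so expect our own uid
    os.chmod(path, 0o644)
    loose = check_pem_layout(path, expected_uid=me)
    os.chmod(path, 0o600)
    tight = check_pem_layout(path, expected_uid=me)
    # The placeholder is not real key material, so the ssl load must fail.
    return {"loose": loose, "tight": tight, "key_matches": key_matches_cert(path)}


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        target = sys.argv[1]
        print(target, check_pem_layout(target) or "layout ok",
              "key matches cert" if key_matches_cert(target) else "KEY/CERT MISMATCH")
    else:
        print(demo())
```

Run it with the path of the real file as the first argument; with no argument it exercises the placeholder, where the permission check flags the 0644 file and the key check reports a mismatch because the contents are not genuine.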

If you prefer, you can direct your requests to a server on its external address, or even to multiple servers:

..
        Service
                BackEnd
                        Address 127.0.0.1
                        Port    80
                End
                BackEnd
                        Address 127.0.0.1
                        Port    81
                End
        End
..

Using pound this way is very simple, but you might consider a more heavyweight approach in the future:

  • apache, lighttpd, & nginx each allow you to do something similar.
  • You could also combine SSL with caching - something that pound avoids.

Still, using pound in this fashion is painless, quick, and simple to set up.

Posted by legooolas (137.222.xx.xx) on Tue 15 Jan 2013 at 10:38
> [pound to redirect https (443) to localhost http (80)]

One problem with this is that everything then shows up in your logs as being from "localhost". This can be worked around with some pound settings to remove existing X-forwarded-for headers, or to add to an existing one, and then you need to get Apache (or Node.js or whatever you're pointing at for the back-end web-server) to log this as well as the normal items in the web logs.

I can't remember 100% the settings for this, but I thought it is worth pointing out!

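As an added example (not the commenter's code), here is a Python snippet showing how to recover the real client address from back-end logs once pound sits in front. It assumes Apache is logging with the combined format plus %{X-Forwarded-For}i as a final quoted field, and that pound, connecting from 127.0.0.1 as in the article's configuration, is the only proxy in the path. The rule it applies is the defensive one: consult X-Forwarded-For only when the TCP peer is the trusted proxy, and then take the rightmost entry, which is the address pound itself appended; anything to the left of it arrived inside the request and can say whatever the sender likes. If pound is told to strip incoming X-Forwarded-For headers (its HeadRemove directive), the header holds a single entry and the same rule still applies. The log lines are constructed with RFC 5737 documentation addresses.

```python
import re
from collections import Counter

# Apache "combined" format with %{X-Forwarded-For}i appended as a final quoted field, i.e.
# LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" \"%{X-Forwarded-For}i\""
LOG_RE = re.compile(
    r'^(?P<peer>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" "(?P<xff>[^"]*)"$'
)

# Addresses pound connects from in the article's setup (backend on 127.0.0.1:80).
TRUSTED_PROXIES = frozenset({"127.0.0.1", "::1"})

# Constructed sample lines, not real traffic.
SAMPLE_LOG = [
    '127.0.0.1 - - [15/Jan/2013:10:38:01 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/7.26.0" "203.0.113.7"',
    '127.0.0.1 - - [15/Jan/2013:10:38:02 +0000] "GET /admin HTTP/1.1" 403 199 "-" "Mozilla/5.0" "198.51.100.9, 203.0.113.7"',
    '127.0.0.1 - - [15/Jan/2013:10:38:03 +0000] "GET /health HTTP/1.1" 200 2 "-" "check" "-"',
    '192.0.2.5 - - [15/Jan/2013:10:38:04 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0" "203.0.113.7"',
]


def client_ip(line, trusted=TRUSTED_PROXIES):
    """Recover the client address for one log line, or None if it does not parse.

    X-Forwarded-For is only believed when the TCP peer (%h) is a trusted proxy,
    and then only its rightmost entry: that is the address the proxy saw and
    appended itself. Entries further left were supplied by the sender.
    """
    m = LOG_RE.match(line)
    if not m:
        return None
    peer, xff = m.group("peer"), m.group("xff")
    if peer not in trusted or xff in ("", "-"):
        return peer
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    return hops[-1] if hops else peer


def requests_per_client(lines):
    """Count requests by recovered client address, skipping unparsable lines."""
    return Counter(ip for ip in map(client_ip, lines) if ip)


if __name__ == "__main__":
    for ip, n in requests_per_client(SAMPLE_LOG).most_common():
        print(ip, n)
```

On the sample, the second line resolves to 203.0.113.7 rather than the sender-supplied 198.51.100.9, the health check with no header stays attributed to 127.0.0.1, and the fourth line, which did not arrive via pound, keeps its peer address and ignores the header entirely.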

Posted by simonw (84.45.xx.xx) on Fri 18 Jan 2013 at 09:43
stunnel is a generic https tunnel terminator; it supports a proxy mode where the IP address is forwarded for use with haproxy.

Debian also (now) has stud for handling the same situation, high performance termination of SSL connections for http servers. stud also supports passing the IP address to haproxy using their "proxy" protocol.

A quick look around suggests that all these can handle fairly meaty workloads, but those trying to scale it to large numbers are preferring patched versions of stud. I look forward to having enough traffic to have to worry about such things.

