Wrapping HTTP servers with SSL
Posted by Steve on Mon 14 Jan 2013 at 22:29
There are many occasions when you want to add SSL in front of an existing HTTP server. If you were running Apache you'd do that directly, but if you're running a node.js application, a Varnish cache, or some other piece of software you might be out of luck. Happily, wrapping SSL around an HTTP server is simple with pound.
We've looked at pound in the past for load-balancing purposes, but load-balancing isn't the only thing you can do with it. Adding SSL support to an existing server is a very simple process too.
To get started you'll need to install the software:
# aptitude update
# aptitude install pound
Once installed you should edit the file /etc/default/pound to mark the service as startable (the Debian package ships with startup=0; change it to startup=1). Then we need to configure the server to actually do something useful. The main configuration file is /etc/pound/pound.cfg.
This is the most basic setup you could configure:
User      "www-data"
Group     "www-data"
LogLevel  1
Alive     5
Control   "/var/run/pound/poundctl.socket"

ListenHTTPS
    Address 0.0.0.0
    Port    443
    Cert    "/etc/pound/ssl.pem"
    xHTTP   0

    Service
        BackEnd
            Address 127.0.0.1
            Port    80
        End
    End
End
This configures pound to listen on port 443, on all IP addresses, and forward the requests it receives to the webserver running on 127.0.0.1:80. pound runs as the User and Group given at the top, checks each backend every Alive seconds and stops sending traffic to one that is down, and with xHTTP 0 accepts only plain GET, POST and HEAD requests. Two things to keep in mind: pound terminates the SSL connection, so your backend sees an ordinary HTTP request arriving from 127.0.0.1 and must read the client's real address from the X-Forwarded-For header pound adds, rather than from the socket; and nothing in this configuration stops port 80 from being reached directly, so bind the backend to localhost or firewall it if SSL is meant to be the only way in.
The only part you are likely to need to adjust is the path to the SSL certificate and key; in the example above we used /etc/pound/ssl.pem. Point it at a single file that contains your certificate, any intermediate bundle your issuer supplied, and the matching private key.
A valid file looks something like this, with the certificate before the key. It should be readable only by root (mode 0600): pound opens it at startup, before dropping privileges to the User and Group from the configuration, so www-data never needs to read it.
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----
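As an added example, not part of the original article or of pound itself: a small POSIX shell helper that assembles the combined file in the order shown above (certificate, optional chain, then key), locks it down to root, and checks the result before you point the Cert directive at it. The paths under /etc/ssl are assumptions; substitute your own.

```shell
#!/bin/sh
# Added example: build and sanity-check the combined PEM file that pound's
# "Cert" directive expects. Not from the original article; the /etc/ssl
# paths in the usage section are assumptions.

# make_pound_pem KEY CERT OUT [CHAIN]
# Writes certificate, optional intermediate bundle, then private key, and
# leaves the result readable only by root (pound reads it before dropping
# to its User/Group, so nobody else needs access).
make_pound_pem() {
    key=$1 cert=$2 out=$3 chain=${4:-}
    ( umask 077
      { cat "$cert"
        if [ -n "$chain" ]; then cat "$chain"; fi
        cat "$key"
      } > "$out" ) || return 1
    chmod 600 "$out"
}

# check_pound_pem FILE
# Structural checks: a certificate block present and placed before the
# private key, a private key present, and no group/world read permission.
check_pound_pem() {
    file=$1
    cert_line=$(grep -n -m1 -- '-----BEGIN CERTIFICATE-----' "$file" | cut -d: -f1)
    key_line=$(grep -n -m1 -E -- '-----BEGIN (RSA |EC )?PRIVATE KEY-----' "$file" | cut -d: -f1)
    if [ -z "$cert_line" ]; then echo "$file: no certificate block" >&2; return 1; fi
    if [ -z "$key_line" ];  then echo "$file: no private key block" >&2; return 1; fi
    if [ "$cert_line" -gt "$key_line" ]; then
        echo "$file: private key appears before the certificate" >&2; return 1
    fi
    # GNU stat first, BSD stat as fallback
    mode=$(stat -c %a "$file" 2>/dev/null || stat -f %Lp "$file")
    case $mode in
        600|400) ;;
        *) echo "$file: mode $mode, expected 600 (readable only by root)" >&2; return 1 ;;
    esac
}

# pem_key_matches_cert FILE
# Confirms the key and certificate belong together by comparing the public
# key embedded in the certificate with the one derived from the private key.
# Works for RSA and EC keys; needs openssl on the machine.
pem_key_matches_cert() {
    file=$1
    cert_pub=$(openssl x509 -in "$file" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$file" -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# Usage (as root): build /etc/pound/ssl.pem, verify it, then have pound
# parse its configuration without starting (pound -c).
if [ "${1:-}" = "build" ]; then
    make_pound_pem /etc/ssl/private/example.key /etc/ssl/certs/example.crt \
        /etc/pound/ssl.pem /etc/ssl/certs/example-chain.crt \
    && check_pound_pem /etc/pound/ssl.pem \
    && pem_key_matches_cert /etc/pound/ssl.pem \
    && pound -c -f /etc/pound/pound.cfg \
    && echo "ok: /etc/pound/ssl.pem and pound.cfg look sane"
fi
```

Run it as `sh build-pound-pem.sh build` after installing the certificate; the key-matching step catches the common mistake of pairing a renewed certificate with last year's key, and `pound -c` catches configuration typos before `service pound restart` takes the site down.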
If you prefer, you can send requests to a server on its external address, or even to multiple servers. Listing more than one BackEnd inside a Service makes pound distribute requests between them (round-robin by default), skipping any backend that fails the Alive check:
..
    Service
        BackEnd
            Address 127.0.0.1
            Port    80
        End
        BackEnd
            Address 127.0.0.1
            Port    81
        End
    End
..
Using pound this way is very simple, but you might consider a more heavyweight approach in the future:
- apache, lighttpd, & nginx each allow you to do something similar.
- You could also combine SSL termination with caching, which pound does not do; it is purely a proxy.
Still, using pound in this fashion is painless, quick, and simple to set up.