Wrapping HTTP servers with SSL

Posted by Steve on Mon 14 Jan 2013 at 22:29

There are many times when you wish to add SSL around an existing HTTP server. If you were running Apache you would do that directly in Apache itself, but if you're running a node.js application, a Varnish cache, or other software, you might be out of luck. Happily, wrapping SSL around an HTTP server is simple with pound.

We've looked at pound in the past, for load-balancing purposes, and load-balancing isn't the only thing you can do with it. Adding SSL support to an existing server is a very simple process too.

To get started you'll need to install the software:

# aptitude update
# aptitude install pound

Once installed you should edit the file /etc/default/pound to mark the service as startable. Then we need to configure the server to actually do something useful. The main configuration file is /etc/pound/pound.cfg.

This is the most basic setup you could configure:

User            "www-data"
Group           "www-data"
LogLevel        1
Alive           5
Control         "/var/run/pound/poundctl.socket"

ListenHTTPS
        Address 0.0.0.0
        Port    443
        Cert    "/etc/pound/ssl.pem"
        xHTTP   0
        Service
                BackEnd
                        Address 127.0.0.1
                        Port    80
                End
        End
End

This configures pound to listen on port 443, on all IP addresses, and forward the requests it receives to the webserver running on 127.0.0.1:80.

The only part you are liable to need to adjust is the path to the SSL certificate and key - in the example above we used /etc/pound/ssl.pem. You will need to point it at your combined key, certificate (and optional CA bundle) file.

A valid SSL file will look something like this, and should be readable only by the root user:

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----
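As an added check for the combined file described above (example code written for this article, not part of pound), the script below reads a PEM file, confirms it holds a certificate followed by exactly one private key, and confirms it is owned by root with no group/other permission bits. The expected mode 0600 and owner uid 0 are assumptions that follow from "readable only by the root user"; the sample PEM it carries is constructed placeholder text, not real key material.

```python
import os
import re
import stat

# Matches one PEM block and captures its label (e.g. "CERTIFICATE", "RSA PRIVATE KEY").
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\r?\n.*?\r?\n-----END \1-----", re.S)

# Constructed sample in the layout the article shows: certificate first, then key.
# The body lines are placeholders, not real certificate or key material.
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\nQ0VSVC1QTEFDRUhPTERFUg==\n-----END CERTIFICATE-----\n"
    "-----BEGIN RSA PRIVATE KEY-----\nS0VZLVBMQUNFSE9MREVS\n-----END RSA PRIVATE KEY-----\n"
)

def pem_block_types(text):
    """Return the labels of the PEM blocks in the order they appear in the file."""
    return [m.group(1) for m in PEM_BLOCK.finditer(text)]

def audit_pem(text, mode, uid):
    """Check the contents and permissions of a combined pound certificate file.

    mode is the file's permission bits (e.g. 0o600) and uid its owner.
    Returns a list of problems; an empty list means the file passes."""
    problems = []
    if mode & 0o077:  # any read/write/execute bit for group or others (assumed policy: 0600)
        problems.append("readable by group/others (mode %o), expected 0600" % mode)
    if uid != 0:      # assumed policy: the file belongs to root
        problems.append("not owned by root (uid %d)" % uid)
    types = pem_block_types(text)
    certs = [i for i, t in enumerate(types) if t == "CERTIFICATE"]
    keys = [i for i, t in enumerate(types) if t.endswith("PRIVATE KEY")]
    if not certs:
        problems.append("no CERTIFICATE block found")
    if len(keys) != 1:
        problems.append("expected exactly one PRIVATE KEY block, found %d" % len(keys))
    elif certs and keys[0] < certs[0]:
        problems.append("private key appears before the server certificate")
    return problems

def check_pound_pem(path):
    """Run audit_pem on a file on disk, e.g. /etc/pound/ssl.pem."""
    st = os.stat(path)
    with open(path) as f:
        return audit_pem(f.read(), stat.S_IMODE(st.st_mode), st.st_uid)

if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    problems = check_pound_pem(path) if path else audit_pem(SAMPLE_PEM, 0o600, 0)
    print("OK" if not problems else "\n".join(problems))
```

Run it with the path to your own file as the first argument; with no argument it audits the built-in constructed sample.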

If you prefer, you can direct requests to a server on its external address, or even to multiple servers, by listing more than one BackEnd inside the Service:

..
        Service
                BackEnd
                        Address 127.0.0.1
                        Port    80
                End
                BackEnd
                        Address 127.0.0.1
                        Port    81
                End
        End
..

Using pound this way is very simple, but you might consider a more heavyweight approach in the future:

Still, despite its simplicity, using pound in this fashion is painless, quick, and easy to set up.

This article is copyright 2013 Steve - please ask for permission to republish or translate.