keithalexander
asked on
HTTPS backend with Pound reverse proxy
I'm trying to configure Pound Reverse Proxy with an HTTPS connection to a web server in the backend. Unfortunately it does not work. If I use unencrypted HTTP, it works. Syslog says:
Jun 8 11:11:39 transfer pound: BIO_do_handshake with XXX.XXX.XXX.XXX:443 failed: error:00000000:lib(0):func (0):reason (0)
openssl s_client -connect example.com:443 says "CONNECTION OK".
The used config part of Pound:
ListenHTTPS
    HeadRemove "X-Forwarded-Proto"
    AddHeader "X-Forwarded-Proto: https"
    Address YYY.YYY.YYY.YYY
    Port 443
    Cert "/etc/ssl/pound/server.pem"
    ## allow PUT and DELETE also (by default only GET, POST and HEAD)?:
    xHTTP 1
    Service
        BackEnd
            Address XXX.XXX.XXX.XXX
            Port 443
            HTTPS
        End
    End
End
I've been surfing the net for several hours with no solution, so I thought "maybe experts exchange can help"?
****** edit #1 a few hours later ******
I sniffed the traffic between the reverse proxy and the HTTPS backend server. I added a screen capture. It seems that the web server just does not answer, then pound runs into a timeout and closes the connection, but I'm not an expert. I've tried to put pound in front of several web servers, with the same effect. I assume that they dislike something in the "handshake request packet", but I have no clue what, because I get no answers from the web servers. I haven't been able to find usable logs on the backend server's side either yet. That's weird... Does anybody have an idea why?
Btw I tried both with and without
HeadRemove "X-Forwarded-Proto"
AddHeader "X-Forwarded-Proto: https"
That's why it does not appear in the data packet in the screenshot
Capture.JPG
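The syslog line quoted above carries OpenSSL's raw error layout ("error:<8 hex digits>:lib(n):func(n):reason(n)"), and an all-zero code means OpenSSL queued no error at all: the handshake ended at the socket level (connection closed or timed out) rather than with a TLS alert or certificate error. The following script is an added example, not part of the question or of Pound; it parses such lines and sorts them into "transport" versus "tls" failures. The second sample line is constructed to show a certificate verification failure for contrast.

```python
import re
from typing import Optional

# Layout of the Pound syslog line quoted in the question. The tail is OpenSSL's
# ERR_error_string() fallback format; the optional space in "func (0)" matches
# the line exactly as it was pasted.
HANDSHAKE_RE = re.compile(
    r"BIO_do_handshake with (?P<host>\S+):(?P<port>\d+) failed: "
    r"error:(?P<code>[0-9A-Fa-f]{8}):lib\((?P<lib>\d+)\):func ?\((?P<func>\d+)\)"
    r":reason ?\((?P<reason>\d+)\)"
)

# ERR_LIB_* numbers from OpenSSL 1.x <openssl/err.h> that matter for a TLS backend.
OPENSSL_LIBS = {0: "no error queued", 2: "SYS", 11: "X509", 20: "SSL", 32: "BIO"}

TRIAGE = {
    "transport": "OpenSSL recorded no error: the backend sent no TLS alert, the socket "
                 "was closed or timed out mid-handshake. Check from the proxy host that "
                 "the backend answers TLS on that port at all (firewall, wrong port).",
    "tls": "The backend answered and the TLS handshake itself failed (protocol, cipher "
           "or certificate verification); compare with openssl s_client from the proxy host.",
    "other": "Non-TLS OpenSSL library error; inspect the lib/func/reason numbers.",
}

def decode_handshake_error(line: str) -> Optional[dict]:
    """Return parsed fields plus a triage category for a Pound BIO_do_handshake line."""
    m = HANDSHAKE_RE.search(line)
    if not m:
        return None
    lib = int(m.group("lib"))
    code = int(m.group("code"), 16)
    if code == 0:
        category = "transport"        # empty error queue: socket-level failure
    elif lib in (20, 11):
        category = "tls"              # SSL or X509 library reported the failure
    else:
        category = "other"
    return {"backend": f"{m.group('host')}:{m.group('port')}", "code": code,
            "lib": OPENSSL_LIBS.get(lib, f"lib {lib}"), "category": category,
            "advice": TRIAGE[category]}

SAMPLE_LINES = [
    # the line quoted in the question
    "Jun 8 11:11:39 transfer pound: BIO_do_handshake with XXX.XXX.XXX.XXX:443 failed: "
    "error:00000000:lib(0):func (0):reason (0)",
    # constructed: how the same line looks when the backend certificate fails verification
    "Jun 8 11:12:03 transfer pound: BIO_do_handshake with XXX.XXX.XXX.XXX:443 failed: "
    "error:14090086:lib(20):func(144):reason(134)",
]

if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(decode_handshake_error(sample))
```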
ASKER
Hi noci,
thanks. The backend servers are using self-signed certificates.
Regular HTTPS services only accept CA-signed certificates (not hard to do with tools like xca (http://hohnstaedt.de/xca/) or Windows management tools, or, if public DNS names are used, Let's Encrypt certificates maintained by certbot (https://github.com/certbot/certbot, https://letsencrypt.org/)).
Self-signed certificates often need confirmation before being accepted (w.r.t. trust, self-signed is almost as bad as no certificate; you might need settings to allow those).
Almost ALL server processes that handle certificates require that a trusted signer (CA) certificate exists in the trusted store.
ASKER
Hi Noci,
Unfortunately, in front of a server with a valid certificate I can observe the same behaviour :-(
ASKER
I found the following answer in the mailing list archive of Pound, which says it should work the same with self-signed certificates.
http://www.apsis.ch/pound/pound_list/archive/2013/2013-09/1378236501000/index_html?fullMode=1
Re: [Pound Mailing List] Would pound fail to forward HTTPS request if backends have self-signed certificate only?
"D. R." <daveyx(at)gmx.de> 2013-09-03 22:34:49 [ SNIP ]
Hi Alex,
I cannot confirm; I also use pound with self-signed certificates in
different development environments.
Kind regards
David
On 03.09.2013 21:28, Alex Tsang wrote:
> Hi. I have pound 2.6 and an SSL certificate installed which I bought from
> Comodo.
> I configured pound to forward HTTPS requests to backend servers over HTTPS,
> but those backend servers have self-signed certificates only.
>
> I found that when I visit the servers over HTTPS (through pound), it gives me
> e500 error. Is it caused by self-signed certificates on backend servers? When
> I use curl to visit those backend servers directly I need to add the -k
> switch to avoid checking certificates. I tried to configure pound to forward
> HTTPS to backend servers over HTTP and it worked well, but if my backend
> servers sit in different networks this would be a problem as people may
> capture the traffic between pound and my backend servers.
>
> Many thanks.
>
> Alex
Ehm, unencrypted HTTPS packet???