Add SSL Support to Pound Proxy
This is a super quick guide to add certificate files to a Pound proxy, very useful when using it in environments with Varnish servers. This configuration was tested on Ubuntu 14.04 and Ubuntu 16.04
Follow the next steps that I took as sample from this site to configure Pound with a self-signed certificate, make sure to run all commands as root:
$ sudo su
Pound HTTPS Configuration
The following steps will guide you through the generation of a self-signed certificate for your test project server.
During the process you will create:
- server.key: This is a 1024 bit random string ("private key") that uniquely identifies your server.
- server.csr: This is a "Certificate Signing Request" file. You can send this to a Certificate Authorities (CA), or sign it yourself.
- server.crt: This is a "certificate" that certifies that server.key belongs to you.
- server.pem: This is the file that Pound needs to work correctly. A PEM file is a bundle of a the "server.key" private key and a certificate.
1.- Generate an RSA private key for the server:
# openssl genrsa -out server.key 1024
2.- Remove the passphrase from the key. Please make sure that nobody will have access to this file except for you. Otherwise the security of your server is at risk:
# cp server.key server.key.org # openssl rsa -in server.key.org -out server.key
3.- Create the Certificate Signing Request file, or CSR:
# openssl req -new -key server.key -out server.csr
You will have to provide certain information for your CSR. Here are some sample values for your test project, replace accordingly and you can leave the challenge password field empty if you don't want a password for your certificates:
- Country Name (2 letter code) [GB]: ES - State or Province Name (full name) [Berkshire]: Catalonia - Locality Name (eg, city) [Newbury]: Barcelona - Organization Name (eg, company) [My Company Ltd]: Project Open Business Solutions S.L. - Organizational Unit Name (eg, section) : - Common Name (eg, your name or your server's hostname) : www.project-open.org - Email Address : firstname.lastname@example.org - A challenge password : - An optional company name :
4.- Now you could go to some Certificate Authority in the Web (for example: http://www.instantssl.com/ currently offers free certificates for 90 days) and sign your key there. As a result, you will receive a "certificate" file that you can save as "server.crt".
5.- As an alternative you can sign the key yourself. The server.crt certificate will be technically valid. However, your browser will show a security warning if it encounters such a self-signed certificate:
# openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
6.- Verify your certificate. The following command should output some data, and not an error message:
# openssl x509 -in server.crt -text
7.- Create a PEM file:
# openssl x509 -in server.crt -out server.pem # openssl rsa -in server.key >> server.pem # mkdir -p /etc/ssl/pound # cp server.pem /etc/ssl/pound/
8.- Now you can add a HTTPS listener configuration to your pound.cfg configuration file:
ListenHTTPS Address 0.0.0.0 Port 443 Cert "/etc/ssl/pound/server.pem" End
The new configuration will be come active after restarting Pound (/etc/init.d/pound restart).
If you want to go pro and get real secure SSL support I suggest this tutorial where it explains how to use Let's Encrypt SSL or, of course you can always buy real certificates and replace them into the above configuration.
Hope it helps!