Prev: Next: Up: Top[Contents][Index]


5 HTTPS

In the previous chapter we have described basic proxying techniques using plain HTTP listener as an example. Now we will discuss how to use HTTPS both for listeners and backends.

To accept HTTPS requests you need to declare ListenerHTTPS listener. It is similar to plain ListenerHTTP described above, except that it requires a certificate to be declared. For example:

ListenHTTPS
    Address 0.0.0.0
    Port 443
    Cert "/etc/ssl/priv/example.pem"
    Disable TLSv1
    Ciphers "HIGH:@STRENGTH:!RSA"
End

The Cert statement supplies the name of the certificate file in PEM format. The file must contain the certificate, intermediate certificates (if necessary), and certificate private key, in that order.

The Cert argument can also specify a directory, in which case pound will scan that directory, trying to read the certificate from each regular file encountered. It will report an error if unable to load the file, so this directory should contain only certificate files. The order in which certificate files are read is not specified.

Multiple Cert statements are allowed. When trying to find the matching certificate, pound will stop at the first one whose CN matches the requested host name. Thus, the ordering of Cert statements is important. Normally they should be placed in most-specific to least-specific order, with wildcard certificates appearing after host-specific ones.

Cert directives must precede all other SSL-specific directives.

Another important directive is Disable. It disables the use of the specified TLS protocol as well as all protocols older than it. Usually it is used to disable obsolete protocols. For example, the Disable statement in the example above disables ‘TLSv1’, ‘SSLv3’, and ‘SSLv2’.

To further tune the strength of your encryption use the Ciphers directive. Its argument is a colon-delimited list of OpenSSL ciphers, as described in See (ciphers(1))ciphers. The cipher selection shown in the example above provides for excellent encryption strength.


Prev: Next: Up: Top[Contents][Index]