In the previous chapter we described basic proxying techniques using a plain HTTP listener as an example. This chapter covers how to use HTTPS, both for listeners and for backends.
To accept HTTPS requests you need to declare a ListenHTTPS listener. It is similar to the plain ListenHTTP listener described above, except that it requires a certificate to be declared. For example:

    ListenHTTPS
        Address 0.0.0.0
        Port 443
        Cert "/etc/ssl/priv/example.pem"
        Disable TLSv1
        Ciphers "HIGH:@STRENGTH:!RSA"
    End
The Cert statement supplies the name of the certificate file in PEM format. The file must contain the server certificate, any intermediate certificates needed to complete the chain, and the certificate's private key, in that order. Because the file holds the private key, it must not be readable by anyone other than the user pound runs as.
The Cert argument can also name a directory, in which case pound scans that directory, trying to read a certificate from each regular file it encounters. It reports an error if it is unable to load a file, so the directory should contain nothing but certificate files. The order in which certificate files are read is not specified.
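The layout rules above (server certificate first, then the chain, then exactly one private key, nothing else, and the file kept private because it carries the key) are easy to get wrong when bundles are assembled by hand. The following script is an added example, not part of pound or its documentation; it checks a single bundle or every regular file in a Cert directory for that layout and for permissive file modes. It looks only at the PEM framing, not at the cryptographic contents, and the sample bundles at the bottom are constructed placeholders, not real certificates or keys.

```python
"""Check that certificate files are laid out the way pound expects: the server
certificate, then any intermediates, then the private key, each a PEM block.
Added example; not pound's own code."""
import os
import re
import stat
import sys
from typing import List, Tuple

# PEM labels accepted for the private-key block that must close the bundle.
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}

# One PEM block: a BEGIN line, the body, and an END line carrying the same label.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n.*?\r?\n-----END \1-----", re.S)


def pem_labels(text: str) -> List[str]:
    """Labels of the PEM blocks in text, in file order."""
    return [m.group(1) for m in PEM_BLOCK.finditer(text)]


def check_bundle(text: str) -> Tuple[bool, str]:
    """Verify the certificate / chain / private key ordering of one bundle."""
    labels = pem_labels(text)
    if not labels:
        return False, "no PEM blocks found"
    if labels[0] != "CERTIFICATE":
        return False, "first block must be the server certificate, not %s" % labels[0]
    keys = [i for i, label in enumerate(labels) if label in KEY_LABELS]
    if len(keys) != 1:
        return False, "expected exactly one private key block, found %d" % len(keys)
    if keys[0] != len(labels) - 1:
        return False, "private key must come after all certificates"
    stray = [label for label in labels[1:-1] if label != "CERTIFICATE"]
    if stray:
        return False, "unexpected block(s) before the key: " + ", ".join(stray)
    return True, "ok: %d certificate(s) followed by the private key" % (len(labels) - 1)


def too_permissive(mode: int) -> bool:
    """The bundle contains the private key, so group and other must have no access."""
    return bool(mode & 0o077)


def check_dir(path: str) -> List[Tuple[str, str]]:
    """Check every regular file in a Cert directory; return (file, problem) pairs."""
    problems = []
    for name in sorted(os.listdir(path)):
        full = os.path.join(path, name)
        st = os.stat(full)
        if not stat.S_ISREG(st.st_mode):
            continue  # pound reads regular files only
        if too_permissive(st.st_mode):
            problems.append((name, "mode %o grants access to group/other" % stat.S_IMODE(st.st_mode)))
        with open(full, "r", encoding="ascii", errors="replace") as fh:
            ok, msg = check_bundle(fh.read())
        if not ok:
            problems.append((name, msg))
    return problems


def _block(label: str, body: str = "QUJDREVGR0g=") -> str:
    """Constructed placeholder PEM block; the body is dummy base64, not key material."""
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, body, label)


# Constructed sample bundles (placeholders, not real certificates or keys).
GOOD_BUNDLE = _block("CERTIFICATE") + _block("CERTIFICATE") + _block("EC PRIVATE KEY")
KEY_FIRST = _block("RSA PRIVATE KEY") + _block("CERTIFICATE")
KEY_IN_MIDDLE = _block("CERTIFICATE") + _block("PRIVATE KEY") + _block("CERTIFICATE")
NO_KEY = _block("CERTIFICATE") + _block("CERTIFICATE")

if __name__ == "__main__":
    if len(sys.argv) > 1 and os.path.isdir(sys.argv[1]):
        for name, problem in check_dir(sys.argv[1]):
            print("%s: %s" % (name, problem))
    elif len(sys.argv) > 1:
        with open(sys.argv[1], "r", encoding="ascii", errors="replace") as fh:
            print(check_bundle(fh.read())[1])
    else:
        for label, text in [("good", GOOD_BUNDLE), ("key first", KEY_FIRST),
                            ("key in middle", KEY_IN_MIDDLE), ("no key", NO_KEY)]:
            print("%-13s %s" % (label, check_bundle(text)[1]))
```

Run it with a directory argument before pointing a Cert statement at that directory: any file it lists will either make pound fail to load, or expose the key to other local users.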
Multiple Cert statements are allowed. When looking for a matching certificate, pound stops at the first one whose CN matches the requested host name, so the order of Cert statements matters. Normally they should be placed in most-specific to least-specific order, with wildcard certificates after host-specific ones; a wildcard certificate placed first would match the host names of every more specific certificate listed after it, which would then never be served.
Cert directives must precede all other SSL-specific directives.
Another important directive is Disable. It disables the specified TLS protocol as well as all protocols older than it, and is normally used to shut off obsolete protocols. For example, the Disable statement in the example above disables TLSv1, SSLv3 and SSLv2. Note that it leaves TLSv1.1 enabled; to turn that off as well, name the newest protocol you want disabled (Disable TLSv1_1).
To further tune the strength of your encryption use the Ciphers directive. Its argument is a colon-delimited OpenSSL cipher list, in the syntax described in ciphers(1). The cipher selection shown in the example above provides good encryption strength: HIGH keeps only high-strength suites, @STRENGTH sorts them strongest first, and !RSA removes the suites that use RSA key exchange, which offer no forward secrecy, leaving the (EC)DHE suites. A certificate with an RSA key still works with this list, since the certificate is used for authentication rather than key exchange. Note that the list governs TLS 1.2 and older cipher suites only; TLS 1.3 suites are configured separately by OpenSSL and are not affected by it.
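Rather than trusting a cipher string by reading it, check what OpenSSL actually makes of it. The script below is an added example, not part of pound; it feeds the string from the ListenHTTPS example to Python's ssl module, which passes it to the same OpenSSL cipher-list parser pound relies on, and reports the suites that result on the local OpenSSL build. It assumes Python 3.6 or later built against OpenSSL 1.1.0 or later, where get_ciphers() reports the key exchange and authentication method of each suite.

```python
"""Show what an OpenSSL cipher string, as given to pound's Ciphers directive,
actually selects. Python's ssl module hands the string to the same OpenSSL
cipher-list parser, so the result reflects the OpenSSL build on this host.
Added example; not pound's own code."""
import ssl
from typing import Dict, List

# The cipher string from the ListenHTTPS example in the text.
POUND_EXAMPLE = "HIGH:@STRENGTH:!RSA"


def select_ciphers(spec: str) -> List[Dict]:
    """OpenSSL's description of every suite enabled by spec.

    The string governs TLS 1.2 and older suites; OpenSSL's TLS 1.3 suites are
    configured separately and show up here regardless (kea 'kx-any')."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(spec)  # raises ssl.SSLError if the string matches nothing
    return ctx.get_ciphers()


def rsa_key_exchange(spec: str) -> List[str]:
    """Selected suites that use static RSA key exchange, i.e. no forward secrecy."""
    return [c["name"] for c in select_ciphers(spec) if c.get("kea") == "kx-rsa"]


def weakest_bits(spec: str) -> int:
    """Smallest symmetric key strength among the selected suites."""
    return min(c["strength_bits"] for c in select_ciphers(spec))


def rsa_certificate_still_usable(spec: str) -> bool:
    """True if some selected suite authenticates with an RSA certificate.

    !RSA removes RSA key exchange only, so a server holding an RSA
    certificate can still negotiate ECDHE-RSA / DHE-RSA suites."""
    return any(c.get("auth") in ("auth-rsa", "auth-any") for c in select_ciphers(spec))


if __name__ == "__main__":
    # Compare the bare HIGH list (the weak setting) with the example's list.
    for spec in ("HIGH", POUND_EXAMPLE):
        suites = select_ciphers(spec)
        print("%-22s %3d suites, weakest %d bits, RSA key exchange: %s"
              % (spec, len(suites), weakest_bits(spec),
                 ", ".join(rsa_key_exchange(spec)) or "none"))
```

Running it shows the effect of !RSA directly: the bare HIGH list still contains suites such as the AES-GCM ones with RSA key exchange, while the example's list contains none, yet RSA-authenticated ECDHE and DHE suites remain available.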