,
In the previous chapter we have described basic proxying techniques using plain HTTP listener as an example. Now we will discuss how to use HTTPS both for listeners and backends.
To accept HTTPS requests you need to declare ListenerHTTPS
listener. It is similar to plain ListenerHTTP described above,
except that it requires a certificate to be declared. For
example:
ListenHTTPS
Address 0.0.0.0
Port 443
Cert "/etc/ssl/priv/example.pem"
Disable TLSv1
Ciphers "HIGH:@STRENGTH:!RSA"
End
The Cert statement supplies the name of the certificate file
in PEM format. The file must contain the certificate, intermediate
certificates (if necessary), and certificate private key, in that
order.
The Cert argument can also specify a directory, in which case
pound will scan that directory, trying to read the certificate
from each regular file encountered. It will report an error if unable
to load the file, so this directory should contain only certificate
files. The order in which certificate files are read is not
specified.
Multiple Cert statements are allowed. When trying to find the
matching certificate, pound will stop at the first one whose
CN matches the requested host name. Thus, the ordering of
Cert statements is important. Normally they should be placed
in most-specific to least-specific order, with wildcard certificates
appearing after host-specific ones.
Cert directives must precede all other SSL-specific directives.
Another important directive is Disable. It disables the use
of the specified TLS protocol as well as all protocols older than it.
Usually it is used to disable obsolete protocols. For example,
the Disable statement in the example above disables ‘TLSv1’,
‘SSLv3’, and ‘SSLv2’.
To further tune the strength of your encryption use the Ciphers
directive. Its argument is a colon-delimited list of OpenSSL ciphers,
as described in See (ciphers(1))ciphers. The cipher selection
shown in the example above provides for excellent encryption strength.
,