Installing an Origin CA cert in Pound
Recently I was approached by one of the Cloudflare channel team as they advised all customers about Google's announcement about distrusting SSL certificates from two certificate authorities ("CAs"): WoSign and StartCom. Google's announcement joins Mozilla and Apple and now represents the majority of human-driven browsers.
As I was using a StartCom free SSL certificate, it was in my best interests to migrate off and find a more reputable CA. I needed to replace my certificate in two locations to ensure I could enable 'Full SSL (Strict)' and protect not only my edge at the CDN but also my Origin.
Looking to see whether Cloudflare had documented Pound as an SSL termination point, I saw a gap that this blog post aims to fill.
1. Obtain private key and origin certificate pair
After completing the steps to generate the private key and origin certificate, download both the private key and origin certificate in .pem format. Concatenate the private key, any CA certificates and the site certificate into a single .pem file.
2. Copy the combined pem file to your origin server
Copy the concatenated file and move it to the directory on your server where you will keep your key and certificate files. Typically this is in /etc/ssl/certs.
3. Locate your pound config file
Pound’s main configuration file is typically named pound.cfg. Possible locations for this file might be /etc/pound.cfg or /usr/local/etc/pound.cfg depending on the operating system in use.
4. The default pound.cfg file can be amended to direct traffic to specified sites
You will need to create a Service definition containing, at minimum, a Backend block with Address and Port parameters. This tells Pound where to send a request once it has received one. Optionally, HeadRequire can be used in multiple Service blocks to route traffic based on request headers.
# Global options:
User "apache"
Group "apache"
LogLevel 3

# Check backend every 20 secs:
Alive 20

# poundctl control socket
Control "/var/run/poundctl.socket"

# Backend service for any domains matching *.adammalone.net
Service
    HeadRequire "Host:.*adammalone.net.*"
    Backend
        Address 127.0.0.1
        Port 80
    End
End
5. Add a ListenHTTPS block for SSL
Below is a simple example of Pound configured to use SSL. The entire ListenHTTPS block must be appended to the pound.cfg file to enable SSL. The optional parameters for adding headers and restricting ciphers further secure the application behind it.
# SSL Termination
ListenHTTPS
    Address 0.0.0.0
    Port 443
    HeadRemove "X-Forwarded-Proto"
    AddHeader "X-Forwarded-Proto: https"
    Cert "/etc/ssl/certs/cloudflare.pem"
    Ciphers "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!ADH:!AECDH:!MD5:!DSS"
End
Ensure the Cert parameter matches the location of your combined pem file moved during step 2.
6. Test your Pound configuration before restarting
Best practice is to check your configuration files before restarting Pound, as Pound will not start if there are errors in the configuration. The following command will test your configuration files:

$ pound -c
starting...
Config file /etc/pound.cfg is OK
7. Restart Pound
$ /etc/init.d/pound start
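pound -c validates the syntax of pound.cfg, but it is the combined pem file from steps 1 and 2 that most often goes wrong in practice: a key file without a trailing newline fuses two PEM blocks when concatenated, or the key ends up missing entirely, and Pound then fails to load the certificate. The following pre-flight check is an added example written for this post, not Cloudflare's or Pound's own tooling; it uses only the Python standard library, and the sample inputs use constructed placeholder DER bodies rather than real key material.

```python
import base64
import binascii
import re

# One PEM block: BEGIN line, base64 body, matching END line (CRLF tolerated so it can be reported).
PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.DOTALL)

def parse_pem_blocks(text):
    """Return (label, base64 body) for every well-formed PEM block in text."""
    return [(m.group(1), m.group(2)) for m in PEM_RE.finditer(text)]

def check_combined_pem(text):
    """Return a list of problems; an empty list means the file looks usable as a Pound Cert file."""
    problems = []
    if "\r\n" in text:
        problems.append("CRLF line endings; normalise the file to LF before handing it to Pound")
    if re.search(r"[^\n]-----BEGIN", text):
        problems.append("fused blocks: a source file had no trailing newline before concatenation")
    if not text.endswith("\n"):
        problems.append("missing final newline")
    blocks = parse_pem_blocks(text)
    for label, body in blocks:
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except binascii.Error:
            problems.append(f"{label} block is not valid base64")
            continue
        if not der or der[0] != 0x30:  # DER keys and certificates both start with a SEQUENCE tag
            problems.append(f"{label} block does not decode to a DER SEQUENCE")
    keys = [label for label, _ in blocks if label.endswith("PRIVATE KEY")]
    certs = [label for label, _ in blocks if label == "CERTIFICATE"]
    if len(keys) != 1:
        problems.append(f"expected exactly one private key block, found {len(keys)}")
    if not certs:
        problems.append("no CERTIFICATE block found")
    if blocks and not blocks[0][0].endswith("PRIVATE KEY"):
        problems.append("private key is not the first block (this post concatenates the key first)")
    return problems

def pem_block(label, der):
    """Wrap DER bytes in a PEM block; encodebytes() wraps at 76 columns and adds the final newline."""
    return f"-----BEGIN {label}-----\n{base64.encodebytes(der).decode()}-----END {label}-----\n"

# Constructed placeholder DER (a minimal SEQUENCE), standing in for real key and certificate bodies.
FAKE_DER = b"\x30\x03\x02\x01\x00"
GOOD_PEM = "".join(pem_block(l, FAKE_DER) for l in ("PRIVATE KEY", "CERTIFICATE", "CERTIFICATE"))
# What `cat key.pem ca.pem` produces when key.pem lacks its final newline: END and BEGIN run together.
FUSED_PEM = GOOD_PEM.replace("-----END PRIVATE KEY-----\n-----BEGIN", "-----END PRIVATE KEY----------BEGIN", 1)
```

Run check_combined_pem() over the contents of /etc/ssl/certs/cloudflare.pem before step 6; an empty result means the file is at least structurally sound, while any reported problem should be fixed before Pound is restarted.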