
I've been using pound to run mydomain.dk. Now I've bought some other domains and SSL certificates that are mydomain.no, mydomain.se and mydomain.eu. My old config looked roughly like this:

ListenHTTPS
        Address 81.19.246.120
        Port    443
        Cert    "/usr/local/etc/pound.keys/mydomain.dk.pem"

        Service
                BackEnd
                Address 10.0.10.10
                Port    8080
                End
        End
End

At places like here I've seen that I can use HeadRequire in the Service part, but I want the Host header to go together with the Cert, ideally something like

ListenHTTPS
        Address 81.19.246.120
        Port    443
        HostAndCert    "mydomain.dk" "/usr/local/etc/pound.keys/mydomain.dk.pem"
        HostAndCert    "mydomain.se" "/usr/local/etc/pound.keys/mydomain.se.pem"
        HostAndCert    "mydomain.no" "/usr/local/etc/pound.keys/mydomain.no.pem"
        HostAndCert    "mydomain.eu" "/usr/local/etc/pound.keys/mydomain.eu.pem"

        Service
                BackEnd
                Address 10.0.10.10
                Port    8080
                End
        End
End

Any suggestions or clues as to how I can accomplish this?

Cheers

Nik

EDIT: Yup, at http://www.apsis.ch/pound/ I see that it can't be done, one IP per SSL domain is required. Are there good alternatives when I can't use wildcard SSLs that say mydomain.* ?

niklassaers

5 Answers


There is a new feature of TLS to solve this problem: Server Name Indication. It's not widely supported yet.

user4260

This seems like a post on a very old story, but I may bring some elements of a solution here:

I have read on the pound official website, in their 'update June 2010', that pound is able to proceed with openssl SNI (Server Name Indication), which makes it possible to build an https reverse proxy.

Furthermore, in the pound mailing-list (in which I have been totally unable to register :O) I have read that someone accomplished SNI successfully with pound. I am on Linux and my browser is SNI capable, as reported by this check.

However, it seems that only the first certificate specified in the pound configuration file is taken into account. In fact, I have exactly the same problem as reported here: the first certificate is shown to the client; if it is related to the domain name, this is fine, else no other certificate is tried and a warning is shown in the client browser.

My configuration is like this:

ListenHTTPS
  Address 172.23.1.2
  Port  443
  Cert "/etc/pound/ssl/wiki.pem"
  Cert "/etc/pound/ssl/frontend.pem"

  Service
      HeadRequire "Host: .*wiki.mydomain.net.*"
      BackEnd
          Address 192.168.0.110
          Port 8080
      End
  End
  Service
      HeadRequire "Host: .*mydomain.net.*"
      BackEnd
          Address 192.168.0.103
          Port 8080
      End
  End
End

Does anyone know how to force each certificate to be checked until an appropriate one is found?

philippe
  • Reading the pound man page: further Cert directives are allowed only if the openssl version you have on the pound server handles SNI. – eppesuig May 02 '17 at 17:03

I am sorry to say that as far as I am aware you can only have *.mydomain.com; you cannot have mydomain.*.

There is no alternative I know of, you must have one IP address for one SSL.

Alistair Prestidge
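An added check, not from this thread or from Pound itself, for the failure philippe describes above (the listener presents its first certificate regardless of the requested name) and for Alistair's wildcard point: it connects with a chosen SNI name and reports whether the certificate the listener picked actually covers that name, and its matcher only accepts a '*' for the whole leftmost label, which is why mydomain.* is not a usable pattern. The address, port and hostnames in the usage line are assumptions.

```python
import socket
import ssl
import sys


def hostname_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style: exact match, or '*' standing for the whole leftmost label.
    'mydomain.*' is not a valid wildcard, so one wildcard certificate cannot
    cover mydomain.dk, mydomain.no and mydomain.se together."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    plabels, hlabels = pattern.split("."), hostname.split(".")
    if plabels[0] != "*" or len(plabels) < 3 or len(plabels) != len(hlabels):
        return False
    return plabels[1:] == hlabels[1:]


def cert_names(cert: dict) -> list:
    """DNS names a certificate claims, in the dict layout of getpeercert():
    subjectAltName entries first; the CN only if there is no SAN at all."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return names


def cert_covers(cert: dict, hostname: str) -> bool:
    return any(hostname_matches(n, hostname) for n in cert_names(cert))


def check_sni(address: str, port: int, server_name: str) -> tuple:
    """Connect to the listener, send server_name in the SNI extension and return
    (names in the presented cert, whether one of them covers server_name).
    Chain verification stays on (otherwise getpeercert() returns an empty dict);
    only the hostname check is disabled so a wrongly selected certificate is
    reported instead of raising."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((address, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_name) as tls:
            cert = tls.getpeercert()
    return cert_names(cert), cert_covers(cert, server_name)


if __name__ == "__main__":
    # assumed usage: python sni_check.py 81.19.246.120 443 mydomain.dk mydomain.no
    addr, port, names = sys.argv[1], int(sys.argv[2]), sys.argv[3:]
    for name in names:
        got, ok = check_sni(addr, port, name)
        print(f"{name}: {'OK' if ok else 'WRONG CERT'} presented {got}")
```

Run it once per hostname the listener is supposed to serve; a line reporting WRONG CERT with the first certificate's names is exactly the symptom described in the thread.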

Until Server Name Indication is supported, your best option is to get a Unified Communications Certificate that includes all the names that you need to secure in one cert.

Robert

Thanks a lot for your answer,

Such a feature does exist regarding wikipedia_SNI.

Unfortunately, not all browsers and OSes support this, but as I wrote, I am running on an OS and browser which do allow this. Roughly speaking, you must be running on a browser which includes an openssl library allowing this feature (Vista or more recent) or a browser implementing it (Firefox > 3 for instance).

And the examples I showed seem to prove that such a thing is possible with pound. This is what we would like to realize.

philippe