Pound Root Jail & HTTPS Configuration

]project-open[ installations under Linux usually include Pound as a "reverse proxy" in order to allow multiple ]po[ instances to run on a single physical server.

This HowTo explains how to set up Pound for a production system with multiple servers (usually one "projop" production server, one "stage" staging server and one "dev" development server) and how to configure HTTPS.

Getting Pound

Pound is maintained by Apsis (http://www.apsis.ch/pound). However, most Linux distributions include Pound as a package ready for installation:

  • CentOS 6: You need to add the "EPEL" repository to YUM in order to be able to perform a yum install Pound (please note the capital "P").
  • Ubuntu: Pound is available as a normal package
  • Debian: Pound is available as a normal package

The following instructions refer to CentOS 6.4, but will probably also work on any other Linux system.


Pound Configuration

The Pound configuration file is usually located at /etc/pound.cfg (CentOS package) or /etc/pound/pound.cfg (Debian and Ubuntu packages). Here is an example for Pound version 2.6:

# *****************************************************
# /etc/pound/pound.cfg
# *****************************************************

User            "pound"
Group           "pound"
RootJail        "/var/pound"
LogLevel        2

ListenHTTP
        Address 0.0.0.0
        Port    80
End

# "Stage" is running on 8001
Service
        HeadRequire "Host:.*stage.*"
        BackEnd
                Address localhost
                Port    8001
                TimeOut 600
        End
End

# By default show the "projop" production server
Service
        BackEnd
                Address 127.0.0.1
                Port    8000
                TimeOut 600
        End
End

"Chroot" Root Jail Configuration

Please note the "RootJail" line in the configuration above. Pound starts as root, reads its configuration (including any certificates), changes the root of its filesystem to /var/pound (instead of "/") and only then drops to the User and Group given in the configuration. This way the Pound process cannot read or write anything outside /var/pound in case it should get hacked (which we haven't seen yet in more than 6 years working with Pound...). A chroot does not restrict network access or system calls, so the User/Group lines and the file permissions described below are part of the protection, not optional extras.

Here is the structure of the /var/pound directory:

# find /var/pound/
/var/pound/
/var/pound/etc
/var/pound/etc/hosts
/var/pound/etc/resolv.conf
/var/pound/dev
/var/pound/dev/random
/var/pound/lib
/var/pound/lib/libgcc_s.so.1
  • /var/pound/dev/random:
    Pound (through OpenSSL) needs this device in order to obtain random numbers inside the jail. To create the device node please enter (as root):
    # mknod /var/pound/dev/random c 1 8
    (Major 1, minor 8 is /dev/random; minor 9 would be /dev/urandom.)
    
  • /var/pound/etc/resolv.conf:
    Inside the jail Pound cannot use the normal name service, so the nameserver must be given as an IP address (not a hostname). Pound uses it for lookups in logging etc. The file contains the following two lines:
    search localdomain
    nameserver <your_nameserver_ip_address>
  • /var/pound/lib/libgcc_s.so.1:
    This is a copy (not a symbolic link!) of the system library with the same name found in /lib/ or /lib64/. A symbolic link would be resolved relative to the jail root and point nowhere.

Please make sure that the entire /var/pound/ tree is owned by root and writable by root only, but readable for user/group "pound". If the pound user can write inside the jail, a compromised process can plant files there for later use.

Now you can start pound via /etc/init.d/pound start.

Pound logs through syslog, normally to /var/log/messages, even when it is running in the root jail. Please watch this file for error messages after starting.
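The jail layout above as a script, added here as an example; it is not part of this page or of ]project-open[. build_pound_jail creates the tree from the page (etc/resolv.conf, etc/hosts, dev/random, lib/libgcc_s.so.1), and check_pound_jail audits an existing tree for the mistakes that break or weaken a chroot: a hostname instead of an IP address in resolv.conf, a symbolic link instead of a copy, and anything writable by group or others. The function names and the default library path /lib64/libgcc_s.so.1 are assumptions; mknod needs root, so an unprivileged run reports the missing device instead of failing.

```shell
#!/bin/sh
# Added example, not part of the ]project-open[ page: build a Pound RootJail
# tree and audit it before pointing "RootJail" at it.
# Assumptions: the layout from the page (etc/, dev/random, lib/libgcc_s.so.1);
# the library path defaults to /lib64/libgcc_s.so.1 and can be overridden.

# build_pound_jail JAIL NAMESERVER_IP [LIBGCC]
build_pound_jail() {
    jail=$1; ns=$2; libgcc=${3:-/lib64/libgcc_s.so.1}

    mkdir -p "$jail/etc" "$jail/dev" "$jail/lib" || return 1

    # Inside the jail there is no NSS, so the resolver must be an IP address.
    printf 'search localdomain\nnameserver %s\n' "$ns" > "$jail/etc/resolv.conf" || return 1
    printf '127.0.0.1 localhost\n' > "$jail/etc/hosts" || return 1

    # Copy the library (cp -L follows the usual libgcc_s.so.1 -> versioned
    # file symlink); a symlink inside the jail would point outside it.
    if [ -f "$libgcc" ]; then
        cp -L "$libgcc" "$jail/lib/libgcc_s.so.1" || return 1
    else
        echo "warning: $libgcc not found; copy libgcc_s.so.1 by hand" >&2
    fi

    # /dev/random is character device major 1, minor 8 (minor 9 is urandom).
    # Creating device nodes needs root; report instead of failing otherwise.
    if [ ! -c "$jail/dev/random" ]; then
        if [ "$(id -u)" -eq 0 ]; then
            mknod "$jail/dev/random" c 1 8 || return 1
        else
            echo "warning: not root, skipped: mknod $jail/dev/random c 1 8" >&2
        fi
    fi

    # Owned by the caller (root in production), writable by owner only,
    # readable by the pound user and group.
    chmod -R u=rwX,go=rX "$jail"
}

# check_pound_jail JAIL: print one "bad: ..." line per problem found and
# return the number of problems (0 means the tree is ready to chroot into).
check_pound_jail() {
    jail=$1; bad=0
    [ -d "$jail" ] || { echo "bad: $jail is not a directory"; return 1; }

    # Only a dotted-quad nameserver works without NSS inside the jail.
    if ! grep -Eq '^nameserver +[0-9]+(\.[0-9]+){3} *$' "$jail/etc/resolv.conf" 2>/dev/null; then
        echo "bad: no numeric nameserver in $jail/etc/resolv.conf"; bad=$((bad+1))
    fi

    # Symlinks resolve relative to the new root once chrooted, so a link to
    # the real /lib is dangling at best.
    for f in $(find "$jail" -type l); do
        echo "bad: symlink inside jail: $f"; bad=$((bad+1))
    done

    # A pound-writable jail lets a compromised process plant files for later.
    for f in $(find "$jail" -perm /022); do
        echo "bad: group/other writable: $f"; bad=$((bad+1))
    done

    [ -f "$jail/lib/libgcc_s.so.1" ] || { echo "bad: lib/libgcc_s.so.1 missing"; bad=$((bad+1)); }
    [ -c "$jail/dev/random" ] || { echo "bad: dev/random missing (mknod as root)"; bad=$((bad+1)); }
    return $bad
}
```

Typical use on the server is `build_pound_jail /var/pound 10.0.0.53 && check_pound_jail /var/pound` as root, before the first `/etc/init.d/pound start`; rerun the check after any package update that replaces libgcc_s.so.1, since the copy in the jail does not follow the system library.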


Pound HTTPS Configuration

The following steps will guide you through the generation of a self-signed certificate for your ]project-open[ server.

During the process you will create:

  • server.key: This is the server's RSA private key. Whoever holds this file can impersonate your server, so it must never leave the machine. Use 2048 bits; 1024-bit keys are no longer accepted by browsers or Certificate Authorities.
  • server.csr: This is a "Certificate Signing Request" file. You can send this to a Certificate Authority (CA), or sign it yourself.
  • server.crt: This is a "certificate" that certifies that the public half of server.key belongs to you (to your server name).
  • server.pem: This is the file that Pound needs to work correctly. A PEM file is a bundle of the "server.key" private key and the certificate.
  1. Generate an RSA private key for the server:
    openssl genrsa -out server.key 2048
    chmod 600 server.key

  2. Pound runs as a daemon and cannot ask for a passphrase at startup, so the key must be stored unencrypted. The command above already writes it that way; if you created the key with -des3 or -aes256 instead, remove the passphrase first. In either case make sure that nobody except root has access to this file, otherwise the security of your server is at risk:
    cp server.key server.key.org
    openssl rsa -in server.key.org -out server.key
    

  3. Create the Certificate Signing Request file, or CSR:
    openssl req -new -key server.key -out server.csr
    You will have to provide certain information for your CSR. Here are some sample values for ]project-open[:

    Country Name (2 letter code) [GB]: ES
    State or Province Name (full name) [Berkshire]: Catalonia
    Locality Name (eg, city) [Newbury]: Barcelona
    Organization Name (eg, company) [My Company Ltd]: Project Open Business Solutions S.L.
    Organizational Unit Name (eg, section) []:
    Common Name (eg, your name or your server's hostname) []: www.project-open.org
    Email Address []:webmaster@project-open.com
    A challenge password []:
    An optional company name []:

  4. Now you could go to some Certificate Authority on the Web (for example: http://www.instantssl.com/ offered free 90-day certificates at the time of writing) and have your CSR signed there. As a result you will receive a "certificate" file that you save as "server.crt". The CA only needs server.csr; never send server.key anywhere.

  5. As an alternative you can sign the certificate yourself.
    The server.crt certificate will be technically valid. However, browsers will show a security warning when they encounter such a self-signed certificate:
    openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

  6. Verify your certificate. The following command should print the certificate contents (issuer, validity dates, public key) and not an error message:
    openssl x509 -in server.crt -text -noout

  7. Create a PEM file containing the certificate and the private key. Keep it readable by root only; Pound reads it while parsing its configuration at startup, before it drops privileges and enters the root jail, so the pound user never needs access to it:
    openssl x509 -in server.crt -out server.pem
    openssl rsa -in server.key >> server.pem
    mkdir -p /etc/pound
    cp server.pem /etc/pound/
    chmod 600 /etc/pound/server.pem
    
    

  8. Now you can add an HTTPS listener to your pound.cfg configuration file:
    ListenHTTPS
      Address 0.0.0.0
      Port    443
      Cert    "/etc/pound/server.pem"
    End
    Pound 2.6 also accepts "Ciphers" and "Disable SSLv2" / "Disable SSLv3" directives inside a ListenHTTPS block; check the pound(8) manual page of your version and disable the legacy protocols if it supports that.
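Steps 1 to 7 as one script, added here as an example; it is not part of this page or of ]project-open[. make_selfsigned runs the key, CSR, self-signing and PEM steps with a 2048-bit key and the page's sample subject values, and verify_pem performs the check a practitioner wants before restarting Pound: that the bundle contains a certificate and a private key whose moduli match, and that the certificate has not expired. The function names, the DIR and CN arguments and the sample host names are assumptions; a CA-issued certificate can replace the self-signed server.crt and the same verify_pem applies.

```shell
#!/bin/sh
# Added example, not part of the ]project-open[ page: the key/CSR/certificate/
# PEM steps above as one script, with 2048-bit RSA (1024-bit keys are rejected
# by current browsers) and a check that the PEM Pound will load really pairs
# the certificate with its private key. Subject values are the page's sample
# values; DIR and CN are arguments.

# make_selfsigned DIR CN [DAYS]: writes server.key, server.csr, server.crt and
# server.pem into DIR. Returns non-zero if any openssl step fails.
make_selfsigned() {
    dir=$1; cn=$2; days=${3:-365}
    mkdir -p "$dir" || return 1
    (
        umask 077                   # key material is never group/world readable
        cd "$dir" || exit 1
        # 1. private key (written unencrypted, so no "remove passphrase" step)
        openssl genrsa -out server.key 2048 2>/dev/null || exit 1
        # 3. CSR; -subj replaces the interactive prompts
        openssl req -new -key server.key -out server.csr \
            -subj "/C=ES/ST=Catalonia/L=Barcelona/O=Project Open Business Solutions S.L./CN=$cn" \
            || exit 1
        # 5. self-sign (a CA-issued server.crt can replace this file)
        openssl x509 -req -days "$days" -in server.csr -signkey server.key \
            -out server.crt 2>/dev/null || exit 1
        # 7. PEM bundle: certificate, then the private key
        openssl x509 -in server.crt -out server.pem || exit 1
        openssl rsa -in server.key >> server.pem 2>/dev/null || exit 1
    )
}

# verify_pem PEM: 0 if the bundle holds a certificate and a private key with
# the same modulus and the certificate is still valid, otherwise 1.
# "openssl rsa" skips the certificate block and finds the key, which is also
# how the server loads the key from a combined file.
verify_pem() {
    pem=$1
    [ -f "$pem" ] || return 1
    cert_mod=$(openssl x509 -in "$pem" -noout -modulus 2>/dev/null) || return 1
    key_mod=$(openssl rsa -in "$pem" -noout -modulus 2>/dev/null) || return 1
    [ -n "$cert_mod" ] && [ "$cert_mod" = "$key_mod" ] || return 1
    # -checkend 0 fails once the notAfter date has passed
    openssl x509 -in "$pem" -noout -checkend 0 >/dev/null 2>&1
}

# pem_subject PEM: the certificate's subject line, for a quick eyeball check
# that the CN is the host name users will type.
pem_subject() {
    openssl x509 -in "$1" -noout -subject 2>/dev/null
}
```

On the server: `make_selfsigned /root/ssl www.example.org && verify_pem /root/ssl/server.pem && cp /root/ssl/server.pem /etc/pound/`. A mismatch (for instance a renewed certificate bundled with last year's key) is the classic reason Pound refuses to start after a certificate change, and verify_pem catches it before the restart.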
    


The new configuration becomes active after restarting Pound (/etc/init.d/pound restart).

You can execute "netstat -nlp" to list all listening sockets. In the upper part you should see something like this:

...
tcp        0      0 0.0.0.0:8000                0.0.0.0:*                   LISTEN      24804/nsd
tcp        0      0 0.0.0.0:80                  0.0.0.0:*                   LISTEN      375/pound
...
tcp        0      0 0.0.0.0:443                 0.0.0.0:*                   LISTEN      375/pound
...
  • 0.0.0.0:8000: This is the AOLserver (nsd) itself, still reachable on every interface (see "Disable Unencrypted Connections" below)
  • 0.0.0.0:80: This is Pound listening for unencrypted HTTP connections
  • 0.0.0.0:443: This is the Pound HTTPS listener

Pound will write any errors into /var/log/messages.

Configuring ]project-open[ for Pound HTTPS

If you implement HTTPS via Pound, ]project-open[ will need a special parameter in order to deal correctly with "redirects". This is necessary because ]project-open[ receives connections from Pound on a normal HTTP port, not HTTPS, so by default ]po[ would build redirect URLs with "http://" and the HTTP port, sending the user (and the session cookie) back over an unencrypted connection.

To deal with this issue, please go to Admin -> Parameters -> intranet-core and set the parameter UtilCurrentLocationRedirect to "https://your.server.com/".

Disable Unencrypted Connections

After going through the steps above, your AOLserver still accepts unencrypted HTTP connections on port 8000 (default) from any host, which bypasses Pound and HTTPS entirely. To disable unencrypted connections, either configure your computer's packet filter ("firewall") to block inbound connections to port 8000 from anything but localhost, or, preferably, tell AOLserver to listen on the loopback interface only by changing the configuration in ~/etc/config.tcl to 'set address "127.0.0.1"' and restarting it. The BackEnd entries in pound.cfg above already point at 127.0.0.1 / localhost, so Pound keeps working.
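A check for the exposure described in this section, added here as an example; it is not part of this page or of ]project-open[. exposed_listeners reads "netstat -nlp" style lines and reports every LISTEN socket bound to a wildcard address (0.0.0.0 or ::) whose program is not on the allow list, so the AOLserver port 8000 shows up until nsd is bound to 127.0.0.1. It goes slightly beyond the page by accepting several allowed programs (Pound plus whatever else is meant to be reachable, such as sshd). The function name is an assumption, and the sample lines are constructed after the page's output rather than captured from a live system.

```shell
#!/bin/sh
# Added example, not part of the ]project-open[ page: audit the output of
# "netstat -nlp" for LISTEN sockets that are reachable from the network
# (bound to 0.0.0.0 or ::) but do not belong to an allowed program. Until
# AOLserver is bound to 127.0.0.1 as described above, its port 8000 is listed.

# exposed_listeners [PROGRAM...]: read netstat-style lines on stdin and print
# "proto local-address pid/program" for every wildcard-bound LISTEN socket
# whose program is not in PROGRAM... (default: pound). Returns 1 if any were
# printed, 0 if the host exposes nothing unexpected.
exposed_listeners() {
    awk -v allowed=" ${*:-pound} " '
        $1 ~ /^tcp6?$/ && $6 == "LISTEN" {
            host = $4; sub(/:[0-9]+$/, "", host)       # "0.0.0.0:8000" -> "0.0.0.0", ":::22" -> "::"
            prog = $7; sub(/^[0-9-]+\//, "", prog)     # "24804/nsd" -> "nsd"; "-" (no permission) stays
            if ((host == "0.0.0.0" || host == "::") && index(allowed, " " prog " ") == 0) {
                print $1, $4, $7
                found = 1
            }
        }
        END { exit (found ? 1 : 0) }
    '
}

# Constructed sample in the format of the page (not a live capture): the host
# right after enabling HTTPS, before AOLserver was moved to 127.0.0.1.
SAMPLE_BEFORE='tcp        0      0 0.0.0.0:8000                0.0.0.0:*                   LISTEN      24804/nsd
tcp        0      0 0.0.0.0:80                  0.0.0.0:*                   LISTEN      375/pound
tcp        0      0 127.0.0.1:5432              0.0.0.0:*                   LISTEN      1120/postgres
tcp        0      0 0.0.0.0:443                 0.0.0.0:*                   LISTEN      375/pound
tcp6       0      0 :::22                       :::*                        LISTEN      980/sshd'

# The same host after 'set address "127.0.0.1"' in config.tcl and an nsd restart.
SAMPLE_AFTER=$(printf '%s\n' "$SAMPLE_BEFORE" | sed 's/0\.0\.0\.0:8000/127\.0\.0\.1:8000/')
```

On a live system run `netstat -nlp | exposed_listeners pound sshd` as root (netstat only shows the pid/program column for your own processes otherwise, and a "-" in that column is reported as exposed, which is the safe default). An empty result is the state to aim for after the config.tcl change.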


This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 2.0 Generic License.