]project-open[ installations under Linux usually include Pound as a "reverse proxy" in order to allow multiple ]po[ instances to run on a single physical server.
This HowTo tutorial explains how to set up Pound for a production system with multiple servers (usually there is one "projop" production server, a "stage" staging server and a "dev" development server) and how to configure HTTPS.
Pound is maintained by http://www.apsis.ch/pound. However, most Linux distributions include Pound as a package ready for installation.
The following instructions refer to CentOS 6.4, but will probably also work on any other Linux system.
The Pound configuration file "pound.cfg" is usually located at /etc/pound.cfg. Here is an example for Pound version 2.6:
# *****************************************************
# /etc/pound/pound.cfg
# *****************************************************
User "pound"
Group "pound"
RootJail "/var/pound"
LogLevel 2

ListenHTTP
    Address 0.0.0.0
    Port 80
End

# "Stage" is running on 8001
Service
    HeadRequire "Host:.*stage.*"
    BackEnd
        Address localhost
        Port 8001
        TimeOut 600
    End
End

# By default show the "projop" production server
Service
    BackEnd
        Address 127.0.0.1
        Port 8000
        TimeOut 600
    End
End
Please note the "RootJail" line in the configuration above. This line tells the Pound daemon process to change the root of its filesystem to /var/pound (instead of "/"). This way, the Pound process will not be able to access the rest of the system in case it should get hacked (which we haven't seen yet in more than 6 years of working with Pound...).
Here is the structure of the /var/pound directory:
# find /var/pound/
/var/pound/
/var/pound/etc
/var/pound/etc/hosts
/var/pound/etc/resolv.conf
/var/pound/dev
/var/pound/dev/random
/var/pound/lib
/var/pound/lib/libgcc_s.so.1

The /dev/random device node inside the jail is created with:

# mknod /var/pound/dev/random c 1 8

and /var/pound/etc/resolv.conf should contain your nameserver:

search localdomain
nameserver <your_nameserver_ip_address>
Please make sure that the entire /var/pound/ tree is owned and writable by root only, but readable for user/group "pound".
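The following script is an added example and not part of the HowTo: it builds the RootJail skeleton listed above in a directory of your choice and then checks the ownership and permission rule just stated (nothing writable by group or others, everything owned by the expected user). The device node and the libgcc_s.so.1 copy need root and the real system paths, so they appear only as comments; the nameserver address and the jail path are parameters.

```shell
#!/bin/sh
# Added example (not from the ]project-open[ HowTo): build and verify a
# Pound RootJail directory.

# make_jail_skeleton <jail_dir> <nameserver_ip>
# Creates etc/, dev/, lib/ and the two files from the "find" listing above.
make_jail_skeleton() {
    jail=$1
    ns=$2
    mkdir -p "$jail/etc" "$jail/dev" "$jail/lib"
    # a minimal /etc/hosts is enough for name resolution inside the jail
    printf '127.0.0.1 localhost\n' > "$jail/etc/hosts"
    # resolv.conf as in the HowTo, with the nameserver passed as an argument
    printf 'search localdomain\nnameserver %s\n' "$ns" > "$jail/etc/resolv.conf"
    # As root on the real system you would additionally run:
    #   mknod "$jail/dev/random" c 1 8
    #   cp /lib64/libgcc_s.so.1 "$jail/lib/"    # library path varies by distribution
    # explicit modes so a permissive umask cannot leave anything group-writable
    chmod 755 "$jail" "$jail/etc" "$jail/dev" "$jail/lib"
    chmod 644 "$jail/etc/hosts" "$jail/etc/resolv.conf"
}

# check_jail <jail_dir> <expected_owner>
# Prints every entry that is group- or world-writable or not owned by
# <expected_owner> (root on a production system) and returns 1 if any exists.
check_jail() {
    jail=$1
    owner=$2
    bad=$(find "$jail" \( -perm -g+w -o -perm -o+w -o ! -user "$owner" \) -print)
    if [ -n "$bad" ]; then
        printf 'insecure jail entries:\n%s\n' "$bad"
        return 1
    fi
    return 0
}
```

On a real server you would call make_jail_skeleton /var/pound <nameserver_ip> as root and then check_jail /var/pound root; the check is also worth re-running after package upgrades, since a writable file inside the jail would give a compromised Pound process a foothold the jail is meant to deny.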
Now you can start Pound via /etc/init.d/pound start.
Pound normally writes error messages via syslog to /var/log/messages, even when it is running in a root jail, so please watch this file for any additional error messages.
The following steps will guide you through the generation of a self-signed certificate for your ]project-open[ server.
During the process you will create:
# Note: 1024-bit RSA keys are considered too weak today; use at least 2048 bits for a new key.
openssl genrsa -out server.key 1024
cp server.key server.key.org
openssl rsa -in server.key.org -out server.key
openssl req -new -key server.key -out server.csr

You will have to provide certain information for your CSR. Here are some sample values for ]project-open[:
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
openssl x509 -in server.crt -text
Create a PEM file:
openssl x509 -in server.crt -out server.pem
openssl rsa -in server.key >> server.pem
mkdir /etc/pound
cp server.pem /etc/pound/
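The script below is an added example, not part of the HowTo: it runs the certificate steps above non-interactively and then verifies the result before it is handed to Pound, which is the check you want before a restart. It assumes openssl is on the PATH, uses placeholder subject values, and deliberately generates a 2048-bit key instead of the 1024 bits shown above, since 1024-bit RSA is no longer considered adequate.

```shell
#!/bin/sh
# Added example (not from the ]project-open[ HowTo): create and verify the
# self-signed server.pem that Pound's Cert directive expects.

# make_selfsigned <work_dir> <common_name> [<days>]
# Produces server.key, server.csr, server.crt and server.pem in <work_dir>.
make_selfsigned() {
    d=$1
    cn=$2
    days=${3:-365}
    mkdir -p "$d"
    # 1. private key; genrsa writes it unencrypted, so there is no passphrase to strip
    openssl genrsa -out "$d/server.key" 2048 2>/dev/null
    # 2. signing request; -subj replaces the interactive questions
    #    (placeholder subject values, adjust them for your organization)
    openssl req -new -key "$d/server.key" -out "$d/server.csr" \
        -subj "/C=ES/ST=Barcelona/L=Barcelona/O=Example Org/CN=$cn"
    # 3. self-sign the request for <days> days
    openssl x509 -req -days "$days" -in "$d/server.csr" \
        -signkey "$d/server.key" -out "$d/server.crt" 2>/dev/null
    # 4. combined PEM, certificate first and then the key, as in the HowTo
    openssl x509 -in "$d/server.crt" -out "$d/server.pem"
    openssl rsa -in "$d/server.key" >> "$d/server.pem" 2>/dev/null
    # the PEM contains the private key: readable by its owner only
    chmod 600 "$d/server.pem" "$d/server.key"
}

# check_selfsigned <work_dir> <common_name>
# Returns 0 when the key matches the certificate, the certificate carries the
# expected CN and is valid for at least another day, and server.pem holds both parts.
check_selfsigned() {
    d=$1
    cn=$2
    # a certificate and a key belong together exactly when their RSA moduli are equal
    cert_mod=$(openssl x509 -noout -modulus -in "$d/server.crt")
    key_mod=$(openssl rsa -noout -modulus -in "$d/server.key" 2>/dev/null)
    [ -n "$cert_mod" ] && [ "$cert_mod" = "$key_mod" ] \
        || { echo "key does not match certificate"; return 1; }
    openssl x509 -noout -subject -in "$d/server.crt" | grep -q "CN *= *$cn" \
        || { echo "unexpected certificate subject"; return 1; }
    # -checkend N fails when the certificate expires within N seconds
    openssl x509 -noout -checkend 86400 -in "$d/server.crt" >/dev/null \
        || { echo "certificate expired or about to expire"; return 1; }
    grep -q 'BEGIN CERTIFICATE' "$d/server.pem" && grep -q 'PRIVATE KEY' "$d/server.pem" \
        || { echo "server.pem is incomplete"; return 1; }
    return 0
}
```

Usage: make_selfsigned ./certs your.server.com 365 followed by check_selfsigned ./certs your.server.com; only copy server.pem to /etc/pound/ when the check passes. The modulus comparison is the same test you would use to diagnose Pound refusing to start after a certificate was renewed but the old key was left in place.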
Then add a ListenHTTPS section to pound.cfg that points to the PEM file:

ListenHTTPS
    Address 0.0.0.0
    Port 443
    Cert "/etc/pound/server.pem"
End
The new configuration will become active after restarting Pound (/etc/init.d/pound restart).
You can execute "netstat -nlp" to list all network connections. In the upper part you should see something like this:
...
tcp        0      0 0.0.0.0:8000            0.0.0.0:*               LISTEN      24804/nsd
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      375/pound
...
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      375/pound
...
Pound will write any errors into /var/log/messages.
If you implement HTTPS via Pound, ]project-open[ will need a special parameter in order to deal correctly with "redirects". This is necessary because ]project-open[ receives connections from Pound on a normal HTTP port, instead of HTTPS. So ]po[ will by default use the HTTP port when redirecting a user.
To deal with this issue, please go to Admin -> Parameters -> intranet-core and change the parameter UtilCurrentLocationRedirect to "https://your.server.com/".
After going through the steps above, your AOLserver still accepts unencrypted HTTP connections on port 8000 (default). To disable unencrypted connections please configure your computer's package filter ("firewall") to filter port 8000, or tell AOLserver to listen on a local connection only by modifying the configuration in ~/etc/config.tcl to: 'set address "127.0.0.1"'.
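As an added example (not part of the HowTo), the script below turns the "netstat -nlp" check from above and the port 8000 warning in this paragraph into a small test: it reads a netstat listing and reports every TCP listener bound to all interfaces whose port is not in an allow-list, so an AOLserver still reachable on 0.0.0.0:8000 after the HTTPS setup shows up immediately. The sample listing is constructed from the output shown above, with an extra PostgreSQL line bound to 127.0.0.1 to show a correctly restricted service; the allow-list defaults to Pound's 80 and 443.

```shell
#!/bin/sh
# Added example (not from the ]project-open[ HowTo): flag backend ports that
# are exposed on all interfaces. Constructed sample, modelled on the listing
# in the HowTo.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:8000            0.0.0.0:*               LISTEN      24804/nsd
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      375/pound
tcp        0      0 127.0.0.1:5432          0.0.0.0:*               LISTEN      2291/postgres
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      375/pound'

# exposed_listeners [allowed_ports]
# Reads netstat -nlp output on stdin and prints "port program" for every TCP
# listener bound to all interfaces (0.0.0.0 or ::) whose port is not in the
# space-separated allow-list (default "80 443"). Returns 1 if anything was printed.
exposed_listeners() {
    allowed=${1:-"80 443"}
    found=$(awk -v allowed="$allowed" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            addr = $4
            port = addr; sub(/.*:/, "", port)              # text after the last colon
            host = substr(addr, 1, length(addr) - length(port) - 1)
            if ((host == "0.0.0.0" || host == "::") && !(port in ok))
                print port, $7
        }')
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# Stand-alone run against the constructed sample (prints "8000 24804/nsd");
# on a live server use:  netstat -nlp | exposed_listeners
printf '%s\n' "$SAMPLE_NETSTAT" | exposed_listeners \
    || echo "exposed backend ports: bind them to 127.0.0.1 or filter them"
```

The sample reproduces the situation described in this paragraph: Pound's 80 and 443 are expected on 0.0.0.0, while the nsd listener on 8000 is reported, which is the cue to set address "127.0.0.1" in config.tcl or to filter the port. Ports you intentionally expose can be passed as the allow-list argument.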
Calle Aprestadora 19, 12o-2a
08902 Hospitalet de Llobregat (Barcelona)
Spain
Tel Europe: +34 609 953 751
Tel US: +1 415 200 2465
Mail: info@project-open.com