HTTPS proxy for Merecat httpd
This is a HTTPS proxy HowTo for Merecat httpd using pound and OpenSSL.
Pound is a reverse proxy, load balancer, and HTTPS front-end for Web servers. It is available in Debian/Ubuntu and is very simple to set up:
First install the package, including OpenSSL, or LibreSSL:
sudo apt install pound openssl
Use OpenSSL to create a self-signed certificate:
mkdir ~/certs
cd ~/certs
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes
cat cert.pem key.pem > bundle.pem
Now, we move to the Merecat directory from the previous blog post and start it on port 8080:
cd ~/merecat
./src/merecat -p 8080 www/
Now, edit the default /etc/pound/pound.cfg
to include the following:
ListenHTTPS
Address 0.0.0.0
Port 443
AddHeader "X-Forwarded-Proto: https"
AddHeader "X-Forwarded-Port: 80"
HeadRemove "X-Forwarded-Proto"
HeadRemove "X-Forwarded-For"
Cert "/home/jocke/certs/bundle.pem"
# This is the address and TCP port where Merecat httpd runs
Service
BackEnd
Address 127.0.0.1
Port 8080
End
End
End
We make sure to remove any existing X-Forwarded-For
header to prevent
any malicious client from injecting them beforehand. Then enable pound
by editing /etc/default/pound
startup=1
And start the service
sudo /etc/init.d/pound restart
Your service is now available over HTTPS. Try it with curl, which needs
to be called with -k
to skip certificate validation:
curl -ki https://localhost/~jocke/
HTTP/1.0 200 OK
testing stderr
Content-Type: text/html;charset=utf-8
<html>
<head><title>Hej</title></head>
<body>
<p>Hello, HTTP SPOKEN HERE</p>
</body></html>
All done. Good Luck!