Pound is a very lightweight reverse proxy that can also act as an SSL endpoint. This means it accepts the encrypted (HTTPS) traffic, decrypts it, and forwards the plain HTTP request to the webserver at the backend, which offloads the TLS work from the webserver itself.
Here's how to do both (terminate SSL on Pound and auto-renew a Let's Encrypt certificate for it), starting from a configuration snippet for /etc/pound/pound.cfg :
=========
ListenHTTPS
    Address 0.0.0.0
    Port 443
    ### tell the backend the original request came in over HTTPS
    AddHeader "X-Forwarded-Proto: https"
    ### strip any client-supplied copies first, so a client cannot spoof them
    HeadRemove "X-Forwarded-Proto"
    HeadRemove "X-Forwarded-For"
    ### one file holding the private key followed by the certificate (see the script below)
    Cert "/etc/letsencrypt/live/mywebsite.com/mywebsite.pem"
    ### avoid the POODLE attack
    Disable SSLv3
    Disable SSLv2
    ### hardening SSL with strong ciphers, disabling weak ones
    Ciphers "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:EDH+aRSA:-RC4:EECDH+aRSA+RC4:EECDH+RC4:EDH+aRSA+RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:RC4+SHA"
    SSLAllowClientRenegotiation 0
    SSLHonorCipherOrder 1
End
=========
That config should score (at least an) A on Qualys SSL Labs' test: https://www.ssllabs.com/ssltest/
Here's the script to do the auto-renewal. Don't forget to set up the cronjob so it runs twice every day, at off-peak times:
=========
#!/bin/bash
set -e
# renew certificate (certbot only re-issues it when it is close to expiry)
/root/tools/certbot/certbot-auto renew
# merge private key with certificate into one file, which is the form
# Pound's Cert directive expects. cert.pem is the leaf certificate only;
# use fullchain.pem here if clients report an incomplete chain
LIVE=/etc/letsencrypt/live/mywebsite.com
cp $LIVE/privkey.pem $LIVE/mywebsite.pem
cat $LIVE/cert.pem >> $LIVE/mywebsite.pem
# the merged file holds the private key, keep it readable by root only
chmod 600 $LIVE/mywebsite.pem
# restart Pound so it loads the new certificate
/etc/init.d/pound restart
=========
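The script above restarts Pound on every run and will happily install a half-written file if the renewal fails midway. The version below is an added example (not the post's own script) that keeps the same layout and paths as assumptions: it rebuilds the combined key+certificate file through a temporary file, refuses to replace the live one unless the result actually contains a private key and a certificate, and only restarts Pound when cert.pem is newer than the merged file.

```shell
#!/bin/bash
# Added example: safer variant of the renewal script from the post.
# All paths are assumptions that mirror the post's configuration.
set -eu

LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live/mywebsite.com}"   # assumed, from the post
POUND_PEM="${POUND_PEM:-$LIVE_DIR/mywebsite.pem}"             # file named in the Cert line
POUND_INIT="${POUND_INIT:-/etc/init.d/pound}"                 # assumed init script
CERTBOT="${CERTBOT:-/root/tools/certbot/certbot-auto}"        # assumed, from the post

# merge_pound_pem KEY CERT OUT
# Writes KEY followed by CERT into OUT with mode 0600. The result is built in a
# temporary file in the same directory and moved into place atomically, so Pound
# never reads a partially written file. Fails, leaving OUT untouched, when either
# input is missing or empty, or when the merged result lacks a PRIVATE KEY or a
# CERTIFICATE block.
merge_pound_pem() {
    mp_key="$1"; mp_cert="$2"; mp_out="$3"
    [ -s "$mp_key" ] && [ -s "$mp_cert" ] || return 1
    # mktemp creates the file with mode 0600 already
    mp_tmp="$(mktemp "$(dirname "$mp_out")/.pound.XXXXXX")"
    cat "$mp_key" "$mp_cert" > "$mp_tmp"
    if grep -q 'PRIVATE KEY' "$mp_tmp" && grep -q 'BEGIN CERTIFICATE' "$mp_tmp"; then
        chmod 600 "$mp_tmp"
        mv -f "$mp_tmp" "$mp_out"
    else
        rm -f "$mp_tmp"
        return 1
    fi
}

# cert_changed CERT PEM
# Succeeds when PEM does not exist yet or CERT is newer than PEM, i.e. when
# certbot has written a fresh certificate since the last merge.
cert_changed() {
    [ ! -e "$2" ] || [ "$1" -nt "$2" ]
}

main() {
    "$CERTBOT" renew
    if cert_changed "$LIVE_DIR/cert.pem" "$POUND_PEM"; then
        # use fullchain.pem instead of cert.pem if clients need the intermediate chain
        merge_pound_pem "$LIVE_DIR/privkey.pem" "$LIVE_DIR/cert.pem" "$POUND_PEM"
        "$POUND_INIT" restart
    fi
}

# run the full renewal only when invoked as: ./renew-pound.sh run
if [ "${1:-}" = "run" ]; then
    main
fi
```

Because Pound is restarted only when the certificate really changed, the cron job can run twice a day without interrupting connections on the other runs. If your certbot is recent enough, the merge-and-restart part can also be attached directly with certbot's `--deploy-hook` option so it only fires after a successful renewal.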
Have fun with these!
Credits:
(1) Eko Juniarto for suggesting to restart Pound after the renewal process.
(2) Fahri Reza for informing me that Let's Encrypt advocates running auto-renewal not once but twice a day, e.g. in case of an emergency revocation.
Mas Harry, I've made a simple bash script to renew Let's Encrypt SSL without using Pound.
Please take a look at my GitHub. It still needs improvement.
In my case, my client uses Pound 🙂 so I need to factor that in :)… thanks
Excellent information. SSL is a ranking factor. Good work.
Thank you for the information, it is very useful.