Pound is a very lightweight reverse proxy that can also act as an SSL endpoint: it accepts the encrypted (HTTPS) traffic, decrypts it, and forwards the plain request to the webserver at the backend. This is quite helpful for offloading the TLS work from the webserver.
Here's how to do both (run Pound as the SSL endpoint and auto-renew the Let's Encrypt SSL certificate on it), starting from a configuration snippet for /etc/pound/pound.cfg :
AddHeader "X-Forwarded-Proto: https"
### avoid the POODLE attack
### harden SSL with strong ciphers, disabling weak ones
That config should score (at least) an A on Qualys SSL Labs' test: https://www.ssllabs.com/ssltest/
Here's the script that does the auto-renewal; don't forget to set up a cron job so it runs twice every day, at off-peak times:
# renew certificate
# merge private key with certificate
# to make it readable by Pound
# restart Pound
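As an added example (not the original post's script), here is a POSIX shell version of those three steps. It assumes certbot with its default /etc/letsencrypt/live layout, a placeholder domain example.com, the Pound PEM path /etc/pound/example.com.pem (the path given to Cert in pound.cfg) and a service named pound; adjust those to your setup.

```shell
#!/bin/sh
# Added example, not the original post's script. Save as
# /usr/local/sbin/pound-renew.sh and run it twice a day from cron.
# Assumed placeholders: domain example.com, certbot's default
# /etc/letsencrypt/live layout, Pound PEM at /etc/pound/example.com.pem,
# and a service named "pound".
set -eu

DOMAIN="${DOMAIN:-example.com}"
LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live/$DOMAIN}"
POUND_PEM="${POUND_PEM:-/etc/pound/$DOMAIN.pem}"   # the path given to Cert in pound.cfg

# Pound wants one PEM file: private key first, then the certificate chain.
# Build it in a 0600 temp file, refuse to install it if either half is
# missing, and rename it into place so Pound never sees a half-written file.
merge_key_and_cert() {
    key="$1"; chain="$2"; out="$3"
    tmp="$out.tmp.$$"
    ( umask 077; cat "$key" "$chain" > "$tmp" )
    if ! grep -q 'PRIVATE KEY-----' "$tmp" || ! grep -q 'BEGIN CERTIFICATE-----' "$tmp"; then
        rm -f "$tmp"
        return 1
    fi
    mv "$tmp" "$out"
}

# True when the renewed chain is newer than the installed Pound PEM
# (or the Pound PEM does not exist yet), i.e. an install is needed.
needs_install() {
    [ ! -e "$2" ] || [ "$1" -nt "$2" ]
}

main() {
    # 1. renew: certbot only renews certificates close to expiry, so running
    #    twice a day (as Let's Encrypt recommends) is cheap and safe.
    certbot renew --quiet
    # 2. merge private key with certificate so Pound can read it.
    if needs_install "$LIVE_DIR/fullchain.pem" "$POUND_PEM"; then
        merge_key_and_cert "$LIVE_DIR/privkey.pem" "$LIVE_DIR/fullchain.pem" "$POUND_PEM"
        # 3. restart Pound so it picks up the new certificate.
        service pound restart
    fi
}

# Run only when executed as the script (not when sourced for testing).
if [ "${0##*/}" = "pound-renew.sh" ]; then
    main "$@"
fi
```

Because the merge only happens when certbot actually produced a newer chain, the twice-daily cron run does not restart Pound on the days nothing was renewed.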
Have fun with these!
(1) Eko Juniarto, for suggesting that Pound be restarted after the renewal process.
(2) Fahri Reza, for pointing out that Let's Encrypt advocates running auto-renewal not once but twice a day, e.g. in case of an emergency.