How to Make Pound And SSL Play Nice With OS X

Though building sites with SSL is cool and gives your users a sense of security, configuring a webserver with SSL can be a royal pain. Thankfully, there’s pound. Pound “is a reverse proxy, load balancer and HTTPS front-end for Web server(s).”

Pound is dead simple to set up and configure. Unfortunately, the darwin port for pound is old and does not work. So this guide will help you build pound on your own. Besides, everyone feels cooler after compiling that hot fire.

  1. Open terminal.
  2. Install zlib

    mkdir ~/temp
    cd ~/temp
    curl -O http://www.zlib.net/zlib-1.2.3.tar.gz
    tar xzvf zlib-1.2.3.tar.gz
    cd zlib-1.2.3
    ./configure --prefix=/usr/local --shared
    make
    sudo make install

  3. Install openssl

    cd ~/temp  # back to the download directory
    curl -O http://www.openssl.org/source/openssl-0.9.8b.tar.gz
    tar xzvf openssl-0.9.8b.tar.gz
    cd openssl-0.9.8b
    ./config -L/usr/local/lib --openssldir=/usr/local/etc/openssl \
        zlib no-asm no-krb5 shared
    make
    sudo make install

  4. Install Pound 2.0 or greater

    cd ~/temp  # back to the download directory
    curl -O http://www.apsis.ch/pound/Pound-2.0.tgz
    tar xzvf Pound-2.0.tgz
    cd Pound-2.0
    # Strip the "-o bin -g bin" install ownership flags from the Makefile template
    sed "s/-o bin -g bin //g" < Makefile.in > Makefile.in.new
    mv Makefile.in.new Makefile.in  # Hit y to override any restrictions
    ./configure --with-ssl=/usr/local/etc/openssl/ --prefix=/usr/local
    make
    sudo make install

  5. Generate an ssl certificate.

    cd /usr/local/etc

    You can put the next line in ~/.bash_profile if you want openssl available every time you open the terminal.

    export PATH="/usr/local/etc/openssl/bin:$PATH"
    sudo openssl/bin/openssl req -x509 -newkey rsa:1024 -keyout our_cert.pem \
        -out our_cert.pem -days 365 -nodes

    Fill out the required information to generate the ssl certificate. Because -keyout and -out name the same file and -nodes is set, our_cert.pem holds the self-signed certificate together with the unencrypted private key, so keep it readable by root only. 1024-bit RSA keys are no longer considered adequate; on a current system use rsa:2048 or larger.

  6. Create a pound.cfg file.

    cd /usr/local/etc # You should already be here

    This next piece uses a trick called a heredoc. Instead of copying and pasting the command below into the terminal, you could also just paste the text between the EOF markers into /usr/local/etc/pound.cfg.

    cat > ~/tmp_file <<EOF
    ListenHTTP
      Address 0.0.0.0
      Port    80
      Service
        BackEnd
          Address 127.0.0.1
          Port    3000
        End
      End
    End
    
    ListenHTTPS
      Address 0.0.0.0
      Port    443
      Cert    "/usr/local/etc/our_cert.pem"
      # pass along https hint
      AddHeader "X-Forwarded-Proto: https"
      HeadRemove "X-Forwarded-Proto"
      Service
        BackEnd
          Address 127.0.0.1
          Port    3000
        End
      End
    End
    EOF
    sudo mv ~/tmp_file ./pound.cfg

  7. Make sure that pound works.

    pound -v -c

    You should see “Config file /usr/local/etc/pound.cfg is OK”.
    If not, make sure that you copied your config file correctly,
    using ‘cat pound.cfg’ to view what is in the file.

  8. Turn off apache (assuming it’s running).

    sudo apachectl stop

  9. Turn on pound.

    sudo pound -v

  10. Start mongrel/webrick/lighty.

    cd ~/work/my_killer_app
    mongrel_rails start # Or ruby script/server (if you're still on lighty/webrick)

  11. Marvel at your wondrous creation by pointing your browser to http://localhost/ or https://localhost/
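
In the pound.cfg above, the ListenHTTPS block strips the client's copy of X-Forwarded-Proto before adding its own, but the ListenHTTP block has no HeadRemove, so a value sent by a client over plain HTTP reaches the backend unchanged. The script below is an added example, not part of the original post, that audits a pound.cfg for this; `sample_cfg` and `audit_pound_cfg` are hypothetical names, and the sample input is a constructed, trimmed copy of the two listeners.

```shell
# Constructed sample: trimmed copy of the two listeners from the pound.cfg above.
sample_cfg() { cat <<'EOF'
ListenHTTP
  Port    80
  Service
    BackEnd
      Address 127.0.0.1
      Port    3000
    End
  End
End
ListenHTTPS
  Port    443
  # pass along https hint
  AddHeader "X-Forwarded-Proto: https"
  HeadRemove "X-Forwarded-Proto"
  Service
    BackEnd
      Address 127.0.0.1
      Port    3000
    End
  End
End
EOF
}
# Reads a pound.cfg on stdin; prints "<listener>:<port> ok|missing-headremove".
# Assumption: only a HeadRemove naming X-Forwarded-Proto literally is counted.
audit_pound_cfg() {
    awk '
    { sub(/#.*/, ""); key = tolower($1) }        # strip comments
    key == "" { next }                           # blank or comment-only line
    key == "listenhttp" || key == "listenhttps" {
        kind = $1; port = "?"; strips = 0; depth = 1; next
    }
    depth == 0 { next }                          # outside any listener
    key ~ /^(service|backend|emergency|session)$/ { depth++; next }
    key == "end" {
        if (--depth == 0) {                      # listener closed: report it
            bad += !strips
            print kind ":" port, (strips ? "ok" : "missing-headremove")
        }
        next
    }
    depth == 1 && key == "port" { port = $2 }    # listener port, not backend port
    depth == 1 && key == "headremove" && tolower($0) ~ /x-forwarded-proto/ { strips = 1 }
    END { exit (bad > 0) }                       # non-zero if any listener is flagged
    '
}
sample_cfg | audit_pound_cfg || echo "fix: add HeadRemove to the flagged listener"
```

Adding `HeadRemove "X-Forwarded-Proto"` to the flagged listener makes the audit report `ok` for it and exit 0.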

TODO (feel free to do these and post how to do them in the comments):

  • Make pound start when the computer loads.
  • Use darwin ports to install zlib and openssl, but not pound.

5 Comments »

  1. Serving Rails with lighttpd, pound and mongrel said,

    July 8, 2006 @ 2:36 pm

    [...] First time round I thought I’d be cool and install Pound 2.0.3. Don’t do this, it seems a bit broken. I followed this: How to Make Pound And SSL Play Nice With OS X (watch out for a few typos if you’re cuttin’n'pasting commands) [...]

  2. Administrator said,

    July 9, 2006 @ 8:44 pm

    Made a few fixes thanks to Matt Pelletier (bricologe in irc). Should be a little better for copying and pasting commands now.

  3. Part3. Lighttpd, Pound and Mongrel with Rails said,

    August 10, 2006 @ 6:27 am

    [...] Follow the instructions here, make sure zLib and openSSL are installed first, then install Pound. If (during build/compiling) you experience errors (as I did) relating to libssl and/or libcrypto libraries not being present – then you will also need to install libssl-dev. Then try making and installing zLib/openSSL again. On Debian this would be; [...]

  4. gbalaji said,

    November 6, 2006 @ 2:31 am

    I get the following error when I start the pound,

    HTTP socket bind 0.0.0.0:80: Permission denied – aborted

  5. Ben said,

    January 18, 2007 @ 12:48 pm

    I tried this using Pound-2.2.2 on OS X 10.4.8. The command line for ‘make install’ looks for a -D flag, which my version in /usr/bin/install does not have. My version of install on Linux does have it. Anyway, I just copied the pound and poundctl binaries manually and things all seem ok.
