How to Make Pound And SSL Play Nice With OS X
Though building sites with ssl is cool and gives your users a sense of security, configuring a webserver with ssl can be a royal pain. Thankfully, there’s pound. Pound “is a reverse proxy, load balancer and HTTPS front-end for Web server(s).”
Pound is dead simple to set up and configure. Unfortunately, the darwin port for pound is old and does not work. So this guide will help you build pound on your own. Besides, everyone feels cooler after compiling that hot fire.
- Open terminal.
- Install zlib
- Install openssl
- Install Pound 2.0 or greater
- Generate an ssl certificate.
- Create a pound.cfg file.
- Make sure that pound works.
- Turn off apache (assuming it’s running).
- Turn on pound.
- Start mongrel/webrick/lighty.
- Marvel at your wondrous creation by pointing your browser to http://localhost/ or https://localhost/
mkdir -p ~/temp
cd ~/temp # build everything in the scratch directory
curl -O http://www.zlib.net/zlib-1.2.3.tar.gz
tar xzvf zlib-1.2.3.tar.gz
cd zlib-1.2.3
./configure --prefix=/usr/local --shared
make
sudo make install
cd ~/temp # back to the scratch directory
curl -O http://www.openssl.org/source/openssl-0.9.8b.tar.gz
tar xzvf openssl-0.9.8b.tar.gz
cd openssl-0.9.8b
./config -L/usr/local/lib --openssldir=/usr/local/etc/openssl \
zlib no-asm no-krb5 shared
make
sudo make install
cd ~/temp # back to the scratch directory
curl -O http://www.apsis.ch/pound/Pound-2.0.tgz
tar xzvf Pound-2.0.tgz
cd Pound-2.0
sed "s/-o bin -g bin //g" < Makefile.in > Makefile.in.new
mv Makefile.in.new Makefile.in # Hit y to override any restrictions
./configure --with-ssl=/usr/local/etc/openssl/ --prefix=/usr/local
make
sudo make install
cd /usr/local/etc
You can put the next line in ~/.bash_profile if you want openssl available every time you open the terminal.
export PATH="/usr/local/etc/openssl/bin:$PATH"
sudo openssl/bin/openssl req -x509 -newkey rsa:1024 -keyout our_cert.pem \
-out our_cert.pem -days 365 -nodes
Fill out the required information to generate the ssl certificate.
cd /usr/local/etc # You should already be here
This next piece uses a trick called a heredoc. Instead of copying and pasting the command below into terminal, you could also just copy and paste the text between the EOF markers into /usr/local/etc/pound.cfg.
cat > ~/tmp_file <<EOF
ListenHTTP
  Address 0.0.0.0
  Port 80
  Service
    BackEnd
      Address 127.0.0.1
      Port 3000
    End
  End
End
ListenHTTPS
  Address 0.0.0.0
  Port 443
  Cert "/usr/local/etc/our_cert.pem"
  # pass along https hint
  AddHeader "X-Forwarded-Proto: https"
  HeadRemove "X-Forwarded-Proto"
  Service
    BackEnd
      Address 127.0.0.1
      Port 3000
    End
  End
End
EOF
sudo mv ~/tmp_file ./pound.cfg
pound -v -c
You should see: Config file /usr/local/etc/pound.cfg is OK.
If not, make sure that you copied your config file correctly, using ‘cat pound.cfg’ to view what is in the file.
sudo apachectl stop
sudo pound -v
cd ~/work/my_killer_app
mongrel_rails start # Or ruby script/server (if you're still on lighty/webrick)
TODO (feel free to do these and post how to do them in the comments):
- Make pound start when the computer loads.
- Use darwin ports to install zlib and openssl, but not pound.
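In the pound.cfg above only the ListenHTTPS block has a HeadRemove for X-Forwarded-Proto, so a copy of that header sent by a client over plain HTTP on port 80 reaches the backend unchanged. The script below is an added example, not part of the original post: it flags listener blocks with no such HeadRemove. The function names are made up here, only a literal mention of the header is recognised, and the Emergency and Session block keywords are assumed from later Pound versions.

```sh
# audit_pound_cfg [FILE]: print "<listener>:<line>:<verdict>" per listener block;
# exit status 1 if any listener lacks a HeadRemove naming X-Forwarded-Proto.
audit_pound_cfg() {
    awk '
    function report() {
        printf "%s:%d:%s\n", kind, start, (stripped ? "ok" : "passes-client-header")
        if (!stripped) bad = 1
    }
    { sub(/#.*/, ""); sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, ""); key = tolower($1) }
    depth == 0 && (key == "listenhttp" || key == "listenhttps") {
        kind = $1; start = NR; depth = 1; stripped = 0; next
    }
    depth == 0 { next }   # global directives and top-level Service blocks
    key ~ /^(service|backend|emergency|session)$/ { depth++; next }
    key == "end" { if (--depth == 0) report(); next }
    depth == 1 && key == "headremove" && tolower($0) ~ /x-forwarded-proto/ { stripped = 1 }
    END { exit bad + 0 }
    ' "$@"
}

# Constructed sample input: the two listeners from the pound.cfg in the post.
sample_pound_cfg() {
    cat <<'EOF'
ListenHTTP
Address 0.0.0.0
Port 80
Service
BackEnd
Address 127.0.0.1
Port 3000
End
End
End
ListenHTTPS
Address 0.0.0.0
Port 443
Cert "/usr/local/etc/our_cert.pem"
AddHeader "X-Forwarded-Proto: https"
HeadRemove "X-Forwarded-Proto"
Service
BackEnd
Address 127.0.0.1
Port 3000
End
End
End
EOF
}
sample_pound_cfg | audit_pound_cfg || echo "add HeadRemove to the listeners flagged above"
```

Run it against the real file with `audit_pound_cfg /usr/local/etc/pound.cfg`; copying the HeadRemove line into the ListenHTTP block makes both listeners report ok.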
Serving Rails with lighttpd, pound and mongrel said,
July 8, 2006 @ 2:36 pm
[...] First time round I thought I’d be cool and install Pound 2.0.3. Don’t do this, it seems a bit broken. I followed this: How to Make Pound And SSL Play Nice With OS X (watch out for a few typos if you’re cuttin’n'pasting commands) [...]
Administrator said,
July 9, 2006 @ 8:44 pm
Made a few fixes thanks to Matt Pelletier (bricologe in irc). Should be a little better for copying and pasting commands now.
Part3. Lighttpd, Pound and Mongrel with Rails said,
August 10, 2006 @ 6:27 am
[...] Follow the instructions here, make sure zLib and openSSL are installed first, then install Pound. If (during build/compiling) you experience errors (as I did) relating to libssl and/or libcrypto libraries not being present – then you will also need to install libssl-dev. Then try making and installing zLib/openSSL again. On Debian this would be; [...]
gbalaji said,
November 6, 2006 @ 2:31 am
I get the following error when I start the pound,
HTTP socket bind 0.0.0.0:80: Permission denied – aborted
Ben said,
January 18, 2007 @ 12:48 pm
I tried this using Pound-2.2.2 on OS X 10.4.8. The command line for ‘make install’ looks for a -D flag, which my version in /usr/bin/install does not have. My version of install on Linux does have it. Anyway, I just copied the pound and poundctl binaries manually and things all seem ok.