Though building sites with SSL is cool and gives your users a sense of security, configuring a web server with SSL can be a royal pain. Thankfully, there’s pound. Pound “is a reverse proxy, load balancer and HTTPS front-end for Web server(s).”
Pound is dead simple to set up and configure. Unfortunately, the darwin port for pound is old and does not work, so this guide will help you build pound on your own. Besides, everyone feels cooler after compiling that hot fire.
- Open terminal.
- Install zlib
- Install openssl
- Install Pound 2.0 or greater
- Generate an ssl certificate.
- Create a pound.cfg file.
- Make sure that pound works.
- Turn off apache (assuming it’s running).
- Turn on pound.
- Start mongrel/webrick/lighty.
- Marvel at your wondrous creation by pointing your browser to http://localhost/ or https://localhost/
```bash
# Install zlib
mkdir ~/temp
cd ~/temp
curl -O http://www.zlib.net/zlib-1.2.3.tar.gz
tar xzvf zlib-1.2.3.tar.gz
cd zlib-1.2.3
./configure --prefix=/usr/local --shared
make
sudo make install
```
```bash
# Install openssl (it ends up under /usr/local/etc/openssl)
cd ~/temp
curl -O http://www.openssl.org/source/openssl-0.9.8b.tar.gz
tar xzvf openssl-0.9.8b.tar.gz
cd openssl-0.9.8b
./config -L/usr/local/lib --openssldir=/usr/local/etc/openssl \
    zlib no-asm no-krb5 shared
make
sudo make install
```
```bash
# Install Pound
cd ~/temp
curl -O http://www.apsis.ch/pound/Pound-2.0.tgz
tar xzvf Pound-2.0.tgz
cd Pound-2.0
# Remove the "-o bin -g bin" owner/group flags from the install commands
sed "s/-o bin -g bin //g" < Makefile.in > Makefile.in.new
mv Makefile.in.new Makefile.in  # Hit y to override any restrictions
./configure --with-ssl=/usr/local/etc/openssl/ --prefix=/usr/local
make
sudo make install
```
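You can put the next line in ~/.bash_profile if you want openssl available every time you open the terminal.

```bash
export PATH="/usr/local/etc/openssl/bin:$PATH"
```

```bash
# The relative openssl path and the Cert path in pound.cfg both assume /usr/local/etc
cd /usr/local/etc
# -nodes leaves the private key unencrypted, in the same file as the certificate.
# rsa:1024 is the key size this guide was written with; current practice is 2048 bits or more.
sudo openssl/bin/openssl req -x509 -newkey rsa:1024 -keyout our_cert.pem \
    -out our_cert.pem -days 365 -nodes
```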
Fill out the required information to generate the ssl certificate.
```bash
cd /usr/local/etc  # You should already be here
```

This next piece uses a trick called a heredoc. Instead of pasting the command below into the terminal, you could also just paste the configuration text into /usr/local/etc/pound.cfg.

```bash
cat > ~/tmp_file <<EOF
ListenHTTP
  Address 0.0.0.0
  Port 80
  Service
    BackEnd
      Address 127.0.0.1
      Port 3000
    End
  End
End
ListenHTTPS
  Address 0.0.0.0
  Port 443
  Cert "/usr/local/etc/our_cert.pem"
  # pass along https hint
  AddHeader "X-Forwarded-Proto: https"
  HeadRemove "X-Forwarded-Proto"
  Service
    BackEnd
      Address 127.0.0.1
      Port 3000
    End
  End
End
EOF
sudo mv ~/tmp_file ./pound.cfg
```
```bash
pound -v -c
```

You should see “Config file /usr/local/etc/pound.cfg is OK”. If not, make sure that you copied your config file correctly, using ‘cat pound.cfg’ to view what is in the file.
```bash
# Turn off apache (assuming it's running)
sudo apachectl stop

# Turn on pound
sudo pound -v

# Start the app server
cd ~/work/my_killer_app
mongrel_rails start  # Or ruby script/server (if you're still on lighty/webrick)
```
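The pound.cfg above removes a client-supplied X-Forwarded-Proto header only on the HTTPS listener, while both listeners feed the same backend on port 3000. As an added example (not part of the original guide), this shell function reports which listeners in a pound.cfg carry that HeadRemove directive; the names lint_xfp and guide_cfg are hypothetical, and the list of nested block keywords is an assumption.

```shell
# Added example, not part of the original guide. lint_xfp prints one line per
# listener, "<listener> <port> ok|missing", for HeadRemove of X-Forwarded-Proto.
lint_xfp() {
    awk '
    { sub(/#.*/, ""); sub(/^[ \t]+/, ""); d = tolower($1) }  # drop comments, indent
    d == "listenhttp" || d == "listenhttps" {
        kind = $1; port = "?"; strip = 0; depth = 1; next
    }
    depth == 0 { next }                       # not inside a listener
    # nested blocks that close with their own End (assumed set)
    d == "service" || d == "backend" || d == "session" || d == "emergency" {
        depth++; next
    }
    depth == 1 && d == "port" { port = $2 }
    depth == 1 && d == "headremove" && tolower($0) ~ /x-forwarded-proto/ { strip = 1 }
    d == "end" && --depth == 0 { print kind, port, (strip ? "ok" : "missing") }
    ' "$@"
}
# The pound.cfg from this guide, reproduced as input.
guide_cfg() {
cat <<'EOF'
ListenHTTP
  Address 0.0.0.0
  Port 80
  Service
    BackEnd
      Address 127.0.0.1
      Port 3000
    End
  End
End
ListenHTTPS
  Address 0.0.0.0
  Port 443
  Cert "/usr/local/etc/our_cert.pem"
  # pass along https hint
  AddHeader "X-Forwarded-Proto: https"
  HeadRemove "X-Forwarded-Proto"
  Service
    BackEnd
      Address 127.0.0.1
      Port 3000
    End
  End
End
EOF
}
guide_cfg | lint_xfp
```

Run it against the real file with `lint_xfp /usr/local/etc/pound.cfg`; a listener reported as missing passes along whatever X-Forwarded-Proto value arrived with the request.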
TODO (feel free to do these and post how to do them in the comments):
- Make pound start when the computer loads.
- Use darwin ports to install zlib and openssl, but not pound.