Pound and Varnish Cache + SSL (Https Port 443) on IIS/Nginx

IIS/Nginx on 443) Port (Https SSL + Cache Varnish and Pound

1. Install and configure Pound

Varnish isn't listening on port 443 and doesn’t handle SSL traffic. 

So if you want an SSL-encrypted web site to be cached with Varnish, 

you need to intercept and decrypt the SSL traffic before it gets passed to Varnish, with a utility like the Pound reverse proxy and load balancer.


Since we only need Pound to decrypt SSL traffic, we’ll set it up to listen on port 443 and pass to Varnish on port 80.


Install pound

$ apt-get install pound


Set Pound to start on system boot (in /etc/default/pound):



Edit your Pound configuration (/etc/pound/pound.cfg):




        Port 443

        Cert "/etc/ssl/private/myserverdomain.pem"

        HeadRemove "X-Forwarded-Proto"

        AddHeader "X-Forwarded-Proto: https"




                        Port 80





The Cert directive points to your web site’s certificate for decrypting SSL traffic, and the “BackEnd” 

points to the address and port where Varnish is listening. 

Thus, SSL traffic goes from 443 (Pound) to (Varnish) to Backend (Nginx or IIS). 

We also add an HTTP header to indicate that we’re forwarding SSL traffic.


Configure varnish

Set up Varnish to listen for HTTP traffic on port 80

DAEMON_OPTS="-a :80 \

             -T localhost:6082 \

             -f /etc/varnish/default.vcl \

             -S /etc/varnish/secret \

             -s malloc,256m"


2. SSL (Https - Port 443)

to get the cert (pem file) for pound you have to do following:

Create Free SSL certificate from StartCom StartSSL

Anyone looking for a free alternative that is accepted without confirmation of the client, should take a look at StartSSL.

This offer with StartCom StartSSL Free to create an SSL certificate for a year, which is entirely free.

You will receive for the top level domain and a subdomain encrypted for free.



First, we need to invest in the somewhat confusing website StartSSL an account.

This we can accomplish in the Control Panel with the button sign up.

Then we need to specify our address, telephone number and email address.


After logging we receive via email a code that we need to specify the page to submit the registration,

to complete this. Then the address data are checked by an employee.

This may take several hours depending on the time of day. When the test is complete and the data has been accepted,

obtained a second e-mail with an activation link that we have to click and, in this another code, which is included in the email



Now we need to Generate Private Key Generate a certificate in the next step, with the browser at StartSSL in

can log created account. The default 2048 bit is fine, so we proceed by clicking Continue and then

can install the certificate.


Having signup now done, we can go in the Control Panel of the Validation Wizard StartSSL tab.

There we select Domain Name Validation and enter the next step, the domain to which we want to create an SSL certificate.

In the third step, we must choose which of the three standard e-mail addresses, a verification code is sent.

Once we receive the code by e-mail, we have to enter the last step on the website of StartSSL.


This is necessary because StartSSL must verify that the domain for which we later create an SSL certificate really belongs to us.



Created account and domain verified. Now all preparatory steps are done and we can to generate an SSL certificate

pass. For this we select the tab Certificates Wizard and there choose the type of SSL certificate that we would like to exhibit.

The steps are exemplary declared a Web server SSL / TLS Certificate, which we need for a Web server IIS or nginx.


First, we have to generate a private key. However, the private key is a key which should not be published,

this is why we should not on the website, but produce itself.


Using Microsoft IIS to Generate CSR and Private Key

How to generate a CSR in Microsoft IIS


  1. Click Start, then Administrative Tools, then Internet Information Services (IIS) Manager.
  2. Click on the server name.
  3. From the center menu, double-click the "Server Certificates" button in the "Security" section (it is near the bottom of the menu). 
  4. Next, from the "Actions" menu (on the right), click on "Create Certificate Request." This will open the Request Certificate wizard.
  5. In the "Distinguished Name Properties" window, enter the information as follows:
  6. Common Name - The name through which the certificate will be accessed (usually the fully-qualified domain name, e.g., www.domain.com or mail.domain.com).
  7. Organization - The legally registered name of your organization/company.
  8. Organizational unit - The name of your department within the organization (frequently this entry will be listed as "IT," "Web Security," or is simply left blank).
  9. City/locality - The city in which your organization is located.
  10. State/province - The state in which your organization is located.
  11. Click Next.
  12. In the "Cryptographic Service Provider Properties" window, leave both settings at their defaults (Microsoft RSA SChannel and 4096) and then click next.
  13. Enter a filename for your CSR file. 
  14. Remember the filename that you choose and the location to which you save it. You will need to open this file as a text file and copy the entire body of it (including the Begin and End Certificate Request tags) into the online order process when prompted


Get Private Key

To get the private key on Microsoft IIS follow these instructions:


  1. From your server, go to Start > Run and enter mmc in the text box. Click on the OK button.
  2. From the Microsoft Management Console (MMC) menu bar, select Console > Add/Remove Snap-in.
  3. Click on the Add button. Select Certificates from the list of snap-ins and then click on the Add button.
  4. Select the Computer account option. Click on the Next button.
  5. Select the Local computer (the computer this console is running on) option. Click on the Finish button.
  6. Click on the Close  button on the snap-in list window. Click on the OK button on the Add/Remove Snap-in window.
  7. Click on Certificates from the left pane. Look for a folder called REQUEST or "Certificate Enrollment Request> Certificates
  8. Select the private key that you wish to backup. Right click on the file and choose > All Tasks > Export 
  9. The certificate export wizard will start, please click  Next  to continue. In the next window select Yes, export the private key and click Next 
  10. Leave the default settings selected and click Next.
  11. Set a password on the private key backup file and click  Next 
  12. Click on Browse and select a location where you want to save the private key Backup file to and then click Next to continue. By default the file will be saved with a .pfx extension. 
  13. Click  Finish, to complete the export process


Convert to RSA Private Key Format

The private key is backed up as a '.pfx' file, which stands for Personal Information Exchange.

To convert it to RSA Private Key format supported by inSync:

1. Download and install latest version of OpenSSL for windows from http://www.slproweb.com/products/Win32OpenSSL.html.

2. Open command prompt, navigate to C:\OpenSSL-Win32\bin>, and run the following commands.

Set OPENSSL_CONF=c:\openssl-win32\bin\openssl.cfg 

openssl pkcs12 -in filename.pfx -nocerts -out key.pem

openssl rsa -in key.pem -out myserver.key

3. The private key will be saved as 'myserver.key'.

4. Carefully protect the private key. Be sure to backup the private key, as there is no means to recover it, should it be lost.


On the website of StartSSL we click Skip and are then prompted to enter the Certificate Request.

To do this we simply copy the contents of .csr in the specified field.



In the next step, we need to select one of the previously verified domains for which we want to create an SSL certificate.

We must now specify a subdomain, which will also be supported by the certificate.

Normally, you should specify www At this point, if the certificate should not be issued for a specific subdomain.

Subsequently, we have to confirm our statements again. Once done, we obtain again in the browser the message that the certificate

was requested and we will be notified via email if this is issued.


Do we have received the email in the Control Panel under Tool Box and then Retrieve Certificate the free SSL certificate

pick up that appears in a text box. We place its contents in a .crt file called from (should be replaced again).


We now have the private key and SSL certificate. Furthermore, we still need the ca.pem and sub.class1.server.ca.pem file StartSSL,

which we can download.



In conclusion, now we need to insert the SSL certificate Path in pound config.


3. Making a .pem File for SSL Certificate Installations

.pem SSL Creation Instructions

Making a .pem with the Private Key and Entire Trust Chain

Open a text editor (such as wordpad) and paste the entire body of each certificate into one text file in the following order:


The Private Key - your_domain_name.key

The Primary Certificate - your_domain_name.crt

The Intermediate Certificate - DigiCertCA.crt

The Root Certificate - TrustedRoot.crt

Make sure to include the beginning and end tags on each certificate. The result should look like this:



(Your Private Key: your_domain_name.key) 



(Your Primary SSL certificate: your_domain_name.crt) 



(Your Intermediate certificate: sub.class1.server.ca.pem) 



(Your Root certificate: ca.pem) 



Save the combined file as your_domain_name.pem. The .pem file is now ready to use.


Don't forget to open 443 Port on your router and on your firewalls.


Done! The free SSL certificate for a domain was issued for one year and is ready for use.

Saving the comment

Add comment

Required Please choose another name

  • Comment
  • Preview