Pound - Reverse Proxy Server
This page describes the installation and configuration of the Pound reverse proxy server. Pound allows an administrator to run two or more web servers behind one router with a single static WAN IP, and to deliver all of the different websites hosted on the servers behind that router.
How it works
- Let us assume your public IP address is 202.54.1.5.
- Pound will run on 202.54.1.5 port 80.
- It will forward all incoming HTTP requests to the internal hosts 192.168.1.5 and 192.168.1.10 on port 80 or 443, based on rules you define, such as domain names, header contents, URL patterns and so on.
- Pound keeps track of associations between clients and back-end servers (sessions and cookies), so a client keeps talking to the same back-end.
Pound Installation
sudo apt-get install pound
Pound Configuration
Edit the Pound configuration file:
sudo nano /etc/pound/pound.cfg
Example Configurations
Filter traffic based on destination DNS name
This configuration is one of the most useful: it delivers the content of the different sites that are virtual-hosted on several servers behind the router, using one WAN IP.
Service
HeadRequire "Host:.*myotherdomain.com.*"
BackEnd
Address 192.168.1.8
Port 80
End
End
Redirect image and CSS requests to a separate server
Another cool trick with Pound is to send all your static content to one server, such as LightHTTPD, while pulling your PHP/database-driven content from Apache. That is easily done with URL matching:
Service
URL "/(images|js|css)/"
BackEnd
Address 192.168.1.80
Port 81 #This is where LightHTTPD is running
End
End
Filter traffic based on headers
Another neat trick is to filter your end-users based on the headers provided by the client. For instance, say your website should only ever be contacted by an actual browser, and you are concerned that people might write programs to pull data from the site. You can add a Service that filters such clients out:
Service
HeadRequire "User-Agent:.*Microsoft URL Control.*"
Redirect "http://www.microsoft.com"
End
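To see which of the three Service blocks above would claim a given request, here is an added Python model of Pound's first-match Service selection (an illustration written for this page, not Pound's own code). The request URLs and header lines are constructed; the model assumes Pound searches each regex unanchored against the request URL and against each full "Name: value" header line, matching HeadRequire case-insensitively. It also shows why the page's unescaped, unanchored Host pattern matches more than intended, and a tightened pattern (a constructed alternative) beside it.

```python
import re

# Services are tried in the order they appear in pound.cfg; the first one
# whose every condition (URL regex plus all HeadRequire regexes) matches wins.
SERVICES = [
    # Filter on destination DNS name (pattern exactly as on this page)
    {"name": "myotherdomain", "url": None,
     "head": [r"Host:.*myotherdomain.com.*"], "target": "192.168.1.8:80"},
    # Static content to the LightHTTPD backend
    {"name": "static", "url": r"/(images|js|css)/",
     "head": [], "target": "192.168.1.80:81"},
    # Scripted client: a Redirect instead of a BackEnd
    {"name": "bots", "url": None,
     "head": [r"User-Agent:.*Microsoft URL Control.*"],
     "target": "redirect http://www.microsoft.com"},
]

def select_service(url, headers, services=SERVICES):
    """Return the target of the first Service whose URL and HeadRequire
    conditions all match, or None when no Service matches (Pound then has
    nowhere to send the request)."""
    for svc in services:
        if svc["url"] and not re.search(svc["url"], url):
            continue
        # every HeadRequire pattern must match at least one header line
        # (assumption: HeadRequire is compiled case-insensitively)
        if all(any(re.search(p, h, re.IGNORECASE) for h in headers)
               for p in svc["head"]):
            return svc["target"]
    return None

# The page's Host pattern leaves "." unescaped and is unanchored, so it also
# matches hosts that merely contain something like "myotherdomainXcom".
# This constructed pattern pins the whole header value instead.
TIGHT_HOST = r"^Host:\s*(www\.)?myotherdomain\.com(:\d+)?$"

def host_matches(pattern, host_line):
    return re.search(pattern, host_line, re.IGNORECASE) is not None

if __name__ == "__main__":
    for url, hdrs in [("/index.php", ["Host: www.myotherdomain.com"]),
                      ("/images/logo.png", ["Host: www.example.com"]),
                      ("/", ["Host: www.example.com",
                             "User-Agent: Microsoft URL Control 6.0"]),
                      ("/", ["Host: myotherdomainXcom.example"])]:
        print(url, hdrs, "->", select_service(url, hdrs))
```

Because Pound stops at the first matching Service, a request for /images/logo.png with a Host of www.myotherdomain.com goes to 192.168.1.8, not to the static server; order the Service blocks accordingly.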
Redirect all HTTP traffic to an SSL url
It's easy to have Pound do browser redirects for you. For instance, if your server farm is going to require SSL connections, you can automatically redirect any non-SSL connection attempt to the proper URL:
ListenHTTP
Address 192.168.1.5
Port 80
Service
Redirect "https://my.example.com/"
End
End
Handle SSL at the proxy
If your server farm will be using SSL, but you have multiple servers on the back end, which makes handling SSL certificates on each of them awkward, you can have Pound do the SSL encryption/decryption where the traffic enters and leaves your LAN, and use plain HTTP requests within your local network:
ListenHTTPS
Address 192.168.1.5
Port 443
Cert "/etc/apache2/ssl/mycertificate.pem"
Service
BackEnd
Address 192.168.1.80
Port 80
End
BackEnd
Address 192.168.1.81
Port 80
End
End
End
Enabling Pound to start
sudo nano /etc/default/pound
Change it from startup=0 to startup=1. Until this is done, Pound will refuse to start.
startup=1
Starting Pound as Daemon Service
sudo /etc/init.d/pound start
Stopping Pound as Daemon Service
sudo /etc/init.d/pound stop
Pound log file
By default Pound logs messages via syslog:
# tail -f /var/log/messages
# grep pound /var/log/messages
What Pound Is
Pound is a reverse proxy: you put it on the server side, in front of your web services, not in front of clients who need to connect to the general Internet. It takes web requests from end-users and distributes them among the several web servers or services you may be running. Pound is also a load balancer, so you can run multiple servers that look to the outside world as if they were just one, allowing you to spread the workload around.
What Pound Is Not
Pound is NOT a caching proxy. By itself it will not speed up your server or network, but there is a lot of flexibility in Pound that will help you overall.
Sample complete configuration file
## Minimal sample pound.cfg
######################################################################
## global options:
User "www-data"
Group "www-data"
#RootJail "/chroot/pound"
## Logging: (goes to syslog by default)
## 0 no logging
## 1 normal
## 2 extended
## 3 Apache-style (common log format)
LogLevel 1
## check backend every X secs:
Alive 30
## use hardware-acceleration card supported by openssl(1):
#SSLEngine ""
######################################################################
## listen, redirect and ... to:
# Here is a more complex example: assume your static images (GIF/JPEG) are to be served from a single back-end 192.168.0.10. In
# addition, 192.168.0.11 is to do the hosting for www.myserver.com with URL-based sessions, and 192.168.0.20 (a 1GHz PIII) and
# 192.168.0.21 (800Mhz Duron) are for all other requests (cookie-based sessions). The logging will be done by the back-end servers.
# The configuration file may look like this:
# Main listening ports
ListenHTTP
Address 202.54.1.10
Port 80
Client 10
End
ListenHTTPS
Address 202.54.1.10
Port 443
Cert "/etc/pound/pound.pem"
Client 20
End
# Image server
Service
URL ".*.(jpg|gif)"
BackEnd
Address 192.168.1.10
Port 80
End
End
# Virtual host www.myserver.com
Service
URL ".*sessid=.*"
HeadRequire "Host:.*www.nixcraft.com.*"
BackEnd
Address 192.168.1.11
Port 80
End
Session
Type PARM
ID "sessid"
TTL 120
End
End
# Everybody else
Service
BackEnd
Address 192.168.1.20
Port 80
Priority 5
End
BackEnd
Address 192.168.1.21
Port 80
Priority 4
End
Session
Type COOKIE
ID "userid"
TTL 180
End
End
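To show how the "Everybody else" Service above actually spreads clients across its two BackEnds, here is an added Python model (an illustration for this page, not Pound's own code). It assumes that a request without a live session is sent to a backend chosen at random with Priority as the weight, and that a client presenting the "userid" cookie is pinned to the backend recorded for that cookie value until TTL seconds pass without a request from it; the addresses and Priority values are the ones from the configuration above.

```python
import random

# address -> Priority, as in the "Everybody else" Service
BACKENDS = {"192.168.1.20:80": 5, "192.168.1.21:80": 4}

class CookieSessionPool:
    def __init__(self, backends, cookie_id="userid", ttl=180, seed=0):
        self.backends = dict(backends)
        self.cookie_id, self.ttl = cookie_id, ttl
        self.rng = random.Random(seed)       # seeded so runs are repeatable
        self.sessions = {}                   # cookie value -> (backend, last_used)

    def pick(self, cookies, now):
        """Return the backend address for a request seen at time `now` (seconds)."""
        key = cookies.get(self.cookie_id)
        if key is not None:
            entry = self.sessions.get(key)
            if entry is not None and now - entry[1] < self.ttl:
                self.sessions[key] = (entry[0], now)   # each use refreshes the TTL
                return entry[0]
        # No live session: weighted choice (assumption), so the Priority 5
        # backend receives about 5/9 of new clients and the Priority 4 one 4/9
        addrs = list(self.backends)
        backend = self.rng.choices(addrs, weights=[self.backends[a] for a in addrs])[0]
        if key is not None:
            self.sessions[key] = (backend, now)      # remember the new session
        return backend

def share_of(pool, backend, requests):
    """Fraction of `requests` cookie-less requests that land on `backend`."""
    hits = sum(pool.pick({}, now=0) == backend for _ in range(requests))
    return hits / requests

if __name__ == "__main__":
    pool = CookieSessionPool(BACKENDS)
    print("share of 192.168.1.20:80:", share_of(pool, "192.168.1.20:80", 9000))
    first = pool.pick({"userid": "abc"}, now=0)
    print("same backend 170 s later:", pool.pick({"userid": "abc"}, now=170) == first)
```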