Pound - Reverse Proxy Server

This page describes the installation and configuration of the Pound reverse proxy server. Pound lets an administrator run two or more web servers behind one router, with a single static WAN IP, and still serve all of the different websites hosted on the servers behind that router.

How it works

  • Let us assume your public IP address is 202.54.1.5.
  • Pound runs on 202.54.1.5, port 80.
  • It forwards every incoming HTTP request to the internal hosts 192.168.1.5 and 192.168.1.10 on port 80 or 443, according to rules you define, such as domain names, header contents, or URL suffixes.
  • Pound keeps track of the association between a client and its back-end server (for example by session parameter or cookie), so a client keeps reaching the same server.


Pound Installation

sudo apt-get install pound

Pound Configuration

Edit the Pound configuration file:

sudo nano /etc/pound/pound.cfg

Example Configurations

Filter traffic based on destination DNS name

This configuration is the most useful one for serving the content of the different sites that are virtually hosted on several servers behind a router with one WAN IP.

Service
     HeadRequire "Host:.*myotherdomain.com.*"
     BackEnd
          Address 192.168.1.8
          Port 80
     End
End

Redirect image and CSS requests to a separate server

Another cool trick with Pound is to send all your static content to one server, such as LightHTTPD, while pulling your PHP and database-driven content from Apache. That is easily done with URL matching:

Service
     URL "/(images|js|css)/"
     BackEnd
          # This is where LightHTTPD is running
          Address 192.168.1.80
          Port    81
     End
End

Filter traffic based on headers

Another neat trick is to filter your end-users based on the headers the client sends. For instance, suppose your website should only ever be contacted by an actual browser and you are concerned that people may write programs to pull data from the site. You can add a Service that filters those clients out:

Service
     HeadRequire "User-Agent:.*Microsoft URL Control.*"
     Redirect "http://www.microsoft.com"
End

Redirect all HTTP traffic to an SSL url

It is easy to have Pound do browser redirects for you. For instance, if your server farm is going to require SSL connections, you can automatically redirect any non-SSL connection attempt to the proper URL:

ListenHTTP
     Address 192.168.1.5
     Port    80
     Service
          Redirect "https://my.example.com/"
     End
End

Handle SSL at the proxy

If your server farm will be using SSL, but you have multiple servers on the back end, which can make handling SSL certificates a bit awkward, you can have Pound do the SSL encryption and decryption at the edge of your LAN and use plain HTTP requests within your local network:

ListenHTTPS
     Address 192.168.1.5
     Port    443
     Cert    "/etc/apache2/ssl/mycertificate.pem"
     Service
           BackEnd
                  Address 192.168.1.80
                  Port 80
           End
           BackEnd
                  Address 192.168.1.81
                  Port 80
           End
     End
End
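The Service snippets above (Host-based routing, URL-based routing, the User-Agent filter and the catch-all redirect) all rely on Pound trying Services in the order listed and taking the first whose conditions hold. The following Python model is an added illustration of that selection logic, not Pound's own code; it assumes that a URL pattern is a regex searched in the request path (case-sensitive), that each HeadRequire pattern is a regex searched case-insensitively in every "Name: value" header line, and that all conditions of a Service must hold for it to match. The rule set, the 192.168.1.10 catch-all back-end and the request headers are constructed sample values. It also shows why the page's unanchored Host pattern accepts more than the intended host name and how an anchored pattern (assumed to work because Pound matches each header line on its own) narrows it; note that filters on the User-Agent header only see what the client chooses to send.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Added illustration of how Pound chooses a Service for a request; this is a
# model, not Pound's own code. Assumed behaviour: Services are tried in the
# order listed and the first one whose conditions all hold wins; a URL pattern
# is a regex searched in the request path (case-sensitive); each HeadRequire
# pattern is a regex searched, case-insensitively, in every "Name: value"
# header line, and must match at least one of them.


@dataclass
class Service:
    name: str
    url: Optional[str] = None                         # URL "regex"
    head_require: list = field(default_factory=list)  # HeadRequire "regex", all must hold
    backends: list = field(default_factory=list)      # "address:port" strings
    redirect: Optional[str] = None                    # Redirect "url"

    def matches(self, path: str, headers: dict) -> bool:
        if self.url is not None and re.search(self.url, path) is None:
            return False
        lines = [f"{name}: {value}" for name, value in headers.items()]
        for pattern in self.head_require:
            rx = re.compile(pattern, re.IGNORECASE)
            if not any(rx.search(line) for line in lines):
                return False
        return True


def route(services, path, headers):
    """Return ("redirect", url), ("backend", service_name, "addr:port") or ("none", None)."""
    for svc in services:
        if not svc.matches(path, headers):
            continue
        if svc.redirect is not None:
            return ("redirect", svc.redirect)
        # First listed back-end; Pound's priority-weighted choice is not modelled here.
        return ("backend", svc.name, svc.backends[0])
    return ("none", None)


# Constructed rule set combining the snippets above (order matters: first match wins).
SERVICES = [
    Service("ua-filter", head_require=["User-Agent:.*Microsoft URL Control.*"],
            redirect="http://www.microsoft.com"),
    Service("static", url="/(images|js|css)/", backends=["192.168.1.80:81"]),
    Service("otherdomain", head_require=["Host:.*myotherdomain.com.*"],
            backends=["192.168.1.8:80"]),
    Service("default", backends=["192.168.1.10:80"]),   # sample catch-all back-end
]

# The page's Host pattern is unanchored and its dots are unescaped, so it also
# matches look-alike host names such as "myotherdomain.com.example". This
# tightened rule (assumed to work because Pound matches each header line on
# its own, as modelled above) accepts only the intended host, with an
# optional port.
STRICT_SERVICES = [
    Service("otherdomain-strict",
            head_require=[r"^Host: (www\.)?myotherdomain\.com(:\d+)?$"],
            backends=["192.168.1.8:80"]),
    Service("default", backends=["192.168.1.10:80"]),
]


if __name__ == "__main__":
    print(route(SERVICES, "/images/logo.png", {"Host": "www.myotherdomain.com"}))
    print(route(SERVICES, "/", {"Host": "www.example.com",
                                "User-Agent": "Microsoft URL Control - 6.01"}))
    print(route(SERVICES, "/", {"Host": "myotherdomain.com.example"}))
    print(route(STRICT_SERVICES, "/", {"Host": "myotherdomain.com.example"}))
```

Because the first matching Service wins, a request for /images/logo.png with a myotherdomain.com Host header goes to the static back-end, not to 192.168.1.8; reorder the Services if the opposite is intended.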

Enabling Pound to start

sudo nano /etc/default/pound

Change startup=0 to startup=1; until you do, Pound will refuse to start.

startup=1

Starting Pound as Daemon Service

sudo /etc/init.d/pound start

Stopping Pound as Daemon Service

sudo /etc/init.d/pound stop

Pound log file

By default, Pound logs messages via syslog:

# tail -f /var/log/messages
# grep pound /var/log/messages

What Pound Is

Pound is a reverse proxy: you put it on the server side, in front of your web services, not in front of clients that need to reach the general Internet. It takes web requests from end-users and distributes them among the web servers or services you run. Pound also load balances, so you can run multiple servers that look to the outside world like a single one and spread the workload across them.

What Pound Is Not

Pound proxy is NOT a caching proxy. By itself it won't help to speed up your server or network, but there is a lot of flexibility in Pound that will help you overall.

Sample complete configuration file

## Minimal sample pound.cfg
######################################################################
## global options:
User            "www-data"
Group           "www-data"
#RootJail       "/chroot/pound"
## Logging: (goes to syslog by default)
##      0       no logging
##      1       normal
##      2       extended
##      3       Apache-style (common log format)
LogLevel        1
## check backend every X secs:
Alive           30
## use hardware-acceleration card supported by openssl(1):
#SSLEngine      ""

######################################################################
## listen, redirect and ... to:
## A more complex example: assume your static images (GIF/JPEG) are to be
## served from a single back-end, 192.168.1.10. In addition, 192.168.1.11
## hosts www.myserver.com with URL-based sessions, and 192.168.1.20 (a 1GHz
## PIII) and 192.168.1.21 (800MHz Duron) take all other requests
## (cookie-based sessions). Logging is done by the back-end servers.
## The configuration file may look like this:

# Main listening ports
ListenHTTP
    Address 202.54.1.10
    Port    80
    Client  10
End
ListenHTTPS
    Address 202.54.1.10
    Port    443
    Cert    "/etc/pound/pound.pem"
    Client  20
End

# Image server
Service
    URL ".*.(jpg|gif)"
    BackEnd
        Address 192.168.1.10
        Port    80
    End
End

# Virtual host www.myserver.com
Service
    URL         ".*sessid=.*"
    HeadRequire "Host:.*www.myserver.com.*"
    BackEnd
        Address 192.168.1.11
        Port    80
    End
    Session
        Type    PARM
        ID      "sessid"
        TTL     120
    End
End

# Everybody else
Service
    BackEnd
        Address 192.168.1.20
        Port    80
        Priority 5
    End
    BackEnd
        Address 192.168.1.21
        Port    80
        Priority 4
    End
    Session
        Type    COOKIE
        ID      "userid"
        TTL     180
    End
End
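The last two Services of the sample file combine weighted back-ends (Priority) with session tracking (Session Type PARM or COOKIE, ID and TTL), which is also what the "How it works" section means by Pound keeping track of client/back-end associations. The following Python model is an added illustration of that behaviour, not Pound's own code. It assumes that Priority weights a random choice among live back-ends, that Type PARM reads the session value from the query parameter named by ID and Type COOKIE from the cookie named by ID, and that a client stays pinned to its back-end until TTL seconds pass without a request from it, or until that back-end is marked dead. The Service instances, cookie values and request paths are constructed sample values taken from the addresses in the configuration above.

```python
import random
from dataclasses import dataclass
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlsplit

# Added illustration of a Service's back-end choice with Session tracking, as
# in the "www.myserver.com" and "Everybody else" Services above; a model, not
# Pound's own code. Assumed behaviour: Priority weights a random choice among
# live back-ends; Session Type PARM takes the session value from the query
# parameter named by ID, Type COOKIE from the cookie named by ID; a client is
# pinned to its back-end until TTL seconds pass without a request from it.


@dataclass
class Backend:
    address: str
    port: int
    priority: int = 5
    alive: bool = True

    def __str__(self) -> str:
        return f"{self.address}:{self.port}"


class Service:
    def __init__(self, backends, session_type=None, session_id=None, ttl=0, rng=None):
        self.backends = backends
        self.session_type = session_type   # None, "PARM" or "COOKIE"
        self.session_id = session_id       # query-parameter or cookie name (the ID directive)
        self.ttl = ttl                     # seconds of inactivity before a pin expires
        self.rng = rng or random.Random()
        self.table = {}                    # session value -> (Backend, expiry time)

    def session_key(self, path, headers):
        """Extract the client's session value the way the Session block describes."""
        if self.session_type == "PARM":
            query = parse_qs(urlsplit(path).query)
            return query.get(self.session_id, [None])[0]
        if self.session_type == "COOKIE":
            raw = next((v for k, v in headers.items() if k.lower() == "cookie"), "")
            jar = SimpleCookie()
            jar.load(raw)
            morsel = jar.get(self.session_id)
            return morsel.value if morsel is not None else None
        return None

    def weighted_choice(self):
        """Pick a live back-end with probability proportional to its Priority."""
        live = [b for b in self.backends if b.alive]
        if not live:
            return None
        point = self.rng.randrange(sum(b.priority for b in live))
        for b in live:
            if point < b.priority:
                return b
            point -= b.priority
        return live[-1]

    def pick(self, path, headers, now):
        """Choose the back-end for one request arriving at time `now` (seconds)."""
        key = self.session_key(path, headers)
        if key is not None and key in self.table:
            backend, expiry = self.table[key]
            if now < expiry and backend.alive:
                self.table[key] = (backend, now + self.ttl)   # refresh on every hit
                return backend
            del self.table[key]                               # expired or dead: re-assign
        backend = self.weighted_choice()
        if key is not None and backend is not None:
            self.table[key] = (backend, now + self.ttl)
        return backend


# Constructed instances of the two session-tracking Services from the sample config.
def everybody_else(seed=1):
    return Service([Backend("192.168.1.20", 80, priority=5),
                    Backend("192.168.1.21", 80, priority=4)],
                   session_type="COOKIE", session_id="userid", ttl=180,
                   rng=random.Random(seed))


def myserver_vhost(seed=1):
    return Service([Backend("192.168.1.11", 80)],
                   session_type="PARM", session_id="sessid", ttl=120,
                   rng=random.Random(seed))


if __name__ == "__main__":
    svc = everybody_else()
    hdr = {"Cookie": "userid=alice42; theme=dark"}
    first = svc.pick("/", hdr, now=0)
    print("pinned to", first, "again:", svc.pick("/cart", hdr, now=60) is first)
    print("share of", svc.backends[0], "over 900 anonymous requests:",
          sum(svc.pick("/", {}, now=0) is svc.backends[0] for _ in range(900)) / 900)
```

With Priority 5 and 4 the first back-end receives roughly five ninths of the requests that carry no session value; requests that do carry one keep hitting the back-end they were first sent to, which is why the sample file pairs Priority with a Session block rather than using either alone.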

Further Documentation



Pound (last edited 2010-06-29 16:09:58 by pool-96-243-142-10)