By jeremy at 2007-10-12 17:13
Beat Traffic into Shape with Pound
Linux Magazine
By Jeremy Garcia

The great thing about Open Source is the large variety of choices you have to solve a particular problem. Previously, the September 2006 "Tech Support" introduced Perlbal, a Perl-based reverse proxy load balancer written by Danga. This month, let's look at another reverse proxy load balancer named Pound.

Pound was written with security in mind, so the daemon is very small, can run in a chroot jail, and runs setuid as a non-root user. Pound is also an SSL wrapper and HTTP(S) sanitizer. You can download Pound here. It's provided per the terms of the GNU Public License.

After downloading and unpacking the source tarball, installation is the standard ./configure && make && make install. (If you plan on utilizing Pound's SSL support, specify ./configure --with-ssl.) Look for the pound executable in /usr/local/sbin and look for the configuration file, pound.cfg, in /usr/local/etc.

If you're using Pound in a highly-trafficked transaction environment, you can boost performance if the Perl Compatible Regular Expressions (PCRE) package is installed, and if you link against the tcmalloc library found in the Google perftools package.

Next, configure Pound. Here's a simple pound.cfg file:

Code:
ListenHTTP
  Address 1.2.3.4
  Port 80
End
Service
  Backend
    Address 192.168.0.1
    Port 80
  End
  Backend
    Address 192.168.0.2
    Port 80
  End
End

This instructs Pound to listen on the public IP address 1.2.3.4 and pass requests evenly to the two backend machines named with Service. If the machines have significantly different resources available to them, you can alter the odds of a server being chosen with the Priority directive. Values may be 1 through 9, where the value 9 means use most often, and the value 1 means least frequent. Pound balances servers dynamically: if a server goes down, Pound automatically removes the system from the pool of available servers.

Many web applications use sessions and Pound can track sessions between a client browser and the host backend server. Pound supports five techniques: client IP address, basic authentication, URL parameter, cookie value, and header value. Only one session definition is allowed per Service.

For example, to use client IP-based tracking that keeps sessions active for ten minutes, add the following to your Pound config file:

Code:
Session
  Type IP
  TTL 600
End
To harden Pound, run the daemon as a non-privileged user. To do this, use the User and Group directives to specify the user and group, respectively:

Code:
User    "nobody"
Group   "nobody"
Additionally, you should consider running Pound in a chroot jail, which precludes the daemon from accessing any files outside those in the jail.

To help test and refine your configuration, you can increase the LogLevel parameter to extract extra information.

Keep in mind that after adding Pound into your network setup, your backend servers will log the IP address of your Pound machine instead of the client IP of the person browsing your site. As a general rule, Pound passes all headers as set by the client to the backend servers, with two exceptions: Pound adds an X-Forwarded-For header, and may add information about the SSL certificate.

You can use the X-Forwarded-For header to update your logging mechanism to record the correct information.

For example, if you're using Apache combined logging, replace %h (remote host) with:

Code:
\"%{X-Forwarded-for}i\"
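
Because Pound passes client-set headers through, a client can send its own X-Forwarded-For value, and the logged field may then hold more than one entry. The following Python sketch is an added example, not part of the original article or of Pound: it reads lines written with the log format above and keeps only the entry the proxy added. It assumes the proxy's entry is the last one in the logged value and that the backends are reachable only through Pound; the function name and sample lines are constructed for illustration.

```python
import ipaddress
import re

# First field of a combined-format line once %h has been replaced by
# \"%{X-Forwarded-For}i\": a quoted header value (Apache escapes embedded
# quotes as \"), followed by the rest of the line.
FIRST_FIELD = re.compile(r'^"((?:[^"\\]|\\.)*)"\s')


def parse_forwarded(line):
    """Return (client_ip, status) for one access-log line.

    status is one of:
      "ok"              - a single, valid address
      "client-supplied" - extra entries precede the proxy's own
      "missing"         - no header logged (request did not pass the proxy)
      "malformed"       - field absent or last entry is not an IP address
    """
    match = FIRST_FIELD.match(line)
    if not match:
        return None, "malformed"
    value = match.group(1).strip()
    if value in ("", "-"):
        return None, "missing"
    entries = [entry.strip() for entry in value.split(",")]
    try:
        # Assumption: the entry added by the proxy is the last one.
        address = ipaddress.ip_address(entries[-1])
    except ValueError:
        return None, "malformed"
    status = "client-supplied" if len(entries) > 1 else "ok"
    return str(address), status


# Constructed sample lines using documentation address ranges.
SAMPLE = [
    '"203.0.113.7" - - [12/Oct/2007:17:13:00 -0500] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '"127.0.0.1, 198.51.100.23" - - [12/Oct/2007:17:13:05 -0500] "GET /admin HTTP/1.1" 403 199 "-" "curl/7.16.4"',
    '"unknown, 198.51.100.23" - - [12/Oct/2007:17:13:09 -0500] "GET / HTTP/1.1" 200 512 "-" "-"',
    '"-" - - [12/Oct/2007:17:13:11 -0500] "GET / HTTP/1.1" 200 512 "-" "-"',
]

if __name__ == "__main__":
    for sample_line in SAMPLE:
        print(parse_forwarded(sample_line))
```

Lines reported as "client-supplied" or "missing" are the ones worth reviewing: the first carries a value the client chose, the second reached the backend without going through the proxy.
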
In addition to the baseline features listed here, Pound also supports HTTPS decryption, WebDAV, dynamic rescaling, arbitrary regular expression rules for selecting backends, and more. The man page for pound provides a detailed description of every option available and is worth taking the time to read through.
