By jeremy at 2007-10-12 17:13
Beat Traffic into Shape with Pound
Linux Magazine
By Jeremy Garcia
The great thing about Open Source is the large variety of choices you have to solve a particular problem. Previously, the September 2006 "Tech Support" introduced Perlbal, a Perl-based reverse proxy load balancer written by Danga. This month, let's look at another reverse proxy load balancer named Pound.
Pound was written with security in mind, so the daemon is very small, can run in a chroot jail, and runs setuid as a non-root user. Pound is also an SSL wrapper and HTTP(S) sanitizer. You can download Pound here. It's provided per the terms of the GNU Public License.
After downloading and unpacking the source tarball, installation is the standard ./configure && make && make install. (If you plan on utilizing Pound's SSL support, specify ./configure --with-ssl.) Look for the pound executable in /usr/local/sbin and look for the configuration file, pound.cfg, in /usr/local/etc.
If you're using Pound in a highly-trafficked transaction environment, you can boost performance if the Perl Compatible Regular Expression (PCRE) package is installed, and if you link against the tcmalloc library found in the Google perftools package.
Next, configure Pound. Here's a simple pound.cfg file:
Code:
# Public listener
ListenHTTP
    Address 1.2.3.4
    Port    80
End
# Backends that requests are balanced across
Service
    Backend
        Address 192.168.0.1
        Port    80
    End
    Backend
        Address 192.168.0.2
        Port    80
    End
End
This instructs Pound to listen on the public IP address 1.2.3.4 and pass requests evenly to the two backend machines named with Service. If the machines have significantly different resources available to them, you can alter the odds of a server being chosen with the Priority directive. Values may be 1 through 9, where the value 9 means use most often, and the value 1 means least frequent. Pound balances servers dynamically: if a server goes down, Pound automatically removes the system from the pool of available servers.
Many web applications use sessions and Pound can track sessions between a client browser and the host backend server. Pound supports five techniques: client IP address, basic authentication, URL parameter, cookie value, and header value. Only one session definition is allowed per Service.
For example, to use client IP-based tracking that keeps sessions active for ten minutes, add the following to your Pound config file:
Code:
Session
    Type IP
    TTL  600
End
To harden Pound, run the daemon as a non-privileged user. To do this, use the User and Group directives to specify the user and group, respectively:
Code:
User "nobody"
Group "nobody"
Additionally, you should consider running Pound in a chroot jail, which precludes the daemon from accessing any files outside those in the jail.
To help test and refine your configuration, you can increase the LogLevel parameter to extract extra information.
Keep in mind that after adding Pound into your network setup, your backend servers will log the IP address of your Pound machine instead of the client IP of the person browsing your site. As a general rule, Pound passes all headers as set by the client to the backend servers, with two exceptions: Pound adds an X-Forwarded-For header, and may add information about the SSL certificate.
You can use the X-Forwarded-For header to update your logging mechanism to record the correct information.
For example, if you're using Apache combined logging, replace %h (remote host) with:
Code:
\"%{X-Forwarded-for}i\"
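An added example, not part of the original article: because Pound passes client-set headers through, the logged X-Forwarded-For value can hold entries the client wrote in front of the one the proxy added. This Python code reads lines logged with the format above and keeps only the right-most entry; that the proxy's entry comes last, the function names, and the sample lines are assumptions made here.

```python
import ipaddress
import re

# First field of a line logged with the format above: the quoted header value.
# Apache backslash-escapes quotes inside logged values, so allow \" in the field.
FIRST_FIELD = re.compile(r'^"((?:[^"\\]|\\.)*)"')


def client_from_line(line):
    """Return (client_ip, note) for one access-log line.

    The right-most entry is taken to be the one the proxy appended
    (assumption); entries to its left came from the client and are only
    reported, never used as the client address.
    """
    m = FIRST_FIELD.match(line)
    if not m:
        return None, "unparsed"
    value = m.group(1).strip()
    if value in ("", "-"):
        # Apache logs "-" for an absent header: the request bypassed the proxy.
        return None, "no-header"
    parts = [p.strip() for p in value.split(",")]
    try:
        ip = ipaddress.ip_address(parts[-1])
    except ValueError:
        return None, "invalid"
    return str(ip), ("client-supplied-entries" if len(parts) > 1 else "ok")


# Constructed sample lines using documentation address ranges, not real traffic.
SAMPLE = [
    '"203.0.113.7" - - [12/Oct/2007:17:13:00 +0000] "GET / HTTP/1.1" 200 512',
    '"10.0.0.1, 198.51.100.23" - - [12/Oct/2007:17:13:05 +0000] "GET /a HTTP/1.1" 403 199',
    '"-" - - [12/Oct/2007:17:13:09 +0000] "GET / HTTP/1.1" 200 512',
    '"198.51.100.23, not-an-ip" - - [12/Oct/2007:17:13:11 +0000] "GET / HTTP/1.1" 200 512',
]


def summarize(lines):
    """Parse every line and return the list of (client_ip, note) pairs."""
    return [client_from_line(line) for line in lines]


if __name__ == "__main__":
    for ip, note in summarize(SAMPLE):
        print(ip, note)
```

Lines noted as no-header reached the backend without passing through the proxy, which is worth reviewing when the backends are meant to be reachable only from the Pound machine.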
In addition to the baseline features listed here, Pound also supports HTTPS decryption, WebDAV, dynamic rescaling, arbitrary regular expression rules for selecting backends, and more. The man page for pound provides a detailed description of every option available and is worth taking the time to read through.