Get to know this reverse proxy load balancer for web traffic with SSL support.
The great thing about Open Source is the large variety of choices you have to solve a particular problem. Previously, the September 2006 “Tech Support” introduced Perlbal, a Perl-based reverse proxy load balancer written by Danga. This month, let’s look at another reverse proxy load balancer named Pound.
Pound was written with security in mind, so the daemon is very small, can run in a chroot jail, and runs setuid as a non-root user. Pound is also an SSL wrapper and HTTP(S) sanitizer. You can download Pound here. It’s provided per the terms of the GNU Public License.
After downloading and unpacking the source tarball, installation is the standard ./configure && make && make install. (If you plan on utilizing Pound’s SSL support, specify ./configure --with-ssl.) Look for the pound executable in /usr/local/sbin and look for the configuration file, pound.cfg, in /usr/local/etc.
If you’re using Pound in a highly-trafficked transaction environment, you can boost performance if the Perl Compatible Regular Expression (PCRE) package is installed, and if you link against the tcmalloc library found in the Google perftools package.
Next, configure Pound. Here’s a simple pound.cfg file:
This instructs Pound to listen on the public IP address 18.104.22.168 and pass requests evenly to the two backend machines named with Service. If the machines have significantly different resources available to them, you can alter the odds of a server being chosen with the Priority directive. Values may be 1 through 9, where the value 9 means use most often, and the value 1 means least frequent. Pound balances servers dynamically: if a server goes down, Pound automatically removes the system from the pool of available servers.
Many web applications use sessions, and Pound can track sessions between a client browser and the host backend server. Pound supports five techniques: client IP address, basic authentication, URL parameter, cookie value, and header value. Only one session definition is allowed per
For example, to use client IP-based tracking that keeps sessions active for ten minutes, add the following to your Pound config file:
To harden Pound, run the daemon as a non-privileged user. To do this, use the
Group directives to specify the user and group, respectively:
Additionally, you should consider running Pound in a chroot jail, which precludes the daemon from accessing any files outside those in the jail.
To help test and refine your configuration, you can increase the LogLevel parameter to extract extra information.
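The directives discussed above, combined into one complete pound.cfg. This is an added example, not the configuration file from the original column; it assumes the Pound 2.x block syntax (Address/Port/End inside ListenHTTP, Service and BackEnd), and the backend addresses, ports, user name and jail path are constructed placeholders.

```conf
# Drop privileges after binding the listener (assumed account "pound").
User    "pound"
Group   "pound"
# Confine the daemon to a jail; only files under this path are reachable.
RootJail "/var/lib/pound"
# Raise to 2 or 3 while testing; each level adds more request detail.
LogLevel 1
# Probe backends every 30 seconds so a dead server leaves the pool.
Alive   30

ListenHTTP
    Address 18.104.22.168
    Port    80
    # Accept only GET, POST and HEAD; reject other methods at the proxy.
    xHTTP   0
End

Service
    # Larger server: chosen most often.
    BackEnd
        Address  192.0.2.10
        Port     8080
        Priority 9
    End
    # Smaller server: chosen less often.
    BackEnd
        Address  192.0.2.11
        Port     8080
        Priority 4
    End
    # Client IP-based session tracking, kept for ten minutes (600 s).
    Session
        Type IP
        TTL  600
    End
End
```

Run pound -c -f /usr/local/etc/pound.cfg to have the daemon parse the file and report syntax errors without starting.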
Keep in mind that after adding Pound into your network setup, your backend servers will log the IP address of your Pound machine instead of the client IP of the person browsing your site. As a general rule, Pound passes all headers as set by the client to the backend servers, with two exceptions: Pound adds an X-Forwarded-For header, and may add information about the SSL certificate.
You can use the X-Forwarded-For header to update your logging mechanism to record the correct information.
For example, if you’re using Apache combined logging, replace the letter h (remote host) with:
In addition to the baseline features listed here, Pound also supports HTTPS decryption, WebDAV, dynamic rescaling, arbitrary regular expression rules for selecting backends, and more. The man page for pound provides a detailed description of every option available and is worth taking the time to read through.