About Linux FAQ

Browse More FAQs:

Linux install and configure pound reverse proxy for Apache http / https web server

Posted by Vivek on Tuesday December 11, 07 @9:27 am

Q. How do I install and configure pound reverse proxy for Apache web sever under Debian Linux?

A. Pound is a reverse-proxy load balancing server. It accepts requests from HTTP / HTTPS clients and distributes them to one or more Web servers. The HTTPS requests are decrypted and passed to the back-ends as plain HTTP. It will act as:
a) Server load balancer
b) Reverse proxy server
c) Apache reverse proxy etc
d) It can detects when a backend server fails or recovers, and bases its load balancing decisions on this information: if a backend server fails, it will not receive requests until it recovers
e) It can decrypts https requests to http ones
f) Rejects incorrect requests
h) It can be used in a chroot environment (security feature)

If more than one back-end server is defined, Pound chooses one of them randomly, based on defined priorities. By default, Pound keeps track of associations between clients and back-end servers (sessions).

Install Pound Software

Type the following command to install pound:
$ sudo apt-get install pound
If you are using RHEL / CentOS, grab pound rpm here and type the command:
# rpm -ivh pound*
If you are using FreeBSD, enter:
# cd /usr/ports/www/pound/ && make install clean

How it works?

  • Let us assume your public IP address 202.54.1.5.
  • Pound will run on 202.54.1.5 port 80
  • It will forward all incoming http requests to internal host 192.168.1.5 and 192.168.1.10 port 80 or 443
  • Pound keeps track of associations between clients and back-end servers

Pound configuration file

  • Under Debian / Ubuntu default file located at /etc/pound/pound.cfg
  • Under FreeBSD it is located at /usr/local/etc/pound.cfg (you need to create this file)
  • Under RHEL / CentOS you need to create file at /etc/pound.cfg

Sample configuration: HTTP Proxy

Forward all incoming request at 202.54.1.5 port 80 request to 192.168.1.5 Apache server running at 8080 port:
Open /etc/pound/pound.cfg file:
# vi /etc/pound/pound.cfg
To translate HTTP requests to a local internal HTTP server, enter (make sure 192.168.1.5 Apache running listing on port 8080):

ListenHTTP
         Address 202.54.1.5
         Port    80
         Service
                  BackEnd
                       Address 192.168.1.5
                       Port    8080
                  End
          End
End

Save and close the file. Restart pound:
# /etc/init.d/pound restart

Following example will distribute the all HTTP/HTTPS requests to two Web servers:

ListenHTTP
          Address 202.54.1.5
          Port    80
End

ListenHTTPS
         Address 202.54.1.5
         Port    443
         Cert    "/etc/ssl/local.server.pem"
End
Service
                  BackEnd
                      Address 192.168.1.5
                      Port    80
                  End
                  BackEnd
                      Address 192.168.1.6
                      Port    80
                  End
End

For testing purpose you may generate self signed ssl certificate (/etc/ssl/local.server.pem), by entering the following command:
# cd /etc/ssl && openssl req -x509 -newkey rsa:1024 -keyout local.server.pem -out local.server.pem -days 365 -nodes

Pound log file

By default pound log message using syslog:
# tail -f /var/log/messages
# grep pound /var/log/messages

Sample complete configuration file

## Minimal sample pound.cfg
######################################################################
## global options:
User		"www-data"
Group		"www-data"
#RootJail	"/chroot/pound"
## Logging: (goes to syslog by default)
##	0	no logging
##	1	normal
##	2	extended
##	3	Apache-style (common log format)
LogLevel	1
## check backend every X secs:
Alive		30
## use hardware-accelleration card supported by openssl(1):
#SSLEngine	""

######################################################################
## listen, redirect and ... to:
# Here is a more complex example: assume your static images (GIF/JPEG) are to be served from  a  single  back-end  192.168.0.10.  In
#       addition,  192.168.0.11  is  to  do  the  hosting for www.myserver.com with URL-based sessions, and 192.168.0.20 (a 1GHz PIII) and
#       192.168.0.21 (800Mhz Duron) are for all other requests (cookie-based sessions).  The logging will be done by the back-end servers.
#       The configuration file may look like this:
              # Main listening ports
              ListenHTTP
                  Address 202.54.1.10
                  Port    80
                  Client  10
              End
              ListenHTTPS
                  Address 202.54.1.10
                  Port    443
                  Cert    "/etc/pound/pound.pem"
                  Client  20
              End

              # Image server
              Service
                  URL ".*.(jpg|gif)"
                  BackEnd
                      Address 192.168.1.10
                      Port    80
                  End
              End
             # Virtual host www.myserver.com
              Service
                  URL         ".*sessid=.*"
                  HeadRequire "Host:.*www.nixcraft.com.*"
                  BackEnd
                      Address 192.168.1.11
                      Port    80
                  End
                  Session
                      Type    PARM
                      ID      "sessid"
                      TTL     120
                  End
              End

              # Everybody else
              Service
                  BackEnd
                      Address 192.168.1.20
                      Port    80
                      Priority 5
                  End
                  BackEnd
                      Address 192.168.1.21
                      Port    80
                      Priority 4
                  End
                  Session
                      Type    COOKIE
                      ID      "userid"
                      TTL     180
                  End
              End

Suggested readings:

=> Pound project
=> Man pages : pound and poundctl

Subscribe to our free e-mail newsletter or RSS feed to get all updates. You can Email this page to a friend.

Related Linux / UNIX FAQ:

Discussion on This FAQ

  1. `ariel Says:

    Nice !!! a few weeks ago i was googling for something like this for hours !!!

  2. vivek Says:

    Pound is simple and very nice. Many large site such as wordpress.com uses pound.

  3. Calomel Says:

    I would highly suggest pound or lighttpd as a reverse proxy. As of version 2.4e, Pound is extremely fast and stable. Lighttpd did have some problems in the past and most of those have been fixed. Memeory managment has been greatly improved. I have to agree about the documentation, but there are examples like the following to help everyone out:

    Pound Reverse Proxy “how “to”
    http://calomel.org/pound.html

    Light webserver “how to”
    http://calomel.org/lighttpd.html

  4. vivek Says:

    Calomel,

    Thanks for sharing your links. You got some pretty good stuff :)

  5. Babar Says:

    I am having the same thing using squid as reverse proxy. Seems to be doing pretty well for the time being.

  6. Erik Says:

    To bad it doesn’t do caching. Also crossraods is a good LB as-well.

  7. ajay Says:

    i have a linux system white box loaded. tell me how to configure its lan card for internet connection while server proxy address= 192.168.10.1
    port : 6080

  8. McKeder Says:

    I am extremely happy to have a tutorial like this. Until Recently, I had no idea what a Reverse Proxy was and this really helped me to understand it.

    Thanks! and keep up all the great work!

Leave a Reply

We encourage your comments, and suggestions. But please stay on topic, be polite, and avoid spam. Please do not use the comment form to ask for help / question. Ask your question on the excellent Linux tech support forum. Thank you very much for stopping by our site!

XHTML: You can use these tags: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>

*
To prove you're a person (not a spam script), type the security word shown in the picture. Click on the picture to hear an audio file of the word.
Click to hear an audio file of the anti-spam word

Tags: , , , , , , , , , ~ Last updated on: December 13, 2007

Copyright © 2006-2008 nixCraft. All rights reserved - TOS/Disclaimer - Privacy policy - Sitemap - Powered by Open source software.