FREQUENTLY ASKED QUESTIONS
1. General
==========
1.1 Will Pound run my Web application?
No. Pound is a proxy, not a Web server - it does not deliver content by
itself. It is just the middle-man between a client and a server.
1.2 Will Pound make my server go faster?
No. Pound is just a proxy - no caching of any kind takes place. Pound
IS able to distribute requests between several back-end servers, thus
allowing for faster overall response times, but it won't speed up a
single Web server.
1.3 Will Pound make my server more secure?
Probably yes. Pound validates the request line, URL and headers itself
and rejects malformed requests, which stops many attacks that rely on a
malformed request before they reach the Web server. It does not inspect
application data beyond that, so it complements, but does not replace,
a secure application.
1.4 Can I use Pound to change/rewrite/redirect requests?
No. Pound tries to be as transparent as possible - ideally a client
should not be aware that there is anything between itself and the actual
Web server.
1.5 Can I use Pound to deny certain requests?
Yes. Pound has quite a good mechanism for classifying requests and it
can deny/reject certain requests based on URL and/or header content.
2. Configuration, Compilation and Installation
==============================================
2.1 I try to compile and it fails on "needs OpenSSL with thread support"
Pound is a multi-threaded program and it needs an OpenSSL library
compiled with thread support (optional in the OpenSSL configuration and
absent in some default installations, such as *BSD). If your default
library does not support threads you must install a thread-enabled
version.
2.2 Pound compiles correctly but crashes on *BSD
On some of the newer versions of *BSD (FreeBSD 5.x, OpenBSD 3.3) the
Pound autoconf does not correctly recognize the threading library. Add
manually to the generated Makefile the option -DNEED_STACK in the
CFLAGS.
2.3 I want to run Pound with daemon-tools but it goes to background
You need to configure Pound for non-daemon operations: run configure
with the --disable-daemon option.
2.4 Pound runs OK but some normal requests are rejected with "bad URL"
Pound checks the requested URLs quite thoroughly and rejects malformed
or illegal URLs - or at least illegal according to the RFCs. See the
man page for details on CSsegment and associated parameters.
2.5 Pound runs OK but I get a "pthread_create" error message
You may be hitting the system limit on the number of processes. On
systems that implement threads as processes (as older Linux releases
with LinuxThreads do) you should make sure that the Pound process is
allowed to start a sufficient number of processes.
In some rare cases you may be running into the system limit on the
number of threads. Check your system details for the value of
PTHREAD_THREADS_MAX. If needed you must recompile the threads library
with a higher value.
2.6 What resources does Pound need/use?
That depends very much on your system. On some systems, such as Linux
with LinuxThreads and the System V derivatives (AIX, HP-UX, etc),
threads are implemented as processes, which means you must allow enough
processes to run. On other systems, such as *BSD, where threads are
implemented in user space (in-process), you should make sure that Pound
can use sufficient memory for all the threads and that the process is
allowed to use enough file descriptors (2 per active connection: one
for the client, one for the back-end). Finally, on systems that
implement threads natively, such as Solaris, you need to make sure that
enough threads and open file descriptors are allowed.
2.7 Is NPTL supported?
Theoretically Pound will work with any POSIX-compliant threads package.
In practice some of the newer NPTL implementations still have some
bugs. At least on Linux, running Pound with LD_ASSUME_KERNEL=2.4.19
(which makes glibc select the older LinuxThreads library instead of
NPTL) seems to be helpful.
3. Virtual Hosts
================
3.1 How do I redirect specific virtual hosts to specific back-ends?
Make the virtual host mandatory in the UrlGroup. For example, to have
all requests to www.a.com go to 192.168.0.10 and all requests for
www.b.com go to 192.168.0.20, define

    UrlGroup ".*"
        HeadRequire Host ".*www.a.com.*"
        HeadDeny Host ".*www.b.com.*"
        BackEnd 192.168.0.10
    EndGroup
    UrlGroup ".*"
        HeadRequire Host ".*www.b.com.*"
        HeadDeny Host ".*www.a.com.*"
        BackEnd 192.168.0.20
    EndGroup

in your config file. The patterns are regular expressions: an unescaped
"." matches any character, and a pattern without anchors also matches
names such as www.a.com.example.net. If the wrong back-end must never
see a request, escape the dots and anchor the patterns rather than
relying on HeadDeny alone.
3.2 How do I redirect requests to specific back-ends based on the client
address?
It is easier to do this with the packet filter you use. If you insist
on having Pound do it, use a combination of port redirection and a
separate instance of Pound for each port. For example, assume you want
intranet clients (on 192.168.100.0/24) to use the server at 192.168.1.10
and external clients to go to 192.168.1.20. Do the following:
- redirect requests from 192.168.100.0/24 to port 8080
    pf: rdr on rl0 from 192.168.100.0/24 to 192.168.100.1 port 80 \
        -> localhost port 8080
    netfilter: iptables -t nat -A PREROUTING -p tcp \
        -s 192.168.100.0/24 --dport 80 -i eth0 -j DNAT \
        --to localhost:8080
- redirect requests from anywhere else to port 8081
    pf: rdr on rl0 from any to 192.168.100.1 port 80 \
        -> localhost port 8081
    netfilter: iptables -t nat -A PREROUTING -p tcp \
        --dport 80 -i eth0 -j DNAT --to localhost:8081
- have an instance of Pound listening on 8080 and sending the
  requests to 192.168.1.10
- have an instance of Pound listening on 8081 and sending the
  requests to 192.168.1.20
Rule order matters: both rules match port 80 and the first match wins
for pf translation rules and within an iptables chain, so the more
specific intranet rule must come first. Note also that recent Linux
kernels drop packets that a PREROUTING rule DNATs to 127.0.0.1 unless
net.ipv4.conf.eth0.route_localnet is set to 1; it is simpler to have
the two Pound instances listen on the interface address and redirect
to that.
3.3 What happens when my server replies with a redirect?
Depending on configuration, Pound watches for redirect replies from
back-ends and changes them to the correct address. For this to happen
the following conditions must be met:
- Pound has "RewriteRedirect 1" (the default).
- the back-end replies with a redirect whose Location URL has a host
  that resolves to the address Pound is listening on or to the address
  of one of the back-ends.
This also implies that a wildcard listener such as "ListenHTTP *,..."
may disable the rewriting: there is no single listener address for the
Location host to be compared against. The feature is commonly used when
Pound serves as an HTTPS wrapper, as a back-end redirect to
"Location: http://x.y.com" is rewritten as "Location: https://x.y.com",
so the client is not bounced back to plain HTTP.
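The rewriting rule above, as an added illustration in Python; this is a model of the decision, not Pound's own code. It assumes that name resolution is replaced by a constructed table (so it runs offline), that a redirect pointing at a back-end address is rewritten to the public name clients use for Pound (taken from the request's Host header), that any explicit port is dropped, and that a wildcard listener is modelled by passing None as the listener address.

```python
import ipaddress
from urllib.parse import urlsplit, urlunsplit

# Constructed stand-in for the resolver (assumption: the real proxy uses the
# system resolver; a table keeps this example offline and deterministic).
RESOLVE = {
    "www.example.com": "203.0.113.10",    # the address Pound listens on
    "app1.internal": "192.168.0.10",      # a back-end
    "www.other.example": "198.51.100.5",  # an unrelated site
}


def resolve(host):
    """Address for a host name, or the literal itself if host is already one."""
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        return RESOLVE.get(host.lower())


def rewrite_location(location, listen_addr, backend_addrs, listener_https,
                     public_host):
    """Return the Location value the client should see.

    listen_addr is None for a wildcard listener ("ListenHTTP *"): there is no
    single listener address to compare with, so only redirects that point at
    a back-end address can still be rewritten. public_host is the name
    clients use for Pound (assumed to come from the request's Host header).
    """
    parts = urlsplit(location)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return location                      # relative or non-HTTP: untouched
    addr = resolve(parts.hostname)
    if addr is not None and addr == listen_addr:
        new_host = parts.hostname            # already our public name
    elif addr is not None and addr in backend_addrs:
        new_host = public_host               # back-end leaked its own address
    else:
        return location                      # points elsewhere: not ours
    scheme = "https" if listener_https else "http"
    # Any explicit port is dropped: the client must come back through the
    # listener, not straight to a back-end port (assumption, see lead-in).
    return urlunsplit((scheme, new_host, parts.path, parts.query,
                       parts.fragment))


if __name__ == "__main__":
    backends = {"192.168.0.10"}
    for loc in ("http://www.example.com/login",
                "http://192.168.0.10:8080/app/",
                "http://www.other.example/",
                "/relative/path"):
        print(loc, "->", rewrite_location(loc, "203.0.113.10", backends,
                                          True, "www.example.com"))
    # Wildcard listener: the redirect to our own name is no longer recognised.
    print(rewrite_location("http://www.example.com/login", None, backends,
                           True, "www.example.com"))
```

The last call shows the "ListenHTTP *" case from the text: the redirect to the listener's own name is passed through unchanged because nothing identifies that name as the listener.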
4. HTTPS
========
4.1 Can I have Pound force HTTPS connections to certain URLs/back-ends?
No. You can have Pound listen only for SSL connections, but if it
accepts both HTTP and HTTPS the requests are distributed among all
back-ends.
The easiest solution is to have your Web application check for the
HTTPS headers that Pound adds to the request (see HTTPSHeaders in the
man page) and reject the request when they are missing. That check is
only as strong as your control of the path to the back-end: it must not
be reachable except through Pound, or a client could send the same
header itself.
Alternately you could start two separate instances of Pound, one for
HTTP and one for HTTPS connections, each with its own back-ends.
4.2 How can I do virtual hosting with HTTPS?
The simple answer is that, with SSL as originally designed, neither
you nor anybody else can. In its simplest form an HTTPS (SSL)
connection goes through the following stages:
- negotiation: the client contacts the server, receives a certificate
  from it, and negotiates the protocol details (cipher parameters, etc).
- authentication: the client checks that the certificate received matches
  the server it wanted and validates that the certificate is correct as
  attested by some certificate authority.
- request/response: normal HTTP, encrypted in transit.
As you can see the certificate is sent before any request was received.
Unfortunately, the first request specifies the virtual host that the
client would like to talk to - and it may not match the server name in
the certificate. (Later TLS clients can announce the host name during
negotiation through the Server Name Indication extension, which removes
this limitation where both the client and the proxy support it; the
description above is of SSL without that extension.)
4.3 Pound does not start with message "can't read private key"
The file you specify in the ListenHTTPS directive must contain both the
server certificate and the private key to it in PEM format. See the man
page for SSL_CTX_use_PrivateKey_file(3) for details.
4.4 How can a back-end know that the connection is via HTTPS?
Pound can add a header for incoming requests indicating that they were
received via HTTPS. See the details on HTTPSHeaders in the man page.
4.5 HTTPS connections fail when Pound runs chrooted
The OpenSSL library requires access to /dev/urandom for its random seed.
The normal device is not accessible in a jail root. You should add a
link to the device to make it accessible. On Linux this would be:
mknod /var/pound/dev/urandom c 1 9
assuming that /var/pound is the root jail.
4.6 How can I force a back-end to generate the correct URL with HTTPS
There is no simple answer to this question - each server and application
has its own way of doing things. If your server does not use absolute
URLs then all is well - things will run out of the box. However if some
frames, images, links or a base tag are generated with an absolute URL
you must find a way to force the generation with https://.
4.7 How can I find out about the client certificate in my application?
For requests via HTTPS connections Pound can add the details of the
client certificate as headers to each and every request it passes to
the back-end. See the details on HTTPSHeaders in the man page.
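What the back-end does with those headers, as an added example covering 4.1 (refuse requests that did not arrive over HTTPS), 4.4 and 4.7 (read the client certificate details) and, in passing, the X-Forwarded-For address used for logging in 6.2. This is illustrative WSGI code, not part of Pound or its distribution. The header names X-SSL-Cipher and X-SSL-Subject and the proxy address 192.168.0.1 are assumptions standing in for whatever your HTTPSHeaders setting emits and wherever Pound actually runs; check the man page for the real names.

```python
"""Back-end side of Pound's HTTPSHeaders: a small WSGI application."""

# Header names are assumptions (see lead-in). WSGI exposes a request header
# "X-SSL-Cipher" as environ["HTTP_X_SSL_CIPHER"].
HTTPS_MARKER = "HTTP_X_SSL_CIPHER"          # present only on HTTPS requests
CLIENT_CERT_SUBJECT = "HTTP_X_SSL_SUBJECT"  # client certificate DN, if any
FORWARDED_FOR = "HTTP_X_FORWARDED_FOR"      # added by Pound (FAQ 6.2)

# Constructed address of the Pound host. The header checks below are only
# meaningful if nothing but Pound can reach this application; otherwise a
# client could set X-SSL-Cipher itself and bypass the HTTPS requirement.
TRUSTED_PROXIES = {"192.168.0.1"}


def client_address(environ):
    """Original client address for logging.

    Pound adds X-Forwarded-For with the address it accepted the connection
    from. A client may send its own X-Forwarded-For as well, and WSGI servers
    join repeated headers with ", ", so the value to trust is the right-most
    one, written by the last proxy in the chain.
    """
    forwarded = environ.get(FORWARDED_FOR, "")
    if forwarded and environ.get("REMOTE_ADDR") in TRUSTED_PROXIES:
        return forwarded.split(",")[-1].strip()
    return environ.get("REMOTE_ADDR", "-")


def application(environ, start_response):
    """Refuse anything that did not arrive over HTTPS through Pound and
    report the client certificate subject Pound forwarded."""
    if environ.get("REMOTE_ADDR") not in TRUSTED_PROXIES:
        start_response("403 Forbidden", [("Content-Type", "text/plain")])
        return [b"direct access not allowed\n"]
    if HTTPS_MARKER not in environ:
        start_response("403 Forbidden", [("Content-Type", "text/plain")])
        return [b"HTTPS required\n"]
    subject = environ.get(CLIENT_CERT_SUBJECT, "(no client certificate)")
    body = "client %s over TLS (%s); certificate subject: %s\n" % (
        client_address(environ), environ[HTTPS_MARKER], subject)
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [body.encode()]


def call(environ):
    """Run the application on a constructed WSGI environ and return
    (status, body), so the behaviour can be checked without a server."""
    captured = {}

    def start_response(status, headers):
        captured["status"] = status

    body = b"".join(application(environ, start_response))
    return captured["status"], body.decode()


if __name__ == "__main__":
    # Constructed requests: one plain HTTP, one HTTPS with a client cert.
    plain = {"REMOTE_ADDR": "192.168.0.1",
             "HTTP_X_FORWARDED_FOR": "203.0.113.9"}
    tls = dict(plain, HTTP_X_SSL_CIPHER="AES256-SHA",
               HTTP_X_SSL_SUBJECT="/C=US/O=Example/CN=alice",
               HTTP_X_FORWARDED_FOR="10.0.0.1, 203.0.113.9")
    print(call(plain))
    print(call(tls))
```

The REMOTE_ADDR check is the part that makes the header test trustworthy; with a firewall rule that only admits Pound to the back-end port it becomes redundant, but it is cheap belt-and-braces.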
4.8 Can Pound use my crypto accelerator hardware?
Pound supports the OpenSSL engine architecture. If your crypto card is
supported by OpenSSL then it is supported by Pound. See the SSLEngine
directive in the man page.
4.9 Can Pound use HTTPS back-end servers?
No, that is not supported: such a connection would break a lot of things,
either security (Pound would effectively act as a man-in-the-middle,
breaking the end-to-end integrity of SSL) or functionality (if Pound
just passed encrypted data back and forth, things like session
tracking and validity checking would be impossible). This means that
such support is unlikely to ever be part of Pound.
5. Session tracking
===================
5.1 Can I have session tracking based on URL and/or Cookie?
Pound can track sessions based on client IP address, a cookie, a URL
parameter or Basic Authentication. These options are mutually exclusive -
only one of them can be used per UrlGroup.
5.2 When does a session expire?
A session is kept for the specified number of seconds. If during this
time no new request was received the session is discarded.
5.3 Does Pound create/track its own sessions?
No. Pound does not add anything to the requests or the responses - it
uses the tokens generated by the back-end servers exclusively.
6. Logging
==========
6.1 Can I use Webalizer on Pound log files?
Yes. If you use LogLevel 3 or 4 Pound writes one of the standard log
formats that are recognized by applications such as Webalizer. You will
have to strip the prefix that syslog adds (timestamp, host name and
program tag) before feeding the file to Webalizer - see cut(1) or
sed(1) for details.
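Stripping the syslog prefix, as an added Python example that is not part of Pound. A plain "cut -d' ' -f6-" is not quite enough: the BSD syslog timestamp pads single-digit days with a second space ("Mar  3"), which shifts the field count by one for a third of the month. The regular expression below handles both the BSD timestamp and the RFC 3339 timestamp newer syslogds write, keeps only lines tagged "pound", and drops everything else. The sample lines are constructed for the example.

```python
import re

# Syslog line layout: BSD timestamp ("Mar  3 12:00:01") or RFC 3339
# timestamp, then host name, then program tag with optional "[pid]",
# then ": " and the message Pound logged.
SYSLOG_PREFIX = re.compile(
    r"^(?:[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d|\d{4}-\d\d-\d\dT\S+) "
    r"(?P<host>\S+) (?P<tag>[^\s\[:]+)(?:\[\d+\])?: (?P<msg>.*)$")


def strip_syslog(line, tag="pound"):
    """Return the message Pound logged, or None for lines from other
    programs or lines that are not in syslog format at all."""
    m = SYSLOG_PREFIX.match(line)
    if m is None or m.group("tag") != tag:
        return None
    return m.group("msg")


def to_clf(lines, tag="pound"):
    """Filter a syslog file down to Pound's request log lines, ready for
    Webalizer or any other tool that reads the standard formats."""
    out = []
    for line in lines:
        msg = strip_syslog(line.rstrip("\n"), tag)
        if msg is not None:
            out.append(msg)
    return out


# Constructed sample lines: three from Pound (two timestamp styles, with and
# without a pid) and one from another daemon that must be dropped.
SAMPLE = [
    'Mar  3 12:00:01 gw pound: 192.0.2.7 - - [03/Mar/2024:12:00:01 +0000] '
    '"GET / HTTP/1.1" 200 512 "-" "curl/8.0"',
    'Mar 13 12:00:02 gw pound[4242]: 192.0.2.8 - - [13/Mar/2024:12:00:02 +0000] '
    '"GET /missing HTTP/1.1" 404 0 "-" "curl/8.0"',
    'Mar 13 12:00:03 gw sshd[100]: Accepted publickey for ops from 192.0.2.9',
    '2024-03-13T12:00:04+00:00 gw pound: 192.0.2.10 - - [13/Mar/2024:12:00:04 +0000] '
    '"POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for entry in to_clf(SAMPLE):
        print(entry)
```

Run it against a real file with `to_clf(open("/var/log/pound.log"))`; if your syslogd uses a different program tag, pass it as the second argument.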
6.2 How do I log the original client address in the back-end log?
Pound adds the X-Forwarded-For header with the original client address
to every request. Use it for your logs on the back-end servers. Keep in
mind that the header is plain text a client can also send, so only
trust it on requests that actually came through Pound, and take the
last address in it rather than the first.
6.3 How can I separate the Pound log from other syslog messages?
If you use the syslog facility you can configure it to send the pound
messages to a separate file. You may want to separate by severity as
well - normal log messages use LOG_INFO, everything else is not request
information. See syslogd(8) for details on how to configure it.
6.4 How can I separate error messages from normal log messages?
If you use syslog: normal requests are logged at LOG_INFO, everything
else is higher.
If you run without syslog: normal request logging to stdout, everything
else to stderr.
6.5 Why does Pound not log anything when chrooted?
On some systems syslog(3) talks to syslogd through the Unix-domain
socket /dev/log, which is not visible from inside the root jail. It is
a socket created by syslogd, not a device you can mknod: have syslogd
open an additional socket inside the jail (for example "syslogd -l
/var/pound/dev/log" on FreeBSD, or rsyslog's imuxsock
AddUnixListenSocket), or bind-mount /dev/log into the jail.
6.6 Why can't Pound log directly to a file?
This is a security requirement. As things stand, Pound does not write at
all to the disk. The existing tools - such as syslog - allow all the
flexibility one could wish for.
If you absolutely must you can try the patches from Shinji Tanaka (see
http://www.hatena-inc.co.jp/~stanaka/pound/ for details).
7. WebDAV
=========
7.1 I compiled Pound with DAV support but it still rejects the requests
You also need to define "WebDAV 1" in your config file, and (depending on
your server or application) "ExtendedHTTP 1" as well.
7.3 Can I use Pound as a front-end for Subversion?
Yes. You may have some problems with using it via HTTPS, but HTTP should
work.
8. Zope
=======
8.1 What configurations is Pound most helpful for?
If you have several servers running on top of a ZEO server, Pound will
allow you to load-balance between them (BTW, this was the original
motivation for developing Pound). Pound also makes for a very good,
light-weight front-end for a single Zope - exposing the Zope Web-server
directly on the big, bad Internet is not a very good idea.
8.2 Can I have virtual hosts in Zope without Apache?
Yes. Despite persistent rumors, the Virtual Host Monster works perfectly
well on its own (dark incantations at midnight in the shade of the
cross-shaped oak branch are NOT required). All you need to do is to
add a VHM in the Zope root, click on the Mappings tab and add whatever
hosts you need.
8.3 Can I have HTTPS for Zope?
Yes. Pound will happily pass SSL requests to Zope. You have two possible
methods to force Zope to generate responses with the https:// prefix:
- if all you need is a specific area to be accessible only through HTTPS
you can add a SiteRoot with the correct name.
- alternately the Pound distribution includes patches for z2.py that
include a new -y flag for a "https://" port.
8.4 Can I force HTTPS for certain areas in Zope?
Yes. Add a check for the SSL-specific headers in the dtml_header or
whatever equivalent you use. See the details on HTTPSHeaders in the man
page.
9. Miscellaneous/MS
===================
9.1 IE fails to connect to Pound via HTTPS
Define the ciphers to be "ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL"
in the config file. We have had reports of IE problems with other
ciphers. Be aware of what that list allows: +LOW, +EXP, +SSLv2 and
+eNULL admit export-grade, SSLv2 and unencrypted (null-cipher) suites,
so a client that negotiates one of them gets no real protection. Use it
only while you still have to support such an IE version; otherwise
prefer a list that keeps HIGH and MEDIUM and excludes LOW, EXP, SSLv2
and eNULL.
9.2 IE has big delays in getting replies from Pound
Try a shorter Client timeout. IE uses exactly 4 sockets, and as long as
they stay open it won't do anything else. A short Client value will
force the socket(s) to be closed earlier, thus avoiding annoying waits.
9.3 I try to run MS OWA and Pound rejects the requests
Make sure you configured Pound with --enable-msdav. Make sure you
included "WebDAV 1" in the config file. Pray that MS would adhere to
some known standard. Repeat as necessary.
9.4 How can I force OWA to accept HTTPS requests?
Make sure to define
HTTPSHeaders 1 "Front-End-Https: on"
in the config file. This will force OWA to generate the responses with
the correct protocol.