1POUND(8) System Manager's Manual POUND(8)
2
6 pound - HTTP/HTTPS reverse-proxy and load-balancer
7
9 pound [-v] [-c] [-V] [-f config_file] [-p pid_file]
10
12 Pound is a reverse-proxy load balancing server. It accepts requests
13 from HTTP/HTTPS clients and distributes them to one or more Web
14 servers. The HTTPS requests are decrypted and passed to the back-ends
15 as plain HTTP.
16 If more than one back-end server is defined, Pound chooses one of them
18 randomly, based on defined priorities. By default, Pound keeps track of
19 associations between clients and back-end servers (sessions).
20
22 In general Pound needs three types of objects defined in order to func‐
23 tion: listeners, services and back-ends.
24 Listeners
26 A listener is a definition of how Pound receives requests from
27 the clients (browsers). Two types of listeners may be defined:
28 regular HTTP listeners and HTTPS (HTTP over SSL/TLS) listeners.
29 At the very least a listener must define the address and port to
30 listen on, with additional requirements for HTTPS listeners.
31 Services
33 A service is the definition of how the requests are answered.
34 The services may be defined within a listener or at the top
35 level (global). When a request is received Pound attempts to
36 match them to each service in turn, starting with the services
37 defined in the listener itself and, if needed, continuing with
38 the services defined at the global level. The services may
39 define their own conditions as to which requests they can
40 answer: typically this involves certain URLs (images only, or a
41 certain path) or specific headers (such as the Host header). A
42 service may also define a session mechanism: if defined future
43 requests from a given client will always be answered by the same
44 back-end.
45 Back-ends
47 The back-ends are the actual servers for the content requested.
48 By itself, Pound supplies no responses - all contents must be
49 received from a "real" web server. The back-end defines how the
50 server should be contacted.
51 Three types of back-ends may be defined: a "regular" back-end
53 which receives requests and returns responses, a "redirect"
54 back-end in which case Pound will respond with a redirect
55 response, without accessing any back-end at all, or an "emer‐
56 gency" back-end which will be used only if all other backends
57 are "dead".
58 Multiple back-ends may be defined within a service, in which
60 case Pound will load-balance between the available back-ends.
61 If a back-end fails to respond it will be considered "dead", in
63 which case Pound will stop sending requests to it. Dead back-
64 ends are periodically checked for availability, and once they
65 respond again they are "resurected" and requests are sent again
66 their way. If no back-ends are available (none were defined, or
67 all are "dead") then Pound will reply with "503 Service Unavail‐
68 able", without checking additional services.
69 The connection between Pound and the back-ends is always via
71 HTTP, regardless of the actual protocol used between Pound and
72 the client.
73
75 Options available (see also below for configuration file options):
76 -v Verbose mode: error messages will be sent to stdout even if
78 Pound was configured to log to syslog. This applies only to
79 startup messages, before Pound puts itself in the background.
80 Normal operational messages will still go to syslog.
81 -V Print version: Pound will exit immediately after printing the
83 current version and configuration flags.
84 -c Check only: Pound will exit immediately after parsing the con‐
86 figuration file. This may be used for running a quick syntax
87 check before actually activating a server.
88 -f config_file
90 Location of the configuration file (see below for a full
91 description of the format). Default: /usr/local/etc/pound.cfg
92 -p pid_file
94 Location of the pid file. Pound will write its own pid into
95 this file. Normally this is used for shell scripts that control
96 starting and stopping of the daemon. Default:
97 /var/run/pound.pid
98 In general, any number of back-end servers may be specified. Use the
100 priority to affect the load distribution among unequal-performance
101 servers.
102 One (or more) copies of Pound should be started at boot time. Use "big
104 iron" if you expect heavy loads: while Pound is as light-weight as I
105 know how to make it, with a lot of simultaneous requests it will use
106 quite a bit of CPU and memory. Multiple CPUs are your friend.
107
109 Each line in the file is considered a complete configuration directive.
110 The directives are case-insensitive. Empty lines or lines starting in
111 '#' are ignored. There are three types of directives: global directives
112 (they affect the settings for the entire program instance), listener
113 directives (they define which requests Pound will listen for), and ser‐
114 vice directives (they affect only a specific group of requests).
115
117 Global directives may appear anywhere within the configuration file,
118 though it is customary for them to be at the start. They may appear in
119 any order.
120 User "user_name"
122 Specify the user Pound will run as (must be defined in
123 /etc/passwd).
124 Group "group_name"
126 Specify the group Pound will run as (must be defined in
127 /etc/group).
128 RootJail "directory_path_and_name"
130 Specify the directory that Pound will chroot to at runtime.
131 Please note that OpenSSL requires access to /dev/urandom, so
132 make sure you create a device by that name, accessible from the
133 root jail directory. Pound may also require access to /dev/sys‐
134 log or similar.
135 Daemon 0|1
137 Have Pound run in the foreground (if 0) or as a daemon (if 1).
138 By default Pound runs as a daemon (detaches itself from the con‐
139 trolling terminal and puts itself in the background). By speci‐
140 fying this option you can force Pound to work like a regular
141 process. Useful for debugging or if you want to use something
142 like daemontools.
143 LogFacility value
145 Specify the log facility to use. value (default: daemon) must
146 be one of the symbolic facility names defined in syslog.h. This
147 facility shall be used for logging. Using a - for the facility
148 name causes Pound to log to stdout/stderr.
149 LogLevel value
151 Specify the logging level: 0 for no logging, 1 (default) for
152 regular logging, 2 for extended logging (show chosen backend
153 server as well), 3 for Apache-like format (Combined Log Format
154 with Virtual Host), 4 (same as 3 but without the virtual host
155 information) and 5 (same as 4 but with information about the
156 Service and BackEnd used). This value can be overridden for
157 specific listeners.
158 IgnoreCase 0|1
160 Ignore case when matching URLs (default: 0). This value can be
161 overridden for specific services.
162 DynScale 0|1
164 Enable or disable the dynamic rescaling code (default: 0). If
165 enabled Pound will periodically try to modify the back-end pri‐
166 orities in order to equalise the response times from the various
167 back-ends. This value can be overridden for specific services.
168 Alive value
170 Specify how often Pound will check for resurected back-end hosts
171 (default: 30 seconds). In general, it is a good idea to set this
172 as low as possible - it will find resurected hosts faster. How‐
173 ever, if you set it too low it will consume resources - so
174 beware.
175 Client value
177 Specify for how long Pound will wait for a client request
178 (default: 10 seconds). After this long has passed without the
179 client sending any data Pound will close the connection. Set it
180 higher if your clients time-out on a slow network or over-loaded
181 server, lower if you start getting DOS attacks or run into prob‐
182 lems with IE clients. This value can be overridden for specific
183 listeners.
184 TimeOut value
186 How long should Pound wait for a response from the back-end (in
187 seconds). Default: 15 seconds. This value can be overridden for
188 specific back-ends.
189 ConnTO value
191 How long should Pound wait for a connection to the back-end (in
192 seconds). Default: the TimeOut value. This value can be overrid‐
193 den for specific back-ends.
194 Grace value
196 How long should Pound continue to answer existing connections
197 after a receiving and INT or HUP signal (default: 30 seconds).
198 The configured listeners are closed immediately. You can bypass
199 this behaviour by stopping Pound with a TERM or QUIT signal, in
200 which case the program exits without any delay.
201 SSLEngine "name"
203 Use an OpenSSL hardware acceleration card called name. Available
204 only if OpenSSL-engine is installed on your system.
205 Control "/path/to/socket"
207 Set the control socket path. If not defined Pound does not lis‐
208 ten for any commands. The commands may be issued by using the
209 poundctl(8) program.
210
212 An HTTP listener defines an address and port that Pound will listen on
213 for HTTP requests. All configuration directives enclosed between Lis‐
214 tenHTTP and End are specific to a single HTTP listener. At the very
215 least you must specify and address and a port for each listener. The
216 following directives are available:
217 Address address
219 The address that Pound will listen on. This can be a numeric IP
220 address, or a symbolic host name that must be resolvable at run-
221 time. This is a mandatory parameter. The address 0.0.0.0 may be
222 used as an alias for 'all available addresses on this machine',
223 but this practice is strongly discouraged, as it will interfere
224 with the rewriting mechanisms (see below).
225 Port port
227 The port number that Pound will listen on. This is a mandatory
228 parameter.
229 xHTTP value
231 Defines which HTTP verbs are accepted. The possible values are:
232 0 (default) accept only standard HTTP requests (GET, POST,
234 HEAD).
235 1 additionally allow extended HTTP requests (PUT, DELETE).
237 2 additionally allow standard WebDAV verbs (LOCK, UNLOCK,
239 PROPFIND, PROPPATCH, SEARCH, MKCOL, MOVE, COPY, OPTIONS, TRACE,
240 MKACTIVITY, CHECKOUT, MERGE, REPORT).
241 3 additionally allow MS extensions WebDAV verbs (SUBSCRIBE,
243 UNSUBSCRIBE, NOTIFY, BPROPFIND, BPROPPATCH, POLL, BMOVE, BCOPY,
244 BDELETE, CONNECT).
245 4 additionally allow MS RPC extensions verbs (RPC_IN_DATA,
247 RPC_OUT_DATA).
248 Client value
250 Override the global Client time-out value.
251 CheckURL "pattern to match"
253 Define a pattern that must be matched by each request sent to
254 this listener. A request that does not match is considered to be
255 illegal. By default Pound accepts all requests (i.e. the pat‐
256 tern is ".*"), but you are free to limit it to something more
257 reasonable. Please note that this applies only to the request
258 path - Pound will still check that the request is syntactically
259 correct.
260 Err414 "filename"
262 A file with the text to be displayed if an Error 414 occurs.
263 Default: "Request URI is too long.".
264 Err500 "filename"
266 A file with the text to be displayed if an Error 500 occurs.
267 Default: "An internal server error occurred. Please try again
268 later.".
269 Err501 "filename"
271 A file with the text to be displayed if an Error 501 occurs.
272 Default: "This method may not be used.".
273 Err503 "filename"
275 A file with the text to be displayed if an Error 503 occurs.
276 Default: "The service is not available. Please try again
277 later.".
278 MaxRequest nnn
280 Request maximal size. All requests will be limited to these many
281 bytes. If a request contains more data than allowed an error 414
282 is returned. Default: unlimited.
283 HeadRemove "header pattern"
285 Remove certain headers from the incoming requests. All
286 occurences of the matching specified header will be removed.
287 Please note that this filtering is done prior to other checks
288 (such as HeadRequire or HeadDeny), so you should not try to
289 check for these headers in later matches. Multiple directives
290 may be specified in order to remove more than one header, and
291 the header itself may be a regular pattern (though this should
292 be used with caution).
293 AddHeader "header: to add"
295 Add the defined header to the request passed to the back-end
296 server. The header is added verbatim.
297 RewriteLocation 0|1|2
299 If 1 force Pound to change the Location: and Content-location:
300 headers in responses. If they point to the back-end itself or to
301 the listener (but with the wrong protocol) the response will be
302 changed to show the virtual host in the request. Default: 1
303 (active). If the value is set to 2 only the back-end address is
304 compared; this is useful for redirecting a request to an HTTPS
305 listener on the same server as the HTTP listener.
306 RewriteDestination 0|1
308 If 1 force Pound to change the Destination: header in requests.
309 The header is changed to point to the back-end itself with the
310 correct protocol. Default: 0.
311 LogLevel value
313 Override the global LogLevel value.
314 Service [ "name" ]
316 This defines a private service (see below for service definition
317 syntax). This service will be used only by this listener. The
318 service may be optionally named, with the name showing in the
319 poundctl listings.
320
322 An HTTPS listener defines an address and port that Pound will listen on
323 for HTTPS requests. All configuration directives enclosed between Lis‐
324 tenHTTPS and End are specific to a single HTTPS listener. At the very
325 least you must specify and address, a port and a server certificate for
326 each listener. All directives defined for HTTP listeners are applicable
327 to HTTPS listeners as well. The following additional directives are
328 also available:
329 Cert "certificate file"
331 Specify the server certificate. The certificate file is the file
332 containing the certificate, possibly a certificate chain and the
333 signature for this server. This directive is mandatory for HTTPS
334 listeners.
335 ClientCert 0|1|2|3 depth
337 Ask for the client's HTTPS certificate: 0 - don't ask (default),
338 1 - ask, 2 - ask and fail if no certificate was presented, 3 -
339 ask but do not verify. depth is the depth of verification for a
340 client certificate (up to 9).
341 Ciphers "acceptable:cipher:list"
343 This is the list of ciphers that will be accepted by the SSL
344 connection; it is a string in the same format as in OpenSSL
345 ciphers(1) and SSL_CTX_set_cipher_list(3).
346 CAlist "CAcert_file"
348 Set the list of "trusted" CA's for this server. The CAcert_file
349 is a file containing a sequence of CA certificates (PEM format).
350 The names of the defined CA certificates will be sent to the
351 client on connection.
352 VerifyList "Verify_file"
354 Set the CA (Certificate Authority). The Verify_file is a file
355 that contains the CA root certificates (in PEM format).
356 Please note: there is an important difference between the CAlist
358 and the VerifyList. The CAlist tells the client (browser) which
359 client certificates it should send. The VerifyList defines which
360 CAs are actually used for the verification of the returned cer‐
361 tificate.
362 CRLlist "CRL_file"
364 Set the CRL (Certificate Revocation List) file. The CRL_file is
365 a file that contains the CRLs (in PEM format).
366 NoHTTPS11 0|1|2
368 Behave like an HTTP/1.0 server for HTTPS clients. If this value
369 is 0 disable the check. If the value is 1 do not allow multiple
370 requests on SSL connections. If the value is 2 (default) disable
371 multiple requests on SSL connections only for MSIE clients.
372 Required work-around for a bug in certain versions of IE.
373
375 A service is a definition of which back-end servers Pound will use to
376 reply to incoming requests. A service may be defined as part of a lis‐
377 tener (in which case it will be used only by that listener), or glob‐
378 ally (which makes it available to all listeners). Pound will always
379 try the private services in the order defined, followed by the global
380 ones.
381 All configuration directives enclosed between Service and End are spe‐
383 cific to a single service. The following directives are available:
384 URL "pattern"
386 Match the incoming request. If a request fails to match than
387 this service will be skipped and next one tried. If all services
388 fail to match Pound returns an error. You may define multiple
389 URL conditions per service. If no URL was defined then all
390 requests match. The matching is by default case-sensitive, but
391 this can be overridden by specifying IgnoreCase 1
392 IgnoreCase 0|1
394 Override the global IgnoreCase setting.
395 HeadRequire "pattern"
397 The request must contain at least on header matching the given
398 pattern. Multiple HeadRequire directives may be defined per
399 service, in which case all of them must be satisfied.
400 HeadDeny "pattern"
402 The request may not contain any header matching the given pat‐
403 tern. Multiple HeadDeny directives may be defined per service,
404 in which case all of them must be satisfied.
405 Please note: if the listener defined a HeadRemove directive, the
407 matching headers are removed before the service matching is
408 attempted.
409 DynScale 0|1
411 Enable or disable dynamic rescaling for the current service.
412 This value will override the value globally defined.
413 BackEnd
415 Directives enclosed between a BackEnd and the following End
416 directives define a single back-end server (see below for
417 details). You may define multiple back-ends per service, in
418 which case Pound will attempt to load-balance between them.
419 Redirect [code] "url"
421 This is a special type of back-end. Instead of sending the
422 request to a back-end Pound replies immediately with a redirect‐
423 ion to the given URL. You may define multiple redirectors in a
424 service, as well as mixing them with regular back-ends.
425 The address the client is redirected to is determined by the
427 actual url you specify: if it is a "pure" host (i.e. with no
428 path) then the client will be redirected to the host you speci‐
429 fied, with the original request path appended. If your url does
430 contain a path then the request path is ignored.
431 Examples: if you specified
433 Redirect "http://abc.example"
435 and the client requested http://xyz/a/b/c then it will be redi‐
437 rected to http://abc.example/a/b/c, but if you specified
438 Redirect "http://abc.example/index.html"
440 it will be sent to http://abc.example/index.html.
442 Technical note: in an ideal world Pound should reply with a "307
444 Temporary Redirect" status. Unfortunately, that is not yet sup‐
445 ported by all clients (in particular HTTP 1.0 ones), so Pound
446 currently replies by default with a "302 Found" instead. You may
447 override this behaviour by specifying the code to be used (301,
448 302 or 307).
449 Emergency
451 Directives enclosed between an Emergency and the following End
452 directives define an emergency back-end server (see below for
453 details). You may define only one emergency server per service,
454 which Pound will attempt to use if all backends are down.
455 Session
457 Directives enclosed between a Session and the following End
458 directives define a session-tracking mechanism for the current
459 service. See below for details.
460
462 A back-end is a definition of a single back-end server Pound will use
463 to reply to incoming requests. All configuration directives enclosed
464 between BackEnd and End are specific to a single service. The following
465 directives are available:
466 Address address
468 The address that Pound will connect to. This can be a numeric IP
469 address, or a symbolic host name that must be resolvable at run-
470 time. If the name cannot be resolved to a valid address, Pound
471 will assume that it represents the path for a Unix-domain
472 socket. This is a mandatory parameter.
473 Port port
475 The port number that Pound will connect to. This is a mandatory
476 parameter for non Unix-domain back-ends.
477 HTTPS [ "cert" ]
479 The back-end is using HTTPS. If the optional parameter cert is
480 specified, Pound will present this certificate to the back-end.
481 Priority val
483 The priority of this back-end (between 1 and 9, 5 is default).
484 Higher priority back-ends will be used more often than lower
485 priority ones, so you should define higher priorities for more
486 capable servers.
487 TimeOut val
489 Override the global TimeOut value.
490 ConnTO val
492 Override the global ConnTO value.
493 HAport [ address ] port
495 A port (and optional address) to be used for server function
496 checks. See below the "High Availability" section for a more
497 detailed discussion. By default Pound uses the same address as
498 the back-end server, but you may use a separate address if you
499 wish. This directive applies only to non Unix-domain servers.
500
502 The emergency server will be used once all existing back-ends are
503 "dead". All configuration directives enclosed between Emergency and
504 End are specific to a single service. The following directives are
505 available:
506 Address address
508 The address that Pound will connect to. This can be a numeric IP
509 address, or a symbolic host name that must be resolvable at run-
510 time. If the name cannot be resolved to a valid address, Pound
511 will assume that it represents the path for a Unix-domain
512 socket. This is a mandatory parameter.
513 Port port
515 The port number that Pound will connect to. This is a mandatory
516 parameter for non Unix-domain back-ends.
517
519 Defines how a service deals with possible HTTP sessions. All configu‐
520 ration directives enclosed between Session and End are specific to a
521 single service. Once a sessions is identified, Pound will attempt to
522 send all requests within that session to the same back-end server.
523 The following directives are available:
525 Type IP|BASIC|URL|PARM|COOKIE|HEADER
527 What kind of sessions are we looking for: IP (the client
528 address), BASIC (basic authentication), URL (a request parame‐
529 ter), PARM (a URI parameter), COOKIE (a certain cookie), or
530 HEADER (a certain request header). This is a mandatory parame‐
531 ter.
532 TTL seconds
534 How long can a session be idle (in seconds). A session that has
535 been idle for longer than the specified number of seconds will
536 be discarded. This is a mandatory parameter.
537 ID "name"
539 The session identifier. This directive is permitted only for
540 sessions of type URL (the name of the request parameter we need
541 to track), COOKIE (the name of the cookie) and HEADER (the
542 header name).
543 See below for some examples.
545
547 Pound attempts to keep track of active back-end servers, and will tem‐
548 porarily disable servers that do not respond (though not necessarily
549 dead: an overloaded server that Pound cannot establish a connection to
550 will be considered dead). However, every Alive seconds, an attempt is
551 made to connect to the dead servers in case they have become active
552 again. If this attempt succeeds, connections will be initiated to them
553 again.
554 In general it is a good idea to set this time interval as low as is
556 consistent with your resources in order to benefit from resurected
557 servers at the earliest possible time. The default value of 30 seconds
558 is probably a good choice.
559 The clients that happen upon a dead backend server will just receive a
561 503 Service Unavailable message.
562 The HAport parameter specifies an additional port (and optionally an
564 address) that is used only for viability checks: if this port is speci‐
565 fied in a BackEnd directive, Pound will attempt periodically (every
566 Alive seconds) to connect to this port. If the port does not respond
567 the server is considered dead. It never makes sense to have the HAport
568 identical to the main back-end port: this would only generate extra,
569 unncecessary activity (CPU, network traffic) for no good reason whatso‐
570 ever. The HAport is meant for applications that offer an additional
571 health monitoring port or for installations that wish to take servers
572 off-line in a controlled manner.
573 By default the address of the HAport health monitor is the same as that
575 of the back-end server. You may specify a different address though, for
576 example if you have a monitoring program running on another host.
577
579 If a client browser connects to Pound via HTTPS and if it presents a
580 client certificate Pound adds the following headers to the request it
581 issues to the server:
582 X-SSL-Subject
584 Details about the certificate owner.
585 X-SSL-Issuer
587 Details about the certificate issuer (Certificate Authority).
588 X-SSL-notBefore
590 Starting date of certificate validity.
591 X-SSL-notAfter
593 Ending date of certificate validity.
594 X-SSL-serial
596 Certificate serial number (decimal).
597 X-SSL-cipher
599 The cipher currently in use.
600 X-SSL-certificate
602 The full client certificate (PEM-format multi-line)
603 It is the application's responsibility to actually use these headers -
605 Pound just passes this information without checking it in any way
606 (except for signature and encryption correctness).
607
609 In general, Pound does not read or write to the hard-disk. The excep‐
610 tions are reading the configuration file and (possibly) the server cer‐
611 tificate file(s) and error message(s), which are opened read-only on
612 startup, read, and closed, and the pid file which is opened on start-
613 up, written to and immediately closed. Following this there is no disk
614 access whatsoever, so using a RootJail directive is only for extra
615 security bonus points.
616 Pound tries to sanitise all HTTP/HTTPS requests: the request itself,
618 the headers and the contents are checked for conformance to the RFC's
619 and only valid requests are passed to the back-end servers. This is not
620 absolutely fool-proof - as the recent Apache problem with chunked
621 transfers demonstrated. However, given the current standards, this is
622 the best that can be done - HTTP is an inherently weak protocol.
623
625 Pound uses the system log for messages (default facility LOG_DAEMON).
626 The format is very similar to other web servers, so that if you want to
627 use a log tool:
628 fgrep pound /var/log/messages | your_log_tool
630 Translating HTTPS to HTTP is an iffy proposition: no client information
632 is passed to the server itself (certificates, etc) and the backend
633 server may be misled if it uses absolute URLs. A patch for Zope is
634 included in the distribution to address this issue - for other Web
635 servers you are on your own. May the source be with you.
636 Pound deals with (and sanitizes) HTTP/1.1 requests. Thus even if you
638 have an HTTP/1.0 server, a single connection to an HTTP/1.1 client is
639 kept, while the connection to the back-end server is re-opened as nec‐
640 essary.
641 Pound attempts to resolve the names of the hosts that appear in various
643 requests and/or responses. That means it need a functioning resolver
644 of some kind (be it /etc/hosts, DNS or something else).
645
647 To translate HTTPS requests to a local HTTP server (assuming your net‐
648 work address is 123.123.123.123):
649 ListenHTTPS
651 Address 1.2.3.4
652 Port 443
653 Cert "/etc/pound/server.pem"
654 Service
656 BackEnd
657 Address 127.0.0.1
658 Port 80
659 End
660 End
661 End
662 To distribute the HTTP/HTTPS requests to three Web servers, where the
664 third one is a newer and faster machine:
665 ListenHTTP
667 Address 123.123.123.123
668 Port 80
669 End
670 ListenHTTPS
671 Address 1.2.3.4
672 Port 443
673 Cert "/etc/pound/server.pem"
674 End
675 Service
677 BackEnd
678 Address 192.168.0.10
679 Port 80
680 End
681 BackEnd
682 Address 192.168.0.11
683 Port 80
684 End
685 BackEnd
686 Address 192.168.0.12
687 Port 80
688 Priority 3
689 End
690 End
691 To separate between image requests and other Web content and send all
693 requests for a specific URL to a secure server:
694 ListenHTTP
696 Address 123.123.123.123
697 Port 80
698 End
699 # Images server(s)
701 Service
702 URL ".*.(jpg|gif)"
703 BackEnd
704 Address 192.168.0.12
705 Port 80
706 End
707 End
708 # redirect all requests for /forbidden
710 Service
711 Url "/forbidden.*"
712 Redirect "https://xyzzy.com"
713 End
714 # Catch-all server(s)
716 Service
717 BackEnd
718 Address 192.168.0.10
719 Port 80
720 End
721 BackEnd
722 Address 192.168.0.11
723 Port 80
724 End
725 Session
726 Type BASIC
727 TTL 300
728 End
729 End
730 Here is a more complex example: assume your static images (GIF/JPEG)
732 are to be served from a single back-end 192.168.0.10. In addition,
733 192.168.0.11 is to do the hosting for www.myserver.com with URL-based
734 sessions, and 192.168.0.20 (a 1GHz PIII) and 192.168.0.21 (800Mhz
735 Duron) are for all other requests (cookie-based sessions). The logging
736 will be done by the back-end servers. The configuration file may look
737 like this:
738 User "nobody"
740 Group "nogroup"
741 RootJail "/var/pound/jail"
742 Alive 60
743 LogLevel 0
744 # Main listening ports
746 ListenHTTP
747 Address 1.2.3.4
748 Port 80
749 Client 10
750 End
751 ListenHTTPS
752 Address 1.2.3.4
753 Port 443
754 Cert "/etc/pound/pound.pem"
755 Client 20
756 End
757 # Image server
759 Service
760 URL ".*.(jpg|gif)"
761 BackEnd
762 Address 192.168.0.10
763 Port 80
764 End
765 End
766 # Virtual host www.myserver.com
768 Service
769 URL ".*sessid=.*"
770 HeadRequire "Host:.*www.myserver.com.*"
771 BackEnd
772 Address 192.168.0.11
773 Port 80
774 End
775 Session
776 Type URL
777 ID "sessid"
778 TTL 120
779 End
780 End
781 # Everybody else
783 Service
784 BackEnd
785 Address 192.168.0.20
786 Port 80
787 Priority 5
788 End
789 BackEnd
790 Address 192.168.0.21
791 Port 80
792 Priority 4
793 End
794 Session
795 Type COOKIE
796 ID "userid"
797 TTL 180
798 End
799 End
800
802 /var/run/pound.nnn
803 this is where Pound will attempt to record its process id.
804 /usr/local/etc/pound.cfg
806 the default configuration file (the location may be changed when
807 compiling - see the F_CONF flag in the Makefile).
808 /usr/local/etc/pound/cert.pem
810 the certificate file(s) for HTTPS. The location must be defined
811 in the configuration file - this is only a suggestion. The file
812 must contain a PEM-encoded certificate, optionally a certificate
813 chain from a known Certificate Authority to your server certifi‐
814 cate and a PEM-encoded private key (not password protected). See
815 OpenSSL(1) for details. This file should be well protected, lest
816 someone gets your server private key.
817
819 Written by Robert Segall, Apsis GmbH.
820
822 Report bugs to <roseg@apsis.ch>.
823
825 Copyright © 2002-2010 Apsis GmbH.
826 This is free software; see the source for copying conditions. There is
827 NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR
828 PURPOSE.
829pound Jan 2010 POUND(8)