1POUND(8) System Manager's Manual POUND(8)
2
6 pound - HTTP/HTTPS reverse-proxy and load-balancer
7
9 pound [-v] [-c] [-V] [-f config_file] [-p pid_file]
10
12 Pound is a reverse-proxy load balancing server. It accepts requests
13 from HTTP/HTTPS clients and distributes them to one or more Web
14 servers. The HTTPS requests are decrypted and passed to the back-ends
15 as plain HTTP.
16 If more than one back-end server is defined, Pound chooses one of them
18 randomly, based on defined priorities. By default, Pound keeps track of
19 associations between clients and back-end servers (sessions).
20
22 In general Pound needs three types of objects defined in order to func‐
23 tion: listeners, services and back-ends.
24 Listeners
26 A listener is a definition of how Pound receives requests from
27 the clients (browsers). Two types of listeners may be defined:
28 regular HTTP listeners and HTTPS (HTTP over SSL/TLS) listeners.
29 At the very least a listener must define the address and port to
30 listen on, with additional requirements for HTTPS listeners.
31 Services
33 A service is the definition of how the requests are answered.
34 The services may be defined within a listener or at the top
35 level (global). When a request is received Pound attempts to
36 match them to each service in turn, starting with the services
37 defined in the listener itself and, if needed, continuing with
38 the services defined at the global level. The services may
39 define their own conditions as to which requests they can
40 answer: typically this involves certain URLs (images only, or a
41 certain path) or specific headers (such as the Host header). A
42 service may also define a session mechanism: if defined future
43 requests from a given client will always be answered by the same
44 back-end.
45 Back-ends
47 The back-ends are the actual servers for the content requested.
48 By itself, Pound supplies no responses - all contents must be
49 received from a "real" web server. The back-end defines how the
50 server should be contacted.
51 Three types of back-ends may be defined: a "regular" back-end
53 which receives requests and returns responses, a "redirect"
54 back-end in which case Pound will respond with a redirect
55 response, without accessing any back-end at all, or an "emer‐
56 gency" back-end which will be used only if all other backends
57 are "dead".
58 Multiple back-ends may be defined within a service, in which
60 case Pound will load-balance between the available back-ends.
61 If a back-end fails to respond it will be considered "dead", in
63 which case Pound will stop sending requests to it. Dead back-
64 ends are periodically checked for availability, and once they
65 respond again they are "resurected" and requests are sent again
66 their way. If no back-ends are available (none were defined, or
67 all are "dead") then Pound will reply with "503 Service Unavail‐
68 able", without checking additional services.
69 The connection between Pound and the back-ends is always via
71 HTTP, regardless of the actual protocol used between Pound and
72 the client.
73
75 Options available (see also below for configuration file options):
76 -v Verbose mode: error messages will be sent to stdout even if
78 Pound was configured to log to syslog. This applies only to
79 startup messages, before Pound puts itself in the background.
80 Normal operational messages will still go to syslog.
81 -V Print version: Pound will exit immediately after printing the
83 current version and configuration flags.
84 -c Check only: Pound will exit immediately after parsing the con‐
86 figuration file. This may be used for running a quick syntax
87 check before actually activating a server.
88 -f config_file
90 Location of the configuration file (see below for a full
91 description of the format). Default: /usr/local/etc/pound.cfg
92 -p pid_file
94 Location of the pid file. Pound will write its own pid into
95 this file. Normally this is used for shell scripts that control
96 starting and stopping of the daemon. Default:
97 /var/run/pound.pid
98 In general, any number of back-end servers may be specified. Use the
100 priority to affect the load distribution among unequal-performance
101 servers.
102 One (or more) copies of Pound should be started at boot time. Use "big
104 iron" if you expect heavy loads: while Pound is as light-weight as I
105 know how to make it, with a lot of simultaneous requests it will use
106 quite a bit of CPU and memory. Multiple CPUs are your friend.
107
109 Each line in the file is considered a complete configuration directive.
110 The directives are case-insensitive. Empty lines or lines starting in
111 '#' are ignored. There are three types of directives: global directives
112 (they affect the settings for the entire program instance), listener
113 directives (they define which requests Pound will listen for), and ser‐
114 vice directives (they affect only a specific group of requests).
115
117 Global directives may appear anywhere within the configuration file,
118 though it is customary for them to be at the start. They may appear in
119 any order.
120 User "user_name"
122 Specify the user Pound will run as (must be defined in
123 /etc/passwd).
124 Group "group_name"
126 Specify the group Pound will run as (must be defined in
127 /etc/group).
128 RootJail "directory_path_and_name"
130 Specify the directory that Pound will chroot to at runtime.
131 Please note that OpenSSL requires access to /dev/urandom, so
132 make sure you create a device by that name, accessible from the
133 root jail directory. Pound may also require access to /dev/sys‐
134 log or similar.
135 Daemon 0|1
137 Have Pound run in the foreground (if 0) or as a daemon (if 1).
138 By default Pound runs as a daemon (detaches itself from the con‐
139 trolling terminal and puts itself in the background). By speci‐
140 fying this option you can force Pound to work like a regular
141 process. Useful for debugging or if you want to use something
142 like daemontools.
143 LogFacility value
145 Specify the log facility to use. value (default: daemon) must
146 be one of the symbolic facility names defined in syslog.h. This
147 facility shall be used for logging. Using a - for the facility
148 name causes Pound to log to stdout/stderr.
149 LogLevel value
151 Specify the logging level: 0 for no logging, 1 (default) for
152 regular logging, 2 for extended logging (show chosen backend
153 server as well), 3 for Apache-like format (Combined Log Format
154 with Virtual Host), 4 (same as 3 but without the virtual host
155 information) and 5 (same as 4 but with information about the
156 Service and BackEnd used). This value can be overridden for
157 specific listeners.
158 DynScale 0|1
160 Enable or disable the dynamic rescaling code (default: 0). If
161 enabled Pound will periodically try to modify the back-end pri‐
162 orities in order to equalise the response times from the various
163 back-ends. This value can be overridden for specific services.
164 Alive value
166 Specify how often Pound will check for resurected back-end hosts
167 (default: 30 seconds). In general, it is a good idea to set this
168 as low as possible - it will find resurected hosts faster. How‐
169 ever, if you set it too low it will consume resources - so
170 beware.
171 Client value
173 Specify for how long Pound will wait for a client request
174 (default: 10 seconds). After this long has passed without the
175 client sending any data Pound will close the connection. Set it
176 higher if your clients time-out on a slow network or over-loaded
177 server, lower if you start getting DOS attacks or run into prob‐
178 lems with IE clients. This value can be overridden for specific
179 listeners.
180 TimeOut value
182 How long should Pound wait for a response from the back-end (in
183 seconds). Default: 15 seconds. This value can be overridden for
184 specific back-ends.
185 Grace value
187 How long should Pound continue to answer existing connections
188 after a receiving and INT or HUP signal (default: 30 seconds).
189 The configured listeners are closed immediately. You can bypass
190 this behaviour by stopping Pound with a TERM or QUIT signal, in
191 which case the program exits without any delay.
192 SSLEngine "name"
194 Use an OpenSSL hardware acceleration card called name. Available
195 only if OpenSSL-engine is installed on your system.
196 Control "/path/to/socket"
198 Set the control socket path. If not defined Pound does not lis‐
199 ten for any commands. The commands may be issued by using the
200 poundctl(8) program.
201
203 An HTTP listener defines an address and port that Pound will listen on
204 for HTTP requests. All configuration directives enclosed between Lis‐
205 tenHTTP and End are specific to a single HTTP listener. At the very
206 least you must specify and address and a port for each listener. The
207 following directives are available:
208 Address address
210 The address that Pound will listen on. This can be a numeric IP
211 address, or a symbolic host name that must be resolvable at run-
212 time. This is a mandatory parameter. The address 0.0.0.0 may be
213 used as an alias for 'all available addresses on this machine',
214 but this practice is strongly discouraged, as it will interfere
215 with the rewriting mechanisms (see below).
216 Port port
218 The port number that Pound will listen on. This is a mandatory
219 parameter.
220 xHTTP value
222 Defines which HTTP verbs are accepted. The possible values are:
223 0 (default) accept only standard HTTP requests (GET, POST,
225 HEAD).
226 1 additionally allow extended HTTP requests (PUT, DELETE).
228 2 additionally allow standard WebDAV verbs (LOCK, UNLOCK,
230 PROPFIND, PROPPATCH, SEARCH, MKCOL, MOVE, COPY, OPTIONS, TRACE,
231 MKACTIVITY, CHECKOUT, MERGE, REPORT).
232 3 additionally allow MS extensions WebDAV verbs (SUBSCRIBE,
234 BPROPPATCH, POLL, BMOVE, BCOPY, BDELETE, CONNECT).
235 4 additionally allow MS RPC extensions verbs (RPC_IN_DATA,
237 RPC_OUT_DATA).
238 Client value
240 Override the global Client time-out value.
241 CheckURL "pattern to match"
243 Define a pattern that must be matched by each request sent to
244 this listener. A request that does not match is considered to be
245 illegal. By default Pound accepts all requests (i.e. the pat‐
246 tern is ".*"), but you are free to limit it to something more
247 reasonable. Please note that this applies only to the request
248 path - Pound will still check that the request is syntactically
249 correct.
250 Err414 "filename"
252 A file with the text to be displayed if an Error 414 occurs.
253 Default: "Request URI is too long.".
254 Err500 "filename"
256 A file with the text to be displayed if an Error 500 occurs.
257 Default: "An internal server error occurred. Please try again
258 later.".
259 Err501 "filename"
261 A file with the text to be displayed if an Error 501 occurs.
262 Default: "This method may not be used.".
263 Err503 "filename"
265 A file with the text to be displayed if an Error 503 occurs.
266 Default: "The service is not available. Please try again
267 later.".
268 MaxRequest nnn
270 Request maximal size. All requests will be limited to these many
271 bytes. If a request contains more data than allowed an error 414
272 is returned. Default: unlimited.
273 HeadRemove "header pattern"
275 Remove certain headers from the incoming requests. All
276 occurences of the matching specified header will be removed.
277 Please note that this filtering is done prior to other checks
278 (such as HeadRequire or HeadDeny), so you should not try to
279 check for these headers in later matches. Multiple directives
280 may be specified in order to remove more than one header, and
281 the header itself may be a regular pattern (though this should
282 be used with caution).
283 RewriteLocation 0|1|2
285 If 1 force Pound to change the Location: and Content-location:
286 headers in responses. If they point to the back-end itself or to
287 the listener (but with the wrong protocol) the response will be
288 changed to show the virtual host in the request. Default: 1
289 (active). If the value is set to 2 only the back-end address is
290 compared; this is useful for redirecting a request to an HTTPS
291 listener on the same server as the HTTP listener.
292 RewriteDestination 0|1
294 If 1 force Pound to change the Destination: header in requests.
295 The header is changed to point to the back-end itself with the
296 correct protocol. Default: 0.
297 LogLevel value
299 Override the global LogLevel value.
300 Service [ "name" ]
302 This defines a private service (see below for service definition
303 syntax). This service will be used only by this listener. The
304 service may be optionally named, with the name showing in the
305 poundctl listings.
306
308 An HTTPS listener defines an address and port that Pound will listen on
309 for HTTPS requests. All configuration directives enclosed between Lis‐
310 tenHTTPS and End are specific to a single HTTPS listener. At the very
311 least you must specify and address, a port and a server certificate for
312 each listener. All directives defined for HTTP listeners are applicable
313 to HTTPS listeners as well. The following additional directives are
314 also available:
315 Cert "certificate file"
317 Specify the server certificate. The certificate file is the file
318 containing the certificate, possibly a certificate chain and the
319 signature for this server. This directive is mandatory for HTTPS
320 listeners.
321 ClientCert 0|1|2|3 depth
323 Ask for the client's HTTPS certificate: 0 - don't ask (default),
324 1 - ask, 2 - ask and fail if no certificate was presented, 3 -
325 ask but do not verify. depth is the depth of verification for a
326 client certificate (up to 9).
327 AddHeader "header: to add"
329 Add the defined header to the request passed to the back-end
330 server. The header is added verbatim.
331 Ciphers "acceptable:cipher:list"
333 This is the list of ciphers that will be accepted by the SSL
334 connection; it is a string in the same format as in OpenSSL
335 ciphers(1) and SSL_CTX_set_cipher_list(3).
336 CAlist "CAcert_file"
338 Set the list of "trusted" CA's for this server. The CAcert_file
339 is a file containing a sequence of CA certificates (PEM format).
340 The names of the defined CA certificates will be sent to the
341 client on connection.
342 VerifyList "Verify_file"
344 Set the CA (Certificate Authority). The Verify_file is a file
345 that contains the CA root certificates (in PEM format).
346 Please note: there is an important difference between the CAlist
348 and the VerifyList. The CAlist tells the client (browser) which
349 client certificates it should send. The VerifyList defines which
350 CAs are actually used for the verification of the returned cer‐
351 tificate.
352 CRLlist "CRL_file"
354 Set the CRL (Certificate Revocation List) file. The CRL_file is
355 a file that contains the CRLs (in PEM format).
356 NoHTTPS11 0|1|2
358 Behave like an HTTP/1.0 server for HTTPS clients. If this value
359 is 0 disable the check. If the value is 1 do not allow multiple
360 requests on SSL connections. If the value is 2 (default) disable
361 multiple requests on SSL connections only for MSIE clients.
362 Required work-around for a bug in certain versions of IE.
363
365 A service is a definition of which back-end servers Pound will use to
366 reply to incoming requests. A service may be defined as part of a lis‐
367 tener (in which case it will be used only by that listener), or glob‐
368 ally (which makes it available to all listeners). Pound will always
369 try the private services in the order defined, followed by the global
370 ones.
371 All configuration directives enclosed between Service and End are spe‐
373 cific to a single service. The following directives are available:
374 URL "pattern"
376 Match the incoming request. If a request fails to match than
377 this service will be skipped and next one tried. If all services
378 fail to match Pound returns an error. You may define multiple
379 URL conditions per service. If no URL was defined then all
380 requests match.
381 HeadRequire "pattern"
383 The request must contain at least on header matching the given
384 pattern. Multiple HeadRequire directives may be defined per
385 service, in which case all of them must be satisfied.
386 HeadDeny "pattern"
388 The request may not contain any header matching the given pat‐
389 tern. Multiple HeadDeny directives may be defined per service,
390 in which case all of them must be satisfied.
391 Please note: if the listener defined a HeadRemove directive, the
393 matching headers are removed before the service matching is
394 attempted.
395 DynScale 0|1
397 Enable or disable dynamic rescaling for the current service.
398 This value will override the value globally defined.
399 BackEnd
401 Directives enclosed between a BackEnd and the following End
402 directives define a single back-end server (see below for
403 details). You may define multiple back-ends per service, in
404 which case Pound will attempt to load-balance between them.
405 Redirect "url"
407 This is a special type of back-end. Instead of sending the
408 request to a back-end Pound replies immediately with a redirect‐
409 ion to the given URL. You may define multiple redirectors in a
410 service, as well as mixing them with regular back-ends.
411 The address the client is redirected to is determined by the
413 actual url you specify: if it is a "pure" host (i.e. with no
414 path) then the client will be redirected to the host you speci‐
415 fied, with the original request path appended. If your url does
416 contain a path then the request path is ignored.
417 Examples: if you specified
419 Redirect "http://abc.example"
421 and the client requested http://xyz/a/b/c then it will be redi‐
423 rected to http://abc.example/a/b/c, but if you specified
424 Redirect "http://abc.example/index.html"
426 it will be sent to http://abc.example/index.html.
428 Technical note: in an ideal world Pound should reply with a "307
430 Temporary Redirect" status. Unfortunately, that is not yet sup‐
431 ported by all clients (in particular HTTP 1.0 ones), so Pound
432 currently replies with a "302 Found" instead.
433 Emergency
435 Directives enclosed between an Emergency and the following End
436 directives define an emergency back-end server (see below for
437 details). You may define only one emergency server per service,
438 which Pound will attempt to use if all backends are down.
439 Session
441 Directives enclosed between a Session and the following End
442 directives define a session-tracking mechanism for the current
443 service. See below for details.
444
446 A back-end is a definition of a single back-end server Pound will use
447 to reply to incoming requests. All configuration directives enclosed
448 between BackEnd and End are specific to a single service. The following
449 directives are available:
450 Address address
452 The address that Pound will connect to. This can be a numeric IP
453 address, or a symbolic host name that must be resolvable at run-
454 time. If the name cannot be resolved to a valid address, Pound
455 will assume that it represents the path for a Unix-domain
456 socket. This is a mandatory parameter.
457 Port port
459 The port number that Pound will connect to. This is a mandatory
460 parameter for non Unix-domain back-ends.
461 Priority val
463 The priority of this back-end (between 1 and 9, 5 is default).
464 Higher priority back-ends will be used more often than lower
465 priority ones, so you should define higher priorities for more
466 capable servers.
467 TimeOut val
469 Override the global TimeOut value.
470 HAport [ address ] port
472 A port (and optional address) to be used for server function
473 checks. See below the "High Availability" section for a more
474 detailed discussion. By default Pound uses the same address as
475 the back-end server, but you may use a separate address if you
476 wish. This directive applies only to non Unix-domain servers.
477
479 The emergency server will be used once all existing back-ends are
480 "dead". All configuration directives enclosed between Emergency and
481 End are specific to a single service. The following directives are
482 available:
483 Address address
485 The address that Pound will connect to. This can be a numeric IP
486 address, or a symbolic host name that must be resolvable at run-
487 time. If the name cannot be resolved to a valid address, Pound
488 will assume that it represents the path for a Unix-domain
489 socket. This is a mandatory parameter.
490 Port port
492 The port number that Pound will connect to. This is a mandatory
493 parameter for non Unix-domain back-ends.
494
496 Defines how a service deals with possible HTTP sessions. All configu‐
497 ration directives enclosed between Session and End are specific to a
498 single service. Once a sessions is identified, Pound will attempt to
499 send all requests within that session to the same back-end server.
500 The following directives are available:
502 Type IP|BASIC|PARM|COOKIE|HEADER
504 What kind of sessions are we looking for: IP (the client
505 address), BASIC (basic authentication), PARM (a request parame‐
506 ter), COOKIE (a certain cookie), or HEADER (a certain request
507 header). This is a mandatory parameter.
508 TTL seconds
510 How long can a session be idle (in seconds). A session that has
511 been idle for longer than the specified number of seconds will
512 be discarded. This is a mandatory parameter.
513 ID "name"
515 The session identifier. This directive is permitted only for
516 sessions of type PARM (the name of the parameter we need to
517 track), COOKIE (the name of the cookie) and HEADER (the header
518 name).
519 See below for some examples.
521
523 Pound attempts to keep track of active back-end servers, and will tem‐
524 porarily disable servers that do not respond (though not necessarily
525 dead: an overloaded server that Pound cannot establish a connection to
526 will be considered dead). However, every Alive seconds, an attempt is
527 made to connect to the dead servers in case they have become active
528 again. If this attempt succeeds, connections will be initiated to them
529 again.
530 In general it is a good idea to set this time interval as low as is
532 consistent with your resources in order to benefit from resurected
533 servers at the earliest possible time. The default value of 30 seconds
534 is probably a good choice.
535 The clients that happen upon a dead backend server will just receive a
537 503 Service Unavailable message.
538 The HAport parameter specifies an additional port (and optionally an
540 address) that is used only for viability checks: if this port is speci‐
541 fied in a BackEnd directive, Pound will attempt periodically (every
542 Alive seconds) to connect to this port. If the port does not respond
543 the server is considered dead. It never makes sense to have the HAport
544 identical to the main back-end port: this would only generate extra,
545 unncecessary activity (CPU, network traffic) for no good reason whatso‐
546 ever. The HAport is meant for applications that offer an additional
547 health monitoring port or for installations that wish to take servers
548 off-line in a controlled manner.
549 By default the address of the HAport health monitor is the same as that
551 of the back-end server. You may specify a different address though, for
552 example if you have a monitoring program running on another host.
553
555 If a client browser connects to Pound via HTTPS and if it presents a
556 client certificate Pound adds the following headers to the request it
557 issues to the server:
558 X-SSL-Subject
560 Details about the certificate owner.
561 X-SSL-Issuer
563 Details about the certificate issuer (Certificate Authority).
564 X-SSL-notBefore
566 Starting date of certificate validity.
567 X-SSL-notAfter
569 Ending date of certificate validity.
570 X-SSL-serial
572 Certificate serial number (decimal).
573 X-SSL-cipher
575 The cipher currently in use.
576 X-SSL-certificate
578 The full client certificate (PEM-format multi-line)
579 It is the application's responsibility to actually use these headers -
581 Pound just passes this information without checking it in any way
582 (except for signature and encryption correctness).
583
585 In general, Pound does not read or write to the hard-disk. The excep‐
586 tions are reading the configuration file and (possibly) the server cer‐
587 tificate file(s) and error message(s), which are opened read-only on
588 startup, read, and closed, and the pid file which is opened on start-
589 up, written to and immediately closed. Following this there is no disk
590 access whatsoever, so using a RootJail directive is only for extra
591 security bonus points.
592 Pound tries to sanitise all HTTP/HTTPS requests: the request itself,
594 the headers and the contents are checked for conformance to the RFC's
595 and only valid requests are passed to the back-end servers. This is not
596 absolutely fool-proof - as the recent Apache problem with chunked
597 transfers demonstrated. However, given the current standards, this is
598 the best that can be done - HTTP is an inherently weak protocol.
599
601 Pound uses the system log for messages (default facility LOG_DAEMON).
602 The format is very similar to other web servers, so that if you want to
603 use a log tool:
604 fgrep pound /var/log/messages | your_log_tool
606 Translating HTTPS to HTTP is an iffy proposition: no client information
608 is passed to the server itself (certificates, etc) and the backend
609 server may be misled if it uses absolute URLs. A patch for Zope is
610 included in the distribution to address this issue - for other Web
611 servers you are on your own. May the source be with you.
612 Pound deals with (and sanitizes) HTTP/1.1 requests. Thus even if you
614 have an HTTP/1.0 server, a single connection to an HTTP/1.1 client is
615 kept, while the connection to the back-end server is re-opened as nec‐
616 essary.
617 Pound attempts to resolve the names of the hosts that appear in various
619 requests and/or responses. That means it need a functioning resolver
620 of some kind (be it /etc/hosts, DNS or something else).
621
623 To translate HTTPS requests to a local HTTP server (assuming your net‐
624 work address is 123.123.123.123):
625 ListenHTTPS
627 Address 1.2.3.4
628 Port 443
629 Cert "/etc/pound/server.pem"
630 Service
632 BackEnd
633 Address 127.0.0.1
634 Port 80
635 End
636 End
637 End
638 To distribute the HTTP/HTTPS requests to three Web servers, where the
640 third one is a newer and faster machine:
641 ListenHTTP
643 Address 123.123.123.123
644 Port 80
645 End
646 ListenHTTPS
647 Address 1.2.3.4
648 Port 443
649 Cert "/etc/pound/server.pem"
650 End
651 Service
653 BackEnd
654 Address 192.168.0.10
655 Port 80
656 End
657 BackEnd
658 Address 192.168.0.11
659 Port 80
660 End
661 BackEnd
662 Address 192.168.0.12
663 Port 80
664 Priority 3
665 End
666 End
667 To separate between image requests and other Web content and send all
669 requests for a specific URL to a secure server:
670 ListenHTTP
672 Address 123.123.123.123
673 Port 80
674 End
675 # Images server(s)
677 Service
678 URL ".*.(jpg|gif)"
679 BackEnd
680 Address 192.168.0.12
681 Port 80
682 End
683 End
684 # redirect all requests for /forbidden
686 Service
687 Url "/forbidden.*"
688 Redirect "https://xyzzy.com"
689 End
690 # Catch-all server(s)
692 Service
693 BackEnd
694 Address 192.168.0.10
695 Port 80
696 End
697 BackEnd
698 Address 192.168.0.11
699 Port 80
700 End
701 Session
702 Type BASIC
703 TTL 300
704 End
705 End
706 Here is a more complex example: assume your static images (GIF/JPEG)
708 are to be served from a single back-end 192.168.0.10. In addition,
709 192.168.0.11 is to do the hosting for www.myserver.com with URL-based
710 sessions, and 192.168.0.20 (a 1GHz PIII) and 192.168.0.21 (800Mhz
711 Duron) are for all other requests (cookie-based sessions). The logging
712 will be done by the back-end servers. The configuration file may look
713 like this:
714 User "nobody"
716 Group "nogroup"
717 RootJail "/var/pound/jail"
718 Alive 60
719 LogLevel 0
720 # Main listening ports
722 ListenHTTP
723 Address 1.2.3.4
724 Port 80
725 Client 10
726 End
727 ListenHTTPS
728 Address 1.2.3.4
729 Port 443
730 Cert "/etc/pound/pound.pem"
731 Client 20
732 End
733 # Image server
735 Service
736 URL ".*.(jpg|gif)"
737 BackEnd
738 Address 192.168.0.10
739 Port 80
740 End
741 End
742 # Virtual host www.myserver.com
744 Service
745 URL ".*sessid=.*"
746 HeadRequire "Host:.*www.myserver.com.*"
747 BackEnd
748 Address 192.168.0.11
749 Port 80
750 End
751 Session
752 Type PARM
753 ID "sessid"
754 TTL 120
755 End
756 End
757 # Everybody else
759 Service
760 BackEnd
761 Address 192.168.0.20
762 Port 80
763 Priority 5
764 End
765 BackEnd
766 Address 192.168.0.21
767 Port 80
768 Priority 4
769 End
770 Session
771 Type COOKIE
772 ID "userid"
773 TTL 180
774 End
775 End
776
778 /var/run/pound.nnn
779 this is where Pound will attempt to record its process id.
780 /usr/local/etc/pound.cfg
782 the default configuration file (the location may be changed when
783 compiling - see the F_CONF flag in the Makefile).
784 /usr/local/etc/pound/cert.pem
786 the certificate file(s) for HTTPS. The location must be defined
787 in the configuration file - this is only a suggestion. The file
788 must contain a PEM-encoded certificate, optionally a certificate
789 chain from a known Certificate Authority to your server certifi‐
790 cate and a PEM-encoded private key (not password protected). See
791 OpenSSL(1) for details. This file should be well protected, lest
792 someone gets your server private key.
793
795 Written by Robert Segall, Apsis GmbH.
796
798 Report bugs to <roseg@apsis.ch>.
799
801 Copyright © 2002-2006 Apsis GmbH.
802 This is free software; see the source for copying conditions. There is
803 NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR
804 PURPOSE.
805pound May 2002 POUND(8)