
Load balancing the Webserver (http/https traffic) using Pound on Linux

The Pound program is a reverse proxy, load balancer and HTTPS front-end for Web servers. Pound was developed to distribute load among several Web servers and to provide a convenient SSL wrapper for Web servers that do not offer HTTPS natively.

WHAT POUND IS:
  * A reverse-proxy: it passes requests from client browsers to one or more back-end servers.
  * A load balancer: it will distribute the requests from the client browsers among several back-end servers, while keeping session information.
  * An SSL wrapper: Pound will decrypt HTTPS requests from client browsers and pass them as plain HTTP to the back-end servers.
  * An HTTP/HTTPS sanitizer: Pound will verify requests for correctness and accept only well-formed ones.
  * A fail-over server: should a back-end server fail, Pound will take note of the fact and stop passing requests to it until it recovers.
  * A request redirector: requests may be distributed among servers according to the requested URL.

Pound is a very small program, easily audited for security problems. It can run as setuid/setgid and/or in a chroot jail. Pound does not access the hard-disk at all (except for reading the certificate file on start, if required) and should thus pose no security threat to any machine.

Installation:
openSUSE users can install Pound using the "1-click" installer - here

Others - Download and unpack the source tarball; installation is the standard ./configure && make && make install. (If you plan on using Pound's SSL support, run ./configure --with-ssl instead.)

Look for the pound executable in /usr/local/sbin and look for the configuration file, pound.cfg, in /usr/local/etc.

Next, configure Pound. Here's a simple pound.cfg file:
ListenHTTP
  Address 1.2.3.4
  Port 80
End

Service
  Backend
    Address 192.168.0.1
    Port 80
  End
  Backend
    Address 192.168.0.2
    Port 80
  End
End
This instructs Pound to listen on the public IP address 1.2.3.4 and pass requests evenly to the two backend machines named in the Service block. If the machines have significantly different resources available to them, you can alter the odds of a server being chosen with the Priority directive. Values may be 1 through 9, where 9 means the server is used most often and 1 least often. Pound balances servers dynamically: if a server goes down, Pound automatically removes it from the pool of available servers.

Many web applications use sessions and Pound can track sessions between a client browser and the host backend server. Pound supports five techniques: client IP address, basic authentication, URL parameter, cookie value, and header value. Only one session definition is allowed per Service.

For example, to use client IP-based tracking that keeps sessions active for ten minutes, add the following to your Pound config file:
Session
  Type IP
  TTL 600
End
To harden Pound, run the daemon as a non-privileged user. To do this, use the User and Group directives to specify the user and group, respectively:
User    "nobody"
Group   "nobody"
Keep in mind that after adding Pound to your network setup, your backend servers will log the IP address of your Pound machine instead of the client IP of the person browsing your site. As a general rule, Pound passes all headers as set by the client to the backend servers, with two exceptions: Pound adds an X-Forwarded-For header, and may add information about the SSL certificate.

You can use the X-Forwarded-For header to update your logging mechanism to record the correct client address.

For example, if you're using Apache's combined LogFormat, replace %h (remote host) with:
\"%{X-Forwarded-For}i\"

