Date created: Monday, April 8, 2013 2:17:12 PM. Last modified: Monday, August 28, 2023 10:15:55 AM

Pound Proxy

Install:

NOTE: Pound version 2.7a brings better support for SSLv3 and options to protect against the SSL BEAST attack (by forcing specific SSL encryption schemes). The source was patched to allow specifically setting SSL encryption methods. Pound v2.7b has now been created (it is at the GitHub link below). It still reports version 2.7a when running "pound -V". This v2.7b repository has the SSL encryption patch for protecting against the BEAST attack built in, the patch for protecting against the CRIME SSLv2 compression attacks built in, as well as other general bug fixes and features.

wget http://github.com/goochjj/pound/archive/stage_for_upstream/v2.7b.zip --no-check-certificate
sudo apt-get install unzip g++
unzip v2.7b.zip
cd pound-stage_for_upstream-v2.7b/
./configure --with-ssl=/usr/local/ssl/
make
sudo make install

Config

The config below specifies only an SSL listener. In this example the backend server is 127.0.0.1, so pound is used only for SSL termination. HAProxy is the preferred load balancer, but pound has better SSL support. So here the port 80 listener is commented out; HAProxy can listen on 192.0.2.20:80, and pound listens on 443 and passes back to HAProxy.

## Global Settings
User "www-data"
Group "www-data"

## 3 = Apache-style (common log format)
LogLevel 3

## check for resurrected backend every X secs (default: 30)
Alive 5

# poundctl control socket
Control "/var/run/pound/poundctl.socket"

## default threads: 128
Threads 512

## default TimeOut for back end server response is 15 seconds - This is causing an issue with long queries
TimeOut 60

## default wait for client time out is 10 seconds
Client 30

## Listeners Settings
ListenHTTPS
	Address 192.0.2.20
	Port	443

	# Specify the SSL cert PEM file with cert, key, root CA cert etc
	Cert	"/etc/ssl/certs/www.my-site.com.pem"

	# Prevent CRIME attack - Thanks to Pound v2.7b
	DisableSSLv2
	# These bits are key to resist the Beast attack - Thanks to Pound v2.7b
	SSLHonorCipherOrder     1
	SSLAllowClientRenegotiation     0
	# A good ciphers list that means we get a good rating on ssllabs
	Ciphers "ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM"

	# accept only standard HTTP requests (GET, POST, HEAD)
	xHTTP		0

	Service
		BackEnd
			# Address where HAproxy is listening
			Address	127.0.0.1
			Port	80
		End
	End
End

#ListenHTTP
#	Address 192.0.2.20
#	Port	80
#	xHTTP		0
#	Service
#		BackEnd
#			Address	127.0.0.1
#			Port	80
#		End
#	End
#End
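As an added check that is not part of the original notes: a small Python audit that parses a Pound config (directive-per-line, blocks closed by End) and verifies each ListenHTTPS block carries the hardening directives used above (DisableSSLv2, SSLHonorCipherOrder 1, SSLAllowClientRenegotiation 0, xHTTP 0), and flags any enabled weak cipher token in the Ciphers string, such as the RC4 entry above. The sample config is constructed from the listener above; the directive names are the ones the config uses.

```python
import shlex
# Constructed sample: the ListenHTTPS block of the config above, minus comments.
SAMPLE_CONFIG = """\
ListenHTTPS
    DisableSSLv2
    SSLHonorCipherOrder 1
    SSLAllowClientRenegotiation 0
    Ciphers "ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM"
    xHTTP 0
    Service
        BackEnd
            Port 80
        End
    End
End
"""
BLOCK_OPENERS = {"ListenHTTP", "ListenHTTPS", "Service", "BackEnd", "Session"}
WEAK_TOKENS = ("RC4", "MD5", "DES", "NULL", "EXP")  # RC4 is prohibited by RFC 7465

def parse_pound(text):
    """Parse Pound's line-oriented config into (name, args, children) nodes."""
    stack = [[]]  # stack[-1] is the child list of the innermost open block
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments; assumes no '#' inside quotes
        if not line:
            continue
        name, *args = shlex.split(line)
        if name == "End":
            stack.pop()
            continue
        node = (name, args, [])
        stack[-1].append(node)
        if name in BLOCK_OPENERS:
            stack.append(node[2])
    return stack[0]

def audit_listener(children):
    """Findings for one ListenHTTPS block, checking the hardening directives used above."""
    d = {name: args for name, args, _ in children}
    checks = [("DisableSSLv2" in d, "SSLv2 not disabled"),
              (d.get("SSLHonorCipherOrder") == ["1"], "server cipher order not enforced"),
              (d.get("SSLAllowClientRenegotiation") == ["0"], "client renegotiation allowed"),
              (d.get("xHTTP", ["0"]) == ["0"], "xHTTP permits non-standard HTTP methods")]
    findings = [msg for ok, msg in checks if not ok]
    for tok in d.get("Ciphers", [""])[0].split(":"):  # flag enabled (non-'!') weak tokens
        if not tok.startswith("!") and any(w in tok.upper() for w in WEAK_TOKENS):
            findings.append(f"weak cipher token enabled: {tok}")
    return findings
def audit(text):  # one findings list per ListenHTTPS block, in file order
    return [audit_listener(kids) for name, _, kids in parse_pound(text) if name == "ListenHTTPS"]
```

Run `audit(open("/usr/local/etc/pound.cfg").read())` against the live file; an empty list per listener means every check passed.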