Date created: Monday, April 8, 2013 2:17:12 PM. Last modified: Monday, August 28, 2023 10:15:55 AM

Pound Proxy


NOTE: Pound version 2.7a brings better support for SSLv3 and options to protect against the SSL BEAST attack (by forcing specific SSL encryption schemes). The source was patched with a patch here to allow specifically setting SSL encryption methods. Pound v2.7b has now been created (it is at the GitHub link below); it still reports version 2.7a when running "pound -V". This v2.7b repository has the SSL encryption patch for protecting against the BEAST attack built in, the patch for protecting against the CRIME SSLv2 compression attacks built in, and other general bug fixes and features.

wget --no-check-certificate
sudo apt-get install unzip g++
cd pound-stage_for_upstream-v2.7b/
./configure --with-ssl=/usr/local/ssl/
sudo make install


The config below only specifies an SSL listener. In this example the backend server is . This is to use Pound only for SSL termination: HAProxy is the preferred load balancer, but Pound has better SSL support. So here the port 80 listener is commented out so that HAProxy can listen on port 80, with Pound on 443 passing traffic back to HAProxy.

## Global Settings
User "www-data"
Group "www-data"

## 3 = Apache-style (common log format)
LogLevel 3

## check for resurrected backend every X secs (default: 30)
Alive 5

# poundctl control socket
Control "/var/run/pound/poundctl.socket"

## default threads: 128
Threads 512

## default TimeOut for back end server response is 15 seconds - This is causing an issue with long queries
TimeOut 60

## default wait for client time out is 10 seconds
Client 30

## Listeners Settings
ListenHTTPS
	# Address the SSL listener binds to (placeholder value; use the host's own IP)
	Address	0.0.0.0
	Port	443

	# Specify the SSL cert PEM file with cert, key, root CA cert etc
	Cert	"/etc/ssl/certs/"

	# Prevent CRIME attack - Thanks to Pound v2.7b
	# These bits are key to resist the Beast attack - Thanks to Pound v2.7b
	SSLHonorCipherOrder     1
	SSLAllowClientRenegotiation     0
	# A good ciphers list that means we get a good rating on ssllabs

	# accept only standard HTTP requests (GET, POST, HEAD)
	xHTTP		0

	Service
		BackEnd
			# Address where HAproxy is listening (placeholder value; original not shown)
			Address	127.0.0.1
			Port	80
		End
	End
End

## Plain HTTP listener left commented out so HAProxy can own port 80
#ListenHTTP
#	Address
#	Port	80
#	xHTTP		0
#	Service
#		BackEnd
#			Address 
#			Port	80
#		End
#	End
#End
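As an added example (my own code, not Pound's or its tooling), a small Python checker that parses the ListenHTTPS block of a Pound config like the one above, walks past the nested Service/BackEnd blocks, and reports whether the BEAST and renegotiation settings and an explicit Ciphers line are present. The expected directive values and the embedded sample config are assumptions.

```python
# Audit a Pound config's ListenHTTPS block for this page's hardening directives (added example).
REQUIRED = {"SSLHonorCipherOrder": "1",          # server picks the cipher (BEAST)
            "SSLAllowClientRenegotiation": "0",  # refuse client renegotiation
            "xHTTP": "0"}                        # only GET, POST, HEAD

def parse_https_listeners(text):
    """One {directive: value} dict per ListenHTTPS block.  Nested Service/BackEnd
    blocks are counted so their 'End' lines do not close the listener early."""
    blocks, current, depth = [], None, 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):      # skip blanks and comments
            continue
        key, value = (line.split(None, 1) + [""])[:2]
        if current is None:
            if key == "ListenHTTPS":
                current, depth = {}, 1
        elif key in ("Service", "BackEnd"):
            depth += 1
        elif key == "End":
            depth -= 1
            if depth == 0:
                blocks.append(current)
                current = None
        elif depth == 1:                           # listener-level directive
            current[key] = value.strip().strip('"')
    return blocks

def audit(text):
    """One list of findings per ListenHTTPS block; an empty list means it passes."""
    report = []
    for d in parse_https_listeners(text):
        issues = [f"{k} should be {want}, found {d.get(k, 'missing')}"
                  for k, want in REQUIRED.items() if d.get(k) != want]
        if not d.get("Ciphers"):
            issues.append("no explicit Ciphers list")
        report.append(issues)
    return report

# Constructed sample: renegotiation left on and no Ciphers line, so both get flagged
SAMPLE = """ListenHTTPS
\tSSLHonorCipherOrder\t1
\tSSLAllowClientRenegotiation\t1
\txHTTP\t0
\tService
\t\tBackEnd
\t\t\tPort\t80
\t\tEnd
\tEnd
End"""
```

Run `audit(open("/etc/pound/pound.cfg").read())` against a real file; each inner list names what the listener is missing.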