Date created: Monday, April 8, 2013 2:17:12 PM. Last modified: Monday, August 28, 2023 10:15:55 AM
Pound Proxy
Install:
NOTE: Pound version 2.7a brings better support for SSLv3 and options to protect against the SSL BEAST attack (by forcing specific SSL encryption schemes). The source was patched with a patch linked here to allow the SSL encryption methods to be set explicitly. Pound v2.7b has since been created (it is at the GitHub link below), although it still reports version 2.7a when run with "pound -V". The v2.7b repository has the SSL encryption patch for protecting against the BEAST attack built in, as well as the patch for protecting against the CRIME SSLv2 compression attack, plus other general bug fixes and features.
wget http://github.com/goochjj/pound/archive/stage_for_upstream/v2.7b.zip --no-check-certificate
sudo apt-get install unzip g++
unzip v2.7b.zip
cd pound-stage_for_upstream-v2.7b/
./configure --with-ssl=/usr/local/ssl/
make
sudo make install
Config:
The config below only specifies an SSL listener; in this example the backend server is 127.0.0.1. This uses Pound only for SSL termination. HAProxy is the preferred load balancer, but Pound has better SSL support, so the port 80 listener is commented out here: HAProxy can listen on 192.0.2.20:80, and Pound listens on 443 and passes traffic back to HAProxy on 127.0.0.1:80.
## Global Settings
User "www-data"
Group "www-data"
## 3 = Apache-style (common log format)
LogLevel 3
## check for resurrected backend every X secs (default: 30)
Alive 5
# poundctl control socket
Control "/var/run/pound/poundctl.socket"
## default threads: 128
Threads 512
## default TimeOut for back end server response is 15 seconds - This is causing an issue with long queries
TimeOut 60
## default wait for client time out is 10 seconds
Client 30

## Listeners Settings
ListenHTTPS
    Address 192.0.2.20
    Port 443
    # Specify the SSL cert PEM file with cert, key, root CA cert etc
    Cert "/etc/ssl/certs/www.my-site.com.pem"
    # Prevent CRIME attack - Thanks to Pound v2.7b
    DisableSSLv2
    # These bits are key to resist the Beast attack - Thanks to Pound v2.7b
    SSLHonorCipherOrder 1
    SSLAllowClientRenegotiation 0
    # A good ciphers list that means we get a good rating on ssllabs
    Ciphers "ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM"
    # accept only standard HTTP requests (GET, POST, HEAD)
    xHTTP 0
    Service
        BackEnd
            # Address where HAproxy is listening
            Address 127.0.0.1
            Port 80
        End
    End
End

#ListenHTTP
#    Address 192.0.2.20
#    Port 80
#    xHTTP 0
#    Service
#        BackEnd
#            Address 127.0.0.1
#            Port 80
#        End
#    End
#End
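The hardening directives in the listener above (DisableSSLv2, SSLHonorCipherOrder, SSLAllowClientRenegotiation, an explicit Ciphers string) are easy to lose when a config is copied between hosts. The following is an added example, not part of Pound or of the original page: a small Python linter that parses a Pound config into its nested ListenHTTPS / Service / BackEnd / End blocks and reports any ListenHTTPS block that is missing those directives. The parser is a simplification (one directive per line, block keywords and weak-cipher tokens are assumptions listed in the code), and the sample config embedded in it is the listener from this page. It also flags positive cipher tokens such as RC4 (RFC 7465 prohibits RC4 in TLS), which the page's cipher string still allows.

```python
import shlex

# Assumed set of Pound keywords that open a block closed by "End".
BLOCK_KEYWORDS = {"ListenHTTP", "ListenHTTPS", "Service", "BackEnd", "Session", "Emergency"}

# Assumed substrings that mark a weak positive cipher token in an OpenSSL cipher string.
WEAK_CIPHER_TOKENS = ("RC4", "DES", "MD5", "NULL", "EXP", "LOW")

# Constructed sample: the ListenHTTPS block from the page, with its global directives.
SAMPLE_CONFIG = """\
User "www-data"
Group "www-data"
LogLevel 3
ListenHTTPS
    Address 192.0.2.20
    Port 443
    # Specify the SSL cert PEM file with cert, key, root CA cert etc
    Cert "/etc/ssl/certs/www.my-site.com.pem"
    DisableSSLv2
    SSLHonorCipherOrder 1
    SSLAllowClientRenegotiation 0
    Ciphers "ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM"
    xHTTP 0
    Service
        BackEnd
            Address 127.0.0.1
            Port 80
        End
    End
End
"""


def parse_config(text):
    """Parse Pound config text into a tree of blocks.

    Each block is {"name", "directives": {keyword: [args]}, "children": [blocks]}.
    Comment lines (starting with '#') are skipped; quoted values are handled by shlex.
    Raises ValueError on unbalanced blocks so a truncated file is not silently accepted.
    """
    root = {"name": "ROOT", "directives": {}, "children": []}
    stack = [root]
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)
        keyword, args = parts[0], parts[1:]
        if keyword == "End":
            if len(stack) == 1:
                raise ValueError(f"line {lineno}: 'End' without an open block")
            stack.pop()
        elif keyword in BLOCK_KEYWORDS:
            block = {"name": keyword, "directives": {}, "children": []}
            stack[-1]["children"].append(block)
            stack.append(block)
        else:
            stack[-1]["directives"][keyword] = args
    if len(stack) != 1:
        raise ValueError(f"block '{stack[-1]['name']}' is never closed with 'End'")
    return root


def audit_https_listener(block):
    """Return a list of findings for one ListenHTTPS block (empty list means clean)."""
    d = block["directives"]
    findings = []
    if "Cert" not in d:
        findings.append("missing Cert")
    if "DisableSSLv2" not in d:
        findings.append("missing DisableSSLv2")
    if d.get("SSLHonorCipherOrder") != ["1"]:
        findings.append("SSLHonorCipherOrder is not 1")
    if d.get("SSLAllowClientRenegotiation") != ["0"]:
        findings.append("SSLAllowClientRenegotiation is not 0")
    ciphers = d.get("Ciphers")
    if not ciphers:
        findings.append("no Ciphers directive (OpenSSL defaults apply)")
    else:
        for token in ciphers[0].split(":"):
            if token.startswith("!"):
                continue  # an exclusion, not an enabled cipher
            for weak in WEAK_CIPHER_TOKENS:
                if weak in token.upper():
                    findings.append(f"cipher token {token} allows {weak}")
                    break
    return findings


def audit_config(text):
    """Map each top-level ListenHTTPS listener ('address:port') to its findings."""
    root = parse_config(text)
    report = {}
    for block in root["children"]:
        if block["name"] != "ListenHTTPS":
            continue
        d = block["directives"]
        key = f"{d.get('Address', ['?'])[0]}:{d.get('Port', ['?'])[0]}"
        report[key] = audit_https_listener(block)
    return report


if __name__ == "__main__":
    for listener, findings in audit_config(SAMPLE_CONFIG).items():
        print(listener, "->", findings or "clean")
```

Run it against a real file with `audit_config(open("/usr/local/etc/pound.cfg").read())`; a listener that returns an empty list carries every directive the page relies on, while the sample listener returns the single RC4 finding.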