Pound is a great little load balancer: it’s fast, open source and supports SSL termination, which is great!
sudo apt-get install pound
The default configuration should be pretty good for most purposes, but feel free to tweak as you require.
We’ll first look at load balancing HTTP, in case you don’t want or need HTTPS load balancing.
We’ll first need to delete all the content within the ListenHTTP block, leaving just the empty block.
Now we add an address and port to listen on, and finally a line to remove an HTTP header:
ListenHTTP
    Address 0.0.0.0 # all interfaces
    Port 80
    HeadRemove "X-Forwarded-For"
End
This is a basic configuration; for each backend we want to load balance we’ll need to add a Service within that listener.
You’ll notice we’re removing incoming headers called X-Forwarded-For; this is to make sure someone doesn’t try to craft them into a request and abuse them.
ListenHTTP
    Address 0.0.0.0 # all interfaces
    Port 80
    HeadRemove "X-Forwarded-For"
    Service
        BackEnd
            Address 10.0.0.1
            Port 80
            Priority 1
        End
        BackEnd
            Address 10.0.0.2
            Port 80
            Priority 1
        End
    End
End
Here I’ve added 2 BackEnds that connect to port 80; it’s all pretty simple. Add as many as you want/need.
Pound will pass correct HTTP headers through to the backends so you configure those just like you normally would.
HTTPS is basically exactly the same as HTTP except for one fantastic option: SSL termination! This means we can do the SSL decryption within Pound and talk to our backend servers over standard unencrypted HTTP; this should only be done on a private network.
So, we’ll create an HTTPS listener like the one above but with extra options.
ListenHTTPS
    Address 0.0.0.0 # all interfaces
    Port 443
    AddHeader "X-Forwarded-Proto: https"
    HeadRemove "X-Forwarded-Proto"
    HeadRemove "X-Forwarded-For"
    Cert "/path/to/certificate.pem"
    Service
        BackEnd
            Address 10.0.0.1
            Port 80
            Priority 1
        End
        BackEnd
            Address 10.0.0.2
            Port 80
            Priority 1
        End
    End
End
You’ll notice a few changes here. First, we tell the HTTPS listener to listen on port 443, the SSL port.
We add a header to pass back to our backend servers called X-Forwarded-Proto; this is so that on our backend we can inspect this header and use it if required to know we’re secure.
We also remove incoming headers called X-Forwarded-Proto and X-Forwarded-For; this is to make sure someone doesn’t try to craft them into a request and abuse them.
Finally there is the Cert line pointing at the certificate, which needs to be a PEM file with all certificates and the key within it, and without passphrases.
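The HeadRemove lines above stop a client from smuggling X-Forwarded-For or X-Forwarded-Proto through Pound, but a backend that is reachable directly (bypassing Pound) would still see whatever a client sends. The following WSGI middleware is an added example, not code from the original post or from the Pound project, showing the backend-side counterpart: it only believes those headers when the TCP peer is the Pound host. The Pound address 10.0.0.254, the sample client addresses and the sample request environments are all constructed for this example.

```python
import ipaddress

# Assumption (not from the page): Pound runs on 10.0.0.254 and is the only host
# allowed to assert X-Forwarded-For / X-Forwarded-Proto to the backends.
TRUSTED_PROXIES = frozenset({"10.0.0.254"})


def resolve_request(environ, trusted_proxies=TRUSTED_PROXIES):
    """Return (client_ip, scheme) that the application should believe.

    Headers are honoured only when the direct peer (REMOTE_ADDR) is a trusted
    Pound instance; from any other peer they are ignored, which mirrors the
    HeadRemove lines in the Pound configuration.
    """
    peer = environ.get("REMOTE_ADDR", "")
    scheme = environ.get("wsgi.url_scheme", "http")
    if peer not in trusted_proxies:
        return peer, scheme

    client_ip = peer
    xff = environ.get("HTTP_X_FORWARDED_FOR", "")
    if xff:
        # With HeadRemove in place the only X-Forwarded-For reaching us is the
        # one Pound added; taking the last entry also covers a chain of
        # trusted proxies, since the nearest one appends last.
        candidate = xff.split(",")[-1].strip()
        try:
            ipaddress.ip_address(candidate)  # reject malformed values
            client_ip = candidate
        except ValueError:
            pass

    xfp = environ.get("HTTP_X_FORWARDED_PROTO", "").strip().lower()
    if xfp in ("http", "https"):
        scheme = xfp
    return client_ip, scheme


class ForwardedHeaderMiddleware:
    """Rewrite REMOTE_ADDR and wsgi.url_scheme before the application runs."""

    def __init__(self, app, trusted_proxies=TRUSTED_PROXIES):
        self.app = app
        self.trusted_proxies = frozenset(trusted_proxies)

    def __call__(self, environ, start_response):
        client_ip, scheme = resolve_request(environ, self.trusted_proxies)
        environ["REMOTE_ADDR"] = client_ip
        environ["wsgi.url_scheme"] = scheme
        return self.app(environ, start_response)


# Constructed sample requests: one arriving via Pound, one sent straight to the
# backend by a client that forged both headers.
FROM_POUND = {
    "REMOTE_ADDR": "10.0.0.254",
    "wsgi.url_scheme": "http",
    "HTTP_X_FORWARDED_FOR": "203.0.113.7",
    "HTTP_X_FORWARDED_PROTO": "https",
}
DIRECT_FORGED = {
    "REMOTE_ADDR": "192.0.2.9",
    "wsgi.url_scheme": "http",
    "HTTP_X_FORWARDED_FOR": "10.0.0.1",
    "HTTP_X_FORWARDED_PROTO": "https",
}


def describe(environ):
    """Run a minimal app behind the middleware and return what it observed."""
    seen = {}

    def app(env, start_response):
        seen["client"] = env["REMOTE_ADDR"]
        seen["scheme"] = env["wsgi.url_scheme"]
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [b"ok"]

    list(ForwardedHeaderMiddleware(app)(dict(environ), lambda s, h: None))
    return seen


if __name__ == "__main__":
    for env in (FROM_POUND, DIRECT_FORGED):
        print(describe(env))
```

The application sees the real client address and an https scheme only for the request that came through Pound; the direct request keeps its true peer address and plain http, so a forged X-Forwarded-Proto cannot make a "secure" check pass.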
Once configured, reload Pound.
sudo /etc/init.d/pound reload
That really was simple.