Looking for a simple HTTP proxy with a "map"
Jaroslav Lukesh
lukesh at k-net.cz
Monday October 14 12:21:59 CEST 2002
| From: Peter Surda <shurdeek at panorama.sth.ac.at>
| I'm looking for a simple HTTP proxy that could do the following:
| - it would run on, say, a freely accessible address 1.2.3.4
| - it would have a "map" in the config file
| - a request would come in, "Host: blablabla" would be found in it, and according
|   to the map it would work out where else to send it.
| - I don't want it to send back "Reload: http://nieco-ine", but to proxy it
| - it doesn't need to do any caching or change the content ("Host: blablabla"
|   need not be changed at all according to the map; it's enough that it can send
|   it to different machines).
| - "blablabla" is a normal CNAME and ultimately points to 1.2.3.4
| - whoever sends the request assumes it is talking to a webserver and cannot be
|   reconfigured. If it can't send "Host: whatever" it's out of luck; that doesn't
|   need to be handled.
| - whoever actually hosts the page will of course see all connections coming
|   from 1.2.3.4, or as the case may be (routing/NAT/whatever)
pound - but I don't remember the URL anymore.
Regards, JL.
POUND(8) System Manager's Manual POUND(8)

NAME
    pound - HTTP/HTTPS reverse-proxy and load-balancer

SYNOPSIS
    pound [-f config_file]

DESCRIPTION
    Pound is a reverse-proxy load balancing server. It accepts requests
    from HTTP/HTTPS clients and distributes them to one or more Web
    servers. The HTTPS requests are decrypted and passed to the back-ends
    as plain HTTP.

    If more than one back-end server is defined, Pound chooses one of them
    randomly, based on defined priorities. By default, Pound keeps track
    of associations between clients and back-end servers (sessions).

OPTIONS
    Options available (see also below for configuration file options):

    -f config_file
        Location of the configuration file (see below for a full
        description of the format). Default: /etc/pound/pound.cfg

    In general, any number of back-end servers may be specified. Use the
    priority to affect the load distribution among unequal-performance
    servers.

    One (or more) copies of Pound should be started at boot time. Use
    "big iron" if you expect heavy loads: while Pound is as light-weight
    as I know how to make it, with a lot of simultaneous requests it will
    use quite a bit of CPU and memory. Multiple CPUs are your friend.

CONFIGURATION FILE
    Each line in the file is considered a complete configuration
    directive. The directives are case-insensitive. Empty lines or lines
    starting in '#' are ignored.

    Here is the directive syntax:

    ListenHTTP host,port
        Specify the address and port number where Pound will listen for
        HTTP requests. Multiple directives imply listening on multiple
        ports.

    ListenHTTPS host,port cert_file
        Specify the address and port number where Pound will listen for
        HTTPS requests. cert_file is the file containing the certificate
        (and signature) for this port; the same file may be specified for
        multiple ports (as above - multiple directives imply listening on
        multiple ports). Both ListenHTTP and ListenHTTPS may be specified
        as many times as required.

    HTTPSHeaders value
        If value is 1, add HTTPS-specific headers. By default, Pound
        passes requests unchanged to the back-end server(s).

    User user_name
        Specify the user Pound will run as (must be defined in
        /etc/passwd).

    Group group_name
        Specify the group Pound will run as (must be defined in
        /etc/group).

    RootJail directory_path_and_name
        Specify the directory that Pound will chroot to at runtime.

    ExtendedHTTP value
        If value is 1, allow extended HTTP requests (PUT, DELETE). By
        default, Pound only allows GET, POST and HEAD.

    WebDAV value
        If value is 1, allow WebDAV requests (LOCK, UNLOCK). By default,
        Pound only allows GET, POST and HEAD.

    LogLevel value
        Specify the logging level: 0 for no logging, 1 (default) for
        regular logging (same format as regular Web servers, such as
        Apache), 2 for extended logging (show chosen backend server as
        well).

    Alive value
        Specify how often Pound will check for resurrected back-end hosts
        (default: 30 seconds). In general, it is a good idea to set this
        as low as possible - it will find resurrected hosts faster.
        However, if you set it too low it will consume resources - so
        beware.

    Client value
        Specify for how long Pound will wait for a client request
        (default: 30 seconds). After this long has passed without the
        client sending any data Pound will close the connection. Set it
        higher if your clients time out on a slow network or over-loaded
        server, lower if you start getting DOS attacks.

    UrlGroup "pattern"
        Specify a group of backend servers based on a URL pattern. All
        requests fitting the pattern will be served by the defined
        servers. Pattern is a regular pattern as specified in regex(7) -
        extended version. The patterns are tested in order of definition,
        so the last pattern should be a catch-all ".*". The group ends
        with an EndGroup directive.

    BackEnd address,port,priority
        Specify a backend server: address and port. Priority is 1 to 9
        and defines a weighting - higher priority servers get used more
        often. May only be used in an UrlGroup directive. If no servers
        are specified, then the specified URLs will be simply blocked.

    Session seconds
        Specify the time (in seconds) that a session will be kept. May
        only be used in an UrlGroup directive.

    See below for some examples.

HIGH-AVAILABILITY
    Pound attempts to keep track of active back-end servers, and will
    temporarily disable servers that do not respond (though not
    necessarily dead: an overloaded server that Pound cannot establish a
    connection to will be considered dead). However, every alive_check
    seconds, an attempt is made to connect to the dead servers in case
    they have become active again. If this attempt succeeds, connections
    will be initiated to them again.

    In general it is a good idea to set this time interval as low as is
    consistent with your resources in order to benefit from resurrected
    servers at the earliest possible time. The default value of 30
    seconds is probably a good choice. Set the interval to 0 to disable
    this feature. The clients that happen upon a dead backend server will
    just receive a 503 Service Unavailable message.

HTTPS HEADERS
    If a client browser connects to Pound via HTTPS and if it presents a
    client certificate and if HTTPSHeaders is set, Pound adds the
    following headers to the request it issues to the server:

    X-SSL-Subject
        Details about the certificate owner.

    X-SSL-Issuer
        Details about the certificate issuer (Certificate Authority).

    X-SSL-notBefore
        Starting date of certificate validity.

    X-SSL-notAfter
        Ending date of certificate validity.

    It is the application's responsibility to actually use these headers
    - Pound just passes this information without checking it in any way
    (except for signature and encryption correctness).

EXAMPLES
    To translate HTTPS requests to a local HTTP server (assuming your
    network address is 123.123.123.123):

        ListenHTTPS 123.123.123.123,443 /etc/pound/server.pem
        UrlGroup ".*"
        BackEnd 127.0.0.1,80,1
        EndGroup

    To distribute the HTTP/HTTPS requests to three read-only Web servers,
    where the third one is a newer and faster machine:

        ListenHTTP 123.123.123.123,80
        ListenHTTPS 123.123.123.123,443 /etc/pound/server.pem
        UrlGroup ".*"
        BackEnd 192.168.0.10,80,1
        BackEnd 192.168.0.11,80,1
        BackEnd 192.168.0.12,80,3
        EndGroup

    To distribute the HTTP/HTTPS requests to two Web servers with long
    session times; also change the uid/gid of the running program and do
    a chroot:

        ListenHTTP 123.123.123.123,80
        ListenHTTP 123.123.123.123,8080
        ListenHTTPS 123.123.123.123,443 /etc/pound/server.pem
        User www
        Group www
        RootJail /var/pound
        UrlGroup ".*"
        BackEnd 192.168.0.10,80,1
        BackEnd 192.168.0.11,80,1
        Session 600
        EndGroup

    To separate between image requests and other Web content and block
    all requests for a specific URL:

        ListenHTTP 123.123.123.123,80
        # Images server(s)
        UrlGroup ".*.(jpg|gif)"
        BackEnd 192.168.0.12,80,1
        Session 0
        EndGroup
        # Block all requests for /forbidden
        UrlGroup "/forbidden.*"
        Session 0
        EndGroup
        # Catch-all server(s)
        UrlGroup ".*"
        BackEnd 192.168.0.10,80,1
        BackEnd 192.168.0.11,80,1
        Session 300
        EndGroup

NOTES
    Pound uses the system log for messages (facility LOG_DAEMON). The
    format is very similar to other web servers, so that if you want to
    use a log tool:

        fgrep pound /var/log/messages | your_log_tool

    Translating HTTPS to HTTP is an iffy proposition: no client
    information is passed to the server itself (certificates, etc) and
    the backend server may be misled if it uses absolute URLs. A patch
    for Zope is included in the distribution to address this issue - for
    other Web servers you are on your own. May the source be with you.

    Pound deals with (and sanitizes) HTTP/1.1 requests. Thus even if you
    have an HTTP/1.0 server, a single connection to an HTTP/1.1 client is
    kept.

AUTHOR
    Written by Robert Segall, Apsis GmbH.

REPORTING BUGS
    Report bugs to <roseg at apsis.ch>.

COPYRIGHT
    Copyright (C) 2002 Apsis GmbH.
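
The UrlGroup semantics the man page describes (patterns tested in definition order, first fit wins, a group with no BackEnd blocks the URL, a weighted random draw among live back-ends, 503 when none is alive) can be simulated in a few lines. What follows is an added example written for this page; it is not pound's code and not part of its documentation. It transcribes the man page's last two example configurations into Python data. Treating "fitting the pattern" as a regex search (patterns not implicitly anchored) is an assumption about regex(7) matching, and it is the reason the hardened variant adds anchors. The point it makes is that group order is a security control: with the groups in the documented order, the images group is tested before the /forbidden block, so a request for /forbidden/secret.gif is served by the image server, and the unescaped dot in ".*.(jpg|gif)" sends /cgi-bin/getjpg there as well.

```python
"""Simulation of pound's UrlGroup selection as the man page describes it
(added example, not pound's code): groups are tried in definition order,
the first pattern that fits wins, a group with no BackEnd blocks the URL,
and a back-end is drawn at random among the live ones, weighted by
priority; if none is alive the answer is 503.

Assumption: "fitting the pattern" is a regex search, i.e. patterns are not
implicitly anchored, which is why the hardened config below adds anchors.
"""
import random
import re
from collections import Counter


class UrlGroup:
    def __init__(self, pattern, backends=()):
        self.pattern = re.compile(pattern)
        self.backends = list(backends)   # (address, port, priority)


def select_group(groups, url):
    """First group whose pattern fits the URL, else None."""
    for group in groups:
        if group.pattern.search(url):
            return group
    return None


def route(groups, url, dead=frozenset(), rng=random):
    """Return the chosen back-end address, or "BLOCKED" / "503"."""
    group = select_group(groups, url)
    # A group with no BackEnd blocks; no matching group at all is treated
    # the same way here (assumption: the man page does not say).
    if group is None or not group.backends:
        return "BLOCKED"
    live = [b for b in group.backends if b[0] not in dead]
    if not live:
        return "503"
    return rng.choices(live, weights=[b[2] for b in live])[0][0]


def distribution(groups, url, draws=3000, seed=1):
    """How often each back-end is chosen for url over many seeded draws."""
    rng = random.Random(seed)
    return Counter(route(groups, url, rng=rng) for _ in range(draws))


# The man page's last example, transcribed as written: images group first,
# /forbidden block second, catch-all last.
AS_DOCUMENTED = [
    UrlGroup(r".*.(jpg|gif)", [("192.168.0.12", 80, 1)]),
    UrlGroup(r"/forbidden.*"),
    UrlGroup(r".*", [("192.168.0.10", 80, 1), ("192.168.0.11", 80, 1)]),
]

# Same intent, hardened: the deny rule comes first so no other group can
# claim a /forbidden URL, it is anchored to the start of the path, and the
# image pattern escapes the dot and anchors the extension to the end of
# the URL (a query string after the extension now falls through to the
# catch-all; URL normalisation is out of scope for this simulation).
HARDENED = [
    UrlGroup(r"^/forbidden"),
    UrlGroup(r"\.(jpg|gif)$", [("192.168.0.12", 80, 1)]),
    UrlGroup(r".*", [("192.168.0.10", 80, 1), ("192.168.0.11", 80, 1)]),
]

# The man page's three-server example: the third machine has priority 3.
THREE_SERVERS = [
    UrlGroup(r".*", [("192.168.0.10", 80, 1), ("192.168.0.11", 80, 1),
                     ("192.168.0.12", 80, 3)]),
]


if __name__ == "__main__":
    for url in ("/forbidden/secret.gif", "/cgi-bin/getjpg", "/forbidden", "/index.html"):
        print("%-24s documented=%-14s hardened=%s"
              % (url, route(AS_DOCUMENTED, url), route(HARDENED, url)))
    print("all image servers dead:", route(HARDENED, "/logo.gif", dead={"192.168.0.12"}))
    print("weighted draws:", dict(distribution(THREE_SERVERS, "/")))
```

Running the script prints, for each sample URL, where the documented ordering sends it beside where the hardened ordering sends it; the two differ exactly on the two URLs discussed above. The weighted draw over the three-server example lands on 192.168.0.12 about three fifths of the time, which is what priority 3 against two priority-1 servers means.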
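
Peter's question asks for routing by the Host header, and nothing on this page routes that way: pound's UrlGroup, as documented above, matches the request URL. The following minimal Host-map reverse proxy is an added example, not pound's code and not from the mailing list; the host names and back-end addresses in HOST_MAP are made up. Besides the map lookup it does the two things the HTTPS HEADERS and NOTES sections leave to the application: it refuses requests with zero or duplicate Host headers instead of guessing, and it strips any client-supplied X-SSL-* headers before forwarding, so a back-end that trusts those headers only ever sees values the proxy itself would set (X-Forwarded-* is not mentioned on this page and is stripped here on the same reasoning).

```python
"""Minimal Host-header-routed reverse proxy (added example, not pound).

The Host header is looked up in HOST_MAP; the request is forwarded to the
mapped back-end with its headers sanitised and the response relayed back.
Unknown hosts get 404, unreachable back-ends get 503. Bodies are passed
through as raw bytes, so Content-Length / Transfer-Encoding are left alone.
"""
import socket
import threading

# Constructed sample map (host names and back-end addresses are made up).
HOST_MAP = {
    "www.example.test": ("10.0.0.10", 80),
    "blog.example.test": ("10.0.0.11", 8080),
}

# Header prefixes only the proxy may set on the back-end side; a back-end
# that trusts X-SSL-* must never see a client-supplied copy.
UNTRUSTED_PREFIXES = ("x-ssl-", "x-forwarded-")
# Hop-by-hop headers that must not be relayed as-is.
HOP_BY_HOP = {"connection", "keep-alive", "proxy-connection", "upgrade"}
MAX_HEAD = 8192


def parse_head(head):
    """Split an HTTP/1.x request head into (request_line, [(name, value)])."""
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = []
    for line in lines[1:]:
        if not line:
            continue
        if ":" not in line or line[0] in " \t":   # reject folded or junk lines
            raise ValueError("malformed header line")
        name, value = line.split(":", 1)
        headers.append((name.strip(), value.strip()))
    return lines[0], headers


def lookup_backend(headers, host_map):
    """Map the Host header to a back-end, or None.

    Exactly one Host header is required; zero or duplicate Host headers are
    rejected rather than guessed at. IPv6 literal hosts are not handled.
    """
    hosts = [v for n, v in headers if n.lower() == "host"]
    if len(hosts) != 1:
        return None
    return host_map.get(hosts[0].lower().split(":", 1)[0])


def sanitize_headers(headers):
    """Drop hop-by-hop and proxy-reserved headers; force Connection: close."""
    kept = [(n, v) for n, v in headers
            if n.lower() not in HOP_BY_HOP
            and not n.lower().startswith(UNTRUSTED_PREFIXES)]
    kept.append(("Connection", "close"))
    return kept


def build_head(request_line, headers):
    lines = [request_line] + ["%s: %s" % (n, v) for n, v in headers]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("iso-8859-1")


def read_head(conn):
    """Read up to the end of the request head; return (head, leftover bytes)."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = conn.recv(4096)
        if not chunk or len(buf) + len(chunk) > MAX_HEAD:
            raise ValueError("request head too large or truncated")
        buf += chunk
    return tuple(buf.split(b"\r\n\r\n", 1))


def pump(src, dst):
    """Copy bytes src -> dst until EOF or error, then half-close dst."""
    try:
        while True:
            data = src.recv(65536)
            if not data:
                break
            dst.sendall(data)
    except OSError:          # includes the 10 s upstream timeout
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def reply(conn, status):
    conn.sendall(("HTTP/1.1 %s\r\nConnection: close\r\n"
                  "Content-Length: 0\r\n\r\n" % status).encode("ascii"))


def handle(client, host_map):
    with client:
        try:
            head, rest = read_head(client)
            request_line, headers = parse_head(head)
        except ValueError:
            return reply(client, "400 Bad Request")
        backend = lookup_backend(headers, host_map)
        if backend is None:
            return reply(client, "404 Not Found")
        try:
            upstream = socket.create_connection(backend, timeout=10)
        except OSError:      # same outcome pound gives for a dead back-end
            return reply(client, "503 Service Unavailable")
        with upstream:
            upstream.sendall(build_head(request_line, sanitize_headers(headers)) + rest)
            threading.Thread(target=pump, args=(client, upstream), daemon=True).start()
            pump(upstream, client)


def serve(listen_addr, host_map):
    srv = socket.create_server(listen_addr)
    while True:
        conn, _ = srv.accept()
        threading.Thread(target=handle, args=(conn, host_map), daemon=True).start()


if __name__ == "__main__":
    serve(("0.0.0.0", 8080), HOST_MAP)
```

Like pound in the man page, this does nothing for a client that cannot send a Host header at all: such a request gets 404 rather than a guess. The per-request Connection: close and the 8 KiB head limit are deliberate; they keep the example free of keep-alive and request-smuggling concerns that a production proxy would have to handle.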