SSL for Load Balance using Pound on Linux - http/https

Load balancing of web server traffic on Linux can be done with a program named Pound.
Load balancing is the networking practice of distributing a workload evenly across a number of computers connected within a network.

As traffic increases, retrieving data, generating responses and so on becomes slower, and this can lead to server failure and heavy traffic congestion. A business needs to be available to its customers at all times for support and other functions, so in these cases server load balancing helps manage the traffic and, in turn, protects revenue.

What is Pound?

Pound can be thought of as a reverse proxy, a load balancer and an HTTPS front end for web servers.
Pound was developed with two needs in mind: balancing traffic load, and providing an SSL wrapper for web servers that do not support SSL themselves.
Its main features are:
  • Acts as a reverse proxy: it forwards the client browser's requests to one or more back-end servers.
  • Balances the traffic load: it distributes requests among several back-end web servers while keeping session information intact.
  • Works as an SSL wrapper: Pound decrypts the client browser's HTTPS request and forwards it to the back-end servers as plain text.
  • Verifies HTTP/HTTPS: it verifies the authenticity of the requests coming from the client's browser.
  • Checks for server failure: Pound stops passing requests to servers that have failed.
  • Redirects requests: it routes requests to different web servers according to the requested URL.

Pound is a small program, so it is easy to audit for security issues. It is safe because it does not read the hard disk (except to read its certificates), and it runs in a chroot jail and drops privileges via setuid/setgid.

  • To install Pound, download and unpack the source tarball, then run the standard ./configure && make && make install.
  • If you want Pound's SSL support, enable it with ./configure --with-ssl.
  • The Pound executable is installed in /usr/local/sbin, and the configuration file, pound.cfg, lives in /usr/local/etc.

Next comes the configuration of Pound.
Below is a sample pound.cfg file:

ListenHTTP
    Address <public IP address>
    Port <port number>
    Service
        Backend
            Address <IP address>
            Port <port number>
        End
        Backend
            Address <IP address>
            Port <port number>
        End
    End
End

The above file tells Pound to accept requests on the public IP address and forward them evenly to the two backend machines defined in the Service section. Use the Priority directive to weight two machines that have different resources: the priority assigned to a web server ranges from 1 to 9, where 1 means the web server is used least often and 9 means it is used most often.
If a server goes down, Pound removes it from the list of available servers immediately, so the balancing adjusts dynamically.
Pound can track sessions between client and server. It supports five session types: client IP address, basic authentication, URL parameter, cookie value and header value. Pound allows only one session definition per service.
For example, add the following block to the Pound config file:

Session
    Type IP
    TTL 600
End

The above block enables client-IP-based session tracking and keeps a session active for ten minutes.
To make Pound more secure, run the daemon as an unprivileged user: use the User and Group directives to set the user and group to "nobody".
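Putting the pieces above together, here is a complete pound.cfg written as an added example for this article (not the original post's file or Pound's own sample); the addresses, ports and certificate path are assumed placeholders, and the RootJail, Alive and ListenHTTPS directives are standard Pound directives used here to show the chroot, fail-over and SSL-wrapper features described earlier.

```text
# pound.cfg: example added here, not the original post's file.
# IP addresses, ports and the certificate path are placeholders.
# Drop privileges and chroot once the listeners are bound.
User     "nobody"
Group    "nobody"
RootJail "/var/lib/pound"
# Re-check dead backends every 30 seconds and restore them when they answer.
Alive    30
ListenHTTP
    Address 203.0.113.10
    Port    80
    Service
        # Larger machine: gets the most requests.
        BackEnd
            Address  10.0.0.11
            Port     8080
            Priority 9
        End
        # Smaller machine: gets the fewest.
        BackEnd
            Address  10.0.0.12
            Port     8080
            Priority 1
        End
        # Keep each client IP on the same backend for ten minutes.
        Session
            Type IP
            TTL  600
        End
    End
End
# SSL wrapper: Pound terminates HTTPS here and forwards plain HTTP.
# The PEM file must hold the server's private key and certificate.
ListenHTTPS
    Address 203.0.113.10
    Port    443
    Cert    "/usr/local/etc/pound/site.pem"
    Service
        BackEnd
            Address  10.0.0.11
            Port     8080
        End
        BackEnd
            Address  10.0.0.12
            Port     8080
        End
    End
End
```

Comments are kept on their own lines because Pound's parser matches whole directive lines and does not strip trailing comments. Because the backends receive plain HTTP from Pound, they should not be reachable from the network except through the Pound machine.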
Once Pound is in front of your web servers, the backend servers will start logging the IP address of the Pound machine rather than the client's IP. By default Pound forwards all headers sent by the client to the backend servers, with two exceptions: it adds an X-Forwarded-For header, and it may add information about the client's SSL certificate.

To record the correct client address in your logs, use the X-Forwarded-For header.

If you are using Apache with the combined log format, remove the %h directive and replace it with the following:

\"%{X-Forwarded-For}i\"
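The full Apache directive that results, as an added example (not from the original post); it defines a new format name rather than overriding "combined", and the log file path is an assumption:

```apache
# httpd.conf fragment (example added here, not from the original post).
# Standard "combined" format with %h (the peer address, which is now
# always the Pound machine) replaced by the X-Forwarded-For header Pound adds.
LogFormat "\"%{X-Forwarded-For}i\" %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" pound_combined
CustomLog "logs/access_log" pound_combined
```

Only trust this header on backends that accept connections solely from Pound; a client that can reach the backend directly can set X-Forwarded-For to any value it likes.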

About the Author:

Abel Wike works at ClickSSL.com, one of the leading SSL security certificate providers globally and an Authenticate Platinum Partner of GeoTrust. All our certificates are the same as those our vendors sell directly. We focus on SSL and related security, which allows us to be experts in the field.