Wednesday, October 11, 2006

Pound as a Proxy

We have been using Pound as a proxy to protect a ColdFusion Application server from the internet and limit its exposure to malicious traffic.

I think it is a very good system even though we aren't using it to its full potential yet; from what I have read, it is also able to do load balancing, clustering and other useful things.

It can be a bit of a pain to get it to stop and start as a daemon, but other than that it is very good. It also handles the SSL for the servers behind it, which matters because a standard Win32 Apache 2.0 installation doesn't come with the SSL component: any server that uses SSL with Apache2/Win32 has to have an additional module added and configured, which to be honest is a bit of a pain.

To get Pound to do SSL, it's a matter of installing OpenSSL, generating your key, CSR and certificate, then putting the key and certificate into one file with a .pem extension and pointing the Pound config at it. Restart Pound and you are laughing.

A word of warning: make sure the key matches the certificate and that the key is not password protected (see this blog post for more info), and that there are no trailing spaces in the .pem file. Either mistake makes Pound barf, and it is not at all easy to debug when you get the config wrong. A bit of a hint (in Debian at least): if Pound doesn't start correctly, the bash prompt will be on the same line as "Pound Restarting", like

Pound Restarting:servername:/etc/init.d#

I found the above useful, but other than that Pound is no help when it comes to finding out what is wrong.
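The key-plus-certificate bundle described above, with the three checks from the warning (key matches certificate, key has no passphrase, no trailing whitespace) turned into a script, as an added example that is not from the original post. It assumes a working directory under `/tmp` and, because no CA is involved here, signs the certificate with its own key as a stand-in for the CA-issued certificate a real deployment would use; the Pound directive it feeds (`Cert`) is the one that points at the .pem file.

```shell
#!/bin/sh
# Added example: build and sanity-check a Pound .pem bundle (private key
# followed by certificate in one file). WORK is an assumed scratch path.
set -u
WORK="${WORK:-/tmp/pound-pem-example}"

# 1. Key, CSR and certificate. Self-signed here; in a real deployment the CSR
#    goes to a CA and the certificate it returns replaces server.crt.
#    The key is generated without a passphrase: Pound cannot prompt for one.
gen_key_and_cert() {
    mkdir -p "$WORK"
    openssl genrsa -out "$WORK/server.key" 2048 2>/dev/null
    openssl req -new -key "$WORK/server.key" -subj "/CN=proxy.example.test" \
        -out "$WORK/server.csr" 2>/dev/null
    openssl x509 -req -days 30 -in "$WORK/server.csr" \
        -signkey "$WORK/server.key" -out "$WORK/server.crt" 2>/dev/null
}

# 2. Concatenate key and certificate, stripping trailing blanks from every
#    line, since Pound rejects a .pem that carries them.
make_bundle() {
    cat "$WORK/server.key" "$WORK/server.crt" \
        | sed 's/[[:space:]]*$//' > "$WORK/server.pem"
}

# Check A: the private key is not passphrase protected.
# Covers both legacy "Proc-Type: 4,ENCRYPTED" and PKCS#8 "ENCRYPTED PRIVATE KEY".
# Returns 0 if unencrypted, 1 if encrypted.
key_is_unencrypted() {
    ! grep -q 'ENCRYPTED' "$1"
}

# Check B: no line in the file ends in whitespace. Returns 0 if clean.
no_trailing_whitespace() {
    ! grep -q '[[:space:]]$' "$1"
}

# Check C: the key and certificate in the bundle belong together, by
# comparing their RSA moduli. Returns 0 on match, 1 otherwise.
key_matches_cert() {
    k=$(openssl rsa -in "$1" -noout -modulus 2>/dev/null)
    c=$(openssl x509 -in "$1" -noout -modulus 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Run the whole procedure when executed directly (skipped if openssl is absent).
if command -v openssl >/dev/null 2>&1; then
    gen_key_and_cert && make_bundle
    key_matches_cert "$WORK/server.pem"       && echo "key/cert match: ok"
    key_is_unencrypted "$WORK/server.pem"     && echo "key unencrypted: ok"
    no_trailing_whitespace "$WORK/server.pem" && echo "no trailing whitespace: ok"
    echo "Pound config line: Cert \"$WORK/server.pem\""
fi
```

The three check functions are the part worth keeping around: run them against the .pem before restarting Pound, since Pound itself reports nothing useful when the bundle is malformed.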
