As of this writing, on Rocky Linux 9.0, Pound cannot be installed from the EPEL repository. While there are sources out there for SRPM packages, we can not verify the integrity of these sources. For this reason, we do not recommend installing the Pound proxy server on Rocky Linux 9.0 at this time. This may change if the EPEL once again picks up Pound. Use this procedure specifically for Rocky Linux 8.x versions.
Pound is a web server agnostic reverse proxy and load balancer that is simplistic to setup and manage. It does not use a web service, but does listens on the web service ports (http, https).
Now, many proxy server options exist, some referenced in these documentation pages. A document on using HAProxy is here and references to applying Nginx for a reverse proxy exist in other documents.
Load balancing services are quite useful for a busy web server environment. Many proxy servers exist, including the previously mentioned HAProxy, and have uses for many service types.
In the case of Pound, it is only usable for web services, but it is good at what it does.
The following are minimum requirements for using this procedure:
A desire to load balance between a few websites, or the willingness to learn a new tool to do the same.
The ability to run commands as the root user or use sudo to elevate privileges.
Familiarity with a command-line editor. The author is using vi or vim here, but substitute in your favorite editor.
Comfort with changing the listen ports on a few types of web servers.
Assuming the earlier installation of the Nginx and Apache servers.
Assuming that you are using Rocky Linux servers or containers for everything here.
While all kinds of statements regarding https are in this document, this guide only deals with the http service. To properly do https, you will need to configure your pound server with a real certificate from a real certificate authority.
Tip
If you do not have either of these servers installed, you can do so on a container environment (LXD or Docker) or on bare metal, and get them up and running. For this procedure, you must install them with their respective packages and enable and start the services. We will not be modifying them significantly in any way.
For this procedure, we are going to be using two web servers (known as back end servers), one running Nginx (192.168.1.111) and one running Apache (192.168.1.108).
Our Pound server (192.168.1.103) is the gateway.
You will be switching your listen ports on the back end servers to 8080 for the Nginx server and 8081 for the Apache server. (Showing everything below.)
Note
Remember to change the associated IPs to whatever they are in your own environment and substitute them where applicable throughout this procedure.
With the packages installed, you need to configure Pound. The author is using vi to update this, but if you prefer nano or something else, go ahead and substitute that in:
vi/etc/pound.cfg
The file has default information in it, which makes it easy to see most of the default components of Pound:
User"pound"
Group"pound"
Control"/var/lib/pound/pound.cfg"
ListenHTTP
Address0.0.0.0
Port80
End
ListenHTTPS
Address0.0.0.0
Port443Cert"/etc/pki/tls/certs/pound.pem"
End
Service
BackEnd
Address127.0.0.1
Port8000End
BackEnd
Address127.0.0.1
Port8001End
End
The "User" and "Group" - populated with the installation
The "Control" file is not used anywhere
The "ListenHTTP" section represents the service http (Port 80) and the "Address" that the proxy will listen on. You will change this to the actual IP of our Pound server.
The "ListenHTTPS" section represents the service https (Port 443) and the "Address" that the proxy will listen on. You will change this to the IP of the Pound server.
The "Cert" option is the self-signed certificate provided by the Pound install process. You want to replace this in a production environment with a real certificate using one of these procedures: Generating SSL Keys or SSL Keys with Let's Encrypt.
The "Service" section configures the "BackEnd" servers with their listening ports. You can have as many "BackEnd" servers as you need.
change the IP Address under each listen option to our Pound server IP, 192.168.1.103
change the IP Addresses and ports under the "BackEnd" sections to match our configuration found in "Conventions" above (IPs and Ports)
When you are all done modifying the configuration, your file will look something like this:
User"pound"
Group"pound"
Control"/var/lib/pound/pound.cfg"
ListenHTTP
Address192.168.1.103
Port80
End
ListenHTTPS
Address192.168.1.103
Port443Cert"/etc/pki/tls/certs/pound.pem"
End
Service
BackEnd
Address192.168.1.111
Port8080End
BackEnd
Address192.168.1.108
Port8081End
End
Since you have set the listen port for Nginx in our Pound configuration to 8080, you need to also make that change on your running Nginx server. You do this by modifying the nginx.conf:
vi/etc/nginx/nginx.conf
You just want to change the "listen" line to the new port number:
Since you have set the listen port for Apache in our Pound configuration to 8081, you need to also make that change on our running Apache server. You do this by modifying the httpd.conf:
vi/etc/httpd/conf/httpd.conf
You want to change the "Listen" line to the new port number:
Once you have your web services up and running and listening on the right ports on each of your servers, the next step is to turn up the pound service on the Pound server:
systemctlenable--nowpound
Warning
Using Nginx and Apache, as done here for demonstration, will mean that the Nginx server will almost always respond first. For this reason, to test effectively, you will need to assign a low priority to the Nginx server so that you will be able to see both screens. This speaks volumes about the speed of Nginx over Apache. To change the priority for the Nginx server, you just need to add a priority (1-9, with 9 being the lowest priority) in the "BackEnd" section for the Nginx server like this:
BackEnd
Address 192.168.1.111
Port 8080
Priority 9
End
When you open your proxy server IP in a web browser you will see one of these two screens:
One thing that you may need to do when using a load balancer such as Pound, is to take the productions servers off-line for maintenance or to have a fall-back "BackEnd" for a complete outage. Do this with the "Emergency" declaration in the pound.conf file. You can only have one "Emergency" declaration per service. In our case, this will appear at the end of the "Service" section in our configuration file:
...
Service
BackEnd
Address192.168.1.117
Port8080Priority9End
BackEnd
Address192.168.1.108
Port8081End
Emergency
Address192.168.1.104
Port8000End
End
This server might only show a message that says, "Down For Maintenance".
Something that most documents dealing with load balancing proxy servers will not deal with are security issues. For instance, if this is a public facing web server, you will need to have http and https services open to the world on the load balancing proxy. But what about the "BackEnd" servers?
Those only need accessing by their ports from the Pound server, but since the Pound server is redirecting to 8080 or 8081 on the BackEnd servers, and since the BackEnd servers have http listening on those subsequent ports, you can just use the service names for the firewall commands on those BackEnd servers.
This section will deal with those concerns and the firewalld commands needed to lock everything down.
Warning
The assumption here is that you have direct access to the servers in question and are not remote to them. If you are remote, take extreme caution when removing services from a firewalld zone!
You could lock yourself out of your server by accident.
For the Pound server, you want to allow http and https from the world. It is best to consider whether you need to allow ssh from the world or not. If you are local to the server, this is probably NOT the case. The author assumes here that the server is available via your local network and that you have direct access to it, so you will be locking down ssh to your LAN IPs.
To accomplish this, you will use the built-in firewall for Rocky Linux, firewalld and the firewall-cmd command structure. You will also use two built-in zones, "public" and "trusted", to keep things uncomplicated.
Start by adding our source IPs to the "trusted" zone. This is our LAN here (in our example: 192.168.1.0/24):
Next you need to make changes to the "public" zone, which by default has the ssh service enabled. This needs to be carefully removed (again, the author assumes that you are NOT remote to the server here!) with the following:
For the "BackEnd" servers, you do not need to allow access from the world for anything. You will need to allow ssh from the LAN IPs, and http and https from our Pound load balancer.
That is pretty much it.
Again, you are going to add the ssh service to your "trusted" zone, with the essentially the same commands used for your pound server. Then add a zone called "balance" that you will use for the remaining http and https, and set the source IPs to that of the load balancer.
To simplify things, use all of those commands that you used for the "trusted" zone in a single set of commands:
Again, test your ssh rule from an IP on the LAN, and then remove the ssh service from the "public" zone. Remember our warning earlier, and do this only if you have local access to the server!
Add that new zone to deal with http and https. Remember that the source IP here needs to only be your load balancer (in our example: 192.168.1.103):
Note
A new zone must be added with the --permanent option and cannot be used until the firewall is reloaded. Also, do not forget to --set-target=ACCEPT for this zone!
Many options are usable in your pound.conf file, including error message directives, logging options, time out values, and more. You can find what is available by looking here.
Conveniently, Pound automatically figures out if one of the "BackEnd" servers is off-line and disables it so that web services can continue without delay. It also automatically sees them again when they are back on-line.
Pound offers another option for those who do not want to use HAProxy or Nginx as for load balancing.
Pound as a load balancing server is very easy to install, set up and use. As noted here, you can use Pound as a reverse proxy, and many proxy and load balancing options exist.
And you should always remember to keep security in mind when setting up any service, including a load balancing proxy server.