[TOOL] Pound - Reverse-Proxy and Load-Balancer
From: SecuriTeam (support_at_securiteam.com)
Date: 12/03/03
To: list@securiteam.com Date: 3 Dec 2003 19:43:54 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Pound - Reverse-Proxy and Load-Balancer
------------------------------------------------------------------------
DETAILS
The Pound program (http://www.apsis.ch/pound/index.html) is a reverse
proxy, load balancer and HTTPS front-end for Web server(s). Pound was
developed to enable distributing the load among several Web-servers and to
allow for a convenient SSL wrapper for those Web servers that do not offer
it natively. Pound is distributed under the GPL (with the OpenSSL
disclaimer) - no warranty, it's free to use, copy and give away.
What Pound is:
1. a reverse-proxy: it passes requests from client browsers to one or
more back-end servers.
2. a load balancer: it will distribute the requests from the client
browsers among several back-end servers, while keeping session
information.
3. an SSL wrapper: Pound will decrypt HTTPS requests from client browsers
and pass them as plain HTTP to the back-end servers.
4. an HTTP/HTTPS sanitizer: Pound will verify requests for correctness
and accept only well-formed ones.
5. an HTTP/1.1 proxy: Pound will accept requests from HTTP/1.1 clients on
one connection even if the back-end server is HTTP/1.0. Connections to the
server will be reopened as necessary.
6. a failover-server: should a back-end server fail, Pound will take note
of the fact and stop passing requests to it until it recovers.
7. a request redirector: requests may be distributed among servers
according to the requested URL and the presence or absence of headers,
based on pattern matching.
Pound is a very small program, easily audited for security problems. It
can run as setuid/setgid and/or in a chroot jail. Pound does not access
the hard-disk at all (except for reading the certificate file on start, if
required, and the pid file) and should thus pose no security threat to any
machine.
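The seven roles above map onto a handful of configuration directives. The following is an added example, not part of the advisory or of the Pound distribution, written in the Pound 2.x configuration syntax (the advisory names no version, and the 2003-era 1.x syntax differed); the user/group names, jail path, certificate path, back-end addresses, hostnames and the JSESSIONID cookie are assumed placeholders.

```conf
# Added example (not from the advisory). Pound 2.x-style configuration
# exercising the roles listed above. All names, paths and addresses are
# assumed placeholders.

# Run as an unprivileged user and inside a chroot jail. Only the
# certificate file (read at start-up) and the pid file are ever touched.
User      "pound"
Group     "pound"
RootJail  "/var/lib/pound"
LogLevel  1

# Failover: probe each back-end every 30 seconds. A back-end that fails
# the probe receives no requests until it answers again.
Alive     30

# Plain HTTP listener whose only job is to send clients to HTTPS.
ListenHTTP
    Address 0.0.0.0
    Port    80
    Service
        Redirect "https://www.example.com"
    End
End

# SSL wrapper: TLS terminates here, back-ends only ever see plain HTTP.
ListenHTTPS
    Address 0.0.0.0
    Port    443
    # PEM file holding the certificate and its private key.
    Cert    "/etc/pound/example.com.pem"
    # Sanitizer: xHTTP 0 accepts only GET, POST and HEAD; anything else
    # is rejected before it reaches a back-end.
    xHTTP   0
    # Tell the back-end that the original request was HTTPS.
    AddHeader "X-Forwarded-Proto: https"

    # Request redirector: services are tried in order, the first whose
    # URL pattern and header requirements match handles the request.
    Service
        URL         "^/api/.*"
        HeadRequire "Host: api\.example\.com"
        BackEnd
            Address  10.0.0.11
            Port     8080
            Priority 5
        End
        BackEnd
            Address  10.0.0.12
            Port     8080
            Priority 5
        End
    End

    # Load balancer with session persistence for everything else:
    # requests carrying the same JSESSIONID cookie stay on one back-end
    # for up to 300 seconds of inactivity.
    Service
        BackEnd
            Address 10.0.0.21
            Port    8080
        End
        BackEnd
            Address 10.0.0.22
            Port    8080
        End
        Session
            Type COOKIE
            ID   "JSESSIONID"
            TTL  300
        End
    End
End
```

Two points worth checking on a real deployment: the jail directory must exist and be owned by root, not by the `User` Pound drops to, and the certificate file must be readable before privileges are dropped, since it is opened once at start-up and never re-read.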
What Pound is not:
1. Pound is not a Web server: by itself, Pound serves no content - it
contacts the back-end server(s) for that purpose.
2. Pound is not a Web accelerator: no caching is done - every request is
passed "as is" to a back-end server. Some speed-ups may be achieved by the
HTTP/1.1 to HTTP/1.0 proxying though.
ADDITIONAL INFORMATION
The tool is available from: http://www.apsis.ch/pound/index.html
The information has been provided by Robert Segall (roseg@apsis.ch).
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
========================================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.