Posted: Thu Feb 10, 2011 13:26 Post subject: Re: Question on pound and port 80 to 80
Andy120 wrote:
I want to run pound with the external port 80 listening to internal ports 80 as well, so I don't need to change every internal web server to port 8080 (for example).
You don't have to...
My script already has a simple NAT rule that redirects all traffic on port 80 to port 8080 on the LAN interface....
These lines are the same as the ones that would translate traffic to a server on your LAN.
Do you have USB-storage?
If so, please install OTRW and find out.
It will create the complete config for you. _________________ Asus RT16N + OTRW
Kingston 4GB USB-disk 128 MB swap + 1.4GB ext3 on /opt + 2 GB ext3 on /mnt
Copperjet 1616 modem in ZipB-config
Asterisk, pixelserv & Pound running on router
Another Asus RT16N as WDS-bridge
Hi, I need help with configuration. I spent more than 2 weeks reading the forum and Google, but I'm stuck.
Router (192.168.7.1): Asus N16
WAN (download/upload) 1Mb/512kb
Firmware: DD-WRT v24-sp2 (12/24/10) big (15962)
Pound installed with Optware (Optware the Right Way)
WebServer on qnapNAS (192.168.7.20:80)
Changes in /opt/etc/init.d/S80pound:
1. change the path to the config file:
Code:
CONFDIR=/opt/pound
2. prevent "write_config" from running during start:
Code:
# Start/Stop/Status pound
case "$rc" in
    start)
        echo "Writing $CONF"
        ## write_config
        echo "Starting $NAME"
        if [ ! -z "`pidof $NAME`" ]; then
            echo "$NAME already running"
        else
            if [ ! -e $CONF ]; then
                echo "missing $CONF"
                exit 1
            fi
            [ -e "`readlink /tmp/etc/config/pound.wanup`" ] || pound_tables
            $DAEMON -v -f $CONF
        fi
        ;;
Config file for Pound /opt/pound/pound.cfg:
Code:
User "pound"
Group "nobody"
TimeOut 120
Alive 30
Control "/var/run/pound.ctl"
LogLevel 3
ListenHTTP
    Address 192.168.7.1
    xHTTP 3
    Port 7777
    Service "qnapnas"
        HeadRequire "^Host:[\t ].*media\.xxxxxxx\.yy$"
        Backend
            Address 192.168.7.20
            Port 80
        end
    end
End
Port forward:
My problem is performance. When I download a file (700MB) from the WebServer through pound (port 80 on the WAN interface) I get 1Kb/s, but if I make a Port Forward (port 88) directly to the WebServer, the speed is about 50Kb/s.
In both cases, CPU load on router is about 2%.
User "pound"
Group "nobody"
TimeOut 120
Alive 30
Control "/var/run/pound.ctl"
LogLevel 3
ListenHTTP
    Address 192.168.10.1
    xHTTP 3
    Port 81
    Service "mydomain.dyndns.org"
        HeadRequire "^Host:[\t ].*mydomain\.dyndns\.org$"
        Backend
            Address 192.168.10.1
            Port 8080
        end
    end
    Service "Default"
        BackEnd
            Address 10.63.63.1
            Port 80
        End
    End
End
It works like a charm, but now I cannot see the visitor's IP in lighttpd's access.log.
Small example:
before using pound:
Can I somehow have pound running and access.log showing the nice visitor IP instead of 192.168.10.1?
LE:
I figured myself after googling.
Under lighttpd\conf.d dir create a file named 20-mod_extforward.conf to be sure lighttpd loads this module before 10-php-fcgi!
I have BS 14929 on my wrt600n with optware... what I am trying to do is be able to type "pictonstreet" into my browser and have it direct to a site on my server, which also runs a separate website. But I can't seem to get it to work.
I am using pound to redirect to the server, I think that is the way, here are my configs:
services:
127.0.0.1 localhost
192.168.1.1 DD-WRT
192.168.1.120 server
192.168.1.101 gobbledigook
192.168.1.120 pictonstreet
my /tmp/pound/pound.conf:
Code:
User "pound"
Group "nobody"
TimeOut 360
Alive 30
Control "/var/run/pound.ctl"
LogLevel 3
ListenHTTP
    Address 192.168.1.1
    xHTTP 3
    Port 8080
    Service "dd-wrt"
        HeadRequire "^Host:[\t ]*dd-wrt$"
        Backend
            Address 192.168.1.1
            Port 80
        end
    end
    Service "server"
        HeadRequire "^Host:[\t ]*server$"
        Backend
            Address 192.168.1.120
            Port 80
        end
    end
    Service "gobbledigook"
        HeadRequire "^Host:[\t ]*gobbledigook$"
        Backend
            Address 192.168.1.101
            Port 80
        end
    end
    Service "pictonstreet"
        HeadRequire "^Host:[\t ]*pictonstreet$"
        Backend
            Address 192.168.1.120
            Port 80
        end
    end
    Service "Default"
        BackEnd
            Address 192.168.10.130
            Port 80
        End
    End
End
nvram set lan_domain=mydomain.com
nvram commit
reboot
Edit: You can also update S80pound. The '$' sign spoils your party. Because you haven't set the lan_domain, the full domain will not get into your hosts file.
I therefore rewrote it a bit, and the '$' sign is only inserted if there's a dot in the domain name....
I had another check at your apache config and it's not going to work as you think it should. I have a wildcard for 'mirmana.com' and in my /etc/hosts there's an entry
192.168.10.210 wd.mirmana.com
This will direct all traffic for wd.mirmana.com to that webserver
Code:
Service "wd.mirmana.com"
    HeadRequire "^Host:[\t ]*wd\.mirmana\.com$"
    Backend
        Address 192.168.10.210
        Port 80
    end
end
You could create a file called pound.header to make some custom additions, but I don't think it is necessary.....
# cat /opt/etc/pound/pound.header
Code:
Service "www.gobbledigook.homelinux.net"
    HeadRequire "^Host:[\t ].*www\.gobbledigook\.homelinux\.net$"
    BackEnd
        Address 192.168.1.101
        Port 80
    End
End
Service "www.pictonstreet.net"
    HeadRequire "^Host:[\t ].*www\.pictonstreet\.net$"
    BackEnd
        Address 192.168.1.120
        Port 80
    End
End
It's also possible to create a pound.tail that will create another tail to the config.... _________________ Asus RT16N + OTRW
Kingston 4GB USB-disk 128 MB swap + 1.4GB ext3 on /opt + 2 GB ext3 on /mnt
Copperjet 1616 modem in ZipB-config
Asterisk, pixelserv & Pound running on router
Another Asus RT16N as WDS-bridge
You can then easily test on your local network if that domain will bring you to your apache server.... _________________ Asus RT16N + OTRW
Kingston 4GB USB-disk 128 MB swap + 1.4GB ext3 on /opt + 2 GB ext3 on /mnt
Copperjet 1616 modem in ZipB-config
Asterisk, pixelserv & Pound running on router
Another Asus RT16N as WDS-bridge
but my 29pictonst.net and gobbledigook.homelinux.net are on the same internal IP.
dd-wrt, server and gobbledigook in /etc/hosts appear there by themselves, and after I worked out that pound pulls the data for its .conf from the same file I realised I needed to get that one entry into the file...
the method I used was specified by the wiki, I had a feeling I could probably do it using additional DNSMasq options... just didn't know the syntax, the wiki answer popped up first
just checked again, and the additional dnsmasq is given as a second option.... guess I should read the whole page instead of being in a hurry!! changed
wd.mirmana.com points to /var/www/vhosts/com/mirmana/wd
www.mirmana.com points to /var/www/vhosts/com/mirmana/www
This will fix your logging in Apache to deal with the reverse proxy. If an X-Forwarded-For is inside the http data it will use that IP in the log instead of the proxy's IP
_________________ Asus RT16N + OTRW
Kingston 4GB USB-disk 128 MB swap + 1.4GB ext3 on /opt + 2 GB ext3 on /mnt
Copperjet 1616 modem in ZipB-config
Asterisk, pixelserv & Pound running on router
Another Asus RT16N as WDS-bridge
however the pictonst.net I ONLY want to be available to internal connections, like an intranet?
I thought that was what I was configuring pound for, I will go over all the config again tonight and check I have the right IPs in the right place :?
the rest of that reply is over my head, I simply don't understand it... I don't really want pictonstreet.net to be a subdomain of gobbledigook.homelinux.net 'cause wouldn't that be pictonstreet.gobbledigook.homelinux.net ? bit long to type in, maybe I need to rethink my whole approach?
nothing to do till I get back from work, but thanks a lot for your help, I really appreciate it :)
EDIT:
I think I see what is going on:
/etc/hosts now reads:
Code:
127.0.0.1 localhost
192.168.1.1 DD-WRT
192.168.1.120 server
192.168.1.101 gobbledigook
192.168.1.120 pictonstreet
but pound sees "gobbledigook" (my computer name on *.101) and redirects www.gobbledigook.homelinux.net to that rather than to my server @ *.120
/tmp/pound/pound.conf:
Code:
Service "gobbledigook"
    HeadRequire "^Host:[\t ]*gobbledigook$"
    Backend
        Address 192.168.1.101
        Port 80
    end
end
if I remove gobbledigook from /etc/hosts will this fix it? or do I need to change the broadcast name of the server
Posted: Wed Feb 23, 2011 7:58 Post subject: dd-wrt and pound, block bad requests on your website
A few days ago I started playing with pound. I ran a small testing web server on my rt-n16 unit and after a while attacks from various scanners started to appear.
My days of searching a way to fight back are over. Now only pound.cfg needs to be improved.
Here's my current pound.cfg config:
Code:
User "pound"
Group "nobody"
TimeOut 250
Alive 30
Client 30
Control "/var/run/pound.ctl"
LogLevel 3
ListenHTTP
    Address 192.168.10.1
    HeadRemove "X-Forwarded-For"
    Port 81
    xHTTP 3
    Service "blacklisted_agents"
        HeadRequire "User-Agent:.*(Microsoft URL Control|Microsoft Office|Wget|curl|AdobeAIR|Apache|Brutus|ColdFusion|DataCha0s|DTS Agent|BackStreet Browser|Firebat|Web Downloader|Offline Explorer|Internet-exprorer|Indy Library|Gigamega|compatible ; MSIE|EmailCollector|LiteFinder|Missigua|MJ12bot|Nutch|OCP HRS|Jenaie|libwww|HistoryHound|HttpClient|HTTrack|HTTP Fetcher|Snoopy|WebCopier|XMLHTTP)"
        Redirect "http://www.microsoft.com"
    end
    Service "mydomain.dyndns.org"
        HeadRequire "^Host:[\t ].*mydomain\.dyndns\.org$"
        Backend
            Address 192.168.10.1
            Port 8080
        end
    end
    # For everything else pound sends e503: no service
End
NoService
#################################################################
root@rt-n16:~# cat /tmp/var/log/messages | grep pound | grep 503
Feb 23 01:45:15 rt-n16 daemon.notice pound: (2c04) e503 no service "GET //phpMyAdmin/ HTTP/1.1" from 116.255.163.100
Feb 23 01:45:16 rt-n16 daemon.notice pound: (3004) e503 no service "GET //phpmyadmin/ HTTP/1.1" from 116.255.163.100
Feb 23 01:45:16 rt-n16 daemon.notice pound: (3404) e503 no service "GET //mysql/ HTTP/1.1" from 116.255.163.100
Feb 23 01:45:17 rt-n16 daemon.notice pound: (3804) e503 no service "GET // HTTP/1.1" from 116.255.163.100
Feb 23 03:05:52 rt-n16 daemon.notice pound: (4004) e503 no service "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" from 178.63.51.11
I have found a huge bad user agents list and I wonder if it can be somehow used in pound.cfg
frater ?
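As an added example (not from the thread and not pound's own tooling), this POSIX shell script turns a plain one-substring-per-line user-agent list into the escaped HeadRequire alternation the config above uses, so a downloaded list can be pasted into pound.cfg; SAMPLE_AGENTS is constructed input and the function names are my own.

```shell
#!/bin/sh
# Added example: build the HeadRequire line of a "blacklisted_agents" Service
# from a plain list of User-Agent substrings, one per line.  ERE metacharacters
# are escaped so an entry such as "DataCha0s (Crawler)" cannot break the
# pattern, and an empty list is refused because "User-Agent:.*()" would match
# every client.

# Constructed sample list; a real run would use "$(cat bad_agents.txt)".
SAMPLE_AGENTS='Microsoft URL Control
Wget
curl/7.
DataCha0s (Crawler)
# comment lines and blank lines are ignored

HTTrack'

# ua_regex LIST -> alternation such as "Wget|curl/7\." (sorted, deduplicated).
ua_regex() {
    printf '%s\n' "$1" |
    # trim surrounding whitespace (also CR from Windows lists), drop comments/blanks
    sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' |
    grep -v '^#' | grep -v '^$' |
    # escape ERE metacharacters (a literal backslash is the one not handled)
    sed 's/[][^.$*+?(){}|]/\\&/g' |
    LC_ALL=C sort -u |
    paste -sd '|' -
}

# blacklist_service LIST URL -> a Service block for pound.cfg.  It must be
# placed inside ListenHTTP ahead of the real Service entries, because pound
# uses the first Service whose HeadRequire matches.
blacklist_service() {
    regex=$(ua_regex "$1")
    if [ -z "$regex" ]; then
        echo "empty agent list: an empty group would match every client" >&2
        return 1
    fi
    printf 'Service "blacklisted_agents"\n'
    printf '    HeadRequire "User-Agent:.*(%s)"\n' "$regex"
    printf '    Redirect "%s"\n' "$2"
    printf 'end\n'
}

# Example: blacklist_service "$SAMPLE_AGENTS" "http://www.microsoft.com"
```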
That's a way of handling things, but it keeps on taking resources...
I wrote S98stophack that will check the log for 'pound' entries, extract their IP and will put it in /opt/etc/asia.spam or if you have the smaller list /opt/etc/birma.spam
That file is used by S95asiablock or S95birmablock.
After a while your /opt/etc/birma.spam looks like this:
# cat /opt/etc/birma.spam
Code:
114.80.93.51/32 # CHINANET-SH
114.80.93.55/32 # CHINANET-SH
124.115.0.159/32 # CHINANET-SN
124.115.0.21/32 # CHINANET-SN
124.115.4.193/32 # CHINANET-SN
193.200.241.235/32 # GIGAHOSTING
207.241.230.78/32 # INTERNET-ARCHIVE-1
207.46.13.53/32 # MICROSOFT-GLOBAL-NET
207.46.204.179/32 # MICROSOFT-GLOBAL-NET
66.249.66.105/32 # GOOGLE
66.249.66.238/32 # GOOGLE
66.249.66.240/32 # GOOGLE
66.249.66.243/32 # GOOGLE
66.249.66.97/32 # GOOGLE
66.249.66.99/32 # GOOGLE
66.249.71.114/32 # GOOGLE
66.249.71.166/32 # GOOGLE
66.249.71.203/32 # GOOGLE
66.249.71.246/32 # GOOGLE
79.165.184.21/32 # Neo-CNT
81.30.169.27/32 # VNTPNET
93.158.145.28/32 # YANDEX-93-158-145
Check it out... (it's currently being discussed in the OTRW thread, so go there please) _________________ Asus RT16N + OTRW
Kingston 4GB USB-disk 128 MB swap + 1.4GB ext3 on /opt + 2 GB ext3 on /mnt
Copperjet 1616 modem in ZipB-config
Asterisk, pixelserv & Pound running on router
Another Asus RT16N as WDS-bridge
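An added example (not frater's S98stophack, whose code is not shown on this page): a POSIX shell script that extracts the source IPs from pound's "e503 no service" log lines, as quoted in the post above, and merges them into a birma.spam-style file as /32 entries. The SAMPLE_LOG lines are constructed, and skipping RFC 1918 addresses is my assumption, not something the thread describes.

```shell
#!/bin/sh
# Added example: pull source IPs out of pound's "e503 no service" log lines
# and merge them into a birma.spam-style file.  Only busybox-level tools
# (grep, sed, sort) are used so it can run on a DD-WRT/OTRW router.

# Constructed sample of /tmp/var/log/messages lines (offline test input).
SAMPLE_LOG='Feb 23 01:45:15 rt-n16 daemon.notice pound: (2c04) e503 no service "GET //phpMyAdmin/ HTTP/1.1" from 116.255.163.100
Feb 23 01:45:16 rt-n16 daemon.notice pound: (3404) e503 no service "GET //mysql/ HTTP/1.1" from 116.255.163.100
Feb 23 03:05:52 rt-n16 daemon.notice pound: (4004) e503 no service "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" from 178.63.51.11
Feb 23 03:06:00 rt-n16 daemon.notice pound: (4404) e503 no service "GET /admin/ HTTP/1.1" from 192.168.10.5
Feb 23 03:07:10 rt-n16 daemon.notice pound: (4804) GET /index.html HTTP/1.1 from 10.0.0.9'

# offenders_from_log LOGTEXT -> one "A.B.C.D/32 # pound-e503" line per unique
# IP.  RFC 1918 ranges are skipped (my assumption) so a LAN client that
# mistyped a hostname can never lock itself out of the router.
offenders_from_log() {
    printf '%s\n' "$1" |
    grep 'pound: .* e503 no service ' |
    sed -n 's/.* from \([0-9][0-9.]*\)$/\1/p' |
    grep -Ev '^(10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)' |
    LC_ALL=C sort -u |
    sed 's|$|/32 # pound-e503|'
}

# merge_into FILE LOGTEXT: append only prefixes not yet listed, so re-running
# from cron never duplicates a line (the same prefix may already be present
# with a different comment, as in the file shown above).
merge_into() {
    file=$1
    [ -f "$file" ] || : > "$file"
    offenders_from_log "$2" | while read -r cidr comment; do
        grep -qF -- "$cidr " "$file" || printf '%s %s\n' "$cidr" "$comment" >> "$file"
    done
}

# On the router: merge_into /opt/etc/birma.spam "$(cat /tmp/var/log/messages)"
```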
Folks,
I have been reading this thread. I have been looking for a solution, I am trying srv records with my DNS provider but not sure it is going to swim.
I have a WNDR3700v2 that has 16m RAM and 64m of flash. I do a ps | grep pound and see that it is in there, but I have been all over the place on all of the documentation. All I want this thing to do is take a connection coming from the outside and route it to one of several servers based on the incoming connection.
Here are the examples
citrus.fruit.com > www.fruit.com:8081
apples.fruit.com > www.fruit.com:8082
juice.fruit.com > www.fruit.com:8083
All of these web servers reside on VM's. I do not need anything fancy, all I want is when the customer uses their URL it goes to the proper VM which has one of those ports.
The VM's reside on a ESXi server, and after some appropriate time a given VM will be moved to a physical server at the customer site, so for some period of time I will end up redirecting the connection out to the customer site, but that is later on, right now I just want to set this up.
I have plenty of space on the router, so I do not believe I need to worry about space, and as I indicated it appears that pound is already in there.
I could just tell the customer to use the URL:portnumber, but they tend to go green when you ask them to do anything more than a "/"..