Pound is an HTTP/1.1 reverse proxy and load balancer. It is wonderful software because it is very simple and the code is small. Its performance and stability depend on the OpenSSL and pthread libraries.
The latest stable version of Pound is v1.7.
Changes in this version:
- Fixed bug in X-SSL-CIPHER description: the description no longer causes problems by breaking the request
- Changed README to stx format for consistency
- Added X-SSL-certificate with full client certificate contents
- Changed the old-style responses to support "streaming" mode. This should help especially OpenACS users:
  - Improved the response times on HTTP/0.9 (content without Content-length)
  - Improved response granularity on above - using unbuffered BIO functions now
- Fixed problem with IE/SSL (SSL_set_shutdown)
- Avoid error messages on premature EOF from client
- Fixed HeadRemove code so all headers are checked without exception
- Improved autoconf detection and fixed various compile-time problems
- Moved from select() to poll() in order to avoid limitations on the number of descriptors
Changes in this version:
- Callback for RSA ephemeral keys:
  - generated in a separate thread
  - used if required
  This will allow certain versions of IE to work correctly with Pound/SSL.
- New X-SSL-cipher header encryption level/method
- Added CheckURL parameter in config file - perform syntax check only if value 1 (default 0)
- Allow for empty query/param strings in URL syntax
- Additional SSL engine loading code
- Added parameter for CA certificates
  - CA list is sent to client
  - Verify client certificates up to given depth
- Fixed security vulnerability in syslog handling
The reason for this rather hasty announcement: a security vulnerability was brought to my attention (many thanks to Akira Higuchi). Everyone running any previous version should upgrade to 1.6 immediately - the vulnerability may allow a remote exploit. No exploits are currently known and none have been observed in the wild till now. The danger is minimised if you run Pound in a root jail and/or you run Pound as a non-root user.
Here are some useful patches.
There are some problems in Pound-1.7.
After Pound was upgraded from 1.6 to 1.7, poll() is not called correctly when listening on both the HTTP and HTTPS ports, so Pound appears to hang when it receives an HTTP request.
If you write the following configuration in pound.cfg, an error occurs, e.g.

### Listen HTTP and HTTPS port
ListenHTTP *,80
ListenHTTPS *,443 /etc/pound/server.pem
This is a bug in main() in pound.c. The work loop checks the value of polls[n].revents, but the variable n is also used as a temporary inside that loop, so its value may be destroyed before the next iteration.
This patch corrects the call to poll().
Save Pound-1.7-fix_poll.patch and apply it:

# wget http://namazu.org/~takesako/pound/Pound-1.7-fix_poll.patch
# tar zxvf Pound-1.7.tgz
# cd Pound-1.7
# patch -p1 < ../Pound-1.7-fix_poll.patch
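The following C program is an added illustration of the loop-index bug described above; it is constructed for this page and is neither Pound's own code nor the patch. Two pipes stand in for the HTTP and HTTPS listeners, each with one byte pending so that poll() reports both as readable; the buggy dispatch loop services only the first listener, the fixed one services both.

```c
/* Constructed illustration of the loop-index bug (not Pound's own code):
 * two pipes stand in for the HTTP and HTTPS listeners, each with one byte
 * pending, so poll() reports both of them readable. */
#include <poll.h>
#include <unistd.h>

/* Buggy pattern: the loop index n also receives the read() result, so after
 * servicing polls[0] it no longer points at the next listener. */
static int dispatch_buggy(struct pollfd *polls, int n_polls)
{
    int n, serviced = 0;
    char buf[16];
    if (poll(polls, n_polls, 0) < 0)
        return -1;
    for (n = 0; n < n_polls; n++)
        if (polls[n].revents & POLLIN) {
            n = (int)read(polls[n].fd, buf, sizeof buf); /* clobbers n */
            serviced++;
        }
    return serviced;
}

/* Fixed pattern: the index is never written inside the loop body, so every
 * listener that poll() reported ready gets serviced. */
static int dispatch_fixed(struct pollfd *polls, int n_polls)
{
    int n, serviced = 0;
    char buf[16];
    if (poll(polls, n_polls, 0) < 0)
        return -1;
    for (n = 0; n < n_polls; n++)
        if (polls[n].revents & POLLIN) {
            if (read(polls[n].fd, buf, sizeof buf) > 0)
                serviced++;
        }
    return serviced;
}

/* Run one dispatch routine against two ready listeners; returns how many it
 * serviced, or -1 if the pipes could not be set up. */
int run_dispatch(int (*dispatch)(struct pollfd *, int))
{
    struct pollfd polls[2];
    int fds[2][2], i, serviced;
    for (i = 0; i < 2; i++) {
        if (pipe(fds[i]) < 0 || write(fds[i][1], "x", 1) != 1)
            return -1;
        polls[i] = (struct pollfd){ .fd = fds[i][0], .events = POLLIN };
    }
    serviced = dispatch(polls, 2);
    for (i = 0; i < 2; i++) { close(fds[i][0]); close(fds[i][1]); }
    return serviced;
}
```

With both listeners ready, run_dispatch(dispatch_buggy) returns 1 while run_dispatch(dispatch_fixed) returns 2: the second port is starved, which is the hang the section describes.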
There are some problems in Pound-1.5.
When Pound was upgraded from 1.4 to 1.5, global directives for URL matching, such as CSsegment, CSparameter, CSqid, CSqval and CSfragment, were added.
If you access the following URLs via Pound-1.5, an error occurs, e.g.

http://www.example.com/cgi-bin/printenv.cgi?
http://www.example.com/cgi-bin/printenv.cgi?a=1&
It returns the following error message.
"501 Not Implemented"
This method may not be used.
This is a bug in check_URL() in http.c.
This patch corrects the URL matching in check_URL().
Save Pound-1.5-fix_check_url.patch and apply it:

# wget http://namazu.org/~takesako/pound/Pound-1.5-fix_check_url.patch
# tar zxvf Pound-1.5.tgz
# cd Pound-1.5
# patch -p1 < ../Pound-1.5-fix_check_url.patch
This is a simple unit test program for the fixed check_URL():

# gcc -o t01-check_url t01-check_url.c
# ./t01-check_url