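SSL wrapping + load balancing with pound
Using mod_ssl makes Apache eat up memory and CPU and is very inefficient, so let's use pound to do the SSL wrapping instead. It can also do load balancing along the way, which kills two birds with one stone.
Editing /etc/apache2/ports.conf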
- Listen 80 -> Listen 8080
Creating /etc/site-available/example
NameVirtualHost *:8080
<VirtualHost *:8080>
    ServerName example.com
    DocumentRoot /somewhere/example.com
    <Directory />
        Options Indexes FollowSymLinks
        AllowOverride FileInfo
    </Directory>
</VirtualHost>
<VirtualHost *:8080>
    ServerName example.net
    DocumentRoot /somewhere/example.net
    <Directory />
        Options Indexes FollowSymLinks
        AllowOverride FileInfo
    </Directory>
</VirtualHost>
Creating a self-signed certificate
$ sudo make-ssl-cert /usr/share/ssl-cert/ssleay.cnf /etc/apache2/ssl/apache.pem
Installing pound
$ sudo apt-get install pound
Editing /etc/default/pound
- Change the setting to "startup=1"
Editing /etc/pound/pound.cfg
## Minimal sample pound.cfg
##
## see pound(8) for details
######################################################################
## global options:
User "www-data"
Group "www-data"
#RootJail "/chroot/pound"
## Logging: (goes to syslog by default)
## 0 no logging
## 1 normal
## 2 extended
## 3 Apache-style (common log format)
LogLevel 0
## check backend every X secs:
Alive 30
## use hardware-acceleration card supported by openssl(1):
#SSLEngine "<hw>"
######################################################################
## listen, redirect and ... to:
## forward all requests on port 80 ("ListenHTTP") to the local webserver on port 8080 (see "Service" below):
ListenHTTP
    Address 192.168.xxx.xxx
    Port 80
    ## allow PUT and DELETE also (by default only GET, POST and HEAD)?:
    xHTTP 0
    Service
        BackEnd
            Address 127.0.0.1
            Port 8080
        End
    End
End
ListenHTTPS
    Address 192.168.xxx.xxx
    Port 443
    Cert "/etc/apache2/ssl/apache.pem"
    ## allow PUT and DELETE also (by default only GET, POST and HEAD)?:
    xHTTP 0
    Service
        BackEnd
            Address 127.0.0.1
            Port 8080
        End
    End
End
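
With the bare "Listen 8080" set in ports.conf above, Apache accepts plain HTTP on port 8080 on every interface, so a client that can reach that port gets the sites without going through pound or its TLS; "Listen 127.0.0.1:8080" keeps the backend on loopback only. The script below is an added example, not part of the original page, that cross-checks pound.cfg against ports.conf for this; the function names and the "ANY" marker are invented for the example.

```sh
#!/bin/sh
# Added example: check that pound's plaintext backend is not reachable directly.

# Print "address port" for each BackEnd block in a pound.cfg ($1).
pound_backends() {
    awk '
        $1 == "BackEnd"        { inb = 1; addr = ""; port = ""; next }
        inb && $1 == "Address" { addr = $2 }
        inb && $1 == "Port"    { port = $2 }
        inb && $1 == "End"     { print addr, port; inb = 0 }
    ' "$1"
}

# Print the bind address of every Apache Listen directive in $1 that uses
# port $2: "ANY" for a bare "Listen 8080", else the address before ":port".
apache_binds() {
    awk -v port="$2" '
        tolower($1) == "listen" {
            spec = $2
            n = split(spec, parts, ":")
            if (n == 1 && spec == port) print "ANY"
            else if (n > 1 && parts[n] == port) {
                sub(":" port "$", "", spec)
                print spec
            }
        }
    ' "$1"
}

# Report each loopback backend whose port Apache also binds on a
# non-loopback address. Returns 1 if any such listener exists.
audit_backend_exposure() {   # $1 = pound.cfg, $2 = Apache ports.conf
    findings=$(
        pound_backends "$1" | sort -u | while read -r addr port; do
            case "$addr" in 127.*|localhost) ;; *) continue ;; esac
            apache_binds "$2" "$port" | while read -r bind; do
                case "$bind" in
                    127.*|localhost|"[::1]") ;;
                    *) echo "EXPOSED: Apache listens on $bind port $port, so clients can skip pound" ;;
                esac
            done
        done
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Usage: sh check.sh /etc/pound/pound.cfg /etc/apache2/ports.conf
if [ "$#" -eq 2 ]; then audit_backend_exposure "$1" "$2"; fi
```

Run against the files from this page, it reports the bare "Listen 8080"; it passes once the directive is changed to "Listen 127.0.0.1:8080", which the existing <VirtualHost *:8080> blocks still match.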