pound is an http reverse proxy and load balancer

we are running pound on a firewall that nat's our administrative network. there are devices (disk arrays, temperature monitors, upses, etc) on that network that have webservers on them that we'd like to be able to view remotely. however, because we have multiple different devices, we need a layer 7 proxy that can map the requests for us. pound does exactly this

in conjunction with authpf(8), we can grant very fine-grained access to those device web pages

building pound is rather straightforward. it requires a threaded version of openssl, which is not yet the default case on the free *bsd operating systems. however, building a threaded version is fairly straightforward

first, download the source for each program to a temporary location on your hard drive

now, we'll build a threaded openssl. to keep it separate from the openssl libraries that come as a part of openbsd, we'll install ours into /usr/local/openssl (which is actually a symlink). i like to keep custom-built (read: not from ports(7)) packages in /usr/local/packagename-package-version. in this case, for openssl, we'll create a new directory, /usr/local/openssl-0.9.8, and create a symbolic link, /usr/local/openssl, to point there

cd /usr/local
mkdir openssl-0.9.8
ln -s openssl-0.9.8 openssl

after extracting the openssl sources, change into the newly created source directory. we now need to run config to get the openssl makefiles created and configured to our specifications. after running config, we'll run make, then make test to make sure everything is ok. finally, we'll run make install to install everything

./config --prefix=/usr/local/openssl --openssldir=/usr/local/openssl threads zlib shared
make
make test
make install

depending on your machine, make, make test, and make install could take quite a while. so, after some time, you'll now have a threaded openssl installation available for your use in /usr/local/openssl. but, before we build pound, we need to tell ldconfig(8) where to find our new libraries. you can do a

ldconfig /usr/local/openssl/lib

but that will only last until the next reboot. to make it permanent, consider doing the following:

grep shlib /etc/rc.conf >> /etc/rc.conf.local

then, edit /etc/rc.conf.local, and make the shlib_dirs line read

shlib_dirs="/usr/local/openssl/lib"	# extra directories for ldconfig, separated by space

now you should be set and your system should be ready to handle the threaded openssl installation. now, it's time to build pound

pound is very easy to build. we'll install it in /usr/local (it defaults there), and keep our configuration file, pound.cfg, in /etc/pound. extract the source file, then change into the newly created source directory

mkdir /etc/pound
./configure --sysconfdir=/etc/pound --with-ssl=/usr/local/openssl
make
make install

pound is fairly small and compiles fairly quickly (~2 minutes on a p3-450). once it is done building and you have installed it, you will need to create your configuration file, /etc/pound/pound.cfg. here is a sample:

# Global directives
ListenHTTP 1.2.3.4,80
User proxy
Group proxy
RootJail /var/empty
Server 3
LogLevel 1

UrlGroup ".*"
HeadRequire Host ".*scoobydoo.com.*"
BackEnd 172.31.255.201,80,9
EndGroup

UrlGroup ".*"
HeadRequire Host ".*scrappydoo.com.*"
BackEnd 172.31.255.202,80,9
EndGroup
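
the Host patterns in the sample are loose: the dots are unescaped and the pattern is wrapped in .* on both sides, so more Host values select a backend than the two names intended. the script below is an added example, not part of pound or of the original page. it assumes pound treats HeadRequire patterns as case-insensitive posix extended regexes (grep -E -i stands in for pound's matcher), and the STRICT patterns and the sample Host values are constructed for illustration

```shell
#!/bin/sh
# Model of the Host-based UrlGroup selection from the sample pound.cfg.
# Assumption: HeadRequire patterns are POSIX extended regexes matched
# case-insensitively; grep -E -i is used here in place of pound itself.

# Patterns exactly as written in the sample configuration.
LOOSE_A='.*scoobydoo.com.*'
LOOSE_B='.*scrappydoo.com.*'

# Tightened variants (constructed): dots escaped, both ends anchored,
# optional "www." prefix and optional ":80" port suffix.
STRICT_A='^(www\.)?scoobydoo\.com(:80)?$'
STRICT_B='^(www\.)?scrappydoo\.com(:80)?$'

# route HOST PATTERN_A PATTERN_B
# Prints the backend of the first group whose pattern matches HOST,
# or "none" when neither group matches.
route() {
	if printf '%s\n' "$1" | grep -Eiq -- "$2"; then
		echo 172.31.255.201
	elif printf '%s\n' "$1" | grep -Eiq -- "$3"; then
		echo 172.31.255.202
	else
		echo none
	fi
}

# Compare both pattern sets over constructed Host header values.
check_all() {
	for h in scoobydoo.com www.scrappydoo.com:80 SCOOBYDOO.COM \
	         scoobydoo-com.example notscoobydoo.com.example.net; do
		printf '%-30s loose=%-15s strict=%s\n' "$h" \
			"$(route "$h" "$LOOSE_A" "$LOOSE_B")" \
			"$(route "$h" "$STRICT_A" "$STRICT_B")"
	done
}

check_all
```

the last two Host values reach a backend with the sample patterns and reach none with the tightened ones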

once your configuration file has been created, all that's left to do is to tell openbsd to start it at boot. this is easily accomplished by adding the following to the 'local daemons' section of /etc/rc.local

if [ -x /usr/local/sbin/pound ]; then
	echo -n " pound";	/usr/local/sbin/pound >/dev/null 2>&1
fi