This modified /etc/init.d/pound automatically translates (iptables DNAT) incoming
traffic for ports 80 and 443 to the ports pound listens on.

Now you don't need to tinker with the configuration files of your web-server

Often these configuration-files are managed by a control panel (like Plesk)

 

If you start pound, the init script inserts PREROUTING DNAT rules that redirect the
traffic to the proxy; if you stop it, these rules are removed again and traffic goes
directly to the web server.

 

Note:

You do need to add an entry in your INPUT chain that accepts the TCP port pound
listens on (the DNAT target port): after translation the packets arrive on that
port, not on 80/443, so a rule that only opens 80/443 will not let them through.

I could have inserted that rule dynamically as well, but you probably want to
decide yourself where in the INPUT chain it belongs.

 

Reloading the iptables rules will drop this NAT rule, which means the Apache
server is then reached directly (the proxy is silently bypassed until pound is
restarted). Two more limits to keep in mind: the script only handles IPv4 (it
filters on "tcp " and "inet addr:" and only touches iptables, not ip6tables), so
IPv6 traffic to ports 80/443 keeps going straight to the web server; and
PREROUTING rules do not apply to connections made from the host itself, so a
local test against port 80 also bypasses pound.

 

 

# cat /etc/init.d/pound

 


#! /bin/sh
### BEGIN INIT INFO
# Provides:          pound
# Required-Start:    $remote_fs $syslog
# Required-Stop:     $remote_fs $syslog
# Should-Start:      $named
# Should-Stop:       $named
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: reverse proxy and load balancer
# Description:       reverse proxy, load balancer and
#                    HTTPS front-end for Web servers
### END INIT INFO
#
# pound - reverse proxy, load-balancer and https front-end for web-servers

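PATH=/sbin:/bin:/usr/sbin:/usr/bin
DAEMON=/usr/sbin/pound
DESC="reverse proxy and load balancer"
NAME=pound
# pound configuration the Listen* ports are read from
POUND_CFG=/etc/pound/pound.cfg

# Exit if the daemon does not exist (anymore)
test -f "$DAEMON" || exit 0

. /lib/lsb/init-functions

# Check if pound is configured or not.  /etc/default/pound holds the
# startup switch and may also set POUND_ARGS and REDIRECT.
if [ -f "/etc/default/pound" ]
then
  . /etc/default/pound
  if [ "$startup" != "1" ]
  then
    log_warning_msg "$NAME will not start unconfigured."
    log_warning_msg "Please configure; afterwards, set startup=1 in /etc/default/pound."
    exit 0
  fi
else
  log_failure_msg "/etc/default/pound not found"
  exit 1
fi

# if pound should redirect ports 80/443 to its own listeners.
# Defaults to on; can be switched off with REDIRECT=0 in /etc/default/pound.
REDIRECT=${REDIRECT:-1}

# Print the Port of the first Listen block in $POUND_CFG whose opening line
# matches $1 (case-insensitive regex), or nothing if there is none.
# Only the first "Port" directive in the 5 lines after the opener is used:
# without -m1 a Port line of a following Service/BackEnd block would be
# glued onto it by tr (e.g. "80" and "8080" -> "808080"), and anchoring on
# "Port" keeps commented-out lines from matching.
pound_listen_port ()
{
  grep -A5 -im1 "$1" "$POUND_CFG" 2>/dev/null \
    | grep -im1 '^[[:space:]]*Port[[:space:]]' \
    | awk '{print $2}' | tr -cd '0-9'
}

# Fetch first ListenHTTP
POUND_PORT=$(pound_listen_port '^ListenHTTP *$')
# Fetch first ListenHTTPS
POUND_PORTS=$(pound_listen_port '^ListenHTTPS')
# Process name as found in netstat
PROCESS=pound
# Prefix of file containing the IPs on which the process is listening
IPLIST=/var/run/${PROCESS}.iplist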

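# Write the non-loopback IPv4 addresses on which $PROCESS listens on TCP
# port $1 to "${IPLIST}.$1", one per line (the file is truncated first).
# A wildcard listener (0.0.0.0) is expanded to every IPv4 address ifconfig
# reports, so that one DNAT rule per address can be added later.
# Only IPv4 is covered: tcp6 sockets and inet6 addresses are filtered out.
# With an empty $1 only the (empty) list file is created.
getiplist ()
{
  DNAT=$1
  echo -n '' >"${IPLIST}.${DNAT}"
  if [ ! -z "${DNAT}" ] ; then
    # get IP's pound is listening to (no localhost).
    # Anchor the port on trailing whitespace so that port 80 does not
    # also pick up listeners on 800, 8080, ...; anchor the process name
    # on the "PID/name" column so a longer name containing it is skipped.
    netstat -lntp | grep 'tcp ' | grep -E "/${PROCESS}([[:space:]]|$)" \
      | egrep -o "[0-9.]+:${DNAT}[[:space:]]" | grep -v '^127\.' \
      | awk -F: '{print $1}' >"${IPLIST}.${DNAT}"
    # if it is listening to all interfaces (0.0.0.0) then get the ipv4
    # interfacelist (addresses added later are not picked up until restart)
    grep -q '0\.0\.0\.0' "${IPLIST}.${DNAT}" && ifconfig \
      | egrep -o 'inet addr:[0-9.]+' | awk -F: '{print $2}' \
      | grep -v '^127\.' >"${IPLIST}.${DNAT}"
  fi
}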

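# Add a PREROUTING DNAT rule IP:$1 -> IP:$2 for every IP listed in
# "${IPLIST}.$2" (as written by getiplist), skipping rules already present.
# $1: public port to take over (80 or 443); $2: port pound listens on.
# Returns 1 when the IP list file does not exist, 0 otherwise.
ins_ipt_rule ()
{
  DST=$1
  DNAT=$2
  [ -e "${IPLIST}.${DNAT}" ] || return 1
  echo "Check if ports need to be translated"
  while read -r IP ; do
    [ -z "${IP}" ] && continue
    # check if rule isn't yet present: compare the whole iptables-save line
    # as a fixed string, so an existing "--dport 8080" rule is not mistaken
    # for a "--dport 80" one.  iptables-save prints the host as IP/32; the
    # second form is accepted in case a version prints it without the mask.
    RULE="-A PREROUTING -d ${IP}/32 -p tcp -m tcp --dport ${DST} -j DNAT --to-destination ${IP}:${DNAT}"
    RULE_NOMASK="-A PREROUTING -d ${IP} -p tcp -m tcp --dport ${DST} -j DNAT --to-destination ${IP}:${DNAT}"
    if ! iptables-save -t nat | grep -Fxq -e "${RULE}" -e "${RULE_NOMASK}" ; then
      echo "Traffic going to ${IP}:${DST} will be translated to ${IP}:${DNAT}"
      iptables -t nat -A PREROUTING -d "${IP}" -p tcp -m tcp --dport "${DST}" \
        -j DNAT --to-destination "${IP}:${DNAT}"
    fi
  done < "${IPLIST}.${DNAT}"
}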

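# Remove the PREROUTING DNAT rule IP:$1 -> IP:$2 for every IP listed in
# "${IPLIST}.$2", if it is present.  Counterpart of ins_ipt_rule.
# $1: public port (80 or 443); $2: port pound listens on.
# Returns 1 when the IP list file does not exist, 0 otherwise.
del_ipt_rule ()
{
  DST=$1
  DNAT=$2
  [ -e "${IPLIST}.${DNAT}" ] || return 1
  echo "Check if port translations need to be deleted"
  while read -r IP ; do
    [ -z "${IP}" ] && continue
    # check if rule is present: whole-line fixed-string match, so a rule
    # for another port sharing a prefix (80 vs 8080) is not matched.
    # iptables-save prints the host as IP/32; the second form is accepted
    # in case a version prints it without the mask.
    RULE="-A PREROUTING -d ${IP}/32 -p tcp -m tcp --dport ${DST} -j DNAT --to-destination ${IP}:${DNAT}"
    RULE_NOMASK="-A PREROUTING -d ${IP} -p tcp -m tcp --dport ${DST} -j DNAT --to-destination ${IP}:${DNAT}"
    if iptables-save -t nat | grep -Fxq -e "${RULE}" -e "${RULE_NOMASK}" ; then
      echo "Traffic going to ${IP}:${DST} will NOT be translated anymore to ${IP}:${DNAT}"
      iptables -t nat -D PREROUTING -d "${IP}" -p tcp -m tcp --dport "${DST}" \
        -j DNAT --to-destination "${IP}:${DNAT}"
    fi
  done < "${IPLIST}.${DNAT}"
}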


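# The real work of an init script.
# Order matters for the NAT rules: on start they are added only after pound
# is up, on stop they are removed before pound goes down, so clients are
# never DNATed into a port nothing listens on.
case "$1" in
  start)
        log_daemon_msg "Starting $DESC" "$NAME"
        if [ ! -d "/var/run/pound" ]
        then
            mkdir -p /var/run/pound
        fi
        start_daemon $DAEMON $POUND_ARGS
        log_end_msg $?
        # Redirect port 80 and 443
        if [ "${REDIRECT:-0}" -ne 0 ] ; then
          echo "REDIRECT is enabled"
          sleep 1          # Wait to make sure it is listening
          if [ ! -z "${POUND_PORT}"  ] ; then
            getiplist "${POUND_PORT}"
            [ -s "${IPLIST}.${POUND_PORT}"  ] && ins_ipt_rule  80 "${POUND_PORT}"
          fi
          if [ ! -z "${POUND_PORTS}"  ] ; then
            getiplist "${POUND_PORTS}"
            [ -s "${IPLIST}.${POUND_PORTS}" ] && ins_ipt_rule 443 "${POUND_PORTS}"
          fi
        fi
        ;;
  stop)
        # Remove redirect for port 80 and 443 first, so traffic already
        # reaches the web server directly while pound is being stopped
        if [ "${REDIRECT:-0}" -ne 0 ] ; then
          echo "REDIRECT is enabled"
          if [ ! -z "${POUND_PORT}" ] ; then
            del_ipt_rule  80 "${POUND_PORT}"
            rm -f "${IPLIST}.${POUND_PORT}" 2>/dev/null
          fi
          if [ ! -z "${POUND_PORTS}" ] ; then
            del_ipt_rule 443 "${POUND_PORTS}"
            # the HTTPS list file has its own name; remove that one too
            rm -f "${IPLIST}.${POUND_PORTS}" 2>/dev/null
          fi
        fi
        log_daemon_msg "Stopping $DESC" "$NAME"
        killproc $DAEMON
        log_end_msg $?
        ;;
  restart|force-reload)
        # Go through the stop and start paths so the NAT rules follow the
        # daemon instead of pointing at a closed port during the restart
        "$0" stop
        sleep 1          # give the listening sockets time to close
        "$0" start
        ;;
  status)
        pidofproc $DAEMON >/dev/null
        status=$?
        if [ $status -eq 0 ]; then
            log_success_msg "$NAME is running"
        else
            log_success_msg "$NAME is not running"
        fi
        exit $status
        ;;
  *)
        echo "Usage: $0 {start|stop|restart|force-reload|status}"
        exit 1
        ;;
esac

# Fallthrough if work done.
exit 0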

 
