We had a problem with Pound 2.5 failing the "Beast Attack" test on https://www.ssllabs.com/ssltest/
We upgraded to Pound 2.7a to get round this, but had some problems with the new threading model crashing under load (above ~110 threads).

Just to share with other people that might hit this problem the pound config file we've now implemented to get round both these problems and get an A rating on the ssllabs test. You will want to hack this to your requirements.

I would really like it if Pound 2.7 proper would allow for implementation of the old threading model as per http://goochfriend.org/pound/pound_2.6_threadmodels.patch (please note we didn't apply this patch, we just set the # of threads to 4096)

========================================================================
# File starts on next line, server detail stuff has been removed
User "www-data"
Group "www-data"
Control "/var/run/pound-socket"
LogLevel 3
Alive 5
Client 120

# Increase the threads to 4096 - we tried 16000 but it didn't like it
Threads 4096

ListenHTTP
    Address 0.0.0.0
    Port 80
    Service
        BackEnd
            Address W.X.Y.Z
            Port 80
            TimeOut 60
        End
    End
End

ListenHTTPS
    Address 0.0.0.0
    Port 443
    Cert "/etc/pound/XXXX.pem"
    AddHeader "X-Was-Using-Https: on"
    # These bits are key to resist the Beast
    SSLAllowClientRenegotiation 0
    SSLHonorCipherOrder 1
    # A good ciphers list that means we get a good rating on ssllabs
    Ciphers "ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM"
    Service
        BackEnd
            Address A.B.C.D
            Port 80
            TimeOut 180
        End
        BackEnd
            Address E.F.G.H
            Port 80
            TimeOut 180
        End
        .. ETC
        Session
            Type COOKIE
            ID "PHPSESSID"
            TTL 600
        End
    End
End
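Added example, not part of the original post and not code from the Pound project: a small Python check that walks a Pound config and reports any ListenHTTPS block that lacks the two directives the post marks as key against BEAST, or has no Ciphers line. The list of block-opening keywords, the function name and both sample configs are assumptions constructed for illustration.

```python
# Values the post sets to resist BEAST; directive names are matched case-insensitively.
REQUIRED = {"sslallowclientrenegotiation": "0", "sslhonorcipherorder": "1"}
# Assumption: these are the Pound keywords that open a block closed by "End".
BLOCK_OPENERS = {"listenhttp", "listenhttps", "service", "backend", "session", "emergency"}

def audit_pound_config(text):
    """Return [(listener_line, problem), ...] for every ListenHTTPS block."""
    findings, stack, seen, start = [], [], None, 0
    for lineno, raw in enumerate(text.splitlines(), 1):
        # Simplification: treats any '#' as a comment start, even inside quotes.
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key, value = parts[0].lower(), (parts[1].strip().strip('"') if len(parts) > 1 else "")
        if key in BLOCK_OPENERS:
            stack.append(key)
            if key == "listenhttps":
                seen, start = {}, lineno
        elif key == "end":
            if stack and stack.pop() == "listenhttps":
                for name, want in REQUIRED.items():
                    if seen.get(name) != want:
                        findings.append((start, f"{name}={seen.get(name)!r}, want {want!r}"))
                if "ciphers" not in seen:
                    findings.append((start, "no Ciphers directive"))
                seen = None
        elif stack and stack[-1] == "listenhttps":
            seen[key] = value  # directive set directly on the listener, not in a nested block
    return findings

# Constructed sample inputs (placeholder address, certificate path and cipher string).
HARDENED = """ListenHTTPS
    Address 0.0.0.0
    Cert "/etc/pound/example.pem"
    SSLAllowClientRenegotiation 0
    SSLHonorCipherOrder 1
    Ciphers "HIGH:!aNULL:!MD5"
    Service
        BackEnd
            Address 192.0.2.10
        End
    End
End"""
WEAK = HARDENED.replace("    SSLAllowClientRenegotiation 0\n", "").replace("CipherOrder 1", "CipherOrder 0")

if __name__ == "__main__":
    for label, cfg in (("hardened", HARDENED), ("weak", WEAK)):
        print(label, audit_pound_config(cfg) or "OK")
```

The check only confirms the directives are present with the values used in the post; it does not evaluate the cipher string itself.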
