New User - Some Pound 2.7/2.7 Questions
"paul.hutchings" <paul.hutchings(at)protonmail.com>
2015-11-14 16:59:12
Hi,

I just got Pound up and running and have a few questions based on what I think
I know from scouring the mailing list archives.

Firstly, amazing piece of software :)

Threads - we're putting Pound in front of an Exchange box to handle OWA,
ActiveSync, and RPC over HTTPS traffic.

We have a few hundred users and using the default 128 threads things soon seemed
to grind to a halt and I found that upping the threads to 512 seems fine, but
it doesn't seem very scientific - what is the suggested way to determine how
many threads are needed please?

Sanitizing - the website says Pound "sanitizes" HTML, any info on what it looks
for and/or strips out please?

Debian - is 2.7 in the pipeline anywhere, as with 2.6 I can only get a "B" on
SSL Labs due to 1024 DHE keys in the .deb - maybe not a question for here.

I did follow this guide and appear to have a working 2.7 package with 2048 bit
DH - be interested in any thoughts on if it's doomed to fail http://blog.fili.nl/updating-a-debian-package-with-a-new-upstream-release/

Lastly, any suggestions on anything obvious that I've missed please? :)

## pound.cfg
######################################################################
## global options:
User "www-data"
Group "www-data"
#RootJail "/chroot/pound"

## Logging: (goes to syslog by default)
## 0 no logging
## 1 normal
## 2 extended
## 3 Apache-style (common log format)
LogLevel 3

## check backend every X secs:
Alive 30

## use hardware-acceleration card supported by openssl(1):
#SSLEngine ""

# poundctl control socket
Control "/var/run/pound/poundctl.socket"

# additional settings
Threads 512
IgnoreCase 1
Grace 3
TimeOut 3600

######################################################################
## https (443)

ListenHTTPS
    Address 1.2.3.4
    Port 443
    Cert "/etc/ssl/cert.pem"
    Ciphers "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"
    SSLHonorCipherOrder 1
    xHTTP 4
    Client 60

    Service "Exchange"
        URL "^/autodiscover|^/ecp|^/ews|^/exchange|^/exchweb|^/microsoft-server-activesync|^/oab|^/owa|^/public|^/rpc|^/rpcwithcert"
        HeadRequire "Host: .*(autodiscover.domain.com|mail.domain.com).*"
        Backend
            Address 2.3.4.5
            Port 443
            HTTPS
        End
    End

    Service "www-443"
        Redirect "http://www.corp dot com/"
    End

End
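An added example, not part of the post or of Pound itself: a small Python model of how the two Service blocks in the posted pound.cfg route a request (the first Service whose URL and HeadRequire patterns both match wins, and a Service with no conditions accepts everything). The two regexes are copied verbatim from the config; it assumes Pound matches URL case-insensitively because of IgnoreCase 1 and matches HeadRequire case-insensitively against each header line, and the sample requests are constructed.

```python
import re

# Patterns copied verbatim from the posted pound.cfg Service "Exchange" block.
EXCHANGE_URL = (r"^/autodiscover|^/ecp|^/ews|^/exchange|^/exchweb"
                r"|^/microsoft-server-activesync|^/oab|^/owa|^/public"
                r"|^/rpc|^/rpcwithcert")
EXCHANGE_HOST = r"Host: .*(autodiscover.domain.com|mail.domain.com).*"

# Service order as in the posted config: "Exchange" first, then the
# catch-all "www-443" redirect, which has no URL/HeadRequire conditions.
SERVICES = [
    ("Exchange", EXCHANGE_URL, EXCHANGE_HOST),
    ("www-443", None, None),
]
IGNORE_CASE = True  # "IgnoreCase 1" in the posted global section


def service_matches(url_re, head_re, path, headers):
    """Mimic Pound's per-Service checks: the URL regex is searched in the
    request path (case-insensitive because of IgnoreCase 1) and HeadRequire
    must match at least one "Name: value" header line (assumed
    case-insensitive, as header names are)."""
    url_flags = re.IGNORECASE if IGNORE_CASE else 0
    if url_re is not None and not re.search(url_re, path, url_flags):
        return False
    if head_re is not None:
        lines = [f"{name}: {value}" for name, value in headers.items()]
        if not any(re.search(head_re, line, re.IGNORECASE) for line in lines):
            return False
    return True


def route(path, headers):
    """Return the name of the first Service that accepts the request."""
    for name, url_re, head_re in SERVICES:
        if service_matches(url_re, head_re, path, headers):
            return name
    return None  # no Service matched; Pound would serve its error page


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    samples = [
        ("/owa/auth/logon.aspx", {"Host": "mail.domain.com"}),
        ("/OWA/", {"Host": "MAIL.domain.com"}),    # IgnoreCase 1 in effect
        ("/", {"Host": "mail.domain.com"}),         # falls through to redirect
        ("/owa/", {"Host": "www.corp.com"}),        # Host does not match
        ("/owa/", {"Host": "mailXdomain.com"}),     # unescaped '.' in pattern
    ]
    for path, hdrs in samples:
        print(f"{hdrs['Host']:<16} {path:<22} -> {route(path, hdrs)}")
```

The last sample shows that the unescaped dots and the trailing `.*` in the HeadRequire pattern make it a loose substring match; escaping the dots and anchoring with `$` would restrict it to the two intended hostnames.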