Pound
*****
This edition of the 'Pound Manual', last updated 21 August 2024,
documents 'pound' version 4.13.
Copyright (C) 2024 Sergey Poznyakoff
Permission is granted to copy, distribute and/or modify this
document under the terms of the GNU Free Documentation License,
Version 1.3 or any later version published by the Free Software
Foundation; with no Invariant Sections, no Front-Cover Texts, and
no Back-Cover Texts. A copy of the license is included in the
section entitled "GNU Free Documentation License."
Pound
1 Overview
2 Introduction
3 Usage
4 Simple Proxy
4.1 Service Selection
4.1.1 Regular Expressions
4.1.2 ACL
4.2 Request modifications
4.3 Conditional branches
4.4 Modifying responses
4.5 Authentication
4.6 Redirects
4.7 Error responses
5 HTTPS
5.1 ACME
5.2 Redirect HTTP to HTTPS
5.3 HTTPS backends
6 Request balancing
6.1 Sessions
7 Worker model
8 Logging
9 Configuration
9.1 Lexical structure
9.2 Syntax
9.3 String Expansions
9.3.1 Backreference expansion
9.3.2 Request Accessor Interpretation
9.4 Global directives
9.4.1 Runtime directives
9.4.2 Worker Settings
9.4.3 Proxy Tuning Directives
9.4.4 SSL Settings
9.4.5 Regular Expression Settings
9.4.6 ACL Definition
9.5 File inclusion
9.6 Logging configuration
9.7 Control socket settings
9.8 Timeouts
9.9 ListenHTTP
9.9.1 Listener address
9.9.2 Listener-specific limits
9.9.3 Error definitions
9.9.4 Listener logging
9.9.5 Request Modification
9.9.5.1 The 'rewrite' statement
9.9.6 Response Modification
9.9.6.1 The 'Rewrite response' statement.
9.9.7 Service definitions
9.10 ListenHTTPS
9.11 Service
9.11.1 Service Selection Statements
9.11.2 Request and Response Modification
9.11.3 Service Logging
9.11.4 Backends
9.11.4.1 Backend
9.11.4.2 Globally Defined Backends
9.11.4.3 Special Backends
9.11.5 Session
9.11.6 Other Statements
10 poundctl
10.1 'poundctl' commands
10.2 'poundctl' options
10.3 'poundctl' template
10.3.1 Template syntax
10.3.1.1 Actions
10.3.1.2 Arguments
10.3.2 Pipelines
10.3.3 Variables
10.3.4 Input object
10.3.4.1 Full listing
10.3.4.2 Listener
10.3.4.3 Service
10.3.4.4 Backend
Appendix A Metric Families
Appendix B Time and Date Formats
Appendix C GNU Free Documentation License
Index
1 Overview
**********
'Pound' is a reverse proxy, load balancer and HTTPS front-end for Web
servers. It was developed to provide for even distribution of load
between backend httpd servers and to allow for a convenient SSL wrapper
for those servers that do not offer it natively.
The core principles of its design are simplicity and safety. 'Pound'
is a very small program, easily audited for security problems. Normally
it runs as a non-privileged user, and can optionally be run in a
chrooted environment. With several exceptions, it does not access the
hard disk during its runtime. In short, it should pose no security
threat to the server it runs at.
The original version of 'pound' was written by Robert Segall at Apsis
GmbH(1). In 2018, I added support for newer OpenSSL to the then current
version of the program (2.8). This version of 'pound', hosted on
'github' was further modified by Rick O'Sullivan and Frank Schmirler,
who added WebSocket support.
On April 2020, Apsis started development of 'pound' 3.0 - essentially
an attempt to rewrite program from scratch, introducing dependencies on
some third-party software.
On 2022-09-19, the development and maintenance of 'pound' was
officially discontinued and Apsis GmbH was dissolved. Following that, I
decided to continue development of the program taking my fork as a base.
I considered the branch 3.0, which emerged for a short time before the
original project was abandoned, to be a failed experiment. To ensure
consistent versioning and avoid confusion, my versioning of 'pound'
started at number 4.0.
---------- Footnotes ----------
(1)
2 Introduction
**************
The job of a proxy server is to receive incoming HTTP or HTTPS requests,
route them to the corresponding web server ("backend"), wait for it to
reply and forward the response back to the querying party. If more than
one backend is configured to serve requests, the proxy should distribute
requests evenly between them, so that each backend gets a share of
requests proportional to its capacity.
'Pound' gets information about backends and instructions on HTTP
request routing from its configuration file 'pound.cfg'. It is located
in the "system configuration directory", which is normally '/etc'(1).
Syntactically, the configuration file is a sequence of "statements" and
"sections", separated by arbitrary amount of empty lines and comments.
A "simple statement" occupies a single line and consists of a keyword
("directive") and one or more values separated by whitespace. A
"section" is a compound statement that encloses other statements and
sections. Sections begin with a keyword, optionally followed by
arguments, and end with a word 'End' on a line by itself. All keywords
are case-insensitive.
The configuration file defines three kinds of objects: "listeners",
"services", and "backends". These are defined as configuration
sections.
A "listener" defines IP address (and optionally port), 'pound' will
be listening on for incoming requests. It can also be regarded as a
frontend definition. Listener declarations start with 'ListenHTTP' (for
plaintext HTTP frontends) or 'ListenHTTPS' (for HTTPS frontends)
keywords.
"Service" sections define rules that decide to which backend to route
requests received by the listeners. These rules normally involve
analysis of the requested URL or HTTP headers. A service may also
contain statements that modify requests or responses.
Services are normally declared inside listeners. Thus, when a
listener receives a request, it iterates over its services (in the order
of their appearance in the configuration file) to find the one that
matches the request. If such a service is found, it receives the
request and eventually passes it on to a backend.
Services may also be declared outside any listeners, in the global
scope. Such services are shared between all listeners. They are tried
if none of the services declared within a listener match the incoming
request.
Service declarations start with the 'Service' keyword.
"Backends" are objects that actually handle requests and produce
responses. Most often these are "regular backends", which declare IP
addresses and ports of servers that are to handle the requests.
Backends are defined inside of services, so that the service that
matched the request routes it to its backend. If more than one backend
is defined within a service, incoming requests will be distributed so
that each backend gets its share of the load.
Several special backend types are provided, such as emergency
backends, redirects, etc. Only one special backend can be declared for
a service, and it cannot be used together with other backend types.
Thus, an average request processing looks as follows. First, a
request is received by one of the listeners. The listener then iterates
over its services, until it finds one that matches the request. If no
such service was found, the listener retries the process with the
services defined in the global scope. If no matching service is found,
a 503 error ('Service Unavailable') is returned. Otherwise, if the
matching service was found, that service passes the request to one of
its backends. It may modify the request before that, if it is
instructed so by the configuration. Once the backend responds, the
service passes the response back to the listener (again, optionally
modifying it, if needed), which finally passes it back to the querying
party.
---------- Footnotes ----------
(1) The exact location depends on compilation options. When in
doubt, examine the output of 'pound -V'.
3 Usage
*******
When started, 'pound' first parses its configuration file. If any
errors are detected at this stage, it prints the appropriate diagnostics
on the standard error and exits with code 1. Otherwise, if the
configuration file is OK, 'pound' opens sockets declared in the listener
sections, detaches itself from the controlling terminal and starts
serving incoming requests. From that moment on, all diagnostic messages
are reported via 'syslog' (*note Logging::).
To check whether the configuration file is correct, run 'pound' with
the '-c' (for "check") configuration option:
pound -c
Started this way, 'pound' will check the configuration file, report
any errors, if found, and exit with status 0 if there are no errors or 1
otherwise. The option '-v' can be used to increase the verbosity level.
In particular, it instructs 'pound' to print a confirmation message on
standard error, if no errors have been encountered (by default it would
exit silently in this case).
To use alternative configuration file, supply its full pathname with
the '-f' option, e.g.:
pound -f /etc/pound/test.cfg
If you are experimenting with new configurations, you might want to
run 'pound' in foreground mode and have it print its diagnostics on the
standard error. This is done by the '-e' option. So, for testing
purposes, it is quite common to start it this way:
pound -e
Another option, '-F', has similar effect, except that it honors
logging settings from the configuration file (*note Logging::), i.e.
when used with this option, 'pound' will remain in foreground, but will
report its messages in accordance with its configuration file.
The following table summarizes all command line options:
'-c'
Check configuration file for syntax error and exit. Exit code
indicates whether the configuration is OK (0) or not (1).
'-e'
Start in foreground mode and log to standard error (or standard
output, for messages with LOG_DEBUG and LOG_INFO severity levels).
This option ignores the 'LogLevel' configuration setting (*note
Logging::).
'-F'
Foreground mode. Do not detach from the controlling terminal after
startup, but remain in the foreground instead. This overrides the
'Daemon' configuration setting (*note Daemon::). The log stream
(syslog facility or stderr) requested in the configuration file
remains in effect.
'-f FILE'
Read configuration from the supplied FILE, instead of from the
default location.
'-h'
Print short command line usage summary and exit.
'-p FILE'
Sets location of the "PID file". This is the file where 'pound'
will write its PID after startup. This option overrides the value
set by the 'PIDFile' configuration setting (*note PIDFile::).
'-v'
Verbose mode. During startup, error messages will be sent to
stderr (stdout, for 'LOG_DEBUG' and 'LOG_INFO' severities). If
'pound' is configured to log to syslog, error diagnostics will be
duplicated there as well. After startup the configuration settings
take effect.
When used with '-c' this option also instructs 'pound' to print an
extra confirmation message on standard error, if there are no
errors in the configuration file.
'-V'
Print program version, licensing terms, and configuration flags and
exit with status 0. You can use this option, in particular, to get
the default values 'pound' was built with, such as e.g.
configuration file location.
'-W FEATURE'
'-W no-FEATURE'
Enable or disable (if prefixed with 'no-') additional 'pound'
features. As of version 4.13, the following features are
implemented:
-- Feature: warn-deprecated
When parsing the configuration file, warn if it uses any
deprecated statements. This is the default. To suppress
deprecation messages, use '-W no-warn-deprecated'.
-- Feature: dns
Resolve host names found in configuration file and returned in
the 'Location:' header. This is the default.
You can use '-W no-dns' to disable it, in order to suppress
potentially lengthy network host address lookups. Make sure
if your configuration file refers to backends only by their IP
addresses in this case.
This setting affects also redirection location rewriting:
*Note RewriteLocation: Response Modification.
-- Feature: include-dir=DIR
-- Feature: no-include-dir
This controls the "include directory", i.e. the directory
where 'pound' looks for relative file names referred to in its
configuration file. *Note include directory::, for a detailed
discussion of this feature.
Using '-W include-dir=DIR' sets the new value of the include
directory.
By default, the system configuration directory is used as
include directory, so that any relative file names are looked
up there. To disable this, use the '-W no-include-dir'
option. This means that each relative filename used in
arguments to the directives in the configuration file will be
looked up in the current working directory. This is useful
mainly in testsuite.
4 Simple Proxy
**************
In this chapter we will deploy several simplest proxying configurations
to illustrate the concepts introduced above.
Suppose you have an HTTP server running on localhost port 8080, and
want to make it accessible from outside. This is achieved by the
following configuration file:
ListenHTTP
Address 0.0.0.0
Port 80
Service
Backend
Address 127.0.0.1
Port 8080
End
End
End
This configuration consists of three nested sections: 'ListenHTTP',
'Service', and 'Backend'. Each section ends with a keyword 'End' on a
line by itself.
The first thing that draws attention are 'Address' and 'Port'
statements appearing in both listener and backend sections. In
'ListenHTTP' they specify the IP address and port to listen on for
incoming requests. Address '0.0.0.0' stands for all available IP
addresses. In 'Backend' section, these keywords specify the address and
port of the remote server, where incoming requests are to be forwarded.
The 'Service' section has no matching conditions, so it will match
all requests.
4.1 Service Selection
=====================
To route requests to different servers, multiple services are used. In
this case, each service has one or more "matching rules", i.e.
statements that define conditions that a request must match in order to
be routed to that particular service. Syntactically, such rules have
the form:
KW [OPTIONS] "PATTERN"
where KW is a keyword specifying what part of the request is used in
comparison, PATTERN is a textual pattern which that part is matched
against, and OPTIONS are zero or more flags starting with a dash sign,
which define matching algorithm.
Perhaps the most often used condition is 'Host', which compares the
value of the HTTP 'Host' header with the given pattern. By default it
uses exact case-insensitive match:
Host "example.com"
To treat the pattern as a regular expression, use the '-re' option,
as in:
Host -re ".*\\.example\\.com"
Whenever we speak about regular expression we usually mean POSIX
extended regular expressions (*note POSIX extended regular expressions:
(sed)Extended regexps.). However, other regex types can also be used.
This is covered in *note Regular Expressions::.
Notice the use of double backslashes in the above example. The
backslash before each dot is needed to match it literally, while another
one protects the first one from being interpreted as an escape character
in string (*note Strings::).
Other useful options are '-beg' and '-end', which enable exact
matching at the beginning and end of the value, correspondingly. Thus,
the 'Host' statement above can be rewritten as:
Host -end ".example.com"
The set of options available for use in matching statements is
uniform. *Note Table 9.2: conditional-option, for a detailed discussion
of available options.
The following configuration snippet illustrates the use of matching
rules to select appropriate service (and, correspondingly, backend). It
will route all requests for 'www.example.com' to backend
'192.0.2.1:8080', and requests for 'admin.example.com' to
'192.0.2.4:8080':
ListenHTTP
Address 0.0.0.0
Port 80
Service
Host "www.example.com"
Backend
Address 192.0.2.1
Port 8080
End
End
Service
Host "admin.example.com"
Backend
Address 192.0.2.4
Port 8080
End
End
End
Other matching statements use POSIX regexp matching by default.
These are:
'Header'
Compare HTTP header against a pattern. E.g.
Header "Content-Type:[[:space:]]*text/.*"
'URL'
Match URL:
URL "/login/.*&name=.*"
'Path'
Match the path part of the URL:
Path -beg "/login"
'Query'
Match the query part of the URL.
'QueryParam'
Match the value of a query parameter. This statement takes two
arguments: parameter name and pattern, e.g.:
QueryParam "type" "(int)|(bool)"
*Note Service Selection Statements::, for a detailed description of
these and other matching statements.
Multiple matching rules can be used. Unless expressly specified
otherwise, they are joined by logical 'and' operation. For example:
Service
Host "www.example.com"
URL "^/admin(/.*)?"
Backend
Address 192.0.2.4
Port 8080
End
End
This service will be used for requests directed to host name
'www.example.com' whose URL begins with '/admin', optionally followed by
more path components (such as, e.g.
'http://www.example.com/admin/login').
To select a service that matches one of defined rules (i.e. combine
the rules using logical 'or'), enclose them in 'Match OR' block, as in:
Match OR
Host "example.com"
Host "www.example.com"
End
The argument to 'Match' can be 'OR' or 'AND', specifying logical
operation to be used to join the enclosed statements. The argument can
be omitted, in which case 'AND' is implied. 'Match' statements can be
nested to arbitrary depth, which allows for defining criteria of
arbitrary complexity. For example:
Service
Match OR
Host "admin.example.com"
Match AND
Host "www.example.com"
URL "^/admin(/.*)?"
End
End
Backend
Address 192.0.2.4
Port 8080
End
End
4.1.1 Regular Expressions
-------------------------
Request matching directives use POSIX extended regular expressions by
default. If 'pound' was compiled with 'PCRE' or 'PCRE2' library,
"Perl-compatible regular expressions" can be used instead. This can be
done either globally or individually for a given directive.
To change regular expression type globally, use the following
directive:
RegexType pcre
It affects all request matching directives that appear after it in
the configuration file, until next 'RegexType' directive or end of file,
whichever occurs first. To change back to POSIX regular expressions,
use 'posix' argument:
RegexType posix
Argument to the 'RegexType' directive is case-insensitive.
Regular expression type can also be selected individually for a
directive, using '-posix' or '-pcre' flags. For example:
Host -pcre -icase "(?
5.2 Redirect HTTP to HTTPS
==========================
Nowadays it is common to redirect all plain HTTP requests to HTTPS on
the same URL. The method of doing so was described in *note HTTP to
HTTPS: Redirects. As an example, this section shows a working HTTPS
configuration with such redirect.
ListenHTTP
Address 0.0.0.0
Port 80
Service
Redirect 301 "https://%[host]%[url]"
End
End
ListenHTTPS
Address 0.0.0.0
Port 443
Cert "/etc/ssl/priv/example.pem"
Disable TLSv1
Service
Backend
Address 127.0.0.1
Port 8080
End
End
End
5.3 HTTPS backends
==================
Backends can use HTTPS as well. To inform 'pound' that communication
with the backend goes over an encrypted channel, use the 'HTTPS'
keyword. The typical usage is:
Backend
Address 192.0.2.1
Port 443
HTTPS
End
Notice, that unlike other statements, 'HTTPS' is used without
arguments.
Additional directives are available for fine-tuning the connection.
If used, they must appear after the 'HTTPS' directive,
The 'Cert' directive specify the client certificate to use when
connecting. Use it if the backend requires client authentication.
The 'Disable' and 'Ciphers' directives are similar to those described
when discussing 'ListenHTTPS': the former disables the given TLS
protocol and all protocols prior to it, and the latter configures the
list of OpenSSL ciphers which the client wishes to use. The actual
cipher to use will be selected from this list during negotiation with
the backend.
The example below illustrates the use of these directives:
Backend
Address 192.0.2.1
Port 443
HTTPS
Disable TLSv1_1
Cert "/etc/pound/crt/b1.pem"
Ciphers "HIGH:!RSA"
End
6 Request balancing
*******************
When several backends are defined in a service, incoming requests will
be distributed among them. This process is called "balancing". By
default, requests are distributed equally. This can be changed by
assigning them a "priority" - a decimal number which controls a relative
weight of the given backend in the distribution algorithm. The bigger
the priority is, the more requests this backend gets from the total
flow.
The distribution algorithm is defined by "balancing strategy". As of
version 4.13, 'pound' supports two strategies: "weighted random
balancing" and "interleaved weighted round robin balancing".
"Weighted Random Balancing"
This is the default strategy. Each backend is assigned a numeric
priority between 0 and 9, inclusive. The backend to use for each
request is determined at random taking into account backend
priorities, so that backends with numerically greater priorities
have proportionally greater chances of being selected than the ones
with lesser priorities.
The share of requests a backend receives can be estimated as:
P_{i} / S(P)
where P_{i} is the priority of the backend with index i, and S(P)
is the sum of all priorities.
"Interleaved Weighted Round Robin Balancing"
Requests are assigned to each backend in turn. Backend priorities,
or weights, are used to control the share of requests received by
each backend. The greater the weight, the more requests will be
sent to this backend. In general, the share of requests assigned
to a backend is calculated by the following relation:
(P_{i} + 1) / (N + S(P))
where N is total number of backends, and P_{i} and S(P) are as
discussed above.
Weighted random balancing is used by default. Each backend gets the
default priority 5, unless another value is expressly assigned using the
'Priority' statement, e.g.:
Service
Backend
Address 192.168.0.1
Port 80
Priority 1
End
Backend
Address 192.168.0.2
Port 80
Priority 9
End
End
In this example, backend '192.168.0.2' will receive roughly 9 times
more requests than backend '192.168.0.1'.
The balancing strategy to use is defined by the 'Balancer' keyword,
which can appear either in the global scope or within a 'Service'
section. Its argument can be one of:
'random'
Use weighted random balancing (default).
'iwrr'
Use interleaved weighted round robin balancing.
The 'Balancer' statement appearing in the global scope defines
balancing strategy for all services that don't have 'Balancer' statement
on their own.
6.1 Sessions
============
Some web applications attempt to introduce state persistence into the
stateless HTTP protocol, by defining "sessions" using various
mechanisms, such as specially defined headers, cookies, etc. For such
applications it is critical that all requests that belong to a single
"session" be directed to the same server, i.e. backend. Clearly, this
disrupts the balancer logic, and requires that the proxy be able to
understand the backend's notion of session.
'Pound' is able to detect and track sessions identified by client
address, Basic authentication (user id/password), URL parameter, cookie,
HTTP parameter, and HTTP header value.
Session tracking is enabled on a per-service basis by a 'Session'
section. The section must contain at least the 'Type' directive, which
specifies what type of session tracking to use, and the 'TTL' directive,
supplying session idle timeout in seconds.
Session types are case-insensitive. They are summarized in the table
below:
'IP'
The 'IP' session tracking type instructs 'pound' to forward all
requests from the same client IP address to the same backend
server:
Session
Type IP
TTL 300
End
'Basic'
Using this session tracking type, 'pound' parses the
'Authentication' header of each request. If the header is present,
and specifies the 'Basic' authentication type, user ID is extracted
from it. Requests with the same user ID are forwarded to the same
backend server.
Session
Type Basic
TTL 300
End
'URL'
This tracking scheme uses the value of URL query parameter to
define a session. The parameter name is supplied using the 'ID'
directive:
Session
Type URL
TTL 300
ID "sess"
End
In this example, sessions are identified by the 'sess' parameter,
The request URL might look like 'http://example.org?sess=123'.
'Cookie'
The 'Cookie' tracking type use a certain cookie to identify
sessions. The cookie name is given by the 'ID' directive:
Session
Type Cookie
TTL 300
ID "sess"
End
'Header'
Sessions are identified by the value of HTTP header whose name is
given by the 'ID' directive, e.g.:
Session
Type Header
ID "X-Session"
TTL 300
End
'Parm'
This is the least useful scheme. Sessions are identified by HTTP
parameter - a string that appears after a semicolon in the URL,
such as 'bar' in 'http://foo.com;bar'
Session
Type PARM
TTL 300
End
7 Worker model
**************
Each incoming request is processed by a specific "worker", i.e. a
thread in the running program. Total number of running workers is
controlled by three configuration parameters. 'WorkerMinCount' defines
the minimum number of workers that should always be running (5, by
default). Another parameter, 'WorkerMaxCount' sets the upper limit on
the number of running workers (it defaults to 128).
At each given moment, a worker can be in one of two states: "idle" or
"active" (processing a request). If an incoming request arrives when
all running workers are active, and total number of workers is less than
'WorkerMaxCount', a new thread is started and the new request is handed
to it. If the number of active workers has already reached maximum, the
new request is added to the "request queue", where it will wait for a
worker to become available to process it.
The third parameter, 'WorkerIdleTimeout', specifies maximum time a
thread is allowed to spend in the idle state. If a worker remains idle
longer than that and total number of workers is greater than the
allotted minimum ('WorkerMinCount'), this idle worker is terminated.
8 Logging
*********
'Pound' can send its diagnostic messages to standard error, syslog, or
to both.
Upon startup, while the configuration file is being parsed, the
diagnostics goes to the standard error. Once it switches to the
operation mode and starts serving requests, diagnostic output is
switched to syslog. The syslog facility to use is configured via the
'LogFacility' configuration directive. By default, 'daemon' is used.
When running in foreground mode, the '-e' command line option
instructs 'pound' to use standard error for logging, thus overriding the
settings from the configuration file.
Normally, 'pound' is not very loquacious in logging: only errors are
reported. Logging of each incoming request can be configured using the
'LogLevel' directive. It can be used either in listener scope, in which
case it affects only this particular listener, or in global scope, where
it affects all listeners that don't configure it on their own. The
value of this directive can be either an integer number in range 0
through 5 (inclusive), or a quoted string. Numeric value requests one
of the "built-in log formats". String value refers either to a built-in
format name, or to a user-defined format name.
The built-in formats are:
0
null
No request logging at all.
1
regular
For each request, its source address, request line and response
status are logged.
2
extended
In addition to the above, the selected service and backend are
shown.
3
vhost_combined
Detailed request logging using Apache-style "Combined" log format.
4
combined
Same as above, but without virtual host information.
5
detailed
Same as 'combined', with additional information about the selected
service and backend.
If the string argument to 'LogLevel' is not one of the above, it must
refer to the name of a "custom format", defined earlier using the
'LogFormat' statement. This statement takes two string arguments: the
name to be assigned to the new format, and its definition.
"Format definition" is a character string composed of ordinary
characters (not '%'), which are copied unchanged to the resulting log
message, and conversion specifications, each of which are replaced by a
corresponding piece of information about the request or reply.
Conversion specifications are single characters prefixed with a
percent sign. Depending on the specification, an optional "conversion
argument" in curly brackets may appear between '%' and conversion
character.
The following conversion characters are defined:
-- Format specifier: %%
Replaced with the percent sign.
-- Format specifier: %a
Originator IP address of the request. If the request contains
'X-Forwarded-For' header and 'TrustedIP' ACL is defined, the value
of the header is consulted to obtain the IP address. The value
must be a comma-delimited list of intermediate user-agent IP
addresses. To determine the actual user-agent IP, the list is
traversed from right to left, until an IP is found that is not
listed in 'TrustedIP' ACL.
If 'X-Forwarded-For' is not present, or 'TrustedIP' is not defined,
or the above algorithm does not return an IP address, '%a' expands
to the actual remote IP address the request came from (same as
'%h').
The 'TrustedIP' ACL can be defined in global scope, or in
'ListenHTTP' ('ListenHTTPS') section, or in 'Service' section.
Most-specific ACL overrides least-specific ones, that is a
'TrustedIP' defined in 'Service' will be used, if it is defined.
If not, the one defined in listener will be used, etc. The syntax
of the 'TrustedIP' statement is the same as that of 'ACL', i.e.
TrustedIP "NAME"
refers to the named ACL NAME (which must be defined earlier, *note
ACL::), and
TrustedIP
"CIDR0"
"CIDR1"
...
End
defines the list of trusted IPs in place.
If needed, the 'ForwardedHeader' statement may be used to declare
the name of the header to use instead of 'X-Forwarded-For'. As
'TrustedIP', this statement can appear in global, listener, or in
service scope.
-- Format specifier: %A
Local IP address of the listener.
-- Format specifier: %B
Size of response in bytes, excluding headers.
-- Format specifier: %b
Same as '%B', but in "CLF" format, i.e. a dash is used when
response size is zero.
-- Format specifier: %D
The time taken to serve the request, in microseconds.
-- Format specifier: %h
Client IP address of the request.
-- Format specifier: %H
The request protocol.
-- Format specifier: %{HDR}i
The contents of 'HDR:' header line in the request. Changes made by
header modification directives affect this.
-- Format specifier: %{HDR}I
Same as '%i', except that if no such header is present in the
request, a dash is substituted.
-- Format specifier: %{OBJ}L
Location of the 'pound' object that is involved in handling the
request. Valid values for OBJ are: 'listener', 'service', and
'backend'.
The location gives position in the configuration file where the
object was defined, and is formatted as
NAME:LN1.COL1-LN2.COL2
where NAME is the configuration file name, LN1 and COL1 are line
and column where the object definition begins, LN2 and COL2 are
line and column where it ends. Line and column numbers start with
1.
-- Format specifier: %m
The request method.
-- Format specifier: %{OBJ}N
Name of 'pound' object that is involved in handling the request.
Valid values for OBJ are: 'listener', 'service', and 'backend'.
-- Format specifier: %P
Thread ID of the serving thread.
-- Format specifier: %q
The query string (prepended with a '?') if it exists, otherwise an
empty string.
-- Format specifier: %r
First line of request.
-- Format specifier: %s
Response status code.
-- Format specifier: %>s
First line of the response.
-- Format specifier: %t
Time the request was received, in the format '[18/Sep/2011:19:18:28
-0400]'. The last number indicates the timezone offset from UTC.
-- Format specifier: %{FORMAT}t
Time the request was received, in the format specified by the
argument (*note Time and Date Formats::). If the format starts
with 'begin:' (default) the time is taken at the beginning of the
request processing. If it starts with 'end:', it is the time after
the response from the backend has been sent back to the requester.
In addition to 'strftime' formats, the following specifications are
recognized:
sec
Number of seconds since the Epoch.
msec
Number of milliseconds since the Epoch.
usec
Number of microseconds since the Epoch.
msec_frac
Millisecond fraction of the time.
usec_frac
Microsecond fraction of the time.
-- Format specifier: %T
The time taken to process the request, in seconds.
-- Format specifier: %{UNIT}T
The time taken to process the request, in a time unit given by
UNIT. Valid units are 'ms' for milliseconds, 'us' for
microseconds, 's' for seconds, and 'f' for seconds with fractional
part. Using 's' gives the same result as '%T' without any format;
using 'us' gives the same result as '%D'.
-- Format specifier: %u
Remote user if the request was authenticated.
-- Format specifier: %U
The URL path requested. This is affected by request modification
directives.
-- Format specifier: %v
The listener name.
The table below describes the built-in formats in terms of format
definitions:
0
null
""
1
regular
"%a %r - %>s"
2
extended
"%a %r - %>s (%{Host}i/%{service}N -> %{backend}N) %{f}T sec"
3
vhost_combined
"%{Host}I %a - %u %t \"%r\" %s %b \"%{Referer}i\" \"%{User-Agent}i\""
4
combined
"%a - %u %t \"%r\" %s %b \"%{Referer}i\" \"%{User-Agent}i\""
5
detailed
(Split in two lines for readability)
"%{Host}I %a - %u %t \"%r\" %s %b \"%{Referer}i\" \"%{User-Agent}i\"
(%{service}N -> %{backend}N) %{f}T sec"
9 Configuration
***************
A configuration file provides 'pound' with the information necessary for
performing its tasks. Some configuration file statements can be
overridden from the command line.
9.1 Lexical structure
=====================
Lexically, the file contains tokens of three types: keywords, values,
and separators. Blanks, tabs, newlines and comments, collectively
called "white space" are ignored except as they serve to separate
tokens. Some white space is required to separate otherwise adjacent
keywords and values.
"Comments" may appear anywhere where white space may appear in the
configuration file. A comment begins with a hash sign ('#') and
continues to the end of the line.
A "keyword" is a sequence of ASCII letters, digits and underscores
that begins with an ASCII letter or underscore. Keywords are always
case-insensitive.
There are three kinds of "values": numeric values (or "numbers"),
boolean values, quoted strings, and IP addresses.
"Numbers"
A "numeric value" is a sequence of decimal digits.
"Booleans"
A "boolean" is one of the following: 'yes', 'true', 'on' or '1',
meaning "true", and 'no', 'false', 'off', '0' meaning "false".
"Strings"
A "quoted string" or "string", for short, is a sequence of
characters enclosed in a pair of double quotes. A backslash ('\')
appearing within a string acts as an "escape character": if it is
followed by a double-quote or another backslash, it forces the
character that follows it to be treated as an ordinary one. For
example:
"string with \" character"
A backslash followed by any character other than '"' or '\' is
removed and a warning to that effect is output. For example, the
following statement:
user "r\oot"
appearing at line 1 of file 'pound.cfg' will result in the
following message:
pound.cfg:1.8: unrecognized escape character
and will be treated as
user "root"
"IP addresses"
IP addresses are IPv4 or IPv6 addresses in numeric form, or
hostnames.
9.2 Syntax
==========
Syntactically, 'pound' configuration is a sequence of statements of two
kinds: simple and compound.
A "simple statement" or "directive" consists of a keyword followed by
a value, located on a single line. For example:
user "proxy"
There are some simple statements that don't take any value and thus
consist only of a keyword, e.g.
HTTPS
A "compound statement" or "section" encloses one or more other
statements (both simple or compound). It begins with a keyword,
optionally followed by a value, both located on a single line (similar
to simple directives), followed by any number of subordinate statements,
and ends with a keyword 'End' on a line by itself. For example:
Control
Socket "/run/pound.sock"
Mode 660
ChangeOwner true
End
Unless specified otherwise, directives may appear in any order.
9.3 String Expansions
=====================
String arguments to some configuration statements undergo several
"expansions" before use. The "backreference expansion" replaces special
notations in the string called "backreferences" with corresponding parts
of the request recently matched against a regular expression. The
"request accessor interpretation" inserts some fragments of the request
URL into the string.
These expansions are discussed in detail below.
9.3.1 Backreference expansion
-----------------------------
Backreference is a construct that refers to a "parenthesized group"
within a regular expression matched by one of service matching
directives (*note Service Selection Statements::). During backreference
expansion, each occurrence of such construct is replaced with the actual
value of that parenthesized group.
Syntactically, backreferences can take two forms. The construct
'$N', where N is a decimal number, refers to Nth parenthesized
subexpression of the most recently matched statement, and the construct
'$N(M)' refers to Nth parenthesized subexpression in the Mth recently
matched statement. Numbering of subexpressions starts at 1 ('$0' refers
to entire matching string). Numbering of matches starts at 0.
For example, given the following statements
Host -re "www\\.(.+)"
Header -re -icase "^Content-Type: *(.*)"
Path "^/static(/.*)?"
'$1' refers to the subgroup of 'Path', '$1(1)' refers to that of
'Header', and '$1(2)' to that of 'Host'.
Curly braces may be used to avoid incorrectly parsing text fragment
that follows the reference as being its part. This is useful if the
reference is immediately followed by a decimal digit or opening
parenthesis, as in: '${1}(text)'.
To insert a literal dollar or percent sign in the string, use '$$' or
'$%', correspondingly.
9.3.2 Request Accessor Interpretation
-------------------------------------
"Request accessor" is a syntactical construct of the form:
%[NAME]
where NAME denotes a part of the incoming request to access and square
brackets are part of the construct. Accessors are interpreted and
replaced with the value of the corresponding part of the request. Some
accessors take an argument, which is specified after accessor name and
is delimited from it by one or more whitespace characters.
The following accessors are defined:
-- Accessor: url
Request URL.
-- Accessor: path
Request path.
-- Accessor: query
Query part.
-- Accessor: param NAME
The value of the query parameter NAME.
-- Accessor: header NAME
The value of HTTP header NAME.
-- Accessor: host
Hostname part of the HOST header. If the latter does not include
port number, it is equivalent to '%[header host]'.
-- Accessor: port
If the value of the 'Host' header includes port number, '%[port]'
expands to port number with the leading colon character.
Otherwise, it expands to empty string.
9.4 Global directives
=====================
Global directives configure the program operation as a whole. They may
appear anywhere at the global scope of the configuration file, although
it is customary for them to be at its start.
9.4.1 Runtime directives
------------------------
-- Global directive: Daemon BOOL
When set to 'true' (the default), 'pound' will detach itself from
the controlling terminal after successful parsing of the
configuration file and continue operating in the background.
When set to 'false', 'pound' will continue operating in the
foreground.
This setting can be overridden by the '-F' and '-e' command line
options.
-- Global directive: Group "GROUP_NAME"
Sets the group 'pound' will run as. If not set, the primary group
of the user (as set by the 'User' directive) will be used.
-- Global directive: PIDFile "FILENAME"
Sets the name of the file where to store program PID. This can be
also be set from command line, using '-p' command line option
(*note Usage::).
Notice the following:
1. When running with a supervisor, this file holds PID of the
supervisor process. Otherwise, it holds PID of the main This
means it is always suitable for signalling the program using
the traditional 'kill `cat filename`' technique.
2. Before shutting down, 'pound' removes this file. However, it
may fail to do so if it switches to privileges of another user
after startup (at least one of 'User' or 'Group' are set in
the configuration file) and the file is stored in a directory
whose permissions forbid write access for that user.
-- Global directive: Supervisor BOOL
When running in daemon mode, start a "supervisor" process. This
process, in turn, will start main 'pound' process and will further
monitor it, restarting it if it fails.
The default is 'true'.
-- Global directive: RootJail "DIRECTORY"
If this directive is present, 'pound' will use the system 'chroot'
call to set the root directory of the process to that specified by
DIRECTORY. After that, the program won't be able to access any
files outside that directory.
Before chrooting, 'pound' makes the necessary preparations to be
able to access the files it needs during operation, in particular
user databases supplied with the 'BasicAuth' statements (*note
Authentication::).
-- Global directive: User "USER_NAME"
Configures the user 'pound' will run as.
9.4.2 Worker Settings
---------------------
-- Global directive: WorkerMinCount N
Sets minimum number of worker threads that must always be running.
The default is 5. *Note Worker model::.
-- Global directive: WorkerMaxCount N
Sets maximum number of worker threads. The default is 128. *Note
Worker model::.
-- Global directive: WorkerIdleTimeout N
Sets idle timeout for a worker thread, in seconds. Default is 30
seconds. *Note Worker model::.
-- Global directive: Threads N
This statement, retained for backward compatibility with previous
versions of pound, is equivalent to:
WorkerMinCount N
WorkerMaxCount N
9.4.3 Proxy Tuning Directives
-----------------------------
-- Global directive: BackendStats BOOL
Whether to enable backend statistics collection. Backend
statistics consists of the following values:
1. Total number of requests processed by this backend.
2. Average time per request.
3. Standard deviation of the average time per request.
If enabled, these values are made available via 'poundctl' (*note
poundctl list::) and telemetry output (*note Metrics::).
-- Global directive: Balancer ALGO
Sets the request balancing algorithm to use. Allowed values for
ALGO are:
random
Use weighted random balancing algorithm.
iwrr
Use interleaved weighted round robin balancing.
*Note Balancer::, for a detailed discussion of these algorithms.
The 'Balancer' statement in global scope applies to all 'Service'
definitions in the file that don't contain 'Balancer' definitions
of their own.
-- Global directive: HeaderOption OPT ...
Sets default header addition options. One or more arguments are
allowed, each being one of:
'off'
Disable additional headers.
'forwarded'
Add 'X-For-warded-For', 'X-Forwarded-Proto', and
'X-Forwarded-Port' headers.
'ssl'
Pass information about SSL certificates in a set of 'X-SSL-*'
headers. This will add the following headers:
X-SSL-Cipher
SSL version followed by a slash and active cipher
algorithm.
X-SSL-Certificate
The full client certificate (multi-line).
X-SSL-Issuer
Information about the certificate issuer (CA).
X-SSL-Subject
Information about the certificate owner.
X-SSL-notAfter
End of validity date for the certificate.
X-SSL-notBefore
Start of validity date for the certificate.
X-SSL-serial
Certificate serial number (in decimal).
The default is:
HeaderOption forwarded ssl
This setting can be overridden for a particular listener using the
'HeadOption' within it.
9.4.4 SSL Settings
------------------
-- Global directive: SSLEngine "NAME"
Use an OpenSSL hardware acceleration card called NAME. Available
only if OpenSSL-engine is installed on your system.
-- Global directive: ECDHcurve "NAME"
Use the named curve for elliptical curve encryption.
9.4.5 Regular Expression Settings
---------------------------------
-- Global directive: RegexType TYPE
Sets the type of regular expressions to use in request matching
statements. Allowed values for TYPE are: 'posix' and 'pcre' (or
'perl'), case-insensitive. The latter requires compilation time
support.
The selected regular expression type remains in effect for all
request matching directives that follow this statement, until next
'RegexType' statement or end of the configuration file, whichever
occurs first.
Regular expression type can be set individually for a directive,
using the '-pcre' or '-posix' option (*note Table 9.2:
conditional-option.).
*Note Regular Expressions::, for a detailed discussion.
-- Global directive: IgnoreCase BOOL
Ignore case when doing regex matching (default: 'false'). This
directive sets the default for the following service matching
directives: 'URL', 'Path', 'QueryParam', 'Query', 'StringMatch', as
well as for the 'DeleteHeader' modification directive. Its value
can be overridden for specific services.
This statement is deprecated and will be removed in future
versions. Please, use the '-icase' option to the matching
directive instead (*note Table 9.2: conditional-option.).
9.4.6 ACL Definition
--------------------
-- Global directive: ACL "NAME"
Define a "named access control list". An "ACL" is a list of
network addresses in CIDR notation, one address per line,
terminated with an 'End' directive on a line by itself. E.g.:
ACL "secure"
"192.0.2.0/26"
"203.0.113.0/24"
End
The 'Include' directive is allowed within the ACL section. Named
ACLs can be used in 'Service' definitions to limit access to
services from certain IP addresses only. *Note ACL::, for a
detailed discussion of this.
9.5 File inclusion
==================
-- Global directive: Include "FILE"
Include FILE as if it were part of the configuration file. If FILE
is a relative file name, it will be looked in the "include
directory" (see below).
This directive is allowed both at topmost level and in any
subsections of the configuration file.
-- Global directive: IncludeDir "DIR"
Set the "include directory", i.e. the directory where 'pound'
looks for relative file names that appear in other configuration
directives: 'Include', 'BasicAuth', 'ErrorFile' (or 'Err400'
through 'Err503'), as well as in the argument to '-file' option in
service matching directives (*note -file::).
The default value is the system configuration directory as set at
compile time (you can check its value in the output of 'pound -V').
This initial value can be changed in the command line using the '-W
include-dir=DIR' command line option or reset to the current
working directory using the '-W no-include-dir' option (*note
Usage::).
9.6 Logging configuration
=========================
-- Global directive: LogFacility NAME
-- Global directive: LogFacility -
Sets the 'syslog' facility to use for logging. Allowed names are:
'auth', 'authpriv', 'cron', 'daemon', 'ftp', 'kern', 'lpr'.
'mail', 'news', 'user'. 'uucp', and 'local0' through 'local7'.
The second form configures "default log destination". If 'pound'
runs in foreground, log messages with priority 'LOG_DEBUG' and
'LOG_INFO' go to stdout, and messages with the remaining priorities
are printed to stderr. If 'pound' runs as a daemon, log messages
go to the syslog facility 'daemon'.
-- Global directive: LogFormat "NAME" "FORMAT_DEF"
Define request logging format. NAME is a string uniquely
identifying this format, and FORMAT_DEF is the format string
definition. *Note Logging::, for a detailed description of format
definition syntax.
-- Global directive: LogLevel "NAME"
-- Global directive: LogLevel N
Specify the format to use to log HTTP requests. NAME is a name of
a custom format, defined earlier using the 'LogFormat' directive,
or one of six built-in format names.
If numeric argument is used, it refers to a built-in format by its
number (0 through 5).
*Note Logging::, for a detailed description of HTTP request
logging.
-- Global directive: LogTag "STRING"
Sets the string to tag syslog messages with. By default, it is the
name of the program (more precisely, the name which was used to
start it).
-- Global directive: ForwardedHeader "NAME"
Defines the name of the HTTP header that carries the list of
proxies the request has passed through. Default value is
'X-Forwarded-For'. This header is used to determine the originator
IP address for logging. *Note %a::, for details.
-- Global directive: TrustedIP
Defines a list of "trusted proxy" IP addresses, which is used to
determine the originator IP. *Note %a::, for details.
This statement is a special form of 'ACL' statement, described
below. It can appear in two forms: as a "section" or as a
"directive". When used as a section, it is followed by a list of
one or more CIDRs each appearing on a separate line. The 'End'
keyword terminates the statement, e.g.:
TrustedIP
"127.0.0.1/8"
"10.16.0.0/16"
End
In directive form, this statement takes a single argument, the name
of an access control list defined earlier using the 'ACL'
statement, e.g.
TrustedIP "proxy_addresses"
-- Global directive: Anonymise
-- Global directive: Anonymize
When logging, replace the last byte of client IP addresses with 0.
Default: log the client address in full.
9.7 Control socket settings
===========================
'Pound' can be instructed to listen on a UNIX socket for management
requests, which will allow you to obtain information about the running
instance, change state of configured listeners, services, and backends,
etc. These requests are normally issued by the poundctl utility (*note
poundctl::).
Properties of this "control socket" are configured via the 'Control'
statement. It has two forms: "directive" and "section".
-- Global directive: Control "FILENAME"
Create a UNIX socket FILENAME and listen on it for management
requests. The file will be owned by the user that started 'pound'
(normally 'root') and have mode 0600.
In section form, the 'Control' statement allows for specifying file
mode and, to certain extent, socket file ownership. The section can
contain the following statements:
-- Control statement: Socket "FILENAME"
Specifies the name of the socket file to use. This is the only
mandatory statement in the section form.
-- Control statement: Mode OCTAL
Sets the mode of the socket file.
-- Control statement: ChangeOwner BOOL
This statement takes effect if at least one of 'User' or 'Group'
global statements is used. When set to 'true' it will change the
owner of the socket file to that specified by those two statements.
An example of using the 'Control' section:
Control
Socket "/run/pound.sock"
Mode 660
ChangeOwner true
End
9.8 Timeouts
============
Directives discussed in this section set various timeout values. Their
argument is an integer expressing the value in seconds.
-- Global directive: Alive N
Specify how often should 'pound' check for the status of backend
servers marked as "dead" (i.e. inaccessible). It is a good idea
to set this as low as possible - it will find resurrected hosts
faster. However, if you set it too low it will consume resources.
Default is 30 seconds.
-- Global directive: Client N
Specify for how long 'pound' will wait for a client request
(default: 10 seconds). It will drop the connection if client
doesn't send any data within this interval.
This value can be overridden for specific listeners.
-- Global directive: TimeOut N
Specify for how long 'pound' will wait for the backend to respond
(default: 15 seconds).
This value can be overridden for specific backends.
-- Global directive: ConnTO N
Specify for how long 'pound' will wait for a connection to a
backend to be established. Default is the same as the 'TimeOut'
value.
This value can be overridden for specific backends.
-- Global directive: WSTimeOut N
Specify for how long 'pound' will wait for data from either backend
or client in a connection upgraded to WebSocket protocol. Default
is 600 seconds.
This value can be overridden for specific backends.
-- Global directive: Grace N
How long should 'pound' continue to answer existing connections
after a receiving a 'INT' or 'HUP' signal (default: 30 seconds).
The configured listeners are closed immediately. You can bypass
this behaviour by stopping 'pound' with a 'TERM' or 'QUIT' signal,
in which case the program exits without any delay.
9.9 ListenHTTP
==============
The 'ListenHTTP' section declares a listener operating in plaintext HTTP
mode. The section declaration begins with the keyword 'ListenHTTP'
optionally followed by a string supplying symbolic name for that
listener, e.g.:
ListenHTTP "main"
...
End
The symbolic name can be used in log messages (*note '%{OBJ}N': log
format.) and in 'poundctl' (*note poundctl::) requests to identify that
listener. If the name is not supplied, the listener can be identified
by its ordinal number (0-based) in the configuration file.
9.9.1 Listener address
----------------------
-- ListenHTTP directive: Address ADDRESS
The IP address that 'pound' will listen on. This can be a numeric
IPv4 or IPv6 address, a symbolic host name that must be resolvable
at runtime (unless the '-Wno-dns' option is used), or a full
pathname of a UNIX socket. To listen on all available interfaces,
use '0.0.0.0'.
Either 'Address' or 'SocketFrom' (see below) must be present in
each 'ListenHTTP' section.
-- ListenHTTP directive: Port N
The port number or service name (as per '/etc/services' that this
listener will listen on. This directive must be present, unless
the 'Address' directive specifies a UNIX socket.
-- ListenHTTP directive: SocketFrom "PATHNAME"
Read the socket to listen on from the UNIX socket supplied by
PATHNAME. If this parameter is supplied, neither 'Address' nor
'Port' may be used. This parameter is intended for use in 'pound'
testsuite.
9.9.2 Listener-specific limits
------------------------------
-- ListenHTTP directive: Client N
Specify for how long 'pound' will wait for a client request
(default: 10 seconds). It will drop the connection if client
doesn't send any data within this interval.
This statement overrides the global timeout value (*note
Timeouts::) for this particular listener.
-- ListenHTTP directive: MaxRequest N
Limits the maximum allowed size of incoming requests. A request
bigger than that will be responded with status 413.
By default, there is no limit on the request size.
-- ListenHTTP directive: MaxURI N
Limits the maximum allowed length of incoming request URI. A
request with an URI longer than that will be responded with status
414.
By default, there is no limit on the URI length.
-- ListenHTTP directive: CheckURL "PATTERN"
Define a pattern that must be matched by each request sent to this
listener. A request that does not match will be returned a 501
status.
-- ListenHTTP directive: xHTTP N
Defines which HTTP method are accepted. The possible values are:
0
Accept only standard HTTP methods: 'GET', 'POST', 'HEAD'.
This is the default.
1
Allow also extended HTTP methods: 'PUT', 'PATCH', 'DELETE'.
2
Additionally allow standard WebDAV methods: 'LOCK', 'UNLOCK',
'PROPFIND', 'PROPPATCH', 'SEARCH', 'MKCOL', 'MOVE', 'COPY',
'OPTIONS', 'TRACE', 'MKACTIVITY', 'CHECKOUT', 'MERGE',
'REPORT'.
3
Additionally allow MS extension WebDAV methods: 'SUBSCRIBE',
'UNSUBSCRIBE', 'NOTIFY', 'BPROPFIND', 'BPROPPATCH', 'POLL',
'BMOVE', 'BCOPY', 'BDELETE', 'CONNECT'.
9.9.3 Error definitions
-----------------------
When 'pound' returns an error status, it uses built-in error-specific
description code and status page template. These values can be
customized using the 'ErrorFile' statement.
-- ListenHTTP directive: ErrorFile CODE "FILENAME"
Read HTML page for HTTP status code CODE from file FILENAME.
The CODE argument is a three-digit HTTP response status, and
FILENAME is the name of a file which supplies text of the error
page to be returned. The file is read once, at program startup.
For compatibility with 'pound' versions up to 4.11, the following
statement is also recognized:
ErrNNN "FILENAME"
where NNN is a three-digit HTTP status code. This statement is entirely
equivalent to
ErrorFile NNN "FILENAME"
'Pound' produces only a subset of all possible status codes, so not
all NNN codes are allowed. The discussion below lists available HTTP
codes, along with the error description and default error page text.
-- HTTP status: 400
'Bad Request'
Your browser (or proxy) sent a request that this server could
not understand.
-- HTTP status: 401
'Unauthorized'
This server could not verify that you are authorized to access
the document requested. Either you supplied the wrong
credentials (e.g., bad password), or your browser doesn't
understand how to supply the credentials required.
-- HTTP status: 403
'Forbidden'
You don't have permission to access this resource. It is
either read-protected or not readable by the server.
-- HTTP status: 404
'Not Found'
The requested URL was not found on this server.
-- HTTP status: 405
'Method Not Allowed'
The request method is not supported for the requested
resource.
-- HTTP status: 413
'Payload Too Large'
The request content is larger than the proxy server is able to
process.
-- HTTP status: 414
'URI Too Long'
The length of the requested URL exceeds the capacity limit for
this server.
-- HTTP status: 500
'Internal Server Error'
The server encountered an internal error and was unable to
complete your request.
-- HTTP status: 501
'Not Implemented'
The server does not support the action requested.
-- HTTP status: 503
'Service Unavailable'
The server is temporarily unable to service your request due
to maintenance downtime or capacity problems. Please try
again later.
9.9.4 Listener logging
----------------------
Following statements are similar to the ones described in *note Logging
configuration::, but apply only to the listener they appear in.
-- ListenHTTP directive: LogLevel "NAME"
-- ListenHTTP directive: LogLevel N
Specify the format to use to log HTTP requests. NAME is a name of
a custom format, defined earlier using the 'LogFormat' directive,
or one of six built-in format names.
If numeric argument is used, it refers to a built-in format by its
number (0 through 5).
*Note Logging::, for a detailed description of HTTP request
logging.
-- ListenHTTP directive: ForwardedHeader "NAME"
Defines the name of the HTTP header that carries the list of
proxies the request has passed through. Default value is
'X-Forwarded-For'. This header is used to determine the originator
IP address for logging. *Note %a::, for details.
-- ListenerHTTP directive: TrustedIP
Defines a list of "trusted proxy" IP addresses, which is used to
determine the originator IP. *Note %a::, for details.
9.9.5 Request Modification
--------------------------
The statements discussed in this subsection modify incoming requests
prior to passing them to the backend. These same set of statements can
also be used in 'Service' section (*note Service::). When appearing in
both sections, the directive from 'ListenHTTP' ('ListenHTTPS') section
are applied first, followed by directives from the 'Service' section.
Directives from the same section are applied in order of their
appearance.
-- ListenerHTTP directive: RewriteDestination BOOL
If set to 'true', the 'Destination:' request header will be changed
to point to the backend with the correct protocol.
-- ListenerHTTP directive: SetURL "URL"
Set the URL of the incoming request to URL.
-- ListenerHTTP directive: SetPath "VALUE"
Set the path part of the URL to the given string.
-- ListenerHTTP directive: SetQuery "VALUE"
Set the query part of the URL to the given string. VALUE must be a
valid query with the special characters properly encoded using
percent encoding.
-- ListenerHTTP directive: SetQueryParam "NAME" "VALUE"
Set the query parameter NAME to the VALUE. Value must be properly
encoded if it contains reserved characters.
-- ListenerHTTP directive: SetHeader "NAME: VALUE"
-- ListenerHTTP directive: HeaderAdd "NAME: VALUE"
-- ListenerHTTP directive: AddHeader "NAME: VALUE"
Sets the HTTP header. If the header NAME already exists, it will
be overwritten. Otherwise, new header will be added to the end of
the header list.
The 'HeaderAdd' and 'AddHeader' forms are retained for backward
compatibility with earlier 'pound' versions. You are advised
against using them.
-- ListenerHTTP directive: DeleteHeader [OPTIONS] "PATTERN"
Remove from the request all headers matching PATTERN. The
'HeaderRemove' and 'HeadRemove' forms are retained for backward
compatibility with earlier 'pound' versions. You are advised
against using them.
By default, PATTERN is treated as extended POSIX regular
expression. The OPTIONS argument can be used to alter this. It
consists of zero or more option flags from the following list:
Flag Meaning
--------------------------------------------------------------------------
'-beg' Exact match at the beginning of string (prefix
match).
'-case' Case-sensitive comparison.
'-contain' Delete each header where "PATTERN" is a
substring.
'-end' Exact match at the end of string (suffix match).
'-exact' Use exact string match.
'-icase' Case-insensitive comparison.
'-pcre' Use Perl-compatible regular expression.
*note Regular Expressions::.
'-perl' Same as '-pcre'.
'-posix' Use POSIX extended regular expression.
*note Regular Expressions::.
'-re' Use regular expression match. This assumes the
default regular expression type, as set by the
'RegexType' directive
(*note Regular Expressions::).
Table 9.1: Header matching flags for 'DeleteHeader' directive
The following options are mutually exclusive: '-beg', '-contain',
'-end', '-exact', '-pcre' ('-perl'), '-posix', '-re'. If more than
one of these are used, the last one takes effect.
-- ListenerHTTP directive: HeaderRemove "PATTERN"
-- ListenerHTTP directive: HeadRemove "PATTERN"
These are obsolete keywords, equivalent to
DeleteHeader -icase "PATTERN"
9.9.5.1 The 'rewrite' statement
...............................
The 'Rewrite' block statement associates one or more header modification
directives discussed above with "request matching directives", so that
request modification takes place only when the request matches certain
conditions.
Syntactically, a 'Rewrite' section is:
Rewrite [ request ]
CONDITIONAL_DIRECTIVES...
MODIFICATION_DIRECTIVES...
[ Else
CONDITIONAL_DIRECTIVES...
MODIFICATION_DIRECTIVES... ]
End
where CONDITIONAL_DIRECTIVES represents one or more "request
conditionals" described below and MODIFICATION_DIRECTIVES stands for one
or more header modification directives. The 'Else' part is optional;
any number of 'Else' blocks can be supplied, thus providing for
conditional branching.
The 'Rewrite' statement is processed sequentially until a branch is
found whose CONDITIONAL_DIRECTIVES yield 'true', or 'End' is
encountered. If a matching branch is found, its MODIFICATION_DIRECTIVES
are applied to the request.
"Request matching directives" or "request conditionals" are special
statements that, being applied to a HTTP request, yield 'true' or
'false' depending on whether the request satisfies the condition
described in the directive. The following conditionals are available:
-- Request Conditional: ACL "NAME"
Returns 'true' if the source IP matches one of the CIDRs from the
named access control list NAME. The ACL itself must have been
defined earlier (*note ACL definition::).
*Note ACL::, for a detailed discussion.
-- Request Conditional: ACL
This statement defines an unnamed ACL to match the source IP
against. This line must be followed by one or more lines defining
CIDRs, as described in *note ACL definition::. The ACL definition
is finished with an 'End' keyword on a line by itself.
Semantically, this statement is equivalent to the named ACL
reference described above.
*Note ACL::, for a detailed discussion.
-- Request Conditional: BasicAuth "FILENAME"
Evaluates to 'true', if the incoming request passes basic
authorization as described in RFC 7617. FILENAME is the name of a
plain text file containing usernames and passwords, created with
'htpasswd' or similar utility. Unless the name starts with a
slash, it is taken relative to the 'IncludeDir' directory (*note
include directory::). The file is cached in the memory on the
first authorization attempt, so that further authorizations do not
result in disk operations. The file will be re-scanned if 'pound'
notices that its modification time has changed.
*Note Authentication::.
-- Request Conditional: Header [OPTIONS] "PATTERN"
Yields 'true', if the request contains at least one header matching
the given PATTERN. By default, PATTERN is treated as
case-insensitive POSIX extended regular expression. This can be
changed by OPTIONS, described below.
-- Request Conditional: Host [OPTIONS] "HOSTNAME"
Evaluates to 'true', if the 'Host' header matches HOSTNAME. In the
absence of OPTIONS, case-insensitive exact match is assumed, i.e.
this construct is equivalent to
Header "Host:[[:space:]]*QHOST"
where QHOST is the HOSTNAME argument in quoted form, i.e. with all
characters that have special meaning in regular expressions
escaped.
*Note Table 9.2: conditional-option, for a detailed discussion of
OPTIONS and their effect on matching.
This statement is provided to facilitate handling of "virtual
hosts". *Note Service selection::, for details.
-- Request Conditional: Path [OPTIONS] "PATTERN"
Returns 'true', if the path part of the incoming request matches
PATTERN.
-- Request Conditional: Query [OPTIONS] "PATTERN"
Returns 'true', if the query part of the incoming request matches
PATTERN. The argument must be properly percent-encoded, if it
contains whitespace or other non-printable characters.
-- Request Conditional: QueryParam "NAME" [OPTIONS] "PATTERN"
Returns 'true', if the value of the query parameter NAME matches
PATTERN.
*Note Table 9.2: conditional-option, for a detailed discussion of
OPTIONS and their effect on matching.
-- Request Conditional: StringMatch "STRING" [OPTIONS] "PATTERN"
Expands STRING as described in *note String Expansions:: and
matches the resulting value against PATTERN.
-- Request Conditional: URL [OPTIONS] "PATTERN"
Matches URL of the request. PATTERN is treated as case-sensitive
extended regular expression, unless instructed otherwise by OPTIONS
(see below).
In these directives, OPTIONS is a whitespace-delimited list of zero
or more flags from the following table:
Flag Meaning
--------------------------------------------------------------------------
'-beg' Exact match at the beginning of string (prefix
match).
'-case' Case-sensitive comparison.
'-contain' Match if PATTERN is a substring of the original
value.
'-end' Exact match at the end of string (suffix match).
'-exact' Use exact string match.
'-file' Treat PATTERN as the name of a file to read
patterns from. If the name is relative, it will
be looked up in the *note include directory::.
Patterns are read from the file line by line.
Leading and trailing whitespace is removed.
Empty lines and comments (lines starting with
'#') are ignored.
'-icase' Case-insensitive comparison.
'-pcre' Use Perl-compatible regular expression.
*note Regular Expressions::.
'-perl' Same as '-pcre'.
'-posix' Use POSIX extended regular expression.
*note Regular Expressions::.
'-re' Use regular expression match. This assumes the
default regular expression type, as set by the
'RegexType' directive
(*note Regular Expressions::).
Table 9.2: Conditional directive flags
The following options are mutually exclusive: '-beg', '-contain',
'-end', '-exact', '-pcre' ('-perl'), '-posix', '-re'. If more than one
of these are used, the last one takes effect.
Placing the keyword 'Not' before a header matching directive reverts
its meaning. For example, the following will match any request whose
URL does not begin with '/static/':
Not URL -beg "/static/"
The 'Match' block statement can be used to join multiple header
matching directives. Its syntax is:
Match OP
...
End
where ... stands for any number of matching directives, and OP is a
boolean operation: 'AND' or 'OR' (case-insensitive). For example, the
statement
Match OR
Host "www.example.net"
Path -beg "/ssl"
End
will match if the request 'Host' header has the value 'www.example.net',
or the path part of its URL starts with '/ssl'. In contrast, the
statement below:
Match AND
Host "www.example.net"
Path -beg "/ssl"
End
will match only if both these conditions are met. As a syntactical
short-cut, two or more matching statements appearing outside of 'Match'
are joined by an implicit logical 'AND', so that the latter example is
equivalent to:
Host "www.example.net"
Path -beg "/ssl"
The 'Match' statement, like any other matching directive, can be
prefixed with 'Not', which reverts its meaning.
9.9.6 Response Modification
---------------------------
-- ListenerHTTP directive: RewriteLocation N
This statement controls whether 'Location:' and 'Content-location:'
headers in HTTP responses are modified before sending them back to
the client.
If N is 0, both headers are left intact.
If N is 1, the headers are changed as follows. If they point to
the backend itself or to the listener (but with the wrong
protocol), the request host name will be used instead. This is the
default.
If N is 2, do the same, but compare only the backend address; this
is useful for redirecting a request to an HTTPS listener on the
same server as the HTTP listener.
To check whether the location points to the listener or to the
backend, its hostname part is resolved and the obtained IP address
(or addresses) are compared with that of listener or backend. This
process is affected by the 'dns' feature setting (*note dns::). If
it is disabled ('-W no-dns' option is given), no resolving takes
place. In this case the location is deemed to point to the
listener if its hostname part matches that of the incoming request.
For backends, the hostname is compared with the value of the
'ServerName' setting of that backend (*note ServerName::), if any.
9.9.6.1 The 'Rewrite response' statement.
.........................................
A special form of the 'Rewrite' statement is provided for modifying
headers in the response obtained from a regular backend or generated
with a 'Error' backend, before sending them back to the requesting
server:
Rewrite response
CONDITIONAL_DIRECTIVES...
MODIFICATION_DIRECTIVES...
[ Else
CONDITIONAL_DIRECTIVES...
MODIFICATION_DIRECTIVES... ]
End
The conditional directives allowed for use in this statement are:
-- Rewrite response conditional: Header [OPTIONS] "PATTERN"
Returns 'true', if the response contains at least one header
matching the given PATTERN.
-- Rewrite response conditional: StringMatch "STRING" [OPTIONS]
"PATTERN"
Expands STRING as described in *note String Expansions::, and
matches the resulting value against PATTERN.
Both conditionals treat their PATTERN argument as case-insensitive
POSIX extended regular expression. *Note Table 9.2: conditional-option,
for a discussion of available OPTIONS.
The following "response modification" directives are defined:
-- Response modification: DeleteHeader [OPTIONS] "PATTERN"
Remove matching headers from the response. By default, PATTERN is
treated as extended POSIX regular expression. Use OPTIONS to alter
this behavior. *Note Table 9.1: deleteheader-option, for a list of
available options.
-- Response modification: SetHeader "NAME: VALUE"
Sets the HTTP response header. Argument undergoes string expansion
(*Note String Expansions::). If the header NAME already exists, it
will be overwritten. Otherwise, new header will be added to the
end of the header list.
9.9.7 Service definitions
-------------------------
The 'Service' section defines rules that decide to which backend to
route requests received by that listener. Any number of 'Service'
section can be present. When a request is received, the listener
iterates over all services in the order of their appearance in the
configuration and applies the section rules to the request. If the
rules match the request, the request is forwarded to the backend defined
in that section.
*Note Service::, for a detailed discussion of the 'Service'
statement.
-- ListenHTTP statement: ACME DIR
This statement defines a special service with a built-in backend
for handling 'ACME' challenge requests. *Note ACME::, for a
detailed discussion of its use.
The DIR argument defines the directory where to look for challenge
files.
9.10 ListenHTTPS
================
The 'ListenHTTPS' section defines a listener that operates in HTTPS. The
section declaration begins with the keyword 'ListenHTTPS' optionally
followed by a string supplying symbolic name for that listener:
ListenHTTPS "main"
...
End
The purpose of the symbolic name is the same as in 'ListenHTTP'
statement. All keywords defined for 'ListenHTTP' can be used for
'ListenHTTPS' as well. *Note ListenHTTP::, for a detailed discussion of
these.
Statements specific for this section are:
-- ListenHTTPS: Cert "FILENAME"
Specifies the server "certificate". FILENAME is either a
certificate file name, or the name of a directory containing
certificate files.
A "certificate file" is a file containing the certificate, possibly
a certificate chain and the signature for this server, in that
order.
This directive is mandatory within 'ListenHTTPS'.
Multiple 'Cert' directives are allowed. If multiple directives are
used, the first one is the default certificate, with additional
certificates used if the client requests them.
The ordering of the directives is important: the first certificate
where the CN matches the client request will be used, so put your
directives in the most-specific-to-least specific order (i.e.
wildcard certificates after host-specific certificates).
'Cert' directives must precede all other SSL-specific directives.
-- ListenHTTPS: ClientCert MODE DEPTH
Specifies whether the listener must ask for the client's HTTPS
certificate. Allowed values for MODE are:
0. Never ask for the certificate (the default).
1. Ask for the client certificate.
2. Ask and fail, if no certificate was presented.
3. Ask but do not verify.
DEPTH is the depth of verification for a client certificate (up to
9). The default depth limit is 9, allowing for the peer
certificate and additional 9 CA certificates that must be verified.
-- ListenHTTPS: Disable PROTO
Disable the SSL protocol PROTO and all lower protocols as well.
Allowed values for PROTO are: 'SSLv2', 'SSLv3', 'TLSv1', 'TLSv1_1',
'TLSv1_2'.
For example:
Disable TLSv1
This disables SSLv2, SSLv3 and TLSv1, thus allowing only TLSv1_1
and TLSv1_2.
-- ListenHTTPS: Ciphers "CIPHER_LIST"
This is the list of ciphers that will be accepted by the SSL
connection; it is a string in the same format as in 'OpenSSL'
'ciphers' and 'SSL_CTX_set_cipher_list' functions.
-- ListenHTTPS: SSLHonorCipherOrder BOOL
If set 'true', the server will broadcast a preference to use
ciphers in the order supplied in the 'Ciphers' directive. If the
value is 'false', the server will accept any cipher from the
'Ciphers' list. Default value is 'false'.
-- ListenHTTPS: SSLAllowClientRenegotiation MODE
If MODE is 0, client initiated renegotiation will be disabled.
This will mitigate DoS exploits based on client renegotiation,
regardless of the patch status of clients and servers related to
"Secure renegotiation". If MODE is 1, secure renegotiation is
supported. If MODE value is 2, insecure renegotiation is
supported.
The default value is 0.
-- ListenHTTPS: CAlist "FILENAME"
Set the list of trusted CA's for this server. The FILENAME is the
name of a file containing a sequence of CA certificates (in PEM
format). The names of the defined CA certificates will be sent to
the client on connection.
-- ListenHTTPS: VerifyList "FILENAME"
Set the certificate authority list. The FILENAME is the name of a
file with CA root certificates, in PEM format.
_Please note_, that there is an important difference between the
'CAlist' and the 'VerifyList'. The 'CAlist' tells the client (browser)
which client certificates it should send. The 'VerifyList' defines
which CAs are actually used for the verification of the returned
certificate.
-- ListenHTTPS: CRLlist "FILENAME"
Set the "Certificate Revocation List" file. FILENAME is the name
of a file that contains the CRLs (in PEM format).
-- ListenHTTPS: NoHTTPS11 MODE
Behave like an 'HTTP/1.0' server for HTTPS clients. If MODE is 0,
always conform to HTTPS/1.1. If it is 1, do not allow multiple
requests on SSL connections. If the value is 2 (default), disable
multiple requests on SSL connections only for MSIE clients.
9.11 Service
============
The 'Service' statements define backends to use and conditions a request
should satisfy in order to be routed to these backends. These
statements can appear both within 'ListenHTTP' ('ListenHTTPS') sections
and outside of them. When processing an incoming request, the listener
will first try to match it against services defined within it. If none
of these services matches the request, it will try to match it against
services defined in the top level. If a matching service is found, it
will be used to process the request. Otherwise a 503 ("Service
Unavailable") response will be returned.
A service is defined by a section statement that begins with the
'Section' keyword, followed by service definition statements and
terminated by 'End' on a line by itself:
Service "NAME"
...
End
Optional NAME argument assigns a symbolic name to the service. That
name is used to identify the service in diagnostic and access log
messages (*note '%{OBJ}N': log format.), metric output (*note
Metrics::), and in 'poundctl' requests (*note poundctl::). In the
absence of an assigned NAME, the ordinal number of the service in the
enclosing section is used as its identifier. Service numbers start at
0.
Following subsections discuss statements that can be used in
'Service' sections.
9.11.1 Service Selection Statements
-----------------------------------
Service selection statements define conditions an incoming request must
satisfy in order to be handled by this service.
-- Service Conditional: ACL "NAME"
Returns 'true' if the source IP of the request matches one of the
CIDRs from the named access control list NAME. The ACL itself must
have been defined earlier (*note ACL definition::).
*Note ACL::, for a detailed discussion.
-- Service Conditional: ACL
This statement defines an unnamed ACL to match the source IP
against. This line must be followed by one or more lines defining
CIDRs, as described in *note ACL definition::. The ACL definition
is finished with an 'End' keyword on a line by itself.
Semantically, this statement is equivalent to the named ACL
reference described above.
*Note ACL::, for a detailed discussion.
-- Service Conditional: BasicAuth "FILENAME"
Evaluates to 'true', if the incoming request passes basic
authorization as described in RFC 7617. FILENAME is the name of a
plain text file containing usernames and passwords, created with
'htpasswd' or similar utility. Unless the name starts with a
slash, it is taken relative to the 'IncludeDir' directory (*note
include directory::). The file is cached in the memory on the
first authorization attempt, so that further authorizations do not
result in disk operations. The file will be rescanned if 'pound'
notices that its modification time has changed.
*Note Authentication::.
-- Service Conditional: Header [OPTIONS] "PATTERN"
Yields 'true', if the request contains at least one header matching
the given PATTERN. By default, PATTERN is treated as
case-insensitive POSIX extended regular expression. This can be
changed by OPTIONS, described below.
-- Service Conditional: Host [OPTIONS] "HOSTNAME"
Evaluates to 'true', if the 'Host' header matches HOSTNAME. In the
absence of OPTIONS, case-insensitive exact match is assumed, i.e.
this construct is equivalent to
Header "Host:[[:space:]]*QHOST"
where QHOST is the HOSTNAME argument in quoted form, i.e. with all
characters that have special meaning in regular expressions
escaped.
*Note Table 9.2: conditional-option, for a detailed discussion of
OPTIONS and their effect on matching.
This statement is provided to facilitate handling of "virtual
hosts". *Note Service selection::, for details.
-- Service Conditional: Path [OPTIONS] "PATTERN"
Returns 'true', if the path part of the incoming request matches
PATTERN.
-- Service Conditional: Query [OPTIONS] "PATTERN"
Returns 'true', if the query part of the incoming request matches
PATTERN. The argument must be properly percent-encoded, if it
contains whitespace or other non-printable characters.
-- Service Conditional: QueryParam "NAME" [OPTIONS] "PATTERN"
Returns 'true', if the value of the query parameter NAME matches
PATTERN.
*Note Table 9.2: conditional-option, for a detailed discussion of
OPTIONS and their effect on matching.
-- Service Conditional: StringMatch "STRING" [OPTIONS] "PATTERN"
Expands STRING as described in *note String Expansions::, and
matches the resulting value against PATTERN.
-- Service Conditional: URL [OPTIONS] "PATTERN"
Matches URL of the request. PATTERN is treated as case-sensitive
extended regular expression, unless instructed otherwise by OPTIONS
(see below).
The OPTIONS argument in the directives discussed above defines the
comparison algorithm used. It consists of one or more flags described
in *note Table 9.2: conditional-option.
Placing the keyword 'Not' before a header matching directive reverts
its meaning. For example, the following will match any request whose
URL does not begin with '/static/':
Not URL -beg "/static/"
The 'Match' block statement can be used to join multiple header
matching directives. Its syntax is:
Match OP
...
End
where ... stands for any number of matching directives, and OP is a
boolean operation: 'AND' or 'OR' (case-insensitive). *Note Match in
service statement::, for a detailed discussion with examples.
9.11.2 Request and Response Modification
----------------------------------------
These statements modify incoming requests prior to passing them to the
backend. A similar set of statements can be used in listeners (*note
Request Modification::). In case both the listener and service contain
request modification statements, those from the listener are applied
first, followed by the ones from the service.
-- Service directive: SetURL "URL"
Set the URL of the incoming request to URL.
-- Service directive: SetPath "VALUE"
Set the path part of the URL to the given string.
-- Service directive: SetQuery "VALUE"
Set the query part of the URL to the given string. VALUE must be a
valid query with the special characters properly encoded using
percent encoding.
-- Service directive: SetQueryParam "NAME" "VALUE"
Set the query parameter NAME to the VALUE. The value must be
properly encoded if it contains reserved characters.
-- Service directive: SetHeader "NAME: VALUE"
-- Service directive: HeaderAdd "NAME: VALUE"
-- Service directive: AddHeader "NAME: VALUE"
Sets the HTTP header. If the header NAME already exists, it will
be overwritten. Otherwise, new header will be added to the end of
the header list.
The 'HeaderAdd' and 'AddHeader' forms are retained for backward
compatibility with earlier 'pound' versions. You are advised
against using them.
-- Service directive: DeleteHeader [OPTIONS] "PATTERN"
-- Service directive: HeaderRemove [OPTIONS] "PATTERN"
-- Service directive: HeadRemove [OPTIONS] "PATTERN"
Remove from the request all headers matching PATTERN. The
'HeaderRemove' and 'HeadRemove' forms are retained for backward
compatibility with earlier 'pound' versions. You are advised
against using them.
By default, PATTERN is treated as extended POSIX regular
expression. The OPTIONS argument can be used to alter this. It
consists of zero or more option flags, described in *note Table
9.1: deleteheader-option.
-- Service statement: Rewrite [ request | response ] ... End
This block statement associates one or more header modification
directives discussed above with "request matching directives", so
that request modification takes place only when the request matches
certain conditions.
By default 'Rewrite' statements apply to incoming requests. The
subject of rewriting can also be specified explicitly after the
'Rewrite' keyword.
*Note Rewrite::, for a detailed discussion of this statement.
*Note Conditional branches::, for an in-depth discussion with
examples.
*Note Modifying responses::, for a discussion of the use of this
statement to modify responses.
9.11.3 Service Logging
----------------------
-- Service directive: ForwardedHeader "NAME"
Defines the name of the HTTP header that carries the list of
proxies the request has passed through. Default value is
'X-Forwarded-For'. This header is used to determine the originator
IP address for logging. *Note %a::, for details.
-- Service directive: TrustedIP
Defines a list of "trusted proxy" IP addresses, which is used to
determine the originator IP.
*Note %a::, for a detailed discussion.
This statement is a special form of 'ACL' statement, described in
*note ACL::. It can appear in two forms: as a "section" or as a
"directive". When used as a section, it is followed by a list of
one or more CIDRs each appearing on a separate line. The 'End'
keyword terminates the statement, e.g.:
TrustedIP
"127.0.0.1/8"
"10.16.0.0/16"
End
In directive form, this statement takes a single argument, the name
of an access control list defined earlier using the 'ACL'
statement, e.g.
TrustedIP "proxy_addresses"
-- Service directive: LogSuppress CLASS [CLASS...]
Suppresses HTTP logging for requests that resulted in status codes
from the specified classes. Valid classes are:
info
1
'1xx' response codes.
success
2
'2xx' response codes.
redirect
3
'3xx' response codes.
clterr
4
'4xx' response codes.
srverr
5
'5xx' response codes.
all
All response codes.
This statement is designed for services that receive a constant
stream of similar HTTP requests from a controlled set of IP
addresses, such as e.g. Openmetric services. *Note Metrics::, for
an example.
9.11.4 Backends
---------------
9.11.4.1 Backend
................
The 'Backend' section defines a regular backend. The overall syntax, as
for any section statement, is:
Backend [ "NAME" ]
...
End
Optional NAME argument assigns a symbolic name to the service. That
name is used to identify the backend in diagnostic and access log
messages (*note '%{OBJ}N': log format.), metric output (*note
Metrics::), and in 'poundctl' requests (*note poundctl::). In the
absence of an assigned NAME, the ordinal (0-based) number of the backend
in the enclosing 'Service' is used as its identifier.
The following statements can be used in a 'Backend' section:
-- Backend directive: Address IP
IP address or host name of the backend server. If the name cannot
be resolved to a valid address, 'pound' will assume that it
represents a path to a Unix-domain socket.
This directive is mandatory.
-- Backend directive: Port N
Sets the port number to connect to. This directive must be present
if the 'Address' statement contains an IP address.
-- Backend directive: Disabled BOOL
Mark this backend as disabled.
Backends can be enabled or disabled at runtime using the 'poundctl'
utility (*note enable: poundctl commands.).
_Note:_ not to be confused with the 'Disable' statement, described
below.
-- Backend directive: Priority N
Sets numeric priority for this backend. Priorities are used to
control probability of receiving a request for handling in case of
multiple backends. *Note Balancer::, for a detailed discussion.
Allowed values for N depend on the balancing algorithm in use. For
random balancing, allowed values are 0 to 9. For IWRR, allowed
values are between 0 and 100.
The following three directives set various timeout parameters for
backend operations:
-- Backend directive: TimeOut N
Sets the "response timeout", i.e. time to wait for a response from
the backend (in seconds). Default is 15.
-- Backend directive: ConnTO N
Sets "connection timeout", i.e. time to wait for establishing
connection with the backend (in seconds).
-- Backend directive: WSTimeOut N
Idle timeout for WebSocket operations, in seconds. Default value:
600 (10 minutes).
Backend servers can use HTTPS as well as plaintext HTTP. The
following directives configure HTTPS backends:
-- Backend directive: HTTPS
This directive indicates that the remote server speaks HTTPS.
-- Backend directive: ServerName "NAME"
This directive specifies the name to use for server name
identification ("SNI"). It also rewrites the 'Host:' header for
this particular backend. This means you don't have to use
'SetHeader' in addition to it.
-- Backend directive: Cert "FILENAME"
This specifies the certificate that 'pound' will use as a client.
The FILENAME is the name of a file containing the certificate,
possibly a certificate chain and the signature.
-- Backend directive: Ciphers "CIPHERLIST"
This is the list of ciphers that will be accepted by the SSL
connection with the backend (for HTTPS backends); it is a string in
the same format as used by the OpenSSL functions 'ciphers' and
'SSL_CTX_set_cipher_list'.
-- Backend directive: Disable PROTO
Disable the SSL protocol PROTO and all earlier protocols. Allowed
values for PROTO are: 'SSLv2', 'SSLv3', 'TLSv1', 'TLSv1_1',
'TLSv1_2'.
_Note:_ not to be confused with the 'Disabled' statement, described
above.
9.11.4.2 Globally Defined Backends
..................................
The 'Backend' section described above can also be used at the topmost
level of the configuration file. Use this if you plan to use same
backend in several different services.
When used globally the 'Backend' keyword must always be followed by
the backend name in double-quotes. The assigned name must be unique
among all global backends.
To include a globally defined backend in a service, use 'UseBackend'
or 'Backend' keywords.
-- Service directive: UseBackend "NAME"
Use globally-defined backend NAME in this service. The backend
itself may be defined in global scope before or after the 'Service'
section that uses it.
The 'UseBackend' keyword adds the backend to the service exactly as
it was defined. However, it may sometimes be necessary to alter its
priority and state. To do so, use the 'Backend' section. If the name
argument specifies a globally-defined backend, the 'Backend' section can
contain only the 'Priority' and 'Disable' statements.
9.11.4.3 Special Backends
.........................
Special backends are backends that don't rely on an external server to
handle the response, but instead are served by 'pound' itself.
-- Service directive: Error STATUS [FILE]
Return a particular HTTP status.
The STATUS argument supplies the HTTP status code to return.
Optional FILE argument is the name of a disk file with the error
page content. If not supplied, the text is determined as usual:
first the 'ErrorFile STATUS' statement from the enclosing listener
is consulted. If it is not present, the default error page is
used.
This directive is useful in a catch-all service, which outputs an
error page if no service matching the incoming request was found.
*Note Error responses::, for a discussion.
-- Service directive: Redirect [CODE] "URL"
Declares a special backend that responds to each request with a
redirect response.
Optional CODE can be one of: 301, 302 (the default), 303, 307, or
308.
The URL argument specifies the URL to redirect the request to.
Before use it is expanded as described in *note String
Expansions::.
For compatibility with previous 'pound' versions, if no '$N'
references are found in URL, the following logic is used: if it is
a "pure" host (i.e. with no path) then the client will be
redirected to that host, with the original request path appended.
If the URL does contain a path (even if it is just a '/'), then the
request path is ignored.
*Note Redirects::, for a detailed discussion of this backend and
its use.
-- Service directive: Metrics
This directive defines a special backend that generates Openmetric
telemetry output on the given URL. Example usage:
Service
URL "/metrics"
Metrics
End
To control access to the telemetry endpoint, use the 'ACL'
statement (*note ACL::).
The 'LogSuppress' directive (*note LogSuppress::) is often used in
openmetric services to suppress logging of served HTTP requests:
Service
URL "/metrics"
Metrics
ACL "secure"
LogSuppress success
End
The metrics output is discussed in *note Metric Families::.
-- Service directive: Emergency ... End
Defines an "emergency backend", which will be used only if all
other backends become unavailable. The following directives are
available for use within the 'Emergency' section: 'Address',
'Port', 'TimeOut', 'WSTimeOut', 'ConnTO', 'HTTPS', 'Cert',
'Ciphers', 'Disable', 'ServerName', These are discussed in *note
Backend::.
9.11.5 Session
--------------
-- Service directive: Session ... End
Defines how a service deals with possible HTTP sessions. Once a
session is identified, 'pound' will attempt to send all requests
within that session to the same backend server.
*Note Sessions::, for a detailed discussion of HTTP sessions and
their handling.
The following directives are available for use in 'Session' section.
-- Session directive: Type TYPE
Defines the expected type of sessions to handle. Allowed values
for TYPE are:
'IP'
A session is defined by the source IP. All requests coming
from the same IP are considered to be in the same session.
The IP address is defined by the 'ID' statement (see below).
'BASIC'
A session is defined by the 'Authentication' HTTP header. If
the header is present, and specifies the 'Basic'
authentication type, user ID is extracted from it.
'URL'
A session is identified by the value of a particular query
parameter. The name of the parameter is given by the 'ID'
statement.
'PARM'
Sessions are identified by HTTP parameter - a string that
appears after a semicolon in the URL, such as 'bar' in
'http://foo.com;bar'.
'COOKIE'
Sessions are identified by the value of an HTTP cookie, whose
name is given by the 'ID' directive.
'HEADER'
Sessions are identified by the value of HTTP header whose name
is given by the 'ID' directive.
-- Session directive: ID "NAME"
Specifies the "session identifier": IP address (for 'Type IP'),
query parameter name (for 'Type URL'), cookie name (for 'Type
COOKIE'), or header name (for 'Type HEADER').
-- Session directive: TTL N
How long can a session be idle (in seconds). A session that has
been idle for longer than the specified number of seconds will be
discarded. This directive is mandatory.
9.11.6 Other Statements
-----------------------
-- Service directive: Disabled BOOL
If 'true', mark this service as disabled. Disabled services are
not used for request processing. A service can be enabled or
disabled at runtime using the 'poundctl' utility (*note enable:
poundctl commands.).
-- Service directive: Balancer ALGO
Sets the request balancing algorithm to use. Allowed values for
ALGO are:
random
Use weighted random balancing algorithm.
iwrr
Use interleaved weighted round robin balancing.
*Note Balancer::, for a detailed discussion of these algorithms.
This statement overrides the global 'Balancer' statement (*note
Balancer: Global directives.).
-- Service directive: IgnoreCase BOOL
Ignore case when doing regex matching (default: 'false'). This
directive sets the default for the following service matching
directives: 'URL', 'Path', 'QueryParam', 'Query', 'StringMatch', as
well as for the 'DeleteHeader' modification directive.
This statement is deprecated and will be removed in future
versions. Please, use the '-icase' option to the matching
directive instead (*note Table 9.2: conditional-option.).
10 poundctl
***********
The 'poundctl' command displays status of various objects of the running
instance and allows you to change some of them.
The program communicates with the running 'pound' daemon via a UNIX
socket. For this to work, 'pound' configuration file must contain a
'Control' statement (*note Control statement::). When started,
'poundctl' opens the default 'pound.cfg' file, looks up for this
statement and then uses the pathname defined in it as the control socket
file.
This behavior can be altered in two ways. First, if the
configuration file is in a non-standard location, the pathname of this
file can be given to the program using the '-f' command line option.
Secondly, the socket name can be supplied in the command line
explicitly, using the '-s' option.
The program invocation syntax is:
poundctl [OPTIONS] COMMAND OBJECT [ARG]
Here, OPTIONS are command line options, COMMAND is a command verb that
instructs 'poundctl' what to do, OBJECT identifies the 'pound' object to
operate upon (*note objects::), and optional ARG supplies argument to
the command verb.
Pound objects identifiers are formed in a path-like fashion:
/LISTENER/SERVICE/BACKEND
where:
LISTENER
Symbolic name of the listener or its ordinal number in the
configuration. If referring to a globally-defined service, or to a
backend in such a service, a dash is used.
SERVICE
Symbolic name or ordinal number of the service located in that
listener.
BACKEND
Ordinal number of backend in the service.
Depending on the command, either '/BACKEND' or both
'/SERVICE/BACKEND' may be omitted.
For example, the following command will disable backend 2 in service
1 of listener 0:
poundctl disable /0/1/2
Assuming listener 0 is named 'web', this example can also be written
as:
poundctl disable /web/1/2
The following command disables the listener 0 itself:
poundctl disable /0
A dash in place of LISTENER refers to the global scope. Thus, the
following disables service 1 defined in the global scope of 'pound.cfg':
poundctl disable /-/1
10.1 'poundctl' commands
========================
-- poundctl: list /L/S/B
-- poundctl: list /L/S
-- poundctl: list /L
-- poundctl: list
Lists status of the given object and its subordinates. Without
argument, shows all listeners and underlying objects.
-- poundctl: enable /L/S/B
-- poundctl: enable /L/S
-- poundctl: enable /L
-- poundctl: on /L/S/B
-- poundctl: on /L/S
-- poundctl: on /L
Enables listener, service, or backend.
-- poundctl: disable /L/S/B
-- poundctl: disable /L/S
-- poundctl: disable /L
-- poundctl: off /L/S/B
-- poundctl: off /L/S
-- poundctl: off /L
Disables listener, service, or backend.
-- poundctl: delete /L/S KEY
Delete the session with the given key. Notice that backend may not
be specified.
-- poundctl: add /L/S/B KEY
Add a session with the given KEY.
10.2 'poundctl' options
=======================
The following options are understood by 'poundctl':
'-f FILE'
Read 'pound' configuration from FILE, instead of the default
configuration file.
'-i N'
Sets indentation level for JSON output to N columns.
'-j'
Use JSON output format.
'-h'
Shows a short help output and exits.
'-s SOCKET'
Sets pathname of the control socket.
'-T FILE'
Sets the name of the template file to use.
'-t NAME'
Defines the name of the template to use, instead of the 'default'.
'-V'
Prints program version, compilation settings, and exits.
'-v'
Increases output verbosity level.
10.3 'poundctl' template
========================
Information received from the 'pound' daemon is formatted as a JSON
object. To produce human-readable output, 'poundctl' uses a "template",
i.e. a text written in a domain-specific language expressly designed
for that purpose. The template language complies, in general, with the
specification in . *Note Template
syntax::, for a detailed description.
Templates are stored in template files, which are looked up in the
template search path. The path is a column-delimited list of
directories or file names. To locate the template file, the path is
scanned left-to right. If an element is a regular file name (or a hard
or symbolic link to a regular file), 'poundctl' tries to open that file.
If an element is a directory name, the program tries to open the file
'poundctl.tmpl' in that directory. If opening succeeds, further
scanning stops and templates are read from that file.
The default template path is
~/.poundctl.tmpl:DATADIR/pound
where DATADIR stands for the program data directory(1). That is, the
file '.poundctl.tmpl' in the user home directory is searched first, then
the file 'poundctl.tmpl' (without the leading dot) is looked up in the
program data directory.
The default search path can be changed by setting the environment
variable 'POUND_TMPL_PATH'.
To examine the default value of the search path, use the '-V' command
line option.
The template file to use can be requested from the command line using
the '-t' option. In this case, template search path in not searched and
the supplied file is used verbatim.
Unless instructed otherwise, 'poundctl' uses the template 'default'.
You can request another template name using the '-T' command line
option.
The default 'poundctl.tmpl' file defines two templates: 'default' and
'xml'.
---------- Footnotes ----------
(1) It is determined at compile time. Normally it is
'/usr/share/pound' or '/usr/local/share/pound'.
10.3.1 Template syntax
----------------------
The syntax of 'poundctl' templates is modelled after and mostly
conforming to the specifications of the 'golang' template module(1).
Templates are executed by applying them to a JSON object.
Annotations in a template refer to attributes of the object to control
execution and derive values to be displayed. Execution of the template
walks the structure and sets the cursor, represented by a period (called
"dot"), to the value at the current location in the object as execution
proceeds.
The input text for a template is as ASCII text is arbitrary format.
Actions (data evaluations or control structures) are delimited by
'{{' and '}}'; all text outside actions is copied to the output
verbatim.
To aid in formatting template source code, if '{{' is followed
immediately by a minus sign and white space, all trailing white space is
trimmed from the immediately preceding text. Similarly, if '}}' is
preceded by white space and a minus sign, all leading white space is
trimmed from the immediately following text. Notice that the presence
of the whitespace in these trim markers is mandatory: '{{- 3}}' trims
the immediately preceding text and outputs '3', while "'{{-3}}' parses
as an action containing the number '-3'.
---------- Footnotes ----------
(1)
10.3.1.1 Actions
................
Here is the list of actions. "Arguments" and "pipelines" are
evaluations of data, defined in detail in the sections that follow.
'{{ }}'
Empty action is discarded. It may be useful to trim the preceding
or following whitespace, as in
{{- -}}
'{{/* a comment */}}'
Comments are discarded. They may span multiple lines of text.
Comments do not nest and must start immediately after the opening
delimiter (with optional dash and whitespace in between). A
comment may be followed by any action described below.
Comments may be used to control trailing and leading whitespace as
well:
{{- a comment trimming the surrounding whitespace -}}
'{{ PIPELINE }}'
The PIPELINE is evaluated, and the default textual representation
of its value is copied to the output.
'{{if PIPELINE }} T1 {{end}}'
If the value of the PIPELINE is empty, no output is generated;
otherwise, T1 is executed. The empty values are 'null', 'false',
numeric 0, empty string ('""'), array ('[]'), or object ('{}').
Dot is unaffected.
'{{if PIPELINE }} T1 {{else}} T0 {{end}}'
If the value of the pipeline is empty, T0 is executed; otherwise,
T1 is executed. Dot is unaffected.
'{{if PIPELINE }} T1 {{else if PIPELINE }} T2 {{else}} T0 {{end}}'
A shortcut to simplify writing the if-else chains. Equivalent to
(newlines added for readability):
{{if PIPELINE }}
T1
{{else -}}
{{if PIPELINE }}
T2
{{else}}
T0
{{end}}
{{end}}
'{{range PIPELINE }} T1 {{end}}'
The value of PIPELINE must be an object or array. If it is of
length zero, nothing is output. Otherwise, dot is set to the
successive elements of the array or object and T1 is executed. For
objects, the elements will be visited in sorted key order.
'{{range PIPELINE }} T1 {{else}} T0 {{end}}'
Same as above, except that if the value of the PIPELINE is of
length zero, T0 is executed with dot unaffected.
Within the '{{range}}' action, the following two keywords may
appear:
'{{break}}'
The innermost '{{range PIPELINE}}' loop is ended early,
stopping the current iteration and bypassing all remaining
iterations.
'{{continue}}'
The current iteration of the innermost '{{range PIPELINE}}'
loop is stopped, and the loop starts the next iteration.
'{{define "NAME"}} TEXT {{end}}'
The TEXT is collected and stored for the further use as template
with the given NAME. It can be invoked using the '{{template}}'
action (see below).
'{{template "NAME"}}'
The template with the specified NAME (see the '{{define}}' above)
is executed with dot set to 'null'.
'{{template "NAME" VALUE }}'
The template with the specified NAME (see the '{{define}}' above)
is executed with dot set to VALUE.
'{{block "NAME" PIPELINE }} T1 {{end}}'
A block is shorthand for defining a template and then executing it
in place:
{{define "NAME"}} T1 {{end}}
{{template "NAME" PIPELINE}}
'{{with PIPELINE }} T1 {{end}}'
If the value of the PIPELINE is empty, no output is generated;
otherwise, dot is set to the value of the PIPELINE and T1 is
executed.
'{{with PIPELINE }} T1 {{else}} T0 {{end}}'
Same as above, but if the value of the PIPELINE is empty, T0 is
executed with dot unchanged.
10.3.1.2 Arguments
..................
An "argument" is a simple value, i.e. any of the following:
* Numeric value (integer or floating point)
* Boolean value: 'true' or 'false'.
* Quoted string.
* A dot ('.') This represents the cursor value.
* Attribute: '.ATTR' This is the value of the attribute ATTR in the
current value (dot). Attribute references can be nested, as in
'.Attr.Xattr.Yattr'.
* A variable reference: '$VAR'. Here, VAR is the name of the
variable defined in the 'range' action. *Note Variables::, below.
* Function call in parentheses, for grouping.
10.3.2 Pipelines
----------------
A "pipeline" is a series of one or more "commands" delimited by pipe
sign ('|'). Each "command" is either an argument or a "function call",
in form:
FUNC ARG1 ARG2...
where FUNC is the name of one of the built-in functions discussed below.
Pipelines are executed from left to right, with the result of the
previous command implicitly added to the list of arguments of each
subsequent command. For example, the pipeline
.attr | eq $x
is equivalent to
eq $x .attr
i.e. it calls the built-in function 'eq' with two arguments: the value
of the variable 'x' and attribute 'attr' of the cursor value.
The following built-in functions are defined:
-- Template built-in: and A1 A2
Evaluates to 'true' if pipelines A1 and A2 both evaluate to 'true'.
Notice, that there is no boolean shortcut evaluation: both
pipelines are evaluated prior to calling 'and'.
-- Template built-in: or A1 A2
Evaluates to 'true' if at least one of the pipelines A1 and A2
evaluates to 'true'. Notice, that there is no boolean shortcut
evaluation: both pipelines are evaluated prior to calling 'or'.
-- Template built-in: index A1 A2...
Returns the result of indexing its first argument by the following
arguments. Thus, if '.' is an array, then:
index . 5
evaluates to its fifth element ('.[5]').
-- Template built-in: len A1
Returns the integer length of its argument.
-- Template built-in: not A1
Returns 'true' if its argument evaluates to 'false'.
-- Template built-in: eq A1 A2
Returns 'true' if both its arguments are equal. This applies only
if both A1 and A2 are numeric or if they both are strings.
-- Template built-in: ne A1 A2
Returns 'true' if its arguments (both must be numeric or strings)
are not equal.
-- Template built-in: lt A1 A2
Returns 'true' if A1 is numerically less than A2.
-- Template built-in: le A1 A2
Returns 'true' if A1 is numerically less than or equal to A2.
-- Template built-in: gt A1 A2
Returns 'true' if A1 is numerically greater than A2.
-- Template built-in: ge A1 A2
Returns 'true' if A1 is numerically greater than or equal to A2.
-- Template built-in: even A1
Returns 'true' if A1, which must evaluate to an integer value, is
divisible by 2.
-- Template built-in: printf FMT A1...
Implements the 'printf' function. FMT must evaluate to string.
Rest of arguments is interpreted according to the conversion
specifications in FMT. The result is a formatted string.
In addition to the standard conversion specifications, the '%v'
specifier is implemented: it formats its argument in the best way,
depending on its actual type.
-- Template built-in: typeof A1
Evaluates to the type of its argument, one of: 'null', 'bool',
'number', 'integer', 'string', 'array', and 'object'.
-- Template built-in: exists A1 A2
A1 must evaluate to an object and A2 to string. The function
evaluates to 'true' if the attribute A2 is present in A1.
-- Template built-in: add A1 A2...
Returns the sum of its arguments.
-- Template built-in: sub A1 A2
Returns the difference 'A1 - A2'.
-- Template built-in: mul A1 A2
Multiplies A1 by A2.
-- Template built-in: div A1 A2
Divides A1 by A2.
10.3.3 Variables
----------------
Variables (referred to as '$NAME') can be defined in 'range' and 'with'
actions. For 'range', the syntax is:
{{range $INDEX, $ELEMENT = PIPELINE }} T1 {{end}}
where INDEX and ELEMENT are arbitrary variable names. When executing
this action, during each iteration $INDEX and $ELEMENT are set to the
index (attribute name) and value of each successive element. Dot
remains unaffected.
For 'with', the syntax is:
{{with $VAR = PIPELINE }} T1 {{end}}
PIPELINE is evaluated, its result is assigned to $VAR and the T1
block is executed with dot unchanged.
A variable's scope extends to the 'end' action of the control
structure ('with' or 'range') in which it is declared. This includes
any nested statements that may appear in between.
10.3.4 Input object
-------------------
Depending on the request issued by 'poundctl', the invoked template can
receive as its argument ("dot") an object of the following types: "full
listing", "listener", "service", or "backend".
Since there is no explicit indication of the object type being
passed, templates normally use heuristics based on the presence or
absence of certain attribute to deduce the object type in question. The
recommended approach is described in the following pseudo-code fragment:
{{if exists . "listeners" }}
{{/* This is a full listing, as requested by poundctl list. */}}
...
{{else if exists . "services"}}
{{/* Single listener, as requested by poundctl list /L.
Notice that this attribute is present in the full listing as
well, so presence of "listeners" should be checked first. */}}
...
{{else if exists . "backends"}}
{{/* Single service, as requested by poundctl list /L/S. */}}
...
{{else}}
{{/* Backend listing (poundctl list /L/I/B) */}}
...
{{end}}
Structures of each object are discussed in subsections that follow.
10.3.4.1 Full listing
.....................
A full listing contains the following attributes:
'listeners'
An array of "listener" objects. See below for a description.
'services'
An array of "service" objects, representing services defined in the
global scope of the 'pound' configuration file.
'pid'
PID of the running 'pound' daemon.
'version'
'Pound' version number (string).
'workers'
Workers statistics. This is a JSON object with the following
attributes:
'active'
Number of active threads.
'count'
Number of threads currently running.
'max'
Maximum number of threads.
'min'
Minimum number of threads.
'timeout'
Thread idle timeout.
'queue_len'
Number of incoming HTTP requests in the queue (integer).
'timestamp'
Current time on the server, formatted as ISO 8601 date-time with
microsecond precision, e.g.: '2023-01-05T22:43:18.071559'.
10.3.4.2 Listener
.................
A "listener" object represents a single HTTP or HTTPS listener in
'pound' configuration. It has the following attributes:
'address'
Address of this listener. A string formatted as 'IP:PORT'. for
IPv4 and IPv6 addresses or containing a socket file name, for UNIX
sockets.
'protocol'
Protocol used: either 'http' or 'https'.
'services'
Array of "service" objects representing services defined in this
listener. See below for the definition of a "service" object.
'enabled'
Boolean. Whether this listener is enabled or not.
'nohttps11'
Value of the 'NoHTTPS11' configuration statement for this listener
(*note NoHTTPS11: ListenHTTPS.). One of: 0, 1, 2.
10.3.4.3 Service
................
A "service" object describes a single service.
'name'
Symbolic name of this service.
'enabled'
Boolean. Whether this service is enabled or not.
'tot_pri'
Sum of priority values of active backends in this service.
'abs_pri'
Sum of priority values of all defined backends in this service.
'session_type'
Name of the session handling algorithm for this service. One of:
'IP', 'BASIC', 'URL', 'PARM', 'COOKIE', 'HEADER'.
'sessions'
List of active sessions in this service. Each session is
represented as object with the following attributes:
'key'
Session key (string).
'backend'
Ordinal number of the backend assigned to handle requests with
this session.
'expire'
Expiration time of this session, formatted as
'1970-01-01T00:00:00.000000' (with microsecond precision).
'backends'
List of "backends" defined for this service.
'emergency'
Emergency "backend" object, or 'null' if no such backend is
defined.
10.3.4.4 Backend
................
The following attributes are always present in each "backend" object:
'alive'
Whether or not this backend is alive.
'conn_to'
Connection timeout for this backend (seconds).
'enabled'
Whether or not this backend is enabled.
'io_to'
I/O timeout for this backend (seconds).
'priority'
Priority value assigned to this backend.
'protocol'
Protocol used by this backend: either 'http' or 'https'.
'type'
Backend type. One of: 'acme', 'backend', 'control', 'redirect'.
'ws_to'
Websocket timeout (seconds).
Depending on the backend type, the following attributes may be
present:
'acme'
An object of the following structure:
'path'
Directory where ACME challenges are stored.
'backend'
Object:
'address'
Backend address.
'redirect'
Object:
'url'
URL to redirect to.
'code'
HTTP code for redirection responses. One of: 301, 302, 307.
'redir_req'
Boolean: whether to append the original request path to the
resulting location.
If backend statistics is enabled (*note BackendStats::), the 'stats'
object will be present, with the following attributes:
'request_count'
Total number of requests processed by this backend.
'request_time_avg'
Average time per request, in nanoseconds.
'request_time_stddev'
Standard deviation of the above.
Appendix A Metric Families
**************************
This appendix describes metric families returned in the output of
"openmetrics" 'pound' backends (*note Metrics::).
-- Metric family: gauge pound_workers
Number of pound workers (*note Worker model::). Indexed by types:
'active'
Number of workers currently active.
'count'
Number of workers running (both idle and active).
'min'
Minimum number of workers as set by the 'WorkerMinCount'
configuration directive (*note WorkerMinCount: Global
directives.).
'max'
Maximum number of workers as set by the 'WorkerMaxCount'
configuration directive (*note WorkerMaxCount: Global
directives.).
Example:
pound_workers{type="active"} 2
pound_workers{type="count"} 5
pound_workers{type="max"} 128
pound_workers{type="min"} 5
-- Metric family: stateset pound_listener_enabled
State of a listener: enabled/disabled. Indexed by the listener
ordinal number.
pound_listener_enabled{listener="0"} 1
pound_listener_enabled{listener="1"} 0
pound_listener_enabled{listener="2"} 1
-- Metric family: info pound_listener_info
Description of a listener. Each instance contains the following
indices:
'listener'
Listener ordinal number.
'name'
Listener name, as set in the 'ListenHTTP' or 'ListenHTTPS'
statement (*note ListenHTTP::).
'address'
Listener address. For INET family, it is formatted as
'IP:PORT', for UNIX sockets, it is the pathname of the socket.
'protocol'
Either 'http' or 'https'.
The value of this metrics is always '1'.
pound_listener_info{listener="0",name="",address="/run/pound.sock",protocol="http"} 1
pound_listener_info{listener="1",name="plain",address="0.0.0.0:80",protocol="http"} 1
pound_listener_info{listener="2",name="tls",address="0.0.0.0:443",protocol="https"} 1
-- Metric family: info pound_service_info
Description of a service. Indices:
'listener'
Listener ordinal number. This index is absent for globally
defined services.
'service'
Index of the service in listener (or in global configuration,
for globally defined services).
'name'
Service name as set in the 'Service' definition (*note
Service::).
pound_service_info{listener="0",service="0",name=""} 1
pound_service_info{listener="1",service="0",name=""} 1
pound_service_info{listener="1",service="1",name="redirect"} 1
pound_service_info{listener="2",service="0",name="metrics"} 1
pound_service_info{listener="2",service="1",name="web"} 1
pound_service_info{service="0",name="fallback"} 1
-- Metric family: stateset pound_service_enabled
State of a particular service.
pound_service_enabled{listener="0",service="0"} 1
pound_service_enabled{listener="1",service="0"} 1
pound_service_enabled{listener="2",service="0"} 1
pound_service_enabled{service="0"} 1
-- Metric family: gauge pound_service_pri
Service priority value. This is the sum of priorities of all
backends defined in the service (*note Balancer::). Indexes:
'listener'
Listener ordinal number. This index is absent for globally
defined services.
'service'
Index of the service in listener (or in global configuration,
for globally defined services).
'entity'
If 'total', the metrics contains the sum of priorities of all
currently active backends, if 'absolute', the sum of
priorities of all backends, both active and inactive.
pound_service_pri{listener="0",service="0",entity="total"} 10
pound_service_pri{listener="0",service="0",entity="absolute"} 15
pound_service_pri{service="0",entity="total"} 1
pound_service_pri{service="0",entity="absolute"} 1
-- Metric family: gauge pound_backends
Number of backends per service: total, alive, enabled, and active
(both alive and enabled). Indices:
'listener'
Listener ordinal number. This index is absent for globally
defined services.
'service'
Index of the service in listener (or in global configuration,
for globally defined services).
'state'
Backend state: 'total', 'alive', 'enabled', or 'active'.
Example:
pound_backends{listener="0",service="0",state="total"} 5
pound_backends{listener="0",service="0",state="enabled"} 3
pound_backends{listener="0",service="0",state="alive"} 3
pound_backends{service="0",state="total"} 1
pound_backends{service="0",state="enabled"} 1
pound_backends{service="0",state="alive"} 1
-- Metric family: stateset pound_backend_state
State of each backend. Indices:
'listener'
Listener ordinal number. This index is absent for globally
defined services.
'service'
Index of the service in listener (or in global configuration,
for globally defined services).
'backend'
Index of the backend in service.
'state'
'enabled': whether the backend is enabled or not.
'alive': whether the backend is alive or not.
Example:
pound_backend_state{listener="0",service="0",backend="0",state="alive"} 1
pound_backend_state{listener="0",service="0",backend="0",state="enabled"} 1
pound_backend_state{listener="0",service="0",backend="1",state="alive"} 1
pound_backend_state{listener="0",service="0",backend="1",state="enabled"} 0
-- Metric family: gauge pound_backend_requests
Number of requests processed by backend. This metrics is available
only if backend statistics is enabled (*note BackendStats::).
Example:
pound_backend_requests{listener="0",service="0",backend="0"} 40587
pound_backend_requests{listener="1",service="0",backend="0"} 13858
-- Metric family: gauge pound_backend_request_time_avg_nanoseconds
Average time per request spent in backend (nanoseconds). This
metrics is available only if backend statistics is enabled (*note
BackendStats::).
pound_backend_request_time_avg_nanoseconds{listener="0",service="0",backend="0"} 156254
pound_backend_request_time_avg_nanoseconds{listener="1",service="2",backend="0"} 26147
-- Metric family: gauge pound_backend_request_stddev_nanoseconds
Standard deviation of the average time per request. This metrics
is available only if backend statistics is enabled (*note
BackendStats::).
pound_backend_request_stddev_nanoseconds{listener="0",service="0",backend="0"} 0
pound_backend_request_stddev_nanoseconds{listener="1",service="2",backend="0"} 59
Appendix B Time and Date Formats
********************************
This appendix documents the time format specifications understood by the
'%{FORMAT}t' log format conversion. Essentially, it is a reproduction
of the man page for GNU 'strftime' function.
Ordinary characters placed in the format string are reproduced
without conversion. Conversion specifiers are introduced by a '%'
character, and are replaced as follows:
%a The abbreviated weekday name according to the
current locale.
%A The full weekday name according to the current
locale.
%b The abbreviated month name according to the
current locale.
%B The full month name according to the current
locale.
%c The preferred date and time representation for
the current locale.
%C The century number (year/100) as a 2-digit
integer.
%d The day of the month as a decimal number (range
01 to 31).
%D Equivalent to '%m/%d/%y'.
%e Like '%d', the day of the month as a decimal
number, but a leading zero is replaced by a
space.
%E Modifier: use alternative format, see below
(*note conversion specs::).
%F Equivalent to '%Y-%m-%d' (the ISO 8601 date
format).
%G The ISO 8601 year with century as a decimal
number. The 4-digit year corresponding to the
ISO week number (see '%V'). This has the same
format and value as '%y', except that if the ISO
week number belongs to the previous or next
year, that year is used instead.
%g Like '%G', but without century, i.e., with a
2-digit year (00-99).
%h Equivalent to '%b'.
%H The hour as a decimal number using a 24-hour
clock (range 00 to 23).
%I The hour as a decimal number using a 12-hour
clock (range 01 to 12).
%j The day of the year as a decimal number (range
001 to 366).
%k The hour (24-hour clock) as a decimal number
(range 0 to 23); single digits are preceded by a
blank. (See also '%H'.)
%l The hour (12-hour clock) as a decimal number
(range 1 to 12); single digits are preceded by a
blank. (See also '%I'.)
%m The month as a decimal number (range 01 to 12).
%M The minute as a decimal number (range 00 to 59).
%n A newline character.
%O Modifier: use alternative format, see below
(*note conversion specs::).
%p Either 'AM' or 'PM' according to the given time
value, or the corresponding strings for the
current locale. Noon is treated as 'pm' and
midnight as 'am'.
%P Like '%p' but in lowercase: 'am' or 'pm' or a
corresponding string for the current locale.
%r The time in 'a.m.' or 'p.m.' notation. In the
POSIX locale this is equivalent to '%I:%M:%S
%p'.
%R The time in 24-hour notation ('%H:%M'). For a
version including the seconds, see '%T' below.
%s The number of seconds since the Epoch, i.e.,
since 1970-01-01 00:00:00 UTC.
%S The second as a decimal number (range 00 to 61).
%t A tab character.
%T The time in 24-hour notation ('%H:%M:%S').
%u The day of the week as a decimal, range 1 to 7,
Monday being 1. See also '%w'.
%U The week number of the current year as a decimal
number, range 00 to 53, starting with the first
Sunday as the first day of week 01. See also
'%V' and '%W'.
%V The ISO 8601:1988 week number of the current
year as a decimal number, range 01 to 53, where
week 1 is the first week that has at least 4
days in the current year, and with Monday as the
first day of the week. See also '%U' and '%W'.
%w The day of the week as a decimal, range 0 to 6,
Sunday being 0. See also '%u'.
%W The week number of the current year as a decimal
number, range 00 to 53, starting with the first
Monday as the first day of week 01.
%x The preferred date representation for the
current locale without the time.
%X The preferred time representation for the
current locale without the date.
%y The year as a decimal number without a century
(range 00 to 99).
%Y The year as a decimal number including the
century.
%z The time-zone as hour offset from GMT. Required
to emit RFC822-conformant dates (using '%a, %d
%b %Y %H:%M:%S %z')
%Z The time zone or name or abbreviation.
%+ The date and time in 'date(1)' format.
%% A literal '%' character.
Some conversion specifiers can be modified by preceding them by the
'E' or 'O' modifier to indicate that an alternative format should be
used. If the alternative format or specification does not exist for the
current locale, the behaviour will be as if the unmodified conversion
specification were used. The Single Unix Specification mentions '%Ec',
'%EC', '%Ex', '%EX', '%Ry', '%EY', '%Od', '%Oe', '%OH', '%OI', '%Om',
'%OM', '%OS', '%Ou', '%OU', '%OV', '%Ow', '%OW', '%Oy', where the effect
of the 'O' modifier is to use alternative numeric symbols (say, roman
numerals), and that of the 'E' modifier is to use a locale-dependent
alternative representation.
Appendix C GNU Free Documentation License
*****************************************
Version 1.3, 3 November 2008
Copyright (C) 2000, 2001, 2002, 2007, 2008 Free Software Foundation, Inc.
Everyone is permitted to copy and distribute verbatim copies
of this license document, but changing it is not allowed.
0. PREAMBLE
The purpose of this License is to make a manual, textbook, or other
functional and useful document "free" in the sense of freedom: to
assure everyone the effective freedom to copy and redistribute it,
with or without modifying it, either commercially or
noncommercially. Secondarily, this License preserves for the
author and publisher a way to get credit for their work, while not
being considered responsible for modifications made by others.
This License is a kind of "copyleft", which means that derivative
works of the document must themselves be free in the same sense.
It complements the GNU General Public License, which is a copyleft
license designed for free software.
We have designed this License in order to use it for manuals for
free software, because free software needs free documentation: a
free program should come with manuals providing the same freedoms
that the software does. But this License is not limited to
software manuals; it can be used for any textual work, regardless
of subject matter or whether it is published as a printed book. We
recommend this License principally for works whose purpose is
instruction or reference.
1. APPLICABILITY AND DEFINITIONS
This License applies to any manual or other work, in any medium,
that contains a notice placed by the copyright holder saying it can
be distributed under the terms of this License. Such a notice
grants a world-wide, royalty-free license, unlimited in duration,
to use that work under the conditions stated herein. The
"Document", below, refers to any such manual or work. Any member
of the public is a licensee, and is addressed as "you". You accept
the license if you copy, modify or distribute the work in a way
requiring permission under copyright law.
A "Modified Version" of the Document means any work containing the
Document or a portion of it, either copied verbatim, or with
modifications and/or translated into another language.
A "Secondary Section" is a named appendix or a front-matter section
of the Document that deals exclusively with the relationship of the
publishers or authors of the Document to the Document's overall
subject (or to related matters) and contains nothing that could
fall directly within that overall subject. (Thus, if the Document
is in part a textbook of mathematics, a Secondary Section may not
explain any mathematics.) The relationship could be a matter of
historical connection with the subject or with related matters, or
of legal, commercial, philosophical, ethical or political position
regarding them.
The "Invariant Sections" are certain Secondary Sections whose
titles are designated, as being those of Invariant Sections, in the
notice that says that the Document is released under this License.
If a section does not fit the above definition of Secondary then it
is not allowed to be designated as Invariant. The Document may
contain zero Invariant Sections. If the Document does not identify
any Invariant Sections then there are none.
The "Cover Texts" are certain short passages of text that are
listed, as Front-Cover Texts or Back-Cover Texts, in the notice
that says that the Document is released under this License. A
Front-Cover Text may be at most 5 words, and a Back-Cover Text may
be at most 25 words.
A "Transparent" copy of the Document means a machine-readable copy,
represented in a format whose specification is available to the
general public, that is suitable for revising the document
straightforwardly with generic text editors or (for images composed
of pixels) generic paint programs or (for drawings) some widely
available drawing editor, and that is suitable for input to text
formatters or for automatic translation to a variety of formats
suitable for input to text formatters. A copy made in an otherwise
Transparent file format whose markup, or absence of markup, has
been arranged to thwart or discourage subsequent modification by
readers is not Transparent. An image format is not Transparent if
used for any substantial amount of text. A copy that is not
"Transparent" is called "Opaque".
Examples of suitable formats for Transparent copies include plain
ASCII without markup, Texinfo input format, LaTeX input format,
SGML or XML using a publicly available DTD, and standard-conforming
simple HTML, PostScript or PDF designed for human modification.
Examples of transparent image formats include PNG, XCF and JPG.
Opaque formats include proprietary formats that can be read and
edited only by proprietary word processors, SGML or XML for which
the DTD and/or processing tools are not generally available, and
the machine-generated HTML, PostScript or PDF produced by some word
processors for output purposes only.
The "Title Page" means, for a printed book, the title page itself,
plus such following pages as are needed to hold, legibly, the
material this License requires to appear in the title page. For
works in formats which do not have any title page as such, "Title
Page" means the text near the most prominent appearance of the
work's title, preceding the beginning of the body of the text.
The "publisher" means any person or entity that distributes copies
of the Document to the public.
A section "Entitled XYZ" means a named subunit of the Document
whose title either is precisely XYZ or contains XYZ in parentheses
following text that translates XYZ in another language. (Here XYZ
stands for a specific section name mentioned below, such as
"Acknowledgements", "Dedications", "Endorsements", or "History".)
To "Preserve the Title" of such a section when you modify the
Document means that it remains a section "Entitled XYZ" according
to this definition.
The Document may include Warranty Disclaimers next to the notice
which states that this License applies to the Document. These
Warranty Disclaimers are considered to be included by reference in
this License, but only as regards disclaiming warranties: any other
implication that these Warranty Disclaimers may have is void and
has no effect on the meaning of this License.
2. VERBATIM COPYING
You may copy and distribute the Document in any medium, either
commercially or noncommercially, provided that this License, the
copyright notices, and the license notice saying this License
applies to the Document are reproduced in all copies, and that you
add no other conditions whatsoever to those of this License. You
may not use technical measures to obstruct or control the reading
or further copying of the copies you make or distribute. However,
you may accept compensation in exchange for copies. If you
distribute a large enough number of copies you must also follow the
conditions in section 3.
You may also lend copies, under the same conditions stated above,
and you may publicly display copies.
3. COPYING IN QUANTITY
If you publish printed copies (or copies in media that commonly
have printed covers) of the Document, numbering more than 100, and
the Document's license notice requires Cover Texts, you must
enclose the copies in covers that carry, clearly and legibly, all
these Cover Texts: Front-Cover Texts on the front cover, and
Back-Cover Texts on the back cover. Both covers must also clearly
and legibly identify you as the publisher of these copies. The
front cover must present the full title with all words of the title
equally prominent and visible. You may add other material on the
covers in addition. Copying with changes limited to the covers, as
long as they preserve the title of the Document and satisfy these
conditions, can be treated as verbatim copying in other respects.
If the required texts for either cover are too voluminous to fit
legibly, you should put the first ones listed (as many as fit
reasonably) on the actual cover, and continue the rest onto
adjacent pages.
If you publish or distribute Opaque copies of the Document
numbering more than 100, you must either include a machine-readable
Transparent copy along with each Opaque copy, or state in or with
each Opaque copy a computer-network location from which the general
network-using public has access to download using public-standard
network protocols a complete Transparent copy of the Document, free
of added material. If you use the latter option, you must take
reasonably prudent steps, when you begin distribution of Opaque
copies in quantity, to ensure that this Transparent copy will
remain thus accessible at the stated location until at least one
year after the last time you distribute an Opaque copy (directly or
through your agents or retailers) of that edition to the public.
It is requested, but not required, that you contact the authors of
the Document well before redistributing any large number of copies,
to give them a chance to provide you with an updated version of the
Document.
4. MODIFICATIONS
You may copy and distribute a Modified Version of the Document
under the conditions of sections 2 and 3 above, provided that you
release the Modified Version under precisely this License, with the
Modified Version filling the role of the Document, thus licensing
distribution and modification of the Modified Version to whoever
possesses a copy of it. In addition, you must do these things in
the Modified Version:
A. Use in the Title Page (and on the covers, if any) a title
distinct from that of the Document, and from those of previous
versions (which should, if there were any, be listed in the
History section of the Document). You may use the same title
as a previous version if the original publisher of that
version gives permission.
B. List on the Title Page, as authors, one or more persons or
entities responsible for authorship of the modifications in
the Modified Version, together with at least five of the
principal authors of the Document (all of its principal
authors, if it has fewer than five), unless they release you
from this requirement.
C. State on the Title page the name of the publisher of the
Modified Version, as the publisher.
D. Preserve all the copyright notices of the Document.
E. Add an appropriate copyright notice for your modifications
adjacent to the other copyright notices.
F. Include, immediately after the copyright notices, a license
notice giving the public permission to use the Modified
Version under the terms of this License, in the form shown in
the Addendum below.
G. Preserve in that license notice the full lists of Invariant
Sections and required Cover Texts given in the Document's
license notice.
H. Include an unaltered copy of this License.
I. Preserve the section Entitled "History", Preserve its Title,
and add to it an item stating at least the title, year, new
authors, and publisher of the Modified Version as given on the
Title Page. If there is no section Entitled "History" in the
Document, create one stating the title, year, authors, and
publisher of the Document as given on its Title Page, then add
an item describing the Modified Version as stated in the
previous sentence.
J. Preserve the network location, if any, given in the Document
for public access to a Transparent copy of the Document, and
likewise the network locations given in the Document for
previous versions it was based on. These may be placed in the
"History" section. You may omit a network location for a work
that was published at least four years before the Document
itself, or if the original publisher of the version it refers
to gives permission.
K. For any section Entitled "Acknowledgements" or "Dedications",
Preserve the Title of the section, and preserve in the section
all the substance and tone of each of the contributor
acknowledgements and/or dedications given therein.
L. Preserve all the Invariant Sections of the Document, unaltered
in their text and in their titles. Section numbers or the
equivalent are not considered part of the section titles.
M. Delete any section Entitled "Endorsements". Such a section
may not be included in the Modified Version.
N. Do not retitle any existing section to be Entitled
"Endorsements" or to conflict in title with any Invariant
Section.
O. Preserve any Warranty Disclaimers.
If the Modified Version includes new front-matter sections or
appendices that qualify as Secondary Sections and contain no
material copied from the Document, you may at your option designate
some or all of these sections as invariant. To do this, add their
titles to the list of Invariant Sections in the Modified Version's
license notice. These titles must be distinct from any other
section titles.
You may add a section Entitled "Endorsements", provided it contains
nothing but endorsements of your Modified Version by various
parties--for example, statements of peer review or that the text
has been approved by an organization as the authoritative
definition of a standard.
You may add a passage of up to five words as a Front-Cover Text,
and a passage of up to 25 words as a Back-Cover Text, to the end of
the list of Cover Texts in the Modified Version. Only one passage
of Front-Cover Text and one of Back-Cover Text may be added by (or
through arrangements made by) any one entity. If the Document
already includes a cover text for the same cover, previously added
by you or by arrangement made by the same entity you are acting on
behalf of, you may not add another; but you may replace the old
one, on explicit permission from the previous publisher that added
the old one.
The author(s) and publisher(s) of the Document do not by this
License give permission to use their names for publicity for or to
assert or imply endorsement of any Modified Version.
5. COMBINING DOCUMENTS
You may combine the Document with other documents released under
this License, under the terms defined in section 4 above for
modified versions, provided that you include in the combination all
of the Invariant Sections of all of the original documents,
unmodified, and list them all as Invariant Sections of your
combined work in its license notice, and that you preserve all
their Warranty Disclaimers.
The combined work need only contain one copy of this License, and
multiple identical Invariant Sections may be replaced with a single
copy. If there are multiple Invariant Sections with the same name
but different contents, make the title of each such section unique
by adding at the end of it, in parentheses, the name of the
original author or publisher of that section if known, or else a
unique number. Make the same adjustment to the section titles in
the list of Invariant Sections in the license notice of the
combined work.
In the combination, you must combine any sections Entitled
"History" in the various original documents, forming one section
Entitled "History"; likewise combine any sections Entitled
"Acknowledgements", and any sections Entitled "Dedications". You
must delete all sections Entitled "Endorsements."
6. COLLECTIONS OF DOCUMENTS
You may make a collection consisting of the Document and other
documents released under this License, and replace the individual
copies of this License in the various documents with a single copy
that is included in the collection, provided that you follow the
rules of this License for verbatim copying of each of the documents
in all other respects.
You may extract a single document from such a collection, and
distribute it individually under this License, provided you insert
a copy of this License into the extracted document, and follow this
License in all other respects regarding verbatim copying of that
document.
7. AGGREGATION WITH INDEPENDENT WORKS
A compilation of the Document or its derivatives with other
separate and independent documents or works, in or on a volume of a
storage or distribution medium, is called an "aggregate" if the
copyright resulting from the compilation is not used to limit the
legal rights of the compilation's users beyond what the individual
works permit. When the Document is included in an aggregate, this
License does not apply to the other works in the aggregate which
are not themselves derivative works of the Document.
If the Cover Text requirement of section 3 is applicable to these
copies of the Document, then if the Document is less than one half
of the entire aggregate, the Document's Cover Texts may be placed
on covers that bracket the Document within the aggregate, or the
electronic equivalent of covers if the Document is in electronic
form. Otherwise they must appear on printed covers that bracket
the whole aggregate.
8. TRANSLATION
Translation is considered a kind of modification, so you may
distribute translations of the Document under the terms of section
4. Replacing Invariant Sections with translations requires special
permission from their copyright holders, but you may include
translations of some or all Invariant Sections in addition to the
original versions of these Invariant Sections. You may include a
translation of this License, and all the license notices in the
Document, and any Warranty Disclaimers, provided that you also
include the original English version of this License and the
original versions of those notices and disclaimers. In case of a
disagreement between the translation and the original version of
this License or a notice or disclaimer, the original version will
prevail.
If a section in the Document is Entitled "Acknowledgements",
"Dedications", or "History", the requirement (section 4) to
Preserve its Title (section 1) will typically require changing the
actual title.
9. TERMINATION
You may not copy, modify, sublicense, or distribute the Document
except as expressly provided under this License. Any attempt
otherwise to copy, modify, sublicense, or distribute it is void,
and will automatically terminate your rights under this License.
However, if you cease all violation of this License, then your
license from a particular copyright holder is reinstated (a)
provisionally, unless and until the copyright holder explicitly and
finally terminates your license, and (b) permanently, if the
copyright holder fails to notify you of the violation by some
reasonable means prior to 60 days after the cessation.
Moreover, your license from a particular copyright holder is
reinstated permanently if the copyright holder notifies you of the
violation by some reasonable means, this is the first time you have
received notice of violation of this License (for any work) from
that copyright holder, and you cure the violation prior to 30 days
after your receipt of the notice.
Termination of your rights under this section does not terminate
the licenses of parties who have received copies or rights from you
under this License. If your rights have been terminated and not
permanently reinstated, receipt of a copy of some or all of the
same material does not give you any rights to use it.
10. FUTURE REVISIONS OF THIS LICENSE
The Free Software Foundation may publish new, revised versions of
the GNU Free Documentation License from time to time. Such new
versions will be similar in spirit to the present version, but may
differ in detail to address new problems or concerns. See
.
Each version of the License is given a distinguishing version
number. If the Document specifies that a particular numbered
version of this License "or any later version" applies to it, you
have the option of following the terms and conditions either of
that specified version or of any later version that has been
published (not as a draft) by the Free Software Foundation. If the
Document does not specify a version number of this License, you may
choose any version ever published (not as a draft) by the Free
Software Foundation. If the Document specifies that a proxy can
decide which future versions of this License can be used, that
proxy's public statement of acceptance of a version permanently
authorizes you to choose that version for the Document.
11. RELICENSING
"Massive Multiauthor Collaboration Site" (or "MMC Site") means any
World Wide Web server that publishes copyrightable works and also
provides prominent facilities for anybody to edit those works. A
public wiki that anybody can edit is an example of such a server.
A "Massive Multiauthor Collaboration" (or "MMC") contained in the
site means any set of copyrightable works thus published on the MMC
site.
"CC-BY-SA" means the Creative Commons Attribution-Share Alike 3.0
license published by Creative Commons Corporation, a not-for-profit
corporation with a principal place of business in San Francisco,
California, as well as future copyleft versions of that license
published by that same organization.
"Incorporate" means to publish or republish a Document, in whole or
in part, as part of another Document.
An MMC is "eligible for relicensing" if it is licensed under this
License, and if all works that were first published under this
License somewhere other than this MMC, and subsequently
incorporated in whole or in part into the MMC, (1) had no cover
texts or invariant sections, and (2) were thus incorporated prior
to November 1, 2008.
The operator of an MMC Site may republish an MMC contained in the
site under CC-BY-SA on the same site at any time before August 1,
2009, provided the MMC is eligible for relicensing.
ADDENDUM: How to use this License for your documents
====================================================
To use this License in a document you have written, include a copy of
the License in the document and put the following copyright and license
notices just after the title page:
Copyright (C) YEAR YOUR NAME.
Permission is granted to copy, distribute and/or modify this document
under the terms of the GNU Free Documentation License, Version 1.3
or any later version published by the Free Software Foundation;
with no Invariant Sections, no Front-Cover Texts, and no Back-Cover
Texts. A copy of the license is included in the section entitled ``GNU
Free Documentation License''.
If you have Invariant Sections, Front-Cover Texts and Back-Cover
Texts, replace the "with...Texts." line with this:
with the Invariant Sections being LIST THEIR TITLES, with
the Front-Cover Texts being LIST, and with the Back-Cover Texts
being LIST.
If you have Invariant Sections without Cover Texts, or some other
combination of the three, merge those two alternatives to suit the
situation.
If your document contains nontrivial examples of program code, we
recommend releasing these examples in parallel under your choice of free
software license, such as the GNU General Public License, to permit
their use in free software.
Index
*****
* Menu:
* %%: Logging. (line 1327)
* %>s: Logging. (line 1431)
* %a: Logging. (line 1330)
* %A: Logging. (line 1369)
* %B: Logging. (line 1372)
* %b: Logging. (line 1375)
* %D: Logging. (line 1379)
* %h: Logging. (line 1382)
* %H: Logging. (line 1385)
* %m: Logging. (line 1411)
* %P: Logging. (line 1418)
* %q: Logging. (line 1421)
* %r: Logging. (line 1425)
* %s: Logging. (line 1428)
* %t: Logging. (line 1434)
* %T: Logging. (line 1458)
* %u: Logging. (line 1468)
* %U: Logging. (line 1471)
* %v: Logging. (line 1475)
* %{FORMAT}t: Logging. (line 1438)
* %{HDR}i: Logging. (line 1388)
* %{HDR}I: Logging. (line 1392)
* %{OBJ}L: Logging. (line 1396)
* %{OBJ}N: Logging. (line 1414)
* %{UNIT}T: Logging. (line 1461)
* -beg, DeleteHeader option: Request Modification.
(line 2339)
* -beg, header matching flag: Rewrite. (line 2497)
* -c: Usage. (line 252)
* -case, DeleteHeader option: Request Modification.
(line 2343)
* -case, header matching flag: Rewrite. (line 2501)
* -contain, DeleteHeader option: Request Modification.
(line 2345)
* -contain, header matching flag: Rewrite. (line 2503)
* -e: Usage. (line 256)
* -end, DeleteHeader option: Request Modification.
(line 2348)
* -end, header matching flag: Rewrite. (line 2506)
* -exact, DeleteHeader option: Request Modification.
(line 2350)
* -exact, header matching flag: Rewrite. (line 2508)
* -F: Usage. (line 262)
* -f: Usage. (line 269)
* -f, poundctl: poundctl options. (line 3449)
* -file, header matching flag: Rewrite. (line 2510)
* -h: Usage. (line 273)
* -h, poundctl: poundctl options. (line 3459)
* -i, poundctl: poundctl options. (line 3453)
* -icase, DeleteHeader option: Request Modification.
(line 2352)
* -icase, header matching flag: Rewrite. (line 2520)
* -j, poundctl: poundctl options. (line 3456)
* -p: Usage. (line 276)
* -pcre, DeleteHeader option: Request Modification.
(line 2354)
* -pcre, header matching flag: Rewrite. (line 2521)
* -perl, DeleteHeader option: Request Modification.
(line 2357)
* -perl, header matching flag: Rewrite. (line 2524)
* -posix, DeleteHeader option: Request Modification.
(line 2359)
* -posix, header matching flag: Rewrite. (line 2526)
* -re, DeleteHeader option: Request Modification.
(line 2362)
* -re, header matching flag: Rewrite. (line 2529)
* -s, poundctl: poundctl options. (line 3462)
* -T, poundctl: poundctl options. (line 3465)
* -t, poundctl: poundctl options. (line 3468)
* -v: Usage. (line 281)
* -V: Usage. (line 292)
* -V, poundctl: poundctl options. (line 3471)
* -v, poundctl: poundctl options. (line 3474)
* -W: Usage. (line 298)
* /etc/services: Listener address. (line 2119)
* 400: Error definitions. (line 2207)
* 401: Error definitions. (line 2212)
* 403: Error definitions. (line 2219)
* 404: Error definitions. (line 2224)
* 405: Error definitions. (line 2228)
* 413: Error definitions. (line 2233)
* 414: Error definitions. (line 2238)
* 500: Error definitions. (line 2243)
* 501: Error definitions. (line 2248)
* 503: Error definitions. (line 2252)
* ACL: ACL definition. (line 1888)
* ACL <1>: Rewrite. (line 2413)
* ACL <2>: Rewrite. (line 2420)
* ACL <3>: Service Selection Statements.
(line 2828)
* ACL <4>: Service Selection Statements.
(line 2835)
* ACME: Service definitions.
(line 2670)
* add: poundctl commands. (line 3441)
* add <1>: Pipelines. (line 3769)
* AddHeader: Request Modification.
(line 2318)
* AddHeader <1>: Service Request and Response Modification.
(line 2954)
* Address: Listener address. (line 2108)
* Address <1>: Backend. (line 3080)
* Alive: Timeouts. (line 2046)
* all, log suppression: Service Logging. (line 3050)
* and: Pipelines. (line 3704)
* and, logical: Service selection. (line 503)
* Anonymise: Logging configuration.
(line 1993)
* Anonymize: Logging configuration.
(line 1994)
* Apsis: Overview. (line 108)
* authentication, basic: Authentication. (line 756)
* backend: Introduction. (line 180)
* Backend: Backend. (line 3064)
* backend, external: Redirects. (line 827)
* backend, regular: Introduction. (line 180)
* backend, special: Redirects. (line 827)
* BackendStats: Proxy Tuning. (line 1773)
* backreference expansion: Request modifications.
(line 635)
* Balancer: Balancer. (line 1129)
* Balancer <1>: Proxy Tuning. (line 1784)
* Balancer <2>: Other Statements. (line 3318)
* balancing: Balancer. (line 1068)
* balancing strategy: Balancer. (line 1076)
* basic authentication: Authentication. (line 756)
* BASIC, session type: Session. (line 3276)
* BasicAuth: Authentication. (line 769)
* BasicAuth <1>: Rewrite. (line 2431)
* BasicAuth <2>: Service Selection Statements.
(line 2846)
* boolean value, configuration file: Lexical structure. (line 1537)
* CAlist: ListenHTTPS. (line 2764)
* case insensitive match, DeleteHeader: Request Modification.
(line 2343)
* case insensitive match, headers: Rewrite. (line 2501)
* case sensitive match, DeleteHeader: Request Modification.
(line 2352)
* case sensitive match, headers: Rewrite. (line 2520)
* Cert: ListenHTTPS. (line 2696)
* Cert <1>: Backend. (line 3136)
* challenge directory, ACME: ACME. (line 966)
* challenges, ACME: ACME. (line 959)
* ChangeOwner: Control socket. (line 2027)
* CheckURL: Listener-specific limits.
(line 2153)
* Ciphers: ListenHTTPS. (line 2743)
* Ciphers <1>: Backend. (line 3141)
* Client: Timeouts. (line 2054)
* Client <1>: Listener-specific limits.
(line 2132)
* ClientCert: ListenHTTPS. (line 2718)
* clterr, log suppression: Service Logging. (line 3042)
* combined, built-in format: Logging. (line 1499)
* combined, request logging: Logging. (line 1303)
* comments, configuration file: Lexical structure. (line 1523)
* compound statement: Syntax. (line 1586)
* conditions, joining: Service selection. (line 478)
* conjunction, implicit: Service selection. (line 478)
* conjunction, logical: Service selection. (line 503)
* ConnTO: Timeouts. (line 2067)
* ConnTO <1>: Backend. (line 3116)
* Control: Control socket. (line 2011)
* control socket: Control socket. (line 2002)
* COOKIE, session type: Session. (line 3291)
* CRLlist: ListenHTTPS. (line 2780)
* custom log format: Logging. (line 1310)
* Daemon: Runtime directives. (line 1694)
* delete: poundctl commands. (line 3437)
* DeleteHeader: Request Modification.
(line 2327)
* DeleteHeader <1>: rewrite response. (line 2644)
* DeleteHeader <2>: Service Request and Response Modification.
(line 2963)
* detailed, built-in format: Logging. (line 1503)
* detailed, request logging: Logging. (line 1307)
* directive: Syntax. (line 1576)
* Disable: ListenHTTPS. (line 2731)
* Disable <1>: Backend. (line 3147)
* disable: poundctl commands. (line 3429)
* disable <1>: poundctl commands. (line 3430)
* disable <2>: poundctl commands. (line 3431)
* Disabled: Backend. (line 3091)
* Disabled <1>: Other Statements. (line 3312)
* disjunction, logical: Service selection. (line 495)
* div: Pipelines. (line 3778)
* dns: Usage. (line 309)
* ECDHcurve: SSL Settings. (line 1851)
* Emergency: Special Backends. (line 3246)
* enable: poundctl commands. (line 3421)
* enable <1>: poundctl commands. (line 3422)
* enable <2>: poundctl commands. (line 3423)
* eq: Pipelines. (line 3728)
* Err400: Error definitions. (line 2193)
* Err401: Error definitions. (line 2193)
* Err403: Error definitions. (line 2193)
* Err404: Error definitions. (line 2193)
* Err413: Error definitions. (line 2193)
* Err414: Error definitions. (line 2193)
* Err500: Error definitions. (line 2193)
* Err501: Error definitions. (line 2193)
* Err503: Error definitions. (line 2193)
* Error: Special Backends. (line 3186)
* ErrorFile: Error definitions. (line 2186)
* escape character: Lexical structure. (line 1541)
* even: Pipelines. (line 3748)
* exact match, DeleteHeader: Request Modification.
(line 2350)
* exact match, headers: Rewrite. (line 2508)
* exists: Pipelines. (line 3765)
* expansion, backreference: Request modifications.
(line 635)
* extended, built-in format: Logging. (line 1491)
* extended, request logging: Logging. (line 1294)
* file lookup, headers: Rewrite. (line 2510)
* ForwardedHeader: Logging configuration.
(line 1966)
* ForwardedHeader <1>: Listener logging. (line 2276)
* ForwardedHeader <2>: Service Logging. (line 2997)
* Frank Schmirler: Overview. (line 108)
* ge: Pipelines. (line 3745)
* Grace: Timeouts. (line 2081)
* Group: Runtime directives. (line 1705)
* gt: Pipelines. (line 3742)
* header: Request Accessors. (line 1672)
* Header: Rewrite. (line 2444)
* Header <1>: rewrite response. (line 2629)
* Header <2>: Service Selection Statements.
(line 2859)
* HEADER, session type: Session. (line 3295)
* HeaderAdd: Request Modification.
(line 2317)
* HeaderAdd <1>: Service Request and Response Modification.
(line 2953)
* HeaderOption: Proxy Tuning. (line 1800)
* HeaderRemove: Request Modification.
(line 2373)
* HeaderRemove <1>: Service Request and Response Modification.
(line 2964)
* HeadRemove: Request Modification.
(line 2374)
* HeadRemove <1>: Service Request and Response Modification.
(line 2965)
* Host: Service selection. (line 390)
* host: Request Accessors. (line 1675)
* Host <1>: Rewrite. (line 2450)
* Host <2>: Service Selection Statements.
(line 2865)
* HTTPS: Backend. (line 3127)
* ID: Session. (line 3299)
* IgnoreCase: Regexp Settings. (line 1874)
* IgnoreCase <1>: Other Statements. (line 3333)
* Include: File inclusion. (line 1906)
* include-dir=DIR: Usage. (line 321)
* IncludeDir: File inclusion. (line 1914)
* index: Pipelines. (line 3714)
* info, log suppression: Service Logging. (line 3030)
* Interleaved weighted round robin balancing: Balancer. (line 1096)
* internal backend: Redirects. (line 827)
* IP address: Lexical structure. (line 1566)
* IP, session type: Session. (line 3271)
* iwrr: Balancer. (line 1136)
* keywords, configuration file: Lexical structure. (line 1527)
* le: Pipelines. (line 3739)
* len: Pipelines. (line 3722)
* LetsEncrypt: ACME. (line 959)
* lexical structure of the configuration file: Lexical structure.
(line 1517)
* list: poundctl commands. (line 3414)
* list <1>: poundctl commands. (line 3415)
* list <2>: poundctl commands. (line 3416)
* list <3>: poundctl commands. (line 3417)
* listener: Introduction. (line 156)
* ListenHTTP: ListenHTTP. (line 2091)
* ListenHTTPS: ListenHTTPS. (line 2681)
* load balancing: Balancer. (line 1068)
* log format, user-defined: Logging. (line 1310)
* LogFacility: Logging. (line 1261)
* LogFacility <1>: Logging configuration.
(line 1931)
* LogFacility <2>: Logging configuration.
(line 1932)
* LogFormat: Logging. (line 1310)
* LogFormat <1>: Logging configuration.
(line 1943)
* logical and: Service selection. (line 503)
* logical and, explicit: Service selection. (line 503)
* logical and, implicit: Service selection. (line 478)
* logical conjunction, explicit: Service selection. (line 503)
* logical disjunction: Service selection. (line 495)
* logical or: Service selection. (line 495)
* LogLevel: Logging. (line 1271)
* LogLevel <1>: Logging configuration.
(line 1949)
* LogLevel <2>: Logging configuration.
(line 1950)
* LogLevel <3>: Listener logging. (line 2264)
* LogLevel <4>: Listener logging. (line 2265)
* LogSuppress: Service Logging. (line 3026)
* LogTag: Logging configuration.
(line 1961)
* lt: Pipelines. (line 3736)
* Match: Service selection. (line 495)
* Match <1>: Rewrite. (line 2546)
* Match <2>: Service Selection Statements.
(line 2917)
* matching rules: Service selection. (line 377)
* matching rules, joining: Service selection. (line 478)
* MaxRequest: Listener-specific limits.
(line 2140)
* MaxURI: Listener-specific limits.
(line 2146)
* Metrics: Special Backends. (line 3222)
* Mode: Control socket. (line 2024)
* mul: Pipelines. (line 3775)
* multiple matching rules: Service selection. (line 478)
* ne: Pipelines. (line 3732)
* no-include-dir: Usage. (line 322)
* NoHTTPS11: ListenHTTPS. (line 2784)
* Not: Rewrite. (line 2540)
* Not <1>: Service Selection Statements.
(line 2911)
* not: Pipelines. (line 3725)
* null, built-in format: Logging. (line 1483)
* null, request logging: Logging. (line 1285)
* numbers, configuration file: Lexical structure. (line 1534)
* O'Sullivan, Rick: Overview. (line 108)
* off: poundctl commands. (line 3432)
* off <1>: poundctl commands. (line 3433)
* off <2>: poundctl commands. (line 3434)
* on: poundctl commands. (line 3424)
* on <1>: poundctl commands. (line 3425)
* on <2>: poundctl commands. (line 3426)
* or: Pipelines. (line 3709)
* or, logical: Service selection. (line 495)
* param: Request Accessors. (line 1669)
* PARAM, session type: Session. (line 3286)
* parenthesized subexpression: Request modifications.
(line 635)
* path: Request Accessors. (line 1663)
* Path: Rewrite. (line 2467)
* Path <1>: Service Selection Statements.
(line 2882)
* PCRE match, DeleteHeader: Request Modification.
(line 2354)
* PCRE match, DeleteHeader <1>: Request Modification.
(line 2357)
* PCRE match, headers: Rewrite. (line 2521)
* PCRE match, headers <1>: Rewrite. (line 2524)
* Perl-compatible regular expression match, DeleteHeader: Request Modification.
(line 2354)
* Perl-compatible regular expression match, DeleteHeader <1>: Request Modification.
(line 2357)
* Perl-compatible regular expression match, headers: Rewrite.
(line 2521)
* Perl-compatible regular expression match, headers <1>: Rewrite.
(line 2524)
* Perl-compatible regular expressions: Regular Expressions.
(line 526)
* PIDFile: Runtime directives. (line 1709)
* port: Request Accessors. (line 1679)
* Port: Listener address. (line 2118)
* Port <1>: Backend. (line 3087)
* posix regular expression match, DeleteHeader: Request Modification.
(line 2359)
* posix regular expression match, headers: Rewrite. (line 2526)
* POSIX regular expressions: Service selection. (line 401)
* pound.cfg: Introduction. (line 140)
* poundctl.tmpl: poundctl template. (line 3487)
* pound_backends: Metric Families. (line 4123)
* pound_backend_requests: Metric Families. (line 4172)
* pound_backend_request_stddev_nanoseconds: Metric Families. (line 4189)
* pound_backend_request_time_avg_nanoseconds: Metric Families.
(line 4181)
* pound_backend_state: Metric Families. (line 4147)
* pound_listener_enabled: Metric Families. (line 4039)
* pound_listener_info: Metric Families. (line 4047)
* pound_service_enabled: Metric Families. (line 4093)
* pound_service_info: Metric Families. (line 4071)
* pound_service_pri: Metric Families. (line 4101)
* POUND_TMPL_PATH: poundctl template. (line 3505)
* pound_workers: Metric Families. (line 4016)
* prefix match, DeleteHeader: Request Modification.
(line 2339)
* prefix match, headers: Rewrite. (line 2497)
* printf: Pipelines. (line 3752)
* Priority: Backend. (line 3100)
* query: Request Accessors. (line 1666)
* Query: Rewrite. (line 2471)
* Query <1>: Service Selection Statements.
(line 2886)
* QueryParam: Rewrite. (line 2476)
* QueryParam <1>: Service Selection Statements.
(line 2891)
* quoted string: Lexical structure. (line 1541)
* random: Balancer. (line 1133)
* redirect: Redirects. (line 832)
* Redirect: Special Backends. (line 3201)
* redirect, log suppression: Service Logging. (line 3038)
* RegexType: Regular Expressions.
(line 531)
* RegexType <1>: Regexp Settings. (line 1857)
* regular backend: Introduction. (line 180)
* regular expression match, DeleteHeader: Request Modification.
(line 2362)
* regular expression match, headers: Rewrite. (line 2529)
* regular expressions, PCRE: Regular Expressions.
(line 526)
* regular expressions, Perl-compatible: Regular Expressions.
(line 526)
* regular expressions, POSIX: Service selection. (line 401)
* regular, built-in format: Logging. (line 1487)
* regular, request logging: Logging. (line 1289)
* request accessor: Request modifications.
(line 678)
* request balancing: Balancer. (line 1068)
* request matching rules: Service selection. (line 377)
* rewrite: Conditional branches.
(line 696)
* Rewrite: Rewrite. (line 2382)
* Rewrite <1>: Service Request and Response Modification.
(line 2976)
* RewriteDestination: Request Modification.
(line 2297)
* RewriteLocation: Response Modification.
(line 2585)
* RFC 7617: Authentication. (line 756)
* Rick O'Sullivan: Overview. (line 108)
* Robert Segall: Overview. (line 108)
* RootJail: Runtime directives. (line 1734)
* Schmirler, Frank: Overview. (line 108)
* search path, templates: poundctl template. (line 3487)
* section: Syntax. (line 1586)
* Segall, Robert: Overview. (line 108)
* ServerName: Backend. (line 3130)
* service: Introduction. (line 162)
* Service definitions: Service definitions.
(line 2659)
* session: Sessions. (line 1158)
* Session: Session. (line 3257)
* SetHeader: Request Modification.
(line 2316)
* SetHeader <1>: rewrite response. (line 2650)
* SetHeader <2>: Service Request and Response Modification.
(line 2952)
* SetPath: Request Modification.
(line 2304)
* SetPath <1>: Service Request and Response Modification.
(line 2940)
* SetQuery: Request Modification.
(line 2307)
* SetQuery <1>: Service Request and Response Modification.
(line 2943)
* SetQueryParam: Request Modification.
(line 2312)
* SetQueryParam <1>: Service Request and Response Modification.
(line 2948)
* SetURL: Request Modification.
(line 2301)
* SetURL <1>: Service Request and Response Modification.
(line 2937)
* simple statement: Syntax. (line 1576)
* Socket: Control socket. (line 2020)
* SocketFrom: Listener address. (line 2123)
* special backend: Redirects. (line 827)
* srverr, log suppression: Service Logging. (line 3046)
* SSLAllowClientRenegotiation: ListenHTTPS. (line 2754)
* SSLEngine: SSL Settings. (line 1847)
* SSLHonorCipherOrder: ListenHTTPS. (line 2748)
* SSLv2: ListenHTTPS. (line 2732)
* SSLv2 <1>: Backend. (line 3148)
* SSLv3: ListenHTTPS. (line 2732)
* SSLv3 <1>: Backend. (line 3148)
* statement, compound: Syntax. (line 1586)
* statement, simple: Syntax. (line 1576)
* strategy, request balancing: Balancer. (line 1076)
* StringMatch: Rewrite. (line 2483)
* StringMatch <1>: rewrite response. (line 2633)
* StringMatch <2>: Service Selection Statements.
(line 2898)
* sub: Pipelines. (line 3772)
* substring match, DeleteHeader: Request Modification.
(line 2345)
* substring match, headers: Rewrite. (line 2503)
* success, log suppression: Service Logging. (line 3034)
* suffix match, DeleteHeader: Request Modification.
(line 2348)
* suffix match, headers: Rewrite. (line 2506)
* Supervisor: Runtime directives. (line 1727)
* template search path: poundctl template. (line 3487)
* Threads: Worker Settings. (line 1763)
* time formats: Time and Date Formats.
(line 4200)
* TimeOut: Timeouts. (line 2061)
* TimeOut <1>: Backend. (line 3112)
* TLSv1: ListenHTTPS. (line 2732)
* TLSv1 <1>: Backend. (line 3148)
* TLSv1_1: ListenHTTPS. (line 2732)
* TLSv1_1 <1>: Backend. (line 3148)
* TLSv1_2: ListenHTTPS. (line 2732)
* TLSv1_2 <1>: Backend. (line 3148)
* TrustedIP: Logging configuration.
(line 1972)
* TrustedIP <1>: Listener logging. (line 2282)
* TrustedIP <2>: Service Logging. (line 3003)
* TTL: Session. (line 3304)
* Type: Session. (line 3267)
* typeof: Pipelines. (line 3761)
* url: Request Accessors. (line 1660)
* URL: Rewrite. (line 2487)
* URL <1>: Service Selection Statements.
(line 2902)
* URL, session type: Session. (line 3281)
* UseBackend: UseBackend. (line 3169)
* User: Runtime directives. (line 1745)
* user database: Authentication. (line 773)
* values, configuration file: Lexical structure. (line 1531)
* VerifyList: ListenHTTPS. (line 2770)
* vhost_combined, built-in format: Logging. (line 1495)
* vhost_combined, request logging: Logging. (line 1299)
* warn-deprecated: Usage. (line 304)
* Weighted random balancing: Balancer. (line 1080)
* WorkerIdleTimeout: Worker model. (line 1250)
* WorkerIdleTimeout <1>: Worker Settings. (line 1759)
* WorkerMaxCount: Worker model. (line 1242)
* WorkerMaxCount <1>: Worker Settings. (line 1755)
* WorkerMinCount: Worker model. (line 1235)
* WorkerMinCount <1>: Worker Settings. (line 1751)
* WSTimeOut: Timeouts. (line 2074)
* WSTimeOut <1>: Backend. (line 3120)
* xHTTP: Listener-specific limits.
(line 2158)