## Minimal sample pound.cfg
##
## see pound(8) for details
######################################################################
## global options:

User		"pound"
Group		"pound"
#RootJail	"/chroot/pound"

# Have Pound run in the foreground (if 0) or as a daemon (if 1)
Daemon		0

# Specify the log facility to use. value (default: daemon) must be one of the
# symbolic facility names defined in syslog.h. This facility shall be used
# for logging. Using a - for the facility name causes Pound to log to
# stdout/stderr.
LogFacility	-

## Logging: (goes to syslog by default)
##	0	no logging
##	1	normal
##	2	extended
##	3	Apache-style (common log format)
LogLevel	3

## check backend every X secs:
Alive		30

## use hardware-accelleration card supported by openssl(1):
#SSLEngine	"<hw>"

# poundctl control socket
Control		"/var/run/pound/poundctl.socket"
######################################################################
## listen, redirect and ... to:

ListenHTTP
	# 0.0.0.0 below should be your public IP address
	Address		0.0.0.0
	Port		80

	# This part makes sure you redirect all HTTP traffic to HTTPS
	Service
		HeadRequire "Host: www.yourdomain.com"
		Redirect 301 "https://www.yourdomain.com"
	End
End

# As per https://milos.jakovljevic.me/howto-lets-encrypt-ssl-with-varnish-and-pound-on-ubuntu-server/
ListenHTTPS
	HeadRemove	"X-Forwarded-Proto"
	AddHeader	"X-Forwarded-Proto: https"
	Address		0.0.0.0
	Port		443
	Cert		"/etc/pound/certs/certificate.pem"

	# http://permalink.gmane.org/gmane.comp.web.pound.general/7489
	Disable	SSLv2
	Disable	SSLv3
	SSLAllowClientRenegotiation	0
	SSLHonorCipherOrder		1

	# We want to get an A on the Qualys SSL Test (https://www.ssllabs.com/ssltest)
	# https://scotthelme.co.uk/a-plus-rating-qualys-ssl-test/
	Ciphers	"ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS"

	# Ensure pound doesn't rewrite location headers, as this can cause a redirect loop
	RewriteLocation		0

	Service
		BackEnd
			# your backend service name (if using docker-compose) or container name or ip
			Address		web
			Port		80
			# Wordpress admin-ajax may fail if timeout is low
			# 300s is probably too much, feel free to experiment.
			TimeOut		300
		End
	End
End

# Get pound to do our hostname redirects (whether they come in as HTTP or HTTPS)
# Service
# 	HeadRequire "^Host: yourdomain.com$"
# 	Redirect 301 "https://www.yourdomain.com"
# End