Simple reverse proxy configuration

Hello,
All our web frontends run on servers in the orange DMZ and have the same name syntax:
bbbb.yyy-zzzzzz.de
ccccc.yyy-zzzzzz.de

But there is a web server in green at IP 172.20.20.219.
At the time we had a port forwarding rule:
all port 7443 >> 172.20.20.219 port 443
That's OK, but it's a long HTTP string to input:

https://xxxx.yyy-zzzzzzz.de:7443/aaweb

We thought that we could simplify this long string to:

https://aaweb.yyyy-zzzzzzz.de

with the help of the reverse proxy nginx or haproxy. For weeks we have tried to configure this, but with no success.
We read many wikis and documents, but there is more and more confusion.
P.S.: of course we created an A-record for aaweb at the ISP.

That should be bread and butter for haproxy. How did you try to configure it?

thanks,
in /etc/haproxy/haproxy.cfg

> 
> ###
> # main frontend which proxys to the backends
> #####
> frontend www-http
>     bind 80.111.222.333:80   ## fake IP!
> #bind *:443 ssl crt /etc/ssl/cert.pem
> # Redirect HTTP to  HTTPS
> # redirect scheme https code 301 if !{ ssl_fc }
>     mode http
>     use_backend server1 if { hdr(host) -i https://aaweb.yyyy-zzzzz.de }
>     ## use_backend server2 if { hdr(host) -i example2.deanlongstaff.com }
> 
> backend server1
>     server aaweb  172.20.20.219:80
> 
> #backend server2
> #    server wiki 192.168.20.30:80

Do we have to create an extra firewall rule?

It is over a year since I’ve played with haproxy so I am a bit vague.

You don’t need extra firewall rules.

You have set up a listener on port 80 for an https header? That doesn’t work. Don’t you want use_backend server1 if { hdr(host) -i -m dom aaweb.yyyy-zzzzz.de } so you pick up on the whole domain.

Note you are redirecting to port 80 so this will give you a port 80 end-to-end test. Typically you will also have haproxy listening on 443 and inserting the SSL certificate here, then feeding the traffic through to a backend running on port 80. You then don't bother with SSL on your internal server. You can also get haproxy to redirect incoming 80 to 443 but I can't remember how.

Thank you for advice,
yesterday evening we saw that the haproxy service is NOT running, and that's why we started from the beginning.
First we used this, because it is understandable …
https://ask.linuxmuster.net/t/ipfire-mit-haproxy-als-reverse-proxy/3288
This used an older version of haproxy.
With haproxy -f /etc/haproxy/haproxy.cfg -c we tested the config file and eliminated the errors. Now we have only a warning:

[WARNING] (6577) : config : log format ignored for frontend ‘80.111.222.333’ since it has no log address.
Warnings were found.

Now it is possible to start the haproxy service, but there must be an error, because the browser said "error 404".
Our haproxy.cfg:

##########
# Global #
##########
global
    maxconn 100
    spread-checks 50
    daemon
##    nbproc 4

############
# Defaults #
############
defaults
    maxconn 100
    log global
    mode http
    option dontlognull
    retries 3
#    contimeout 60000
    timeout connect 60000
#    clitimeout 60000
    timeout client 60000
#    srvtimeout 60000
    timeout server 60000

#####################
# Frontend: HTTP-IN #
#####################
frontend 80.111.222.333
    bind *:80
    option logasap
    option httplog
    option httpclose
##ignored    log global
    default_backend sslwebserver

#########################
# Backend: SSLWEBSERVER #
#########################
backend sslwebserver
##    option httplog
    option forwardfor
    option abortonclose
##    log global
    balance roundrobin
    # Server List
    server aaweb.xxx-yyyyyy.de 172.20.20.219:443 check
#    server sslws02 webserver02:443 check
#    server sslws03 webserver03:443 check

So you are only binding to port 80? This means you can only use http and not https to address your server in your browser. What is the URL you are using to try to access your server?

Tried with bind 443:* too, but the same error 404.

That is an invalid IP, so the software is not going to interpret this as an IP address.

Also, you don’t have to set up a proxy either.

Should be bind *:443 and not bind 443:* and normally you’d have other switches there as well, especially if you are inserting certificates in haproxy.

Normally, you use a SRV record to point a subdomain.domain.fqdn to a domain.fqdn:12345 (domain + port) to alias a port on a domain with an A or AAAA record set to a subdomain.

In haproxy? Not as far as I know, but it is a possible alternative solution.

Thanks,
OK - this is a typing error here in the forum.
In haproxy.cfg we wrote bind *:443

Hello,
you mean a line like this ?

server aaweb.xxx-yyyyyyy.de 172.20.20.219:443 check

If you are getting a 404, have you tried packet sniffing - both inbound to IPF and outbound from IPF to your server? Also what do the logs say? Haproxy should generate its own.

hello,
the /var/log/haproxy is empty. Don't know the syntax to activate it in haproxy.cfg.

Probably log global in the defaults section. Google is your friend. Perhaps this may help - Introduction to HAProxy Logging.
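The two replies above (listen on 443 with the certificate on haproxy, forward plain HTTP to the green server, match the whole domain with -m dom, redirect 80 to 443, and give the defaults section a log target) fit together into one file. The following haproxy.cfg is an added example for this thread, not a config posted by anyone here and not IPFire's own; the certificate path, the log target and the aaweb hostname are assumptions, and the backend IP is the one from the original question.

```haproxy
# Added example: TLS terminated on haproxy, plain HTTP to the green server.
# Assumed: /etc/haproxy/certs/aaweb.pem holds the full chain plus private key.
global
    # a log address is required here, otherwise "log global" in defaults is
    # ignored (that is the warning quoted earlier in the thread)
    log 127.0.0.1 local0
    maxconn 2000
    daemon

defaults
    mode http
    log global
    option httplog
    option dontlognull
    option forwardfor
    timeout connect 5s
    timeout client  60s
    timeout server  60s

frontend fe_web
    bind *:80
    bind *:443 ssl crt /etc/haproxy/certs/aaweb.pem alpn h2,http/1.1

    # everything that arrived without TLS is redirected before routing
    http-request redirect scheme https code 301 if !{ ssl_fc }

    # the Host header never carries a scheme, so match the bare name;
    # -m dom also accepts names below it, -m str would require an exact match
    acl host_aaweb req.hdr(host) -i -m dom aaweb.yyyy-zzzzzzz.de
    use_backend be_aaweb if host_aaweb

    # an unknown Host name is refused instead of falling through to a site
    default_backend be_no_match

backend be_aaweb
    # tell the application the client used TLS even though this hop is HTTP
    http-request set-header X-Forwarded-Proto https if { ssl_fc }
    http-response set-header Strict-Transport-Security "max-age=31536000"
    # the application lives under /aaweb on the backend; %[path] already
    # starts with "/", so no extra slash is added
    http-request set-path /aaweb%[path] unless { path_beg /aaweb }
    server aaweb 172.20.20.219:80 check

backend be_no_match
    http-request deny deny_status 403
```

Check it with haproxy -c -f /etc/haproxy/haproxy.cfg before restarting the service, as done earlier in the thread; with the log line in global the "no log address" warning disappears and requests show up at the syslog target. Two things to keep in mind with this layout: the private key now lives on the firewall, and the hop from IPFire to 172.20.20.219 is plaintext, which is acceptable only because that path stays inside green. If the backend must keep listening on 443, the server line needs ssl together with a ca-file it can verify the backend certificate against (or an explicit verify none); haproxy refuses to start when verification is on and no CA is given.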

Close, but you don't have to run an HAProxy.

What Nginx uses to identify servers is the server_name declaration.

I have a good example of this running on an ubuntu desktop machine that has nginx web pages and webmin. The nginx web I use as my proxy controller by redirection. The way the server works is by name. Usually a copy of bind9 is loaded on the machine, but I forgo that because I have control over rebooting the ipfire instance to force arp/hostname updates.

Ok, my ipfire domain is .sdak. So I wanted an http web at my statically assigned green server at 10.65.64.190 on my network, to which I am going to assign the address ubuntu.sdak. I also have a webmin Perl/CGI on port 10000 on the same computer that I'm going to host as webmin.sdak.

So in my default file in the sites-available folder, I have:


server {
	listen 80;
	root /var/www/html;
	index index.html index.htm index.nginx-debian.html;

	server_name ubuntu.sdak;

	location / {
		try_files $uri $uri/ =404;
	}

}

I also created a file named webmin in this folder


server {
	listen 80;
	listen 443;
	server_name webmin.sdak;
	root /var/www/webmin;
	index index.html;

	location / {
		try_files $uri $uri/ =404;
	}
}

Then I open a terminal and link the webmin site data to sites-enabled:

sudo ln -s sites-available/webmin sites-enabled/

Then I navigate to /var/www and copy the folder of the ubuntu site as the webmin folder

sudo cp -r /var/www/html  /var/www/webmin

Then I go to the new webmin folder, and rename the index file from the sample default file…

cd /var/www/webmin
mv index.nginx-debian.html index.html

Then I edit index.html and put my port redirect

<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Refresh" content="0; URL=https://10.65.64.190:10000/" />
</head>
<body>
Should redirect
</body>
</html>

Then in ipfire I set hosts on the same ip of 10.65.64.190:

Reboot ipfire and green server.

Then I clear history on a browser on the computer and navigate to either http://webmin.sdak or https://webmin.sdak or http://ubuntu and they go to the correct pages.

The reason why this works is nginx looks at the http/https request and parses the name that points to the server entries.

Same thing as 2 websites, I am just using one as a redirect to a cgi/perl instance instead of continuing at /var/www/webmin. The important thing to do is create the symbolic link from sites-available to sites-enabled or the second site will not be active.

If I wanted to add more websites, I would make a new serverlet file in /etc/nginx/sites-available, link it to sites-enabled, and add the name in "Network => Edit Hosts" inside ipfire to the same ip address on green.

Thanks for all the advice!
… we tried nginx before haproxy, but with no success, and we gave up.
Too many hours to find the solution.
Sorry,

You don't have to do anything special beyond how I explained adding websites and names inside ipfire. You just have to clear the browser history if you tried that name before. The only difference between this setup and one in a data centre is that there is an instance of bind9 that is forwarded to other name servers. This should be simple since there is only one DNS to synchronise.

Have you tried like this? Couldn’t check if it’s working exactly like this but should be a reasonable path to your solution in my thoughts.

frontend fe_aaweb
   bind :80
   bind :443 ssl crt /etc/ssl/cert.pem alpn h2,http/1.1

   http-request redirect scheme https code 301 if !{ ssl_fc }

   acl is_aaweb_domain hdr(host) -i aaweb.yyyy-zzzzzzz.de
   use_backend be_aaweb if is_aaweb_domain

   default_backend no_match

backend be_aaweb
   mode http
   # %[path] already begins with "/", so no second slash is inserted
   http-request set-path /aaweb%[path]
   server aaweb 172.20.20.219:443 ssl check verify required crt /etc/ssl/cert.pem

backend no_match
   http-request deny deny_status 400

Please note this assumes the backend server to be using the same SSL certificates as HAProxy. So I think you'd need to get a copy of the backend server certificates onto your IPFire instance.

Otherwise you could terminate SSL on HAProxy and forward HTTP only to your (then stripped-down) HTTP-only backend server. However, in that case you'd need your SSL certificates on the IPFire instance as well.

Don’t know how to handle frontend certificates differently from back end certificates.

Finally, I think you’d need an incoming firewall rule in order to get your HAProxy accessible from the internet.

Hope that helps.