Simple reverse proxy configuration

What gets me asking is why use an HAProxy configuration when this looks like a simple change in sites-available after re-reading this:

So they have an nginx site at 172.20.20.219.
A hostname xxxx.yyy-zzzzzzz.de is entered into hosts in IPFire.

So their default file in sites-available should be:


server {
    listen 80 default_server;
    listen [::]:80 default_server;
    root /var/www/html;
    index index.html index.htm index.nginx-debian.html;
    # server_name takes the hostname only, without a scheme
    server_name xxxx.yyy-zzzzzzz.de;
    location / {
        try_files $uri $uri/ =404;
    }
}

There should be a new file created and I would name it aaweb and I would create it by going to the sites-available folder in a terminal as root and cp -p default aaweb

Then I would edit the new file aaweb for the site aaweb.yyyy-zzzzzzz.de


server {
    listen 80;
    server_name         aaweb.yyyy-zzzzzzz.de;
    
    return 301 https://$host$request_uri;
}

server {
    listen              443 ssl;
    server_name         aaweb.yyyy-zzzzzzz.de;
    ssl_certificate    /path/to/aaweb.yyyy-zzzzzzz.de.crt;
    ssl_certificate_key /path/to/aaweb.yyyy-zzzzzzz.de.key;
    root /var/www/html/aaweb;
    index index.html index.htm index.nginx-debian.html;
    location / {
        try_files $uri $uri/ =404;
    }
}

Next, I would enable the site aaweb:

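# run from the nginx configuration directory; the link target is resolved relative to sites-enabled/
sudo ln -s ../sites-available/aaweb sites-enabled/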

Then add aaweb.yyyy-zzzzzzz.de as a host entry in ipfire pointing to 172.20.20.219

Then if aaweb.yyyy-zzzzzzz.de is accessed via http or https, it's going to https://aaweb.yyyy-zzzzzzz.de

I think what they wanted to do is two sites at 172.20.20.219 but one is a http and another, a http by what they say.

I think running 172.20.20.219 on GREEN as a dedicated webserver isn’t that nice anyway. Maybe it is something pre-conditioned like a NAS or such.

Aside of that, your latter nginx solution shall be okay, and I think you are right when you say that solves the problem. :peace_symbol:

Please note I just wanted to suggest an alternative as part of the initial request based on my latter experiences I’ve had with HAProxy, which, BTW, may not be sufficient enough and I’m still testing around on my installations.

I think what they wanted to do is two sites at 172.20.20.219 but one is a http and another, a http by what they say.

I think the initial question was on HTTPS only, but due to the haproxy.cfg posted afterwards it may appear as a port 80 frontend designed for a port 443 backend. Which indeed may work, but I think is not intended.

In haproxy, I think most normal is ports 80/443 front end with port 80 back end so haproxy looks after the certification.

A 443 front and back end to me seems odd in some ways, because it means the backend server has an encryption overhead, then haproxy has to decrypt it and re-encrypt it, which seems an awful waste of processing unless you have a requirement to keep everything totally secure, like a bank or credit card processing company.

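The two HAProxy layouts compared in the post above, written out as an added example that is not part of the thread or anyone's actual haproxy.cfg. The names fe_web, be_aaweb and web1 and the .pem and CA file paths are placeholders; the host name and backend address are the ones used earlier in the thread.

```haproxy
# Added example: names and certificate paths are placeholders.
defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend fe_web
    bind :80
    # HAProxy holds the certificate; crt expects certificate and key in one PEM file
    bind :443 ssl crt /path/to/aaweb.yyyy-zzzzzzz.de.pem
    # Redirect plain HTTP to HTTPS, like the nginx "return 301" server block
    http-request redirect scheme https code 301 unless { ssl_fc }
    use_backend be_aaweb if { hdr(host) -i aaweb.yyyy-zzzzzzz.de }

# Variant 1: TLS ends at HAProxy, the backend is plain HTTP on port 80.
# Traffic between HAProxy and 172.20.20.219 is unencrypted on that network segment.
backend be_aaweb
    http-request set-header X-Forwarded-Proto https
    server web1 172.20.20.219:80 check

# Variant 2: 443 front and back (re-encrypt). Use instead of variant 1.
# The backend certificate is verified against a CA file rather than using "verify none".
# backend be_aaweb
#     server web1 172.20.20.219:443 ssl verify required ca-file /path/to/backend-ca.crt sni str(aaweb.yyyy-zzzzzzz.de) check
```

With variant 1 the nginx backend has to serve the site on port 80 without its own redirect to HTTPS, otherwise every request loops between the redirect and the proxy.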

I reflected a bit on the setup and wonder if that whole thing would work as there are servers hanging in the DMZ which are handled via port forwarding and then there is this server on GREEN via HAProxy.