Reverse Proxy to allow VMs to share a IP
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
Max Mehl 446d7d94ad
configure to route for ticket system
3 months ago
group_vars add HSTS header before redirection 10 months ago
host_vars configure to route for ticket system 3 months ago
inventory@1d105e09a3 add noris proxy 10 months ago
templates do not throw an error when no tcp_ports defined 7 months ago
.gitmodules initial commit for basic functionality for ports 80 and 443 10 months ago
README.md update docu 7 months ago
ansible.cfg initial commit for basic functionality for ports 80 and 443 10 months ago
playbook.yml reduce max. log time 10 months ago

README.md

Reverse Proxy for VMs

This is a reverse proxy using HAProxy to enable multiple VMs share the same IPv4 and IPv6. At the moment, it only tunnels TCP on port 443 (HTTPS), based on TLS SNI.

Deployment happens via Ansible.

Configuration

A proxied VM still requires a dedicated IPv6. From that, the hostname and the IP of the host the service is hosted on have to be entered in the host_vars of the proxy on the cluster the VM is located on.

Example, e.g. in host_vars/proxy.plutex.fsfeurope.org, proxy the hostname proxytest1.fsfe.org to its IPv6:

webservers:
  proxytest1.fsfe.org: 2a02:16d0:1004:5a00:f5f3::1

VM webserver configuration

The webservers behind this reverse proxy have to be slightly re-configured in order to work properly. That is because we use the proxy protocol to forward requests, and the real originating IP should be displayed correctly in the logs.

Attention: Although the reverse proxy internally forwards port 80 to 443, there is one exception: ACME challenges for Let's Encrypt. For certbot to be able to authenticate, you must not remove the vhost for port 80! However, you can make it absolutely minimal.

Apache

  1. Enable the required module: a2enmod remoteip

  2. In the virtual host config (e.g. /etc/apache2/sites-enabled/000-default.conf), add inside the vhost of port 443:

    RemoteIPProxyProtocol On
    RemoteIPTrustedProxy proxy.plutex.fsfeurope.org
    RemoteIPTrustedProxy proxy.noris.fsfeurope.org
    
  3. In the Apache config, adapt the log format to show the real IP passed by the proxy. You have two options:

    1. Change the default combined LogFormat in apache2.conf:

      - LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined
      + LogFormat "%a %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined
      
    2. Add a new LogFormat in apache2.conf...

      LogFormat "%a %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined_proxy
      

      and use it in the virtual host config, e.g.:

      - CustomLog /var/log/apache2/yoursite-access.log combined
      + CustomLog /var/log/apache2/yoursite-access.log combined_proxy
      

Nginx

Nginx has the required module included in Debian's default installation.

  1. Modify the following to the virtual host configuration (e.g. /etc/nginx/sites-enabled/default), again the port 443 config:

    -listen [::]:443 ssl ipv6only;
    -listen 443 ssl;
    +listen [::]:443 ssl ipv6only proxy_protocol;
    +listen 443 ssl proxy_protocol;
    
  2. Add in the same configuration:

    set_real_ip_from proxy.plutex.fsfeurope.org;
    set_real_ip_from proxy.noris.fsfeurope.org;
    real_ip_header proxy_protocol;