fsfe-system-hackers
/
ip-proxy
14
0
Fork 2
Code Issues Pull Requests Projects Releases Wiki Activity
Reverse Proxy to allow VMs to share a IP
You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
48 Commits
1 Branch
0 Tags
79 KiB
Jinja 100%
 
master
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'master'
${ noResults }
Go to file
Linus Sehn fa7a20ab5a
continuous-integration/drone/push Build is passing Details
Fix typo 		2 months ago
group_vars add HSTS header before redirection 2 years ago
host_vars Fix typo 2 months ago
inventory@de8e53f300 bump inventory 6 months ago
templates Passthrough managesieve 3 months ago
.drone.yml adding drone CI for docs sync 5 months ago
.gitmodules initial commit for basic functionality for ports 80 and 443 2 years ago
README.md added docs.fsfe.org badge to the README 5 months ago
ansible.cfg initial commit for basic functionality for ports 80 and 443 2 years ago
playbook.yml reduce max. log time 2 years ago

README.md

Reverse Proxy for VMs

This is a reverse proxy using HAProxy to enable multiple VMs share the same IPv4 and IPv6. At the moment, it only tunnels TCP on port 443 (HTTPS), based on TLS SNI.

Deployment happens via Ansible.

in docs.fsfe.org

Configuration

A proxied VM still requires a dedicated IPv6. From that, the hostname and the IP of the host the service is hosted on have to be entered in the host_vars of the proxy on the cluster the VM is located on.

Example, e.g. in host_vars/proxy.plutex.fsfeurope.org, proxy the hostname proxytest1.fsfe.org to its IPv6:

webservers:
  proxytest1.fsfe.org: 2a02:16d0:1004:5a00:f5f3::1

VM webserver configuration

The webservers behind this reverse proxy have to be slightly re-configured in order to work properly. That is because we use the proxy protocol to forward requests, and the real originating IP should be displayed correctly in the logs.

Attention: Although the reverse proxy internally forwards port 80 to 443, there is one exception: ACME challenges for Let's Encrypt. For certbot to be able to authenticate, you must not remove the vhost for port 80! However, you can make it absolutely minimal.

Apache

  1. Enable the required module: a2enmod remoteip

  2. In the virtual host config (e.g. /etc/apache2/sites-enabled/000-default.conf), add inside the vhost of port 443:

    RemoteIPProxyProtocol On
RemoteIPTrustedProxy proxy.plutex.fsfeurope.org
RemoteIPTrustedProxy proxy.noris.fsfeurope.org

  3. In the Apache config, adapt the log format to show the real IP passed by the proxy. You have two options:

    1. Change the default combined LogFormat in apache2.conf:

      - LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined
+ LogFormat "%a %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined

    2. Add a new LogFormat in apache2.conf...

      LogFormat "%a %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined_proxy

      and use it in the virtual host config, e.g.:

      - CustomLog /var/log/apache2/yoursite-access.log combined
+ CustomLog /var/log/apache2/yoursite-access.log combined_proxy

Nginx

Nginx has the required module included in Debian's default installation.

  1. Modify the following to the virtual host configuration (e.g. /etc/nginx/sites-enabled/default), again the port 443 config:

    -listen [::]:443 ssl ipv6only;
-listen 443 ssl;
+listen [::]:443 ssl ipv6only proxy_protocol;
+listen 443 ssl proxy_protocol;

  2. Add in the same configuration:

    set_real_ip_from proxy.plutex.fsfeurope.org;
set_real_ip_from proxy.noris.fsfeurope.org;
real_ip_header proxy_protocol;