HAProxy is my preferred reverse proxy, and while it is maybe not quite as popular with the self-hosting community as some of the other options that have already been documented, it is a solid option and there may be others who would like to use it.
I have an example configuration that I have been using for the past several months that could be included in the reverse proxy documentation, if you think it would be beneficial. If so, let me know how you would like to proceed. It handles SSL termination for the Snikket web traffic and properly routes the ACME challenge traffic to snikket-cert-manager without upgrading to HTTPS.
Example config
```
global
    log /dev/log local0
    log /dev/log local1 notice
    chroot /var/lib/haproxy
    stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
    stats timeout 30s
    user haproxy
    group haproxy
    daemon

    # Default SSL material locations
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private

    # See: https://ssl-config.mozilla.org/#server=haproxy&server-version=2.0.3&config=intermediate
    # (the cipher line below is cut off; take the complete intermediate list from that generator)
    ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GC>
    ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
    ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets

defaults
    log global
    mode http
    option httplog
    option forwardfor
    option dontlognull
    timeout connect 5000
    timeout client 50000
    timeout server 50000
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http

# Frontend handling incoming http(s) traffic
frontend http
    # Bind a specific IP address, or * for all interfaces, on both ports 80 and 443.
    # For port 443 give the path to the certificate(s): a directory (as here) holding
    # one or more PEM files, or the path to a single file. Each PEM must contain the
    # certificate chain and the private key together (with certbot, concatenate
    # fullchain.pem and privkey.pem by hand or with a script). From version 2.2
    # HAProxy can also load a separate .key file next to the certificate.
    bind *:443 ssl crt /etc/haproxy/certs
    bind *:80

    # Let's Encrypt challenge requests must stay on plain http and reach the cert manager
    acl acl_acme_challenge path_beg /.well-known/acme-challenge/
    acl https ssl_fc

    # Optional: send www.<domain> to the bare domain (a CNAME or A record for www must
    # exist on your name server). Redirect straight to https so clients are not
    # bounced twice; leave ACME challenges alone.
    http-request redirect prefix https://%[hdr(host),regsub(^www\.,,i)] code 301 if { hdr_beg(host) -i www. } !acl_acme_challenge
    # Upgrade everything else to https, except the ACME challenge
    http-request redirect scheme https code 301 if !https !acl_acme_challenge

    # Proxy headers: drop any client-supplied X-Forwarded-For (option forwardfor then
    # inserts the real source address) and report the scheme/port actually used
    http-request del-header X-Forwarded-For
    http-request set-header X-Forwarded-Proto https if https
    http-request set-header X-Forwarded-Port 443 if https

    # Exact host names of the Snikket web endpoints. hdr_end(host) yourdomain.com
    # would also match unrelated names such as notyourdomain.com, so the whole
    # header is matched instead.
    acl acl_snikket hdr(host) -i yourdomain.com
    acl acl_snikket_share hdr(host) -i share.yourdomain.com
    acl acl_snikket_groups hdr(host) -i groups.yourdomain.com

    # Route Snikket traffic to the proper backend. Requests for any other host match
    # nothing and, with no default_backend, get a 503 from HAProxy.
    use_backend snikket-certs if acl_acme_challenge
    use_backend snikket if acl_snikket || acl_snikket_share || acl_snikket_groups

# Backends
backend snikket-certs
    # snikket-cert-manager answers the ACME challenge over plain http
    server snikket-cert-manager 127.0.0.1:5080 check

backend snikket
    http-request set-header X-Forwarded-For %[src]
    # Snikket's own https listener. "verify none" is only acceptable because the
    # target is loopback; for a remote target use "ssl verify required ca-file <path>"
    # (HAProxy accepts only "none" or "required" for verify, not "all").
    server snikket-server 127.0.0.1:5443 check ssl verify none
```
I use haproxy myself for a bunch of stuff (including for the hosted Snikket platform), and love it. Thanks for putting a config together, I'll get it merged into the docs next time I do an update (which should be soon, we're wrapping up a release).