Table of Contents
You only need a reverse proxy if you don't have ipv6.
and as not everyone has ipv6 yet (there are even people who will disable ipv6 on their machine…) we'll set up a reverse proxy:
simply install a Haproxy server, either in the hypervisor or in a virtual machine.
it's preferable to install the reverse proxy in a virtual machine or container rather than in the hypervisor, to make backups easier.
in my case, virtual machines and containers have ipv6, so domain names go directly to these machines, no need for a reverse proxy sni for ipv6.
the problem is that I only have one public ipv4 (my ISP's box) and I'm obliged to share this single public ipv4 for all my virtual machines or containers.
it's to enable this cohabitation that I install a reverse proxy sni.
with ipv6, it's simple: all the machines have direct access to the Internet and can be reached directly from the Internet, they're independent and don't have port-sharing problems, so no address translation problems.
Reverse proxy sni
Install the haproxy package available in Debian apt install haproxy.
Only one file to edit:
/etc/haproy/haproxy.cfg:
global
log /dev/log local0 info
log /dev/log local1 info
chroot /var/lib/haproxy
stats socket /run/haproxy/admin.sock mode 660 level admin
stats timeout 30s
user haproxy
group haproxy
daemon
# Default SSL material locations
ca-base /etc/ssl/certs
crt-base /etc/ssl/private
# See: https://ssl-config.mozilla.org/#server=haproxy&server-version=2.0.3&config=intermediate
ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
defaults
log global
option dontlognull
timeout connect 5000
timeout client 50000
timeout server 50000
errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http
############################
frontend http_in
mode http
option httplog
bind [::]:80 v6only
bind *:80
option forwardfor
http-request add-header X-Forwarded-For %[src]
http-request set-header X-Forwarded-Proto https if { ssl_fc }
acl host_err404 hdr(host) -i err404.numericore.com
acl host_err404 hdr(host) -i visio.err404.numericore.com
acl host_planet hdr(host) -i ikce.numericore.com
use_backend http_err404 if host_err404
use_backend http_planet if host_ikce
backend http_err404
mode http
option forwardfor
balance roundrobin
server server1 ct-err404:80
backend http_ikce
mode http
option forwardfor
balance roundrobin
server server1 ct-ikce:80
#######################
frontend tcp_https
mode tcp
option tcplog
bind [::]:443 v6only
bind *:443
acl tls req.ssl_hello_type 1
tcp-request inspect-delay 5s
tcp-request content accept if tls
acl host_err404 req.ssl_sni -i err404.numericore.com
acl host_err404 req.ssl_sni -i visio.err404.numericore.com
acl host_planet req.ssl_sni -i ikce.numericore.com
use_backend tcp_err404 if host_err404
use_backend tcp_planet if host_ikce
backend tcp_err404
mode tcp
option ssl-hello-chk
balance roundrobin
server err404 ct-err404:443 send-proxy check
backend tcp_ikce
mode tcp
option ssl-hello-chk
balance roundrobin
server planet ct-ikce:443 send-proxy check
###############
frontend port1935
mode tcp
option tcplog
bind [::]:1935 v6only
bind *:1935
acl err404_1935 req.ssl_sni -i err404.numericore.com
use_backend err404_1935 if err404_1935
backend err404_1935
mode tcp
balance roundrobin
server err404 ct-err404:1935 send-proxy
bind [::]:80 v6onlybind *:80to listen in ipv4 AND ipv6- I added an example for 1935 port
ct-err404andct-ikceare my conteneurs's names, resolved by my own resolver, you can write your ip directly if you want.
Machines (virtual, containers, or other)
You will also need to modify the nginx files on the machines concerned (in my case, these are the machines ikce.numericore.com and err404.numericore.com)
In err404.numericore.com:
Simply add `proxy_protocol` in the `server` segment and only for port 443 Do not touch port 80 Do not touch ipv6 since, in my case, the machines have public ipv6.
Here is an excerpt from the `/etc/nginx/conf.d/err404.numericore.com.conf` file:
server {
listen 443 ssl http2 proxy_protocol;
listen [::]:443 ssl http2;
server_name err404.numericore.com;
When you modify the nginx configuration file, Yunohost will not be happy and will refuse to update them because they have been modified.
You must do the same for the other virtual machines (ikce.numericore.com in my case).
To obtain the real IP addresses of clients in IPv4 (and not just the reverse proxy IP address):
Here is an excerpt from the `/etc/nginx.conf` file:
http {
real_ip_header proxy_protocol;
real_ip_recursive on;
set_real_ip_from 192.168.1.20;
Replace 192.168.1.20 with the IP address of your reverse proxy SNI.
The box
On the box, you need to redirect ports 80 and 443 to the IP address of the machine hosting the reverse proxy SNI.