
You only need a reverse proxy if you don't have IPv6.
Since not everyone has IPv6 yet (some people even disable IPv6 on their machine…), we'll set up a reverse proxy:

Simply install an HAProxy server, either on the hypervisor or in a virtual machine.

It's preferable to install the reverse proxy in a virtual machine or container rather than on the hypervisor, to make backups easier.

In my case I chose to install the reverse proxy on the same machine that runs the authoritative domain name server.

In my case, the virtual machines and containers have IPv6, so the domain names resolve directly to these machines: no SNI reverse proxy is needed for IPv6.
The problem is that I only have one public IPv4 address (my ISP's box), and I have to share this single public IPv4 among all my virtual machines and containers.
It is to allow this cohabitation that I install an SNI reverse proxy.

With IPv6 it's simple: every machine has direct access to the Internet and can be reached directly from the Internet. The machines are independent, so there is no port-sharing problem and therefore no address translation problem.

Reverse proxy sni

Install the haproxy package available in Debian: `apt install haproxy`.

Only one file to edit, `/etc/haproxy/haproxy.cfg`:

```haproxy
global
        log /dev/log    local0 info
        log /dev/log    local1 info
        chroot /var/lib/haproxy
        stats socket /run/haproxy/admin.sock mode 660 level admin
        stats timeout 30s
        user haproxy
        group haproxy
        daemon

        # Default SSL material locations
        ca-base /etc/ssl/certs
        crt-base /etc/ssl/private

        # See: https://ssl-config.mozilla.org/#server=haproxy&server-version=2.0.3&config=intermediate
        ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
        ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
        ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets

defaults
        log     global
        option  dontlognull
        timeout connect 5000
        timeout client  50000
        timeout server  50000
        errorfile 400 /etc/haproxy/errors/400.http
        errorfile 403 /etc/haproxy/errors/403.http
        errorfile 408 /etc/haproxy/errors/408.http
        errorfile 500 /etc/haproxy/errors/500.http
        errorfile 502 /etc/haproxy/errors/502.http
        errorfile 503 /etc/haproxy/errors/503.http
        errorfile 504 /etc/haproxy/errors/504.http

############################
# Port 80: plain HTTP, routed at layer 7 on the Host header
frontend http_in
        mode http
        option httplog
        bind [::]:80 v6only
        bind *:80
        # forwardfor already adds X-Forwarded-For with the client address;
        # an extra add-header line would only produce a duplicate header
        option forwardfor

        acl host_err404 hdr(host) -i err404.numericore.com
        acl host_err404 hdr(host) -i visio.err404.numericore.com
        acl host_ikce   hdr(host) -i ikce.numericore.com

        # acl and backend names must match their definitions:
        # an undefined acl or backend makes haproxy refuse to load the config
        use_backend http_err404 if host_err404
        use_backend http_ikce   if host_ikce

backend http_err404
        mode http
        option forwardfor
        balance roundrobin
        server server1 ct-err404:80

backend http_ikce
        mode http
        option forwardfor
        balance roundrobin
        server server1 ct-ikce:80

#######################
# Port 443: TCP passthrough routed on the SNI of the ClientHello;
# TLS is terminated on the backend machines, not here
frontend tcp_https
        mode tcp
        option tcplog
        bind [::]:443 v6only
        bind *:443
        acl tls req.ssl_hello_type 1
        # wait (up to 5s) for the ClientHello so that req.ssl_sni can be evaluated
        tcp-request inspect-delay 5s
        tcp-request content accept if tls

        acl host_err404 req.ssl_sni -i err404.numericore.com
        acl host_err404 req.ssl_sni -i visio.err404.numericore.com
        acl host_ikce   req.ssl_sni -i ikce.numericore.com

        use_backend tcp_err404 if host_err404
        use_backend tcp_ikce   if host_ikce

backend tcp_err404
        mode tcp
        option ssl-hello-chk
        balance roundrobin
        # send-proxy: prepend a PROXY protocol header so the backend sees the real client address
        server err404 ct-err404:443 send-proxy check

backend tcp_ikce
        mode tcp
        option ssl-hello-chk
        balance roundrobin
        server ikce ct-ikce:443 send-proxy check

###############
# Port 1935 (streaming): same SNI-based passthrough, single backend
frontend port1935
        mode tcp
        option tcplog
        bind [::]:1935 v6only
        bind *:1935
        acl tls req.ssl_hello_type 1
        # same inspect-delay as on 443, otherwise req.ssl_sni is evaluated before the hello has arrived
        tcp-request inspect-delay 5s
        tcp-request content accept if tls
        acl err404_1935 req.ssl_sni -i err404.numericore.com

        use_backend err404_1935 if err404_1935

backend err404_1935
        mode tcp
        balance roundrobin
        server err404 ct-err404:1935 send-proxy
```

Machines (virtual, containers, or other)

You will also need to modify the nginx files on the machines concerned (in my case, the machines ikce.numericore.com and err404.numericore.com).

In err404.numericore.com:

Simply add `proxy_protocol` to the `listen` directive in the `server` block, and only for port 443. Do not touch port 80, and do not touch IPv6 since, in my case, the machines have public IPv6 addresses.

Here is an excerpt from the `/etc/nginx/conf.d/err404.numericore.com.conf` file:

```nginx
server {
    listen 443 ssl http2 proxy_protocol;   # IPv4 arrives through the reverse proxy: expect a PROXY header
    listen [::]:443 ssl http2;             # IPv6 is reached directly: no proxy_protocol here
    server_name err404.numericore.com;
    # ... rest of the server block unchanged
}
```

When you modify the nginx configuration file, YunoHost will not be happy and will refuse to update it because it has been modified.

You must do the same for the other virtual machines (ikce.numericore.com in my case).

To obtain the real IPv4 addresses of clients (and not just the reverse proxy's address), here is an excerpt from the `/etc/nginx/nginx.conf` file:

```nginx
http {
    real_ip_header proxy_protocol;     # take the client address from the PROXY header, not from X-Forwarded-For
    real_ip_recursive on;
    set_real_ip_from 192.168.1.20;     # only the reverse proxy is trusted to supply that address
    # ... rest of the http block unchanged
}
```

Replace 192.168.1.20 with the IP address of your SNI reverse proxy. List only that address: nginx trusts the client address carried in the PROXY protocol header from any source in `set_real_ip_from`, so a wider range would let any host in it forge the client IP seen in your logs and access rules.
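As an added illustration (not part of this page, HAProxy or nginx), the following Python simulates what the `tcp_https` frontend and `send-proxy` do and why `set_real_ip_from` must name only the proxy: it builds a constructed ClientHello, reads the SNI the way `req.ssl_sni` does, picks the backend from an assumed table copied from the acl lines above, and prepends the PROXY v1 line that the backend's nginx will parse. Client and proxy addresses used with it are made-up documentation values.

```python
import struct
from typing import Optional, Tuple
# Assumed routing table, mirroring the acl/use_backend lines of the tcp_https frontend above.
BACKENDS = {
    "err404.numericore.com": "ct-err404:443",
    "visio.err404.numericore.com": "ct-err404:443",
    "ikce.numericore.com": "ct-ikce:443",
}

def build_client_hello(sni: str) -> bytes:
    """Constructed minimal TLS ClientHello record carrying a single server_name entry."""
    host = sni.encode("ascii")
    names = struct.pack("!HBH", len(host) + 3, 0, len(host)) + host  # server_name list
    ext = struct.pack("!HH", 0, len(names)) + names                 # extension type 0 = SNI
    # version, 32-byte random, empty session id, one cipher suite, null compression, extensions
    body = (b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\x13\x01" + b"\x01\x00"
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body              # handshake type 1
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs        # record type 22

def extract_sni(record: bytes) -> Optional[str]:
    """What req.ssl_sni does: peek at the ClientHello and return its SNI, or None."""
    if len(record) < 44 or record[0] != 0x16 or record[5] != 0x01:
        return None                                    # not a TLS handshake / ClientHello
    try:
        p = 43                                         # past headers, version and random
        p += 1 + record[p]                             # session id
        p += 2 + struct.unpack("!H", record[p:p + 2])[0]   # cipher suites
        p += 1 + record[p]                             # compression methods
        end = p + 2 + struct.unpack("!H", record[p:p + 2])[0]
        p += 2
        while p + 4 <= end:
            etype, elen = struct.unpack("!HH", record[p:p + 4])
            p += 4
            if etype == 0:                             # server_name: list len(2) + type(1) + len(2)
                nlen = struct.unpack("!H", record[p + 3:p + 5])[0]
                return record[p + 5:p + 5 + nlen].decode("ascii", "replace")
            p += elen
    except (struct.error, IndexError):
        pass                                           # truncated, malformed or no extensions
    return None

def route(record: bytes, client_ip: str, client_port: int, proxy_ip: str) -> Optional[Tuple[str, bytes]]:
    """Pick the backend like use_backend ... if host_*, then prepend the PROXY v1 line send-proxy adds."""
    sni = extract_sni(record)
    backend = BACKENDS.get(sni.lower()) if sni else None   # -i in the acl: case-insensitive
    if backend is None:
        return None                                    # no acl matched: haproxy drops the connection
    header = f"PROXY TCP4 {client_ip} {proxy_ip} {client_port} 443\r\n".encode("ascii")
    return backend, header + record
```

The PROXY line is plain text chosen by whoever opened the connection to port 443 on the backend, which is exactly why nginx must only accept it from the proxy's address.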

The box

On the box, forward ports 80 and 443 to the IP address of the machine hosting the SNI reverse proxy.