You only need a reverse proxy if you don't have IPv6.
As not everyone has IPv6 yet (some people even disable IPv6 on their machine…), we'll set up a reverse proxy:
simply install a reverse proxy such as HAProxy, either in the hypervisor or in a virtual machine (the rest of this guide uses nginx's stream module).
It's preferable to install the reverse proxy in a virtual machine or container rather than in the hypervisor, to make backups easier.
In my case, virtual machines and containers have IPv6, so domain names resolve directly to these machines: no SNI reverse proxy is needed for IPv6.
The problem is that I only have one public IPv4 address (my ISP's box), and I have to share this single public IPv4 between all my virtual machines and containers.
It's to enable this cohabitation that I install an SNI reverse proxy.
With IPv6 it's simple: all the machines have direct access to the Internet and can be reached directly from the Internet; they're independent and have no port-sharing problems, so no address translation problems either.
Install the `nginx` package available in Debian: `apt install nginx`. You may also need the nginx stream module if it is not already installed: `apt install libnginx-mod-stream`.
Only one file to edit: `/etc/nginx/nginx.conf`.
What we are interested in in this file are the `stream` block and its backends (the `upstream` blocks).
```nginx
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;

events {
    worker_connections 768;
    # multi_accept on;
}

# the streams:
stream {
    map $ssl_preread_server_name $name {
        ikce.numericore.com         stream_backend_ikce.numericore.com;
        visio.ikce.numericore.com   stream_backend_ikce.numericore.com;
        err404.numericore.com       stream_backend_err404.numericore.com;
        visio.err404.numericore.com stream_backend_err404.numericore.com;
        default                     stream_backend_err404.numericore.com;
    }

    # the backends:
    upstream stream_backend_ikce.numericore.com {
        server 192.168.1.171:443;
    }

    # default backend:
    upstream stream_backend_err404.numericore.com {
        server 192.168.1.160:443;
    }

    server {
        listen 443;
        listen [::]:443;
        proxy_pass $name;
        # proxy_protocol here breaks the map above
        proxy_protocol on;
        # essential
        ssl_preread on;
    }
}
```
Add the `stream` block (with its `map`, `upstream` and `server` parts) before the `http` block in `/etc/nginx/nginx.conf`.
Machines (virtual, containers, or other)
You will also need to modify the nginx files on the machines concerned (in my case, the machines ikce.numericore.com and err404.numericore.com).
On err404.numericore.com:
Simply add `proxy_protocol` to the `listen` directive in the `server` block, and only for port 443. Do not touch port 80. Do not touch IPv6 since, in my case, the machines have public IPv6 and are reached directly.
Here is an excerpt from the `/etc/nginx/conf.d/err404.numericore.com.conf` file:
```nginx
server {
    listen 443 ssl http2 proxy_protocol;
    listen [::]:443 ssl http2;
    server_name err404.numericore.com;
    # ... rest of the server block unchanged
}
```
When you modify the nginx configuration files by hand, YunoHost will not be happy: it will refuse to update them because they have been modified.
You must do the same for the other virtual machines (ikce.numericore.com in my case).
To obtain the real IPv4 addresses of clients (and not just the reverse proxy's IP address), add the following to the `http` block on the backend machine.
Here is an excerpt from the `/etc/nginx/nginx.conf` file:
```nginx
http {
    real_ip_header proxy_protocol;
    real_ip_recursive on;
    set_real_ip_from 192.168.1.20;
    # ... rest of the http block unchanged
}
```
Replace 192.168.1.20 with the IP address of your SNI reverse proxy, and list only that address: with `proxy_protocol` on port 443 the backend accepts whatever PROXY header it is sent, and `set_real_ip_from` is what limits whose header is trusted as the client address.
The box
On the box (the ISP router), forward ports 80 and 443 to the IP address of the machine hosting the SNI reverse proxy.