I’m actually proxying (routing, what’s the right term?) only 1 web server.
My actual config is this, and it’s my starting point.
```
frontend web
    mode http
    bind *:80
    # NOTE: This is a wildcard certificate, used on haproxy AND on ALL web servers
    bind *:443 ssl crt /etc/ssl/private/mydomain.tld.pem alpn h2,http/1.1
    reqadd X-Forwarded-Proto:\ https
    redirect scheme https if !{ ssl_fc }
    option forwardfor
    acl acl_pihole2 hdr(host) -i pihole2.mydomain.tld
    use_backend pihole2 if acl_pihole2

backend pihole2
    # Why port 80?
    # See https://discourse.haproxy.org/t/whats-the-canonical-way-to-handle-port-80-and-port-443/2903/10?u=realtebo
    server web 192.168.1.228:80 check
```
Now I’d like to start adding more backends.
The next backend I must add is for the openvpn machine. On this machine (IP 192.168.225) there is a lighttpd with 2 services, one for users, one for the admin:

- https://192.168.1.225 (port 443, automatically)
- https://192.168.1.225:943/admin (port 943, manually)
About HAProxy, I cannot simply add

```
acl acl_openvpn hdr(host) -i openvpn.mydomain.tld
use_backend openvpn if acl_openvpn
```

and

```
backend openvpn
    server web 192.168.1.225:80 check
```

as done for the pihole2 (as you can see in the config file above), because in this case I need to pass through the SSL.
HAProxy is marvellous, but I see 40 tutorials doing things in 50 different ways, and all of them have an asterisk about what this configuration will break… or they are too old (<= v1.5).
I ask you for a suggestion about how to start planning the following config:
- preserve the ability to route based on domain name
- pass through the SSL to the 2 openvpn services
- but still be optionally able to terminate SSL on the proxy; not required, but useful
- Note I am using a wildcard certificate, so my life is easier. Only one .pem, no need for crt_list
In short:
- [x] http:// or https://pihole2.mydomain.tld -> http://192.168.1.228:80 [Done]
- [ ] http:// or https://openvpnuser.mydomain.tld -> https://192.168.225:443 [Todo]
- [ ] http:// or https://openvpnadmin.mydomain.tld -> https://192.168.225:943 [Todo]
I’m reading about change from http to tcp mode and inspecting ssl, but I cannot see 2 tutorials with the same commands, structure, idea or goal. I’m a bit lost.
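One way to lay out the configuration asked for above, as an added example that is not part of the original post or of HAProxy's own documentation: a `tcp` mode frontend owns port 443, reads the SNI name from the ClientHello (`req.ssl_sni`) and passes the two OpenVPN hostnames through untouched; everything else is handed over the loopback to a second, `http` mode frontend that terminates TLS with the wildcard certificate and keeps the existing host-based routing. The loopback port 8443, the backend names and the `http-request` forms of the header/redirect rules (HAProxy 1.8+/2.x syntax, replacing `reqadd`) are assumptions of this example.

```haproxy
# Port 80 and the terminating frontend share one http-mode section.
# Port 443 is NOT bound here any more: it moves to the tcp frontend below.
frontend web
    mode http
    bind *:80
    # TLS termination for everything that is not passed through. 127.0.0.1:8443
    # is an assumed internal port; accept-proxy restores the real client address
    # that the tcp frontend forwards with send-proxy-v2.
    bind 127.0.0.1:8443 ssl crt /etc/ssl/private/mydomain.tld.pem alpn h2,http/1.1 accept-proxy
    http-request set-header X-Forwarded-Proto https if { ssl_fc }
    http-request redirect scheme https unless { ssl_fc }
    option forwardfor
    acl acl_pihole2 hdr(host) -i pihole2.mydomain.tld
    use_backend pihole2 if acl_pihole2

backend pihole2
    mode http
    server web 192.168.1.228:80 check

# Raw TLS on 443: route by SNI without decrypting.
frontend ssl_passthrough
    mode tcp
    bind *:443
    # Wait (up to 5s) for the ClientHello so the SNI is available to the ACLs.
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    use_backend openvpn_user  if { req.ssl_sni -i openvpnuser.mydomain.tld }
    use_backend openvpn_admin if { req.ssl_sni -i openvpnadmin.mydomain.tld }
    # Anything else (pihole2, future hosts) is terminated locally.
    default_backend terminate_local

backend openvpn_user
    mode tcp
    server openvpn 192.168.1.225:443 check

backend openvpn_admin
    mode tcp
    server openvpn 192.168.1.225:943 check

backend terminate_local
    mode tcp
    # Hand the still-encrypted stream to the http frontend on the loopback.
    server local 127.0.0.1:8443 send-proxy-v2
```

Two things worth checking with this layout. First, in pass-through mode the proxy never sees HTTP, so `option forwardfor` cannot apply to the OpenVPN hosts: their access logs will show HAProxy's address, not the client's. Second, `http://openvpnuser.mydomain.tld` still works because port 80 answers with the `redirect scheme https`, after which the browser reconnects on 443 and the SNI rule takes over; this relies on the OpenVPN machine presenting a certificate valid for those names, which the wildcard already deployed there covers.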