Starting on a single Raspberry Pi with several servers

Hi All,

Today I started with HAProxy on my Pi at home, read my share of the docs and ventured composing a config.
I feel insecure, especially because I want to keep my SSH access. Therefore I would appreciate any help, and pointers to good resources for help.

My situation:

  • A DSL line with a fixed IPv4 and IPv6, and a router opening certain ports to my Pi
  • A Pi with Debian Jessie up to date and secured with IPTables
  • The Pi serves SSH, Apache (80 & 443), home automation 1 (ports x-z) and 2 (port w), Webmin

I have been advised to use HAProxy to ReverseProxy my home automation server.
I want https://mi_ip/bla/bli specifically to go to http://localhost:y/blo/blu.

My questions beforehand:

  1. Ports I don’t mention in the HAProxy config, are they passed on untampered? E.g., will I have full SSH access if I don’t mention the SSH port?
  2. Does HAProxy have any other advantages on a single Pi? Can it enhance performance and security?
  3. Is HAProxy acting before or after IPTables?

I made this draft config file:

listen apache
       mode http
       bind *:443 
       server web localhost

listen home_automation.1  
       mode http
       bind http://*:x/bla/bli
       server server1 http://localhost:y/blo/blu

listen home_automation.2  
       mode tcp
       bind *:z 
       server server2 localhost:p

Apologies if I understand something completely wrong, and thanks for any replies!

Regards,
Paul

Haproxy doesn’t do anything unless you configure it to do so. It isn’t a router!

Possibly yes, maybe it does the opposite for you, it all depends on how you configure it.

Haproxy is an application, iptables is part of the kernel. So iptables/routing/masquerading runs first, and haproxy comes after. Haproxy is an application just like Apache, sshd, mysql or minecraft is.

That’s invalid. You cannot specify any URLs here, if your basic configuration contains “http://” you are doing it wrong. You also have to specify the exact port, at the very least when calling bind. It may be omitted on the server line, in that case it will use the original destination port from the frontend/bind section.

Haproxy can forward TCP (at layer 4) or HTTP traffic.

I would suggest you go through the starter guide:
https://cbonte.github.io/haproxy-dconv/1.6/intro.html

Here is the documentation guide for more specific information:
https://cbonte.github.io/haproxy-dconv/1.6/configuration.html

Well, I have been studying both for a few hours and was left with the questions I had. For a newbie these docs are not that easy to understand.

Great, thanks for these clarifications. So I could safely start with

listen apache
       mode http
       bind *:443 
       server web localhost

listen home_automation.1  
       mode http
       bind *:x
       server server1 localhost:y

listen home_automation.2  
       mode tcp
       bind *:z 
       server server2 localhost:p

Then a new question. I just studied the chapter on using ACLs and fetching samples. Wanting to allow passage only of http://my_url/bli/bla, can I add a rule “acl -m dir /bli/bla” to one of the proxies?

Yes, you just have to replace x, y, z and p with actual port numbers.

Do you want to deny everything else or do you want to use that information to decide which backend to choose?

I want to deny everything else.

Is this the proper way?

listen abc
        mode http
        bind *:x
        acl isabc path_end -i /bli/bla
        http-request deny unless isabc
        server server1 localhost:y

Yes, this should do it.
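A complete configuration in the shape this thread converges on, added here as an example and not taken from the thread or the HAProxy project. It assumes 8081 and 8080 as stand-ins for the placeholder ports x and y, and it uses path_beg rather than path_end, because path_end -i /bli/bla also lets through any request whose path merely ends in /bli/bla (for instance /other/bli/bla); a prefix match is what "only /bli/bla" usually means.

```haproxy
global
    log /dev/log local0
    maxconn 256

defaults
    mode http
    log global
    option httplog
    timeout connect 5s
    timeout client 30s
    timeout server 30s

# Ports that are not bound here (SSH on 22, Apache on 80/443, Webmin) are
# untouched by HAProxy: iptables and the kernel deliver them as before.
listen abc
    # 8081 stands in for the thread's "x", 8080 for "y" (assumed values).
    bind *:8081
    # path_beg = prefix match on the request path (query string excluded).
    # path_end, as in the thread, is a suffix match and would also admit
    # /anything/bli/bla, which is rarely the intent of an allow-list.
    acl isabc path_beg -i /bli/bla
    # Everything not matching the ACL is answered by HAProxy with 403 and
    # never reaches the home-automation server behind it.
    http-request deny unless isabc
    # Request and response lines of each denied/allowed request go to the
    # log configured above, which is where to look when a path is blocked.
    server server1 localhost:8080
```

Check the file with `haproxy -c -f /etc/haproxy/haproxy.cfg` before reloading; a typo in an ACL line is reported there rather than at request time.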