How It Works (Reverse Proxy)
Calling
The reverse proxy forms the interface between external requests and the internal servers (API, WebApp, OAuth, WebDAV).
Forwarding
As shown in the infrastructure overview, the reverse proxy handles all forwarding to the internal network. The following routes must be handled:
URL | Internal server | Info |
---|---|---|
WebApp (:8080) | All calls for the root path must be forwarded to the WebApp server | |
API (:8080) | All /api calls must be forwarded to the API server | |
OAuth (:8080) | All /oauth calls must be forwarded to the OAuth server | |
WebDAV (:8090) | All /webdav calls must be forwarded to the WebDAV proxy | |
It is also important to ensure that the reverse proxy does not replace the Host header.
Multi-Client Capabilities
The mapping of multi-client capabilities is implemented in the reverse proxy using the corresponding directive. Since each client requires its own certificate, we recommend creating a separate VirtualHost for each client.
Configuration file (reverse proxy) - HAProxy Linux
[root@localhost]# cat /etc/haproxy/haproxy.cfg
#---------------------------------------------------------------------
# Global settings
#---------------------------------------------------------------------
global
# Log to the local syslog daemon, facility local2
log 127.0.0.1 local2
# Run chrooted and as an unprivileged user/group once the ports are bound
chroot /var/lib/haproxy
pidfile /var/run/haproxy.pid
# Process-wide connection ceiling (the 'defaults' section repeats it per proxy)
maxconn 100000
user haproxy
group haproxy
daemon
# turn on stats unix socket
# Runtime API socket: no 'mode', 'user'/'group' or 'level' is given, so HAProxy's
# defaults apply. NOTE(review): confirm the socket is reachable only by the
# intended administrators, since it allows changing server state at runtime.
stats socket /var/lib/haproxy/stats
# TLS policy for listeners ('bind'): ECDHE-only suites (forward secrecy);
# SSLv3/TLS1.0/TLS1.1 are disabled, so TLS 1.2 is the minimum. TLS 1.3 suites
# are configured separately (ssl-default-bind-ciphersuites) and are not set
# here, so the TLS library's defaults apply where TLS 1.3 is available.
# no-tls-tickets disables stateless session resumption via session tickets.
ssl-default-bind-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
# The same policy for TLS connections HAProxy opens to servers. None are
# configured in this file: every 'server' line below speaks plain HTTP.
ssl-default-server-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
#---------------------------------------------------------------------
# Defaults that all the 'listen' and 'backend' sections will
# use if not designated in their block
#---------------------------------------------------------------------
defaults
mode http
log global
# Log in HTTP format (request line, status, timers) rather than TCP format
option httplog
# Do not log connections that exchanged no data (e.g. TCP probes from monitoring)
option dontlognull
# If the server chosen by a persistence cookie is unavailable, send the
# request to another server instead of failing it
option redispatch
# Append the client address as X-Forwarded-For, except for local sources.
# NOTE(review): a client-supplied X-Forwarded-For is not removed, so backends
# must trust only the address this proxy appends (the last one). When no
# trusted proxy sits in front of HAProxy, 'http-request set-header
# X-Forwarded-For %[src]' would replace the header instead of appending.
option forwardfor except 127.0.0.0/8
retries 3
# Bounds how long a client may take to send the complete request headers
timeout http-request 10s
timeout queue 1m
timeout connect 10s
timeout client 1m
timeout server 1m
timeout http-keep-alive 10s
timeout check 10s
maxconn 100000
#---------------------------------------------------------------------
# Frontend HTTP and HTTPS
#---------------------------------------------------------------------
frontend http_https
mode http
# TLS listener; the .pem is expected to hold the certificate chain and private key
bind :443 ssl crt /etc/pki/tls/private/sds_haproxy.pem
# Plain HTTP is accepted only so that the redirect below can be issued
bind :80
# Every request that did not arrive over TLS is redirected, so no plaintext
# request is ever forwarded to a backend
redirect scheme https code 301 if !{ ssl_fc }
# X-Forwarded-Proto for SSL offloading
# set-header replaces any client-supplied value, so backends can rely on it
http-request set-header X-Forwarded-Proto https
# HSTS
# One year; 'includeSubDomains' and 'preload' are not set (deployment choice)
http-response set-header Strict-Transport-Security max-age=31536000
# X-Content-Type-Options
http-response set-header X-Content-Type-Options nosniff
# X-Xss-Protection (for Chrome, Safari, IE)
# NOTE(review): this header is deprecated and ignored by current browsers; the
# usual recommendation today is the value 0 plus a Content-Security-Policy
http-response set-header X-Xss-Protection 1;\ mode=block
# X-Frame-Options (DENY or SAMEORIGIN)
http-response set-header X-Frame-Options DENY
# X-Robots-Tag to not index our site
http-response set-header X-Robots-Tag none
# Delete Server Header
# Strips the backend's Server banner from every response
http-response del-header Server
# Stats page disabled if not needed
# NOTE(review): if these lines are enabled, replace the haadmin:haadmin
# placeholder credentials and restrict the /hastats URI to administrative
# sources with an ACL
#stats enable
#stats auth haadmin:haadmin
#stats uri /hastats
#stats refresh 10s
# Routing by URL prefix, case-insensitive. path_beg is a plain prefix match,
# so a path such as /apiXYZ also selects the API backend.
acl api_acl path_beg -i /api
acl oauth_acl path_beg -i /oauth
acl webdav_acl path_beg -i /webdav
use_backend api_server if api_acl
use_backend oauth_server if oauth_acl
use_backend webdav_server if webdav_acl
# Everything else (the root path, i.e. the WebApp) goes to the WebUI backend
default_backend webui_server
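#---------------------------------------------------------------------
# Backend API
#---------------------------------------------------------------------
backend api_server
balance leastconn
# Session stickiness via an inserted cookie. The frontend forwards TLS traffic
# only, so the cookie is flagged 'secure'; 'httponly' keeps it out of reach of
# page scripts; 'nocache' keeps shared caches from storing the response that sets it.
cookie APISERVER insert indirect nocache secure httponly
# Health check: GET /api/v4/public/time must answer 200. A 404 puts the server
# into a drain state (no new sessions) instead of marking it down; any other
# non-200 status counts as a failed check.
http-check disable-on-404
http-check expect status 200
option httpchk GET /api/v4/public/time
# inter 5s between checks while up, fastinter 1s while the state is changing,
# downinter 3s while down; 2 consecutive passes bring the server up, 5
# consecutive failures take it down
server api01 api-server:8080 cookie api01 check inter 5s fastinter 1s downinter 3s rise 2 fall 5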
#---------------------------------------------------------------------
# Backend Oauth
#---------------------------------------------------------------------
backend oauth_server
# No persistence cookie here: requests are spread round-robin across servers
balance roundrobin
# Health check: GET /oauth/ping must answer 200. A 404 drains the server
# (no new sessions) instead of marking it down.
http-check disable-on-404
http-check expect status 200
option httpchk GET /oauth/ping
# inter 5s between checks while up, fastinter 1s while the state is changing,
# downinter 3s while down; 2 passes bring the server up, 5 failures take it down
server oauth01 oauth-server:8080 check inter 5s fastinter 1s downinter 3s rise 2 fall 5
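#---------------------------------------------------------------------
# Backend WebDAV
#---------------------------------------------------------------------
backend webdav_server
balance leastconn
# Session stickiness via an inserted cookie. The frontend forwards TLS traffic
# only, so the cookie is flagged 'secure'; 'httponly' keeps it out of reach of
# page scripts; 'nocache' keeps shared caches from storing the response that sets it.
cookie WEBDAVSERVER insert indirect nocache secure httponly
# Health check: GET /webdav is expected to answer 401 (presumably because the
# unauthenticated probe is rejected with an auth challenge), so 401 is the
# healthy response here. A 404 drains the server instead of marking it down.
http-check disable-on-404
http-check expect status 401
option httpchk GET /webdav
# inter 5s between checks while up, fastinter 1s while the state is changing,
# downinter 3s while down; 2 passes bring the server up, 5 failures take it down
server webdav01 webdav-server:8090 cookie webdav01 check inter 5s fastinter 1s downinter 3s rise 2 fall 5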
#---------------------------------------------------------------------
# Backend WebUI
#---------------------------------------------------------------------
backend webui_server
# Default backend for the root path; no persistence cookie, plain round-robin
balance roundrobin
# Health check: GET /version must answer 200. A 404 drains the server
# (no new sessions) instead of marking it down.
http-check disable-on-404
http-check expect status 200
option httpchk GET /version
# inter 5s between checks while up, fastinter 1s while the state is changing,
# downinter 3s while down; 2 passes bring the server up, 5 failures take it down
server webui01 webui-server:8080 check inter 5s fastinter 1s downinter 3s rise 2 fall 5