Hi.
On 18.02.21 10:12, spfma.t...@e.mail.fr wrote:
> Hi,
>
> I would like to set up a reverse proxy with SSL termination to allow something
> like:
> https://front1.domain proxying http://back1.otherdomain:8000 (and maybe one day
> back2)
> https://front2.domain proxying http://back3.otherdomain:5000
>
> Common things I already configured using Apache's mod_proxy.
> I am not an HAProxy expert, I only used it in tcp mode for simple and efficient
> load balancing.

I would suggest taking a look at the following articles.
https://www.haproxy.com/blog/how-to-map-domain-names-to-backend-server-pools-with-haproxy/
https://www.haproxy.com/blog/introduction-to-haproxy-maps/

> I have read this very interesting article https://www.haproxy.com/fr/blog/howto-write-apache-proxypass-rules-in-haproxy/
> but it seems the directives belong to former versions, and I was not able to get the expected result.
>
> One of my important use-cases is Apache backends hosting WordPress.
> There are numerous examples here and there, but I always end up with URLs like https://front1.domain/wp-admin
> redirected to http://front1.domain:8000/wp-admin or https://back1.otherdomain:8000/wp-admin and so on ...
>
> I know WP is redirecting to URLs related to its configured URLs, so I guess some
> header rewriting is required, but I don't know how to do that.
> I am looking for a generic way to perform the required rewrites, without depending
> on fixed URL patterns. Is it only possible with HAProxy? Some very old posts
> suggested it was not, but they were from around nine years ago.
> I have not been able to find answers so far (some search results show appealing
> descriptions but sites are not responding) so I am looking for some help here.

Well, you will need some pattern that the computer can follow.
For example, based on which criteria should a program know what it should do with
the URL?

Request: https://front1.domain/wp-admin
Redirect to http://front1.domain:8000/wp-admin when what happens?
Send request to https://back1.otherdomain:8000/wp-admin when what happens?

I would start with that config
https://github.com/Tyrell66/SoHo/blob/master/haproxy-2020.05.02.cfg
Here is a slightly adapted version.
```
frontend http-in
    bind *:80

    # Prevent DDoS
    stick-table type ip size 100k expire 30s store http_req_rate(10s)
    http-request track-sc0 src
    http-request deny deny_status 429 if { sc_http_req_rate(0) gt 20 }

    http-request add-header X-Forwarded-Proto http
    redirect scheme https if !{ ssl_fc }

frontend https-in
    # /etc/haproxy/certs/ contains both .pem for default and second domain names.
    bind *:443 ...

    http-response replace-header Location ^http://(.*)$ https://\1
    http-request add-header X-Forwarded-Proto https
    http-request set-header X-Forwarded-Proto https
    http-request set-header X-Forwarded-Port 443
    capture request header X-Forwarded-For len 15

    # Strip off Proxy headers to prevent HTTpoxy (https://httpoxy.org/)
    http-request del-header Proxy

    ## Secure headers https://blog.devcloud.hosting/securing-haproxy-and-nginx-via-http-headers-54020d460283
    ## Test your config with https://securityheaders.com/
    ## and https://observatory.mozilla.org/
    http-response set-header X-XSS-Protection 1;mode=block
    http-response set-header X-Content-Type-Options nosniff
    http-response set-header Referrer-Policy no-referrer-when-downgrade
    http-response set-header X-Frame-Options SAMEORIGIN
    http-response del-header X-Powered-By
    http-response del-header Server

    # This line is for HSTS:
    http-response set-header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload;"

    # Pick the backend by Host header; be_static is the default
    use_backend %[req.hdr(host),lower,map(hosts.map,be_static)]

backend be_static
    server default_static xxx.xxx.xx

backend be_domain1
    http-request replace-uri ^/gc/(.*) /guacamole/\1
    # A server line takes address:port only; the /guacamole/ path is applied by replace-uri above
    server host1 192.168.1.13:58080
...
```
file hosts.map
```
front1.domain be_domain1
front2.domain be_domain2
```
You can also set maps for path and host with ports.

As you can see, HAProxy should be able to fulfill your requirement as long as
you can define it for you and the program/computer ;-)

Maybe this article could also help you to protect the WP installations against
attacks.
https://www.haproxy.com/blog/wordpress-cms-brute-force-protection-with-haproxy/

> Thanks

Welcome
Alex
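
Added example, not part of the thread: a Python model of the `Location` rewrite in the posted config, run against the two redirect URLs from the original question. It shows which of them still expose the backend host or port after a scheme-only rewrite, and models one host-map-based alternative; the `FRONT_TO_BACKEND` dict and all function names are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed mapping for the poster's first site: public host -> backend authority.
FRONT_TO_BACKEND = {"front1.domain": "back1.otherdomain:8000"}

def scheme_only_rewrite(location):
    # Same regex as the posted line:
    #   http-response replace-header Location ^http://(.*)$ https://\1
    return re.sub(r"^http://(.*)$", r"https://\1", location)

def _backend_host(front_host, mapping):
    return mapping[front_host].rsplit(":", 1)[0]

def exposes_backend(location, front_host, mapping=FRONT_TO_BACKEND):
    """True if an absolute redirect names this site's front or backend host
    but is not exactly https://<front_host>/... (wrong scheme, port or host)."""
    parts = urlsplit(location)
    if parts.hostname not in (front_host, _backend_host(front_host, mapping)):
        return False  # relative redirect, or a redirect to an unrelated site
    return (parts.scheme != "https" or parts.port is not None
            or parts.hostname != front_host)

def map_aware_rewrite(location, front_host, mapping=FRONT_TO_BACKEND):
    """Modelled alternative (assumption): normalise redirects that name the
    front host on any port, or the mapped backend, to https://<front_host>."""
    parts = urlsplit(location)
    if parts.hostname in (front_host, _backend_host(front_host, mapping)):
        return urlunsplit(("https", front_host, parts.path,
                           parts.query, parts.fragment))
    return location  # leave relative and external redirects untouched

def audit(locations, front_host):
    """Return (original, after scheme-only rule, still exposed?, map-aware)."""
    rows = []
    for loc in locations:
        fixed = scheme_only_rewrite(loc)
        rows.append((loc, fixed, exposes_backend(fixed, front_host),
                     map_aware_rewrite(loc, front_host)))
    return rows

if __name__ == "__main__":
    # The two redirect targets quoted in the question, plus a relative one.
    samples = ["http://front1.domain:8000/wp-admin",
               "https://back1.otherdomain:8000/wp-admin",
               "/wp-login.php"]
    for row in audit(samples, "front1.domain"):
        print(row)
```

The same check can be pointed at `Location` values captured from a staging proxy to confirm that no redirect reaches clients with a backend host or port in it.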