Hi.

On 18.02.21 10:12, spfma.t...@e.mail.fr wrote:
> Hi,
> I would like to set up a reverse proxy with SSL termination to allow something
> like:
>
> https://front1.domain proxying http://back1.otherdomain:8000 (and maybe one day
> back2)
> https://front2.domain proxying http://back3.otherdomain:5000
>
> Common things I already configured using Apache's mod_proxy.
> I am not an HAProxy expert, I only used it in tcp mode for simple and efficient
> load balancing.

I would suggest taking a look at the following articles.

https://www.haproxy.com/blog/how-to-map-domain-names-to-backend-server-pools-with-haproxy/
https://www.haproxy.com/blog/introduction-to-haproxy-maps/

> I have read this very interesting article https://www.haproxy.com/fr/blog/howto-write-apache-proxypass-rules-in-haproxy/ but it seems the directives belong to former versions, and I was not able to get the expected result.
>
> One of my important use-cases is Apache backends hosting WordPress.
> There are numerous examples here and there, but I always end up with URLs like https://front1.domain/wp-admin redirected to http://front1.domain:8000/wp-admin or https://back1.otherdomain:8000/wp-admin and so on ...
>
> I know WP is redirecting to URLs related to its configured URLs, so I guess some header rewriting is required, but I don't know how to do that. I am looking for a generic way to perform the required rewrites, without depending on fixed URL patterns. Is it only possible with HAProxy? Some very old posts suggested it was not, but they were from around nine years ago. I have not been able to find answers so far (some search results show appealing descriptions but sites are not responding) so I am looking for some help here.

Well, you will need some pattern that the computer can follow.

For example, based on which criteria should a program know what it should do with
the URL?

Request: https://front1.domain/wp-admin

Redirect to http://front1.domain:8000/wp-admin when what happens?
Send request to https://back1.otherdomain:8000/wp-admin when what happens?

I would start with that config 
https://github.com/Tyrell66/SoHo/blob/master/haproxy-2020.05.02.cfg

Here is a slightly adapted version.


```
frontend http-in
    bind *:80

    # Prevent DDoS: track the request rate per source IP over 10s
    # and answer 429 above 20 requests.
    # Note: this table only covers the port 80 frontend.
    stick-table type ip size 100k expire 30s store http_req_rate(10s)
    http-request track-sc0 src
    http-request deny deny_status 429 if { sc_http_req_rate(0) gt 20 }

    http-request add-header X-Forwarded-Proto http
    redirect scheme https if !{ ssl_fc }


frontend https-in
    # /etc/haproxy/certs/ contains both .pem for default and second domain names.
    bind *:443 ...

    # Rewrite http:// redirects coming back from the backends to https://
    http-response replace-header Location ^http://(.*)$     https://\1

    # set-header replaces any value sent by the client
    http-request set-header X-Forwarded-Proto https
    http-request set-header X-Forwarded-Port 443
    capture request header X-Forwarded-For len 15

    # Strip off Proxy headers to prevent httpoxy (https://httpoxy.org/)
    http-request del-header Proxy

    ## Secure headers https://blog.devcloud.hosting/securing-haproxy-and-nginx-via-http-headers-54020d460283
    ## Test your config with https://securityheaders.com/
    ## and https://observatory.mozilla.org/

    http-response set-header X-XSS-Protection 1;mode=block
    http-response set-header X-Content-Type-Options nosniff
    http-response set-header Referrer-Policy no-referrer-when-downgrade
    http-response set-header X-Frame-Options SAMEORIGIN
    http-response del-header X-Powered-By
    http-response del-header Server

    # This line is for HSTS:
    http-response set-header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload;"

    # Pick the backend from the Host header via hosts.map; default is be_static
    use_backend %[req.hdr(host),lower,map(hosts.map,be_static)]

backend be_static
    server default_static xxx.xxx.xx

backend be_domain1
    http-request replace-uri ^/gc/(.*) /guacamole/\1
    # A server line takes address:port only; the path is set by replace-uri above
    server host1 192.168.1.13:58080

...

```

file hosts.map
```
front1.domain be_domain1
front2.domain be_domain2

```

You can also set maps for path and host with ports.
As you can see, HAProxy should be able to fulfill your requirement as long as
you can define it for you and the program/computer ;-)

Maybe this article could also help you to protect the WP installations from
attacks.
https://www.haproxy.com/blog/wordpress-cms-brute-force-protection-with-haproxy/

> Thanks

Welcome

Alex
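
Added example, not part of the original mail and not HAProxy code: a small Python check that applies the `Location` rewrite from the `https-in` frontend above to the redirect URLs described in the question and reports which ones would still point the browser at a backend host or port. The sample values and the function names are constructed for this illustration.

```python
import re
from urllib.parse import urlsplit

# The rewrite from the https-in frontend in the mail:
#   http-response replace-header Location ^http://(.*)$ https://\1
PAGE_RULE = (re.compile(r"^http://(.*)$"), r"https://\1")

# Constructed sample Location values, based on the redirects in the question.
SAMPLES = [
    "http://front1.domain/wp-admin",
    "http://front1.domain:8000/wp-admin",
    "https://back1.otherdomain:8000/wp-admin",
    "/wp-login.php",
]


def apply_page_rule(location: str) -> str:
    """Mimic replace-header: the value changes only if the regex matches."""
    pattern, replacement = PAGE_RULE
    return pattern.sub(replacement, location, count=1)


def leaks_backend(location: str, public_host: str) -> bool:
    """True if Location points anywhere other than https://public_host on 443."""
    parts = urlsplit(location)
    if not parts.scheme and not parts.netloc:
        return False  # relative redirect, resolved against the public URL
    return not (
        parts.scheme == "https"
        and parts.hostname == public_host
        and parts.port in (None, 443)
    )


def audit(public_host: str = "front1.domain"):
    """Return (original, rewritten, still_leaking) for every sample value."""
    results = []
    for location in SAMPLES:
        rewritten = apply_page_rule(location)
        results.append((location, rewritten, leaks_backend(rewritten, public_host)))
    return results


if __name__ == "__main__":
    for original, rewritten, leaking in audit():
        print(f"{original:42} -> {rewritten:42} {'LEAK' if leaking else 'ok'}")
```

The scheme-only rule fixes the first sample but leaves the `:8000` port and the `back1.otherdomain` host in place, which is why the backend's own configured URL or a host-specific rewrite still has to be defined per site.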
