I have a home server with a web server on it. Because I don't have a public IP, I had to use a VPS with HAProxy. I wanted to use SSL on the backend, so it has to be TCP mode. But in TCP mode you lose the real client IP, so I configured HAProxy with send-proxy-v2 on the VPS.
On the home server I have an Apache server with nginx, so nginx will accept proxies.
Here is my HAProxy config:
global
    log 127.0.0.1 local2
    chroot /var/lib/haproxy
    pidfile /var/run/haproxy.pid
    maxconn 4000
    user haproxy
    group haproxy
    daemon
    stats socket /var/lib/haproxy/stats
    ssl-default-bind-ciphers PROFILE=SYSTEM
    ssl-default-server-ciphers PROFILE=SYSTEM

defaults
    mode tcp
    # HAProxy warns at startup when a proxy has no timeouts; these values are an assumption
    timeout connect 5s
    timeout client  60s
    timeout server  60s

frontend webserver
    bind *:80
    bind *:443
    option tcplog
    option tcpka
    default_backend webserver

backend webserver
    mode tcp
    # ssl-hello-chk is only used if the server line also has 'check'
    option ssl-hello-chk
    # no port on the server line: HAProxy connects to the same port the client used
    # (80 or 443), and send-proxy-v2 prepends a PROXY protocol v2 header on both
    server web01 xxx.xxx.xxx.xxx send-proxy-v2
Here is my nginx config on my home server:
include "/etc/nginx/plesk.conf.d/ip_default/*.conf";

# only trust the PROXY protocol header when the connection comes from HAProxy
set_real_ip_from xxx.xxx.xxx.xxx; # HAproxy external IP
real_ip_header proxy_protocol; # proxy_protocol needed
real_ip_recursive on;

server {
    # proxy_protocol: nginx expects the PROXY header before the TLS handshake
    listen 192.168.0.74:443 ssl proxy_protocol;
    ssl_certificate /opt/psa/var/certificates/cert3miK1Td;
    ssl_certificate_key /opt/psa/var/certificates/cert3miK1Td;

    location ^~ /plesk-site-preview/ {
        proxy_pass http://127.0.0.1:8880;
        proxy_set_header Host plesk-site-preview.local;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_cookie_domain plesk-site-preview.local $host;
        access_log off;
    }

    location / {
        # $remote_addr is the client address taken from the PROXY header, not the VPS IP
        proxy_pass https://192.168.0.74:7081;
        proxy_hide_header upgrade;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
SSL with this config works, and in the logs the real IP is transferred.
The next thing I'm using is fail2ban. I wanted to ban the IPs on the VPS, so they can't even reach my home server, so I did this:
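To show what send-proxy-v2 actually puts in front of the TLS bytes, and what nginx's real_ip_header proxy_protocol recovers from it, here is an added example (not from the original post and not HAProxy's or nginx's own code) that builds and parses a PROXY protocol v2 header; the addresses and ports are constructed documentation-range values.

```python
import ipaddress
import struct

# PROXY protocol v2 constants (from the HAProxy proxy-protocol specification)
PP2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"
PP2_VERSION, PP2_CMD_LOCAL, PP2_CMD_PROXY = 0x20, 0x00, 0x01
PP2_FAM_INET, PP2_FAM_INET6, PP2_PROTO_STREAM = 0x10, 0x20, 0x01


def build_pp2_header(src_ip, src_port, dst_ip, dst_port):
    """Build the binary header that HAProxy's send-proxy-v2 prepends to the TCP stream."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    if src.version != dst.version:
        raise ValueError("source and destination address families differ")
    fam = PP2_FAM_INET if src.version == 4 else PP2_FAM_INET6
    addrs = src.packed + dst.packed + struct.pack("!HH", src_port, dst_port)
    return (PP2_SIGNATURE
            + bytes([PP2_VERSION | PP2_CMD_PROXY, fam | PP2_PROTO_STREAM])
            + struct.pack("!H", len(addrs)) + addrs)


def parse_pp2_header(data):
    """Parse a v2 header at the start of a stream, like nginx's listen ... proxy_protocol.
    Returns (info, payload): info is None for a LOCAL command (health check from the proxy
    itself); otherwise info["src"] is what real_ip_header proxy_protocol puts in $remote_addr.
    Anything else raises ValueError, just as nginx rejects a client that sends no header.
    """
    if len(data) < 16 or data[:12] != PP2_SIGNATURE:
        raise ValueError("missing PROXY protocol v2 signature")
    ver_cmd, fam_proto, length = struct.unpack("!BBH", data[12:16])
    if (ver_cmd & 0xF0) != PP2_VERSION:
        raise ValueError("unsupported PROXY protocol version")
    if len(data) < 16 + length:
        raise ValueError("truncated PROXY protocol header")
    body, payload = data[16:16 + length], data[16 + length:]
    if (ver_cmd & 0x0F) == PP2_CMD_LOCAL:
        return None, payload
    fam = fam_proto & 0xF0
    addr_len = {PP2_FAM_INET: 4, PP2_FAM_INET6: 16}.get(fam)
    if addr_len is None or len(body) < 2 * addr_len + 4:
        raise ValueError("unsupported address family or short address block")
    src = ipaddress.ip_address(body[:addr_len])
    dst = ipaddress.ip_address(body[addr_len:2 * addr_len])
    src_port, dst_port = struct.unpack("!HH", body[2 * addr_len:2 * addr_len + 4])
    return {"src": str(src), "src_port": src_port, "dst": str(dst), "dst_port": dst_port}, payload


# Constructed sample: a visitor at 203.0.113.7 hitting the VPS (198.51.100.10:443),
# followed by the first bytes of the client's TLS record, which HAProxy relays untouched.
SAMPLE = build_pp2_header("203.0.113.7", 51234, "198.51.100.10", 443) + b"\x16\x03\x01"
```

Because only set_real_ip_from hosts are trusted, a header forged by anyone other than the VPS is ignored by nginx; the parser above makes no such check, the listener configuration does.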
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
#
# Every command is run over ssh on the VPS (xxx.xxx.xxx.xxx) so the rule lands in the
# VPS firewall in front of HAProxy. sshpass passes the root password on the command line
# (visible in the process list) and StrictHostKeyChecking=no skips host-key verification.
# Continuation lines of a multi-line action must be indented.
#
[INCLUDES]
before = iptables-common.conf

[Definition]
# Option: actionstart
# Notes.: command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false).
# Values: CMD
#
actionstart = sshpass -psshpass ssh -o StrictHostKeyChecking=no root@xxx.xxx.xxx.xxx -psshport '<iptables> -N f2b-<name>'
              sshpass -psshpass ssh -o StrictHostKeyChecking=no root@xxx.xxx.xxx.xxx -psshport '<iptables> -A f2b-<name> -j <returntype>'
              sshpass -psshpass ssh -o StrictHostKeyChecking=no root@xxx.xxx.xxx.xxx -psshport '<iptables> -I <chain> -p <protocol> --dport <port> -j f2b-<name>'

# Option: actionstop
# Notes.: command executed at the stop of jail (or at the end of Fail2Ban)
# Values: CMD
#
actionstop = sshpass -psshpass ssh -o StrictHostKeyChecking=no root@xxx.xxx.xxx.xxx -psshport '<iptables> -D <chain> -p <protocol> --dport <port> -j f2b-<name>'
             sshpass -psshpass ssh -o StrictHostKeyChecking=no root@xxx.xxx.xxx.xxx -psshport '<actionflush>'
             sshpass -psshpass ssh -o StrictHostKeyChecking=no root@xxx.xxx.xxx.xxx -psshport '<iptables> -X f2b-<name>'

# Option: actioncheck
# Notes.: command executed once before each actionban command
# Values: CMD
#
# the character class must be [ \t] (space or tab), as in the stock iptables action; a plain [ t] also matches the letter t
actioncheck = sshpass -psshpass ssh -o StrictHostKeyChecking=no root@xxx.xxx.xxx.xxx -psshport "<iptables> -n -L <chain> | grep -q 'f2b-<name>[ \t]'"

# Option: actionban
# Notes.: command executed when banning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: See jail.conf(5) man page
# Values: CMD
#
actionban = sshpass -psshpass ssh -o StrictHostKeyChecking=no root@xxx.xxx.xxx.xxx -psshport '<iptables> -I f2b-<name> 1 -s <ip> -j <blocktype>'

# Option: actionunban
# Notes.: command executed when unbanning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: See jail.conf(5) man page
# Values: CMD
#
actionunban = sshpass -psshpass ssh -o StrictHostKeyChecking=no root@xxx.xxx.xxx.xxx -psshport '<iptables> -D f2b-<name> -s <ip> -j <blocktype>'

[Init]
My home web server can only access my HAProxy, so it's not even public then.
The last two things are to update my HAProxy config with my new IP if there is an IP update, and, since Plesk is overwriting my nginx config, I have to write a script that will overwrite it with my config.
My question is: what do you think about these configs? Do you have any better recommendations?
ty :)