Zend certified PHP/Magento developer

Optimization recommendations

I have a home server with a web server on it. Because I don't have a public IP, I had to use a VPS with HAProxy. I wanted to use SSL on the backend, so it has to be TCP mode, but in TCP mode you lose the real client IP. So I configured HAProxy with send-proxy-v2 on the VPS.

On the home server I have an Apache server with nginx in front, so nginx will accept the PROXY protocol.

Here is my HAProxy config:

global
    log         127.0.0.1 local2
    chroot      /var/lib/haproxy
    pidfile     /var/run/haproxy.pid
    maxconn     4000
    user        haproxy
    group       haproxy
    daemon
    stats socket /var/lib/haproxy/stats
    # only relevant if HAProxy itself terminates or originates TLS; inert in pure TCP pass-through
    ssl-default-bind-ciphers PROFILE=SYSTEM
    ssl-default-server-ciphers PROFILE=SYSTEM

defaults
    mode                    tcp

frontend webserver
    # raw TCP pass-through: TLS is terminated on the home server, not on the VPS
    bind *:80
    bind *:443
    option tcplog
    option tcpka
    default_backend webserver

backend webserver
    mode tcp
    # ClientHello-based health check; only used once "check" is added to the server line
    option ssl-hello-chk
    # no port on the server line: HAProxy connects to the same port the client used (80 or 443)
    # send-proxy-v2 prepends the PROXY protocol v2 header carrying the real client address
    server web01 xxx.xxx.xxx.xxx send-proxy-v2

Here is my nginx config on my home server:

include "/etc/nginx/plesk.conf.d/ip_default/*.conf";

# Only the HAProxy VPS may assert a client address via the PROXY header;
# a PROXY header arriving from any other peer is not used for $remote_addr.
set_real_ip_from xxx.xxx.xxx.xxx; # HAProxy external IP
real_ip_header proxy_protocol;    # take the client address from the PROXY protocol header
real_ip_recursive on;

server {
        # proxy_protocol: nginx expects the PROXY header before the TLS ClientHello
        listen 192.168.0.74:443 ssl proxy_protocol;

        # certificate and key live in the same combined PEM file (Plesk layout)
        ssl_certificate             /opt/psa/var/certificates/cert3miK1Td;
        ssl_certificate_key         /opt/psa/var/certificates/cert3miK1Td;

        location ^~ /plesk-site-preview/ {
                proxy_pass http://127.0.0.1:8880;
                proxy_set_header Host               plesk-site-preview.local;
                proxy_set_header X-Real-IP          $remote_addr;
                proxy_set_header X-Forwarded-For    $proxy_add_x_forwarded_for;
                proxy_set_header X-Forwarded-Proto  $scheme;
                proxy_cookie_domain plesk-site-preview.local $host;
                access_log off;
        }

        location / {
                # hand off to Apache; $remote_addr is already the real client IP from the PROXY header
                proxy_pass https://192.168.0.74:7081;
                proxy_hide_header upgrade;
                proxy_set_header Host $host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
}

SSL with this config works, and the real IP is transferred to the logs.

The next thing I'm using is fail2ban. I wanted to ban the IPs on the VPS so they can't even reach my home server, so I did this:

# Fail2Ban configuration file
#
# Author: Cyril Jaquier
#
#

[INCLUDES]

before = iptables-common.conf

[Definition]

# Option:  actionstart
# Notes.:  command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false).
# Values:  CMD
#
actionstart = sshpass -psshpass ssh -o StrictHostKeyChecking=no root@xxx.xxx.xxx.xxx -psshport '<iptables> -N f2b-<name>'
              sshpass -psshpass ssh -o StrictHostKeyChecking=no root@xxx.xxx.xxx.xxx -psshport '<iptables> -A f2b-<name> -j <returntype>'
              sshpass -psshpass ssh -o StrictHostKeyChecking=no root@xxx.xxx.xxx.xxx -psshport '<iptables> -I <chain> -p <protocol> --dport <port> -j f2b-<name>'

# Option:  actionstop
# Notes.:  command executed at the stop of jail (or at the end of Fail2Ban)
# Values:  CMD
#
actionstop = sshpass -psshpass ssh -o StrictHostKeyChecking=no root@xxx.xxx.xxx.xxx -psshport '<iptables> -D <chain> -p <protocol> --dport <port> -j f2b-<name>'
             sshpass -psshpass ssh -o StrictHostKeyChecking=no root@xxx.xxx.xxx.xxx -psshport '<actionflush>'
             sshpass -psshpass ssh -o StrictHostKeyChecking=no root@xxx.xxx.xxx.xxx -psshport '<iptables> -X f2b-<name>'

# Option:  actioncheck
# Notes.:  command executed once before each actionban command
# Values:  CMD
#
actioncheck = sshpass -psshpass ssh -o StrictHostKeyChecking=no root@xxx.xxx.xxx.xxx -psshport "<iptables> -n -L <chain> | grep -q 'f2b-<name>[ \t]'"

# Option:  actionban
# Notes.:  command executed when banning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    See jail.conf(5) man page
# Values:  CMD
#
actionban = sshpass -psshpass ssh -o StrictHostKeyChecking=no root@xxx.xxx.xxx.xxx -psshport '<iptables> -I f2b-<name> 1 -s <ip> -j <blocktype>'

# Option:  actionunban
# Notes.:  command executed when unbanning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    See jail.conf(5) man page
# Values:  CMD
#
actionunban = sshpass -psshpass ssh -o StrictHostKeyChecking=no root@xxx.xxx.xxx.xxx -psshport '<iptables> -D f2b-<name> -s <ip> -j <blocktype>'

[Init]

My home web server can only be accessed by my HAProxy, so it's not even public.

The last two things are to update my HAProxy config with my new IP if there is an IP update, and, since Plesk overwrites my nginx config, to write a script that overwrites it with my config.

My question is: what do you think about these configs? Do you have any better recommendations?

Thanks :)
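As an added illustration (example code written for this page, not part of the question above and not HAProxy's or nginx's own code), the following Python builds and parses the PROXY protocol v2 header that HAProxy's send-proxy-v2 prepends to each backend connection, and applies the same trust rule nginx applies through set_real_ip_from: the client address asserted in the header only replaces the TCP peer address when the peer is the listed proxy. It assumes 203.0.113.10 as the VPS address and 198.51.100.7 as a client (both documentation-range placeholders); the connection bytes are constructed inline.

```python
"""PROXY protocol v2 builder/parser with a set_real_ip_from-style trust check.
Example code written for this page; not from HAProxy, nginx or the question."""
import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

PP2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"   # 12-byte fixed signature
PP2_VERSION = 0x20                             # high nibble of byte 13
CMD_LOCAL, CMD_PROXY = 0x00, 0x01              # low nibble of byte 13
FAM_INET, FAM_INET6 = 0x10, 0x20               # high nibble of byte 14
PROTO_STREAM = 0x01                            # low nibble of byte 14 (TCP)

# Assumed VPS address (placeholder); plays the role of the
# "set_real_ip_from xxx.xxx.xxx.xxx" line in the nginx config above.
TRUSTED_PROXIES = frozenset({ipaddress.ip_address("203.0.113.10")})


@dataclass(frozen=True)
class ProxyInfo:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def build_pp2_header(src_ip: str, src_port: int, dst_ip: str, dst_port: int) -> bytes:
    """Build the header HAProxy prepends to the backend connection (TCP, no TLVs)."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    if src.version != dst.version:
        raise ValueError("source and destination must share an address family")
    family = FAM_INET if src.version == 4 else FAM_INET6
    addrs = src.packed + dst.packed + struct.pack("!HH", src_port, dst_port)
    return (PP2_SIGNATURE
            + bytes([PP2_VERSION | CMD_PROXY, family | PROTO_STREAM])
            + struct.pack("!H", len(addrs))
            + addrs)


def parse_pp2_header(data: bytes) -> Tuple[Optional[ProxyInfo], bytes]:
    """Split a connection's first bytes into (ProxyInfo or None, payload).

    None is returned for the LOCAL command (the proxy's own health checks),
    which carries no client address. Malformed input raises ValueError, which
    a listener should treat as a reason to drop the connection.
    """
    if len(data) < 16 or data[:12] != PP2_SIGNATURE:
        raise ValueError("missing PROXY v2 signature")
    ver_cmd, fam_proto = data[12], data[13]
    if ver_cmd & 0xF0 != PP2_VERSION:
        raise ValueError("unsupported PROXY protocol version")
    (length,) = struct.unpack("!H", data[14:16])
    body, payload = data[16:16 + length], data[16 + length:]
    if len(body) != length:
        raise ValueError("truncated PROXY v2 header")
    command = ver_cmd & 0x0F
    if command == CMD_LOCAL:
        return None, payload
    if command != CMD_PROXY:
        raise ValueError("unknown PROXY v2 command")
    family = fam_proto & 0xF0
    if family == FAM_INET and length >= 12:
        src, dst, sport, dport = struct.unpack("!4s4sHH", body[:12])
    elif family == FAM_INET6 and length >= 36:
        src, dst, sport, dport = struct.unpack("!16s16sHH", body[:36])
    else:
        raise ValueError("unsupported address family or short address block")
    # Bytes after the address block are optional TLVs and are ignored here.
    return (ProxyInfo(str(ipaddress.ip_address(src)), sport,
                      str(ipaddress.ip_address(dst)), dport), payload)


def effective_client_ip(peer_ip: str, data: bytes,
                        trusted=TRUSTED_PROXIES) -> Tuple[str, bytes]:
    """What nginx would log as $remote_addr for a connection from peer_ip.

    The header is always consumed (a proxy_protocol listener requires it), but
    the asserted client address only replaces the peer address when the peer is
    a trusted proxy. A forged header from anyone else is ignored, which is why
    set_real_ip_from must list only the VPS.
    """
    info, payload = parse_pp2_header(data)
    if info is not None and ipaddress.ip_address(peer_ip) in trusted:
        return info.src_ip, payload
    return peer_ip, payload


if __name__ == "__main__":
    # Constructed sample: the VPS forwards the start of a TLS record from 198.51.100.7.
    hdr = build_pp2_header("198.51.100.7", 51234, "192.168.0.74", 443)
    print(effective_client_ip("203.0.113.10", hdr + b"\x16\x03\x01"))  # ('198.51.100.7', b'\x16\x03\x01')
    # Same bytes from a host that is not the VPS: the claimed address is ignored.
    print(effective_client_ip("198.51.100.7", hdr))                    # ('198.51.100.7', b'')
```

The second call is the case that matters for the fail2ban setup: if the home server's port 443 were reachable from anywhere other than the VPS, a client could prepend its own PROXY header and make the logs (and therefore the bans) name an address of its choosing, so the trust list and the firewall rule restricting the home server to the VPS do real work here.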