HAProxy for HTTP and HTTPS (except HTTPS UDP)

2024-08-07 14:25:14 +00:00 · 2024-08-07 14:25:14 +00:00 · dc2fc245c9
commit dc2fc245c9
parent ed50f66d9a
4 changed files with 71 additions and 5 deletions
--- a/4
+++ b/4
@ -8,8 +8,8 @@ ORIGINAL_DESTINATION_IP="10.0.0.104"
 FORWARD_TO_IP="10.0.100.10"
 RULES=(
    "25:25"
-    "80:80"
-    "443:443"
+    "53:53"
+    "53:53/udp"
    "2222:2222"
 )

--- a/2
+++ b/2
@ -9,8 +9,6 @@ FORWARD_TO_IP="10.0.100.20"
 RULES=(
    "53:5300"
    "53:5300/udp"
-    "80:8000"
-    "443:4430"
    "443:4430/udp"
    "22:22"
    "3478:3478"
--- a/README.md
+++ b/README.md
@ -1,7 +1,14 @@
-# NAT Rules for the Fixed IPv4 Provider
+# HAProxy Rules for the Fixed IPv4 Provider

 In case I don't have a fixed IPv4 address, I use these rules to route the services through a fixed IPv4 provider like Oracle Cloud.

+## Pre-Requesites
+
+* Install HAProxy on the server : `sudo dnf install -y haproxy`
+* Copy the configuration file: `sudo cp /home/opc/bin/NAT/haproxy.cfg /etc/haproxy/haproxy.cfg`
+* Enable the service: `sudo systemctl enable --now haproxy`
+* Open the ad-hoc ports (bound from haproxy.cfg) in the firewall, for instance: `sudo firewall-cmd --add-port=80/tcp --permanent`
+
 ## IP Addresses in Use

 | Public IP (Oracle) | Internal IP (Oracle) | Wireguard client IP | Description |
--- a/haproxy.cfg
+++ b/haproxy.cfg
@ -0,0 +1,61 @@
+global
+    log         127.0.0.1 local2
+
+    chroot      /var/lib/haproxy
+    pidfile     /var/run/haproxy.pid
+    maxconn     4000
+    user        haproxy
+    group       haproxy
+    daemon
+
+    # turn on stats unix socket
+    stats socket /var/lib/haproxy/stats
+
+    # utilize system-wide crypto-policies
+    ssl-default-bind-ciphers PROFILE=SYSTEM
+    ssl-default-server-ciphers PROFILE=SYSTEM
+
+defaults
+    option tcplog
+    mode                    tcp
+    log                     global
+    option http-server-close
+    timeout connect         10s
+    timeout client          1m
+    timeout server          1m
+
+# HTTPS
+frontend https
+    bind :443
+
+    acl dst_fastlight    dst            10.0.0.104
+    acl dst_norrsken     dst            10.0.0.143
+
+    use_backend https_fastlight if dst_fastlight
+    use_backend https_norrsken if dst_norrsken
+
+backend https_fastlight
+    balance     roundrobin
+    server      fastlight      10.0.100.10:443      send-proxy
+
+backend https_norrsken
+    balance     roundrobin
+    server      norrsken       10.0.100.20:4430     send-proxy
+
+# HTTP
+frontend http
+    bind :80
+
+    acl dst_fastlight    dst            10.0.0.104
+    acl dst_norrsken     dst            10.0.0.143
+
+    use_backend http_fastlight if dst_fastlight
+    use_backend http_norrsken if dst_norrsken
+	
+backend http_fastlight
+    balance     roundrobin
+    server      fastlight      10.0.100.10:80      send-proxy
+
+backend http_norrsken
+    balance     roundrobin
+    server      norrsken       10.0.100.20:8000     send-proxy