07 February 2025

reverse proxy in HAProxy

credits - https://www.haproxy.com/glossary/what-is-a-reverse-proxy 
Suppose you want clients to connect to HAProxy using a hostname that is also listed as a Subject Alternative Name (SAN) in HAProxy's certificate, and you want HAProxy to forward that traffic to one specific backend server. This is a common and perfectly valid use case, but the details matter: the client trusts the hostname because of the SAN, and HAProxy routes on the HTTP Host header, and those are two separate checks done by two different parties.

Here's how you can achieve this:

1. Configure HAProxy:

vi /etc/haproxy/haproxy.cfg

defaults
    mode http              # hdr(host) only works in HTTP mode; the default is TCP
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend my_frontend
    bind *:443 ssl crt /path/to/your/certificate.pem
    acl is_for_backend1 hdr(host) -i backend1.example.com  # Match the hostname/SAN
    use_backend backend1 if is_for_backend1

backend backend1
    server backend1_server 192.168.1.10:80 check  # Your backend server

  • defaults / mode http: HAProxy proxies raw TCP unless told otherwise, and in TCP mode it never sees the HTTP Host header, so the ACL below would silently never match. Setting mode http in defaults applies it to every frontend and backend; the three timeouts are required (HAProxy warns at startup without them) and keep idle or stalled connections from piling up.
  • frontend my_frontend: Defines the frontend that listens for incoming connections.
  • bind *:443 ssl crt /path/to/your/certificate.pem: Binds to port 443 and terminates TLS with the certificate in that PEM file. HAProxy expects the file to contain the certificate, any intermediate certificates, and the private key, so it must be readable only by the HAProxy user (root-owned, mode 0600). Crucially, the certificate must have backend1.example.com as a SAN entry.
  • acl is_for_backend1 hdr(host) -i backend1.example.com: This Access Control List (ACL) checks the Host header of the decrypted HTTP request (for HTTP/2, HAProxy maps the :authority pseudo-header onto Host). The -i flag makes the comparison case-insensitive. Note that this is the HTTP Host header, not the TLS SNI: the two normally agree, but a client can put any value in Host, so this ACL is routing logic, not authentication.
  • use_backend backend1 if is_for_backend1: Directs traffic to the backend1 backend only if the is_for_backend1 ACL matches (i.e., the Host header is backend1.example.com). A request whose Host matches no ACL has no backend and gets a 503 from HAProxy; add a default_backend line if you want a catch-all instead.
  • backend backend1: Defines the backend server.
  • server backend1_server 192.168.1.10:80 check: Specifies the IP address and port of your backend server; check enables health checking. Port 80 means the hop from HAProxy to the backend is plaintext, which is only acceptable on a trusted network segment. To re-encrypt, add ssl verify required ca-file /path/to/ca.pem to the server line (and point at the backend's TLS port) so HAProxy also verifies the backend's certificate.

2. DNS Configuration:

You need to configure your DNS so that backend1.example.com resolves to the IP address of your HAProxy server. This is how clients will be able to connect to HAProxy using that hostname.

3. Certificate:

Your TLS certificate must list backend1.example.com as a Subject Alternative Name (SAN). When a client connects to https://backend1.example.com, HAProxy presents this certificate and the client checks that the hostname it asked for appears in the SAN list; modern clients ignore the Subject Common Name entirely, so a CN alone is not enough. If the name is missing, the client gets a hostname-mismatch certificate error. HAProxy itself never checks its own SAN list, so a misconfigured certificate only shows up on the client side. If you serve several hostnames, either put all of them in one certificate's SAN list or point crt at a directory of PEM files, in which case HAProxy picks the certificate whose SAN matches the SNI the client sent.

How it Works:

  1. Client makes a request to https://backend1.example.com.
  2. DNS resolves backend1.example.com to HAProxy's IP address.
  3. Client opens a TLS connection to HAProxy, sending backend1.example.com as the SNI.
  4. HAProxy presents its certificate (which has backend1.example.com as a SAN).
  5. Client verifies the certificate chain and checks that backend1.example.com is in the SAN list.
  6. HAProxy decrypts the request and reads its Host header.
  7. Because the Host header is backend1.example.com, the is_for_backend1 ACL matches.
  8. HAProxy forwards the request to the backend1 backend server (192.168.1.10:80).
  9. The backend server processes the request and sends the response back to HAProxy.
  10. HAProxy forwards the response back to the client.
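The certificate step and the flow above, as an added shell example that is not part of the original post: it builds the combined PEM bundle HAProxy's crt directive reads, checks with openssl that the hostname clients will use is covered by the SAN list (and that a name present only in the Subject CN is not), and wraps the curl probe for steps 1 to 5 of the flow so you can test a frontend before touching DNS. It assumes openssl 1.1.1 or later and curl are installed; backend1.example.com, backend2.example.com, the temporary directory and the address 203.0.113.10 are placeholders chosen for this example.

```shell
#!/bin/sh
# Added example, not part of the original post or of HAProxy itself.
# Assumes openssl (1.1.1+) and curl; hostnames and 203.0.113.10 are placeholders.

# Generate a self-signed key + certificate whose SAN list holds every hostname
# given as an argument, then concatenate cert and key into one PEM bundle, which
# is the layout HAProxy's `crt` directive expects (cert, chain, key).
# A CA-issued certificate would be laid out the same way.
# Usage: make_haproxy_bundle <dir> <hostname> [hostname...]  -> prints bundle path
make_haproxy_bundle() {
    dir=$1; shift
    sans=""
    for h in "$@"; do
        sans="${sans:+$sans,}DNS:$h"
    done
    # The Subject CN is deliberately NOT a served hostname: clients check SANs only.
    openssl req -x509 -newkey rsa:2048 -nodes \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" -days 30 \
        -subj "/CN=haproxy-frontend" -addext "subjectAltName=$sans" \
        >/dev/null 2>&1 || return 1
    # The bundle contains the private key: create it with owner-only permissions.
    ( umask 077; cat "$dir/cert.pem" "$dir/key.pem" > "$dir/haproxy.pem" ) || return 1
    chmod 600 "$dir/haproxy.pem"
    printf '%s\n' "$dir/haproxy.pem"
}

# Print the SAN entries of a bundle so you can eyeball what clients will accept.
list_sans() {
    openssl x509 -in "$1" -noout -ext subjectAltName
}

# Exit 0 when openssl's hostname check (the same matching rules a client applies)
# says <host> is covered by the certificate, 1 otherwise.
# Usage: cert_matches_host <bundle.pem> <host>
cert_matches_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q ' does match certificate'
}

# Steps 1-5 of the flow from the command line, without relying on DNS:
# --resolve pins <hostname> to HAProxy's IP, --cacert supplies the trust anchor,
# and curl refuses to talk if the SAN check fails. Prints the HTTP status code.
# Usage: probe_frontend <haproxy-ip> <hostname> <ca-or-cert.pem>
probe_frontend() {
    curl -sS -o /dev/null -w '%{http_code}\n' \
        --resolve "$2:443:$1" --cacert "$3" "https://$2/"
}

# Syntax-check the HAProxy config before reloading; this catches a PEM bundle
# without its key and most typos in the ACL / use_backend lines.
check_config() {
    haproxy -c -f "${1:-/etc/haproxy/haproxy.cfg}"
}

# Demo run (only when invoked as: sh thisfile.sh demo)
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    bundle=$(make_haproxy_bundle "$d" backend1.example.com backend2.example.com)
    list_sans "$bundle"
    for h in backend1.example.com other.example.com haproxy-frontend; do
        if cert_matches_host "$bundle" "$h"; then
            echo "$h: covered by SAN list"
        else
            echo "$h: NOT covered, clients will reject it"
        fi
    done
    # Placeholder address; replace with your HAProxy IP once the bundle is installed.
    probe_frontend 203.0.113.10 backend1.example.com "$d/cert.pem"
fi
```

The negative case for haproxy-frontend is the point worth remembering: because the certificate carries DNS SAN entries, openssl (like every browser) never falls back to the Common Name, so a certificate with the right CN but the wrong SAN list still fails in step 5.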

Key Points:

  • SAN is essential: The SAN in the certificate is the critical piece that allows the client to trust the connection to backend1.example.com when it's terminated at HAProxy.
  • Host header matching: The ACL routes to backend1 only when the client sends that hostname. Any client can set Host to whatever it likes, so this is routing, not access control; authenticate at the backend or with additional HAProxy rules.
  • DNS is crucial: DNS must be configured correctly so that the hostname resolves to HAProxy's IP address.

This setup allows you to use a specific hostname (backend1.example.com) that's associated with a particular backend server, even though the connection is terminated at HAProxy. This is a very common pattern for load balancing and reverse proxying.
