Reverse-proxy
Call for Contributions
This section needs improvements, examples and explanations.
Please take a look at the Contributing Guide for our Write Documentation.
VyOS reverse-proxy is balancer and proxy server that provides high-availability, load balancing and proxying for TCP (level 4) and HTTP-based (level 7) applications.
Configuration
Service configuration is responsible for binding to a specific port, while the backend configuration determines the type of load balancing to be applied and specifies the real servers to be utilized.
Service
Set service to bind on IP address, by default listen on any IPv4 and IPv6
Create service <name> to listen on <port>
Configure service <name> mode TCP or HTTP
Configure service <name> to use the backend <name>
Set SSL certeficate <name> for service <name>
Rules
Rules allow to control and route incoming traffic to specific backend based on predefined conditions. Rules allow to define matching criteria and perform action accordingly.
- SSL match Server Name Indication (SNI) option:
req-ssl-sniSSL Server Name Indication (SNI) request matchssl-fc-sniSSL frontend connection Server Name Indication matchssl-fc-sni-endSSL frontend match end of connection Server NameIndication
Allows to define URL path matching rules for a specific service.
With this command, you can specify how the URL path should be matched against incoming requests.
- The available options for <match> are:
beginMatches the beginning of the URL pathendMatches the end of the URL path.exactRequires an exactly match of the URL path
Assign a specific backend to a rule
Backend
Load-balancing algorithms to be used for distributind requests among the vailable servers
- Balance algorithms:
source-addressDistributes requests based on the source IP address of the clientround-robinDistributes requests in a circular manner, sequentially sending each request to the next server in lineleast-connectionDistributes requests tp tje server wotj the fewest active connections
Configure backend <name> mode TCP or HTTP
Enable layer 7 HTTP health check
Set the address of the backend server to which the incoming traffic will be forwarded
Set the address of the backend port
Active health check backend server
Send a Proxy Protocol version 1 header (text format)
Gloabal
Global parameters
Limit maximum number of connections
Limit allowed cipher algorithms used during SSL/TLS handshake
Redirect HTTP to HTTPS
Configure the load-balancing reverse-proxy service for HTTP.
This configuration listen on port 80 and redirect incoming requests to HTTPS:
set load-balancing reverse-proxy service http port '80'
set load-balancing reverse-proxy service http redirect-http-to-https
The name of the service can be different, in this example it is only for convenience.
Examples
Level 4 balancing
This configuration enables the TCP reverse proxy for the “my-tcp-api” service. Incoming TCP connections on port 8888 will be load balanced across the backend servers (srv01 and srv02) using the round-robin load-balancing algorithm.
set load-balancing reverse-proxy service my-tcp-api backend 'bk-01'
set load-balancing reverse-proxy service my-tcp-api mode 'tcp'
set load-balancing reverse-proxy service my-tcp-api port '8888'
set load-balancing reverse-proxy backend bk-01 balance 'round-robin'
set load-balancing reverse-proxy backend bk-01 mode 'tcp'
set load-balancing reverse-proxy backend bk-01 server srv01 address '192.0.2.11'
set load-balancing reverse-proxy backend bk-01 server srv01 port '8881'
set load-balancing reverse-proxy backend bk-01 server srv02 address '192.0.2.12'
set load-balancing reverse-proxy backend bk-01 server srv02 port '8882'
Balancing based on domain name
The following configuration demonstrates how to use VyOS to achieve load balancing based on the domain name.
The HTTP service listen on TCP port 80.
Rule 10 matches requests with the domain name node1.example.com forwards
to the backend bk-api-01
Rule 20 matches requests with the domain name node2.example.com forwards
to the backend bk-api-02
set load-balancing reverse-proxy service http description 'bind app listen on 443 port'
set load-balancing reverse-proxy service http mode 'tcp'
set load-balancing reverse-proxy service http port '80'
set load-balancing reverse-proxy service http rule 10 domain-name 'node1.example.com'
set load-balancing reverse-proxy service http rule 10 set backend 'bk-api-01'
set load-balancing reverse-proxy service http rule 20 domain-name 'node2.example.com'
set load-balancing reverse-proxy service http rule 20 set backend 'bk-api-02'
set load-balancing reverse-proxy backend bk-api-01 description 'My API-1'
set load-balancing reverse-proxy backend bk-api-01 mode 'tcp'
set load-balancing reverse-proxy backend bk-api-01 server api01 address '127.0.0.1'
set load-balancing reverse-proxy backend bk-api-01 server api01 port '4431'
set load-balancing reverse-proxy backend bk-api-02 description 'My API-2'
set load-balancing reverse-proxy backend bk-api-02 mode 'tcp'
set load-balancing reverse-proxy backend bk-api-02 server api01 address '127.0.0.2'
set load-balancing reverse-proxy backend bk-api-02 server api01 port '4432'
Terminate SSL
The following configuration reverse-proxy terminate SSL.
The http service is lestens on port 80 and force redirects from HTTP to
HTTPS.
The https service listens on port 443 with backend bk-default to
handle HTTPS traffic. It uses certificate named cert for SSL termination.
Rule 10 matches requests with the exact URL path /.well-known/xxx
and redirects to location /certs/.
Rule 20 matches requests with URL paths ending in /mail or exact
path /email/bar redirect to location /postfix/.
Additional global parameters are set, including the maximum number connection limit of 4000 and a minimum TLS version of 1.3.
set load-balancing reverse-proxy service http description 'Force redirect to HTTPS'
set load-balancing reverse-proxy service http port '80'
set load-balancing reverse-proxy service http redirect-http-to-https
set load-balancing reverse-proxy service https backend 'bk-default'
set load-balancing reverse-proxy service https description 'listen on 443 port'
set load-balancing reverse-proxy service https mode 'http'
set load-balancing reverse-proxy service https port '443'
set load-balancing reverse-proxy service https ssl certificate 'cert'
set load-balancing reverse-proxy service https rule 10 url-path exact '/.well-known/xxx'
set load-balancing reverse-proxy service https rule 10 set redirect-location '/certs/'
set load-balancing reverse-proxy service https rule 20 url-path end '/mail'
set load-balancing reverse-proxy service https rule 20 url-path exact '/email/bar'
set load-balancing reverse-proxy service https rule 20 set redirect-location '/postfix/'
set load-balancing reverse-proxy backend bk-default description 'Default backend'
set load-balancing reverse-proxy backend bk-default mode 'http'
set load-balancing reverse-proxy backend bk-default server sr01 address '192.0.2.23'
set load-balancing reverse-proxy backend bk-default server sr01 port '80'
set load-balancing reverse-proxy global-parameters max-connections '4000'
set load-balancing reverse-proxy global-parameters tls-version-min '1.3'