summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAlex W <embezzle.dev@proton.me>2024-04-12 17:30:02 +0100
committerAlex W <embezzle.dev@proton.me>2024-04-12 22:05:06 +0100
commite652272def499f352d651848767e980b33be5236 (patch)
treed9223550325787f5a0395107edf741b53d58b444
parentfc048e90730cc404b5e04473eee9a6003bea329e (diff)
downloadvyos-documentation-e652272def499f352d651848767e980b33be5236.tar.gz
vyos-documentation-e652272def499f352d651848767e980b33be5236.zip
Added info on reverse proxy backend ssl and fixed spelling mistakes
-rw-r--r--docs/configuration/loadbalancing/reverse-proxy.rst47
1 files changed, 40 insertions, 7 deletions
diff --git a/docs/configuration/loadbalancing/reverse-proxy.rst b/docs/configuration/loadbalancing/reverse-proxy.rst
index 19ef3773..77d6d67b 100644
--- a/docs/configuration/loadbalancing/reverse-proxy.rst
+++ b/docs/configuration/loadbalancing/reverse-proxy.rst
@@ -43,7 +43,7 @@ Service
.. cfgcmd:: set load-balancing reverse-proxy service <name> ssl
certificate <name>
- Set SSL certeficate <name> for service <name>
+ Set SSL certificate <name> for service <name>
Rules
@@ -97,8 +97,8 @@ Backend
.. cfgcmd:: set load-balancing reverse-proxy backend <name> balance
<balance>
- Load-balancing algorithms to be used for distributind requests among the
- vailable servers
+ Load-balancing algorithms to be used for distributed requests among the
+ available servers
Balance algorithms:
* ``source-address`` Distributes requests based on the source IP address
@@ -144,9 +144,12 @@ Backend
Send a Proxy Protocol version 2 header (binary format)
+.. cfgcmd:: set load-balancing reverse-proxy backend <name> ssl ca-certificate <ca-certificate>
+ Configure requests to the backend server to use SSL encryption and
+ authenticate backend against <ca-certificate>
-Gloabal
+Global
-------
Global parameters
@@ -243,12 +246,12 @@ to the backend ``bk-api-02``
Terminate SSL
-------------
-The following configuration reverse-proxy terminate SSL.
+The following configuration terminates SSL on the router.
-The ``http`` service is lestens on port 80 and force redirects from HTTP to
+The ``http`` service is listens on port 80 and force redirects from HTTP to
HTTPS.
-The ``https`` service listens on port 443 with backend `bk-default` to
+The ``https`` service listens on port 443 with backend ``bk-default`` to
handle HTTPS traffic. It uses certificate named ``cert`` for SSL termination.
Rule 10 matches requests with the exact URL path ``/.well-known/xxx``
@@ -287,3 +290,33 @@ connection limit of 4000 and a minimum TLS version of 1.3.
set load-balancing reverse-proxy global-parameters max-connections '4000'
set load-balancing reverse-proxy global-parameters tls-version-min '1.3'
+SSL Bridging
+-------------
+The following configuration terminates incoming HTTPS traffic on the router, then re-encrypts the traffic and sends
+to the backend server via HTTPS. This is useful if encryption is required for both legs, but you do not want to
+install publicly trusted certificates on each backend server.
+
+Backend service certificates are checked against the certificate authority specified in the configuration, which
+could be an internal CA.
+
+The ``https`` service listens on port 443 with backend ``bk-bridge-ssl`` to
+handle HTTPS traffic. It uses certificate named ``cert`` for SSL termination.
+
+The ``bk-bridge-ssl`` backend connects to sr01 server on port 443 via HTTPS and checks backend
+server has a valid certificate trusted by CA ``cacert``
+
+
+.. code-block:: none
+
+ set load-balancing reverse-proxy service https backend 'bk-bridge-ssl'
+ set load-balancing reverse-proxy service https description 'listen on 443 port'
+ set load-balancing reverse-proxy service https mode 'http'
+ set load-balancing reverse-proxy service https port '443'
+ set load-balancing reverse-proxy service https ssl certificate 'cert'
+
+ set load-balancing reverse-proxy backend bk-bridge-ssl description 'SSL backend'
+ set load-balancing reverse-proxy backend bk-bridge-ssl mode 'http'
+ set load-balancing reverse-proxy backend bk-bridge-ssl ssl ca-certificate 'cacert'
+ set load-balancing reverse-proxy backend bk-bridge-ssl server sr01 address '192.0.2.23'
+ set load-balancing reverse-proxy backend bk-bridge-ssl server sr01 port '443'
+