diff options
author | Alex W <embezzle.dev@proton.me> | 2024-04-12 17:30:02 +0100 |
---|---|---|
committer | Alex W <embezzle.dev@proton.me> | 2024-04-12 22:05:06 +0100 |
commit | e652272def499f352d651848767e980b33be5236 (patch) | |
tree | d9223550325787f5a0395107edf741b53d58b444 | |
parent | fc048e90730cc404b5e04473eee9a6003bea329e (diff) | |
download | vyos-documentation-e652272def499f352d651848767e980b33be5236.tar.gz vyos-documentation-e652272def499f352d651848767e980b33be5236.zip |
Added info on reverse proxy backend ssl and fixed spelling mistakes
-rw-r--r-- | docs/configuration/loadbalancing/reverse-proxy.rst | 47 |
1 files changed, 40 insertions, 7 deletions
diff --git a/docs/configuration/loadbalancing/reverse-proxy.rst b/docs/configuration/loadbalancing/reverse-proxy.rst index 19ef3773..77d6d67b 100644 --- a/docs/configuration/loadbalancing/reverse-proxy.rst +++ b/docs/configuration/loadbalancing/reverse-proxy.rst @@ -43,7 +43,7 @@ Service .. cfgcmd:: set load-balancing reverse-proxy service <name> ssl certificate <name> - Set SSL certeficate <name> for service <name> + Set SSL certificate <name> for service <name> Rules @@ -97,8 +97,8 @@ Backend .. cfgcmd:: set load-balancing reverse-proxy backend <name> balance <balance> - Load-balancing algorithms to be used for distributind requests among the - vailable servers + Load-balancing algorithms to be used for distributed requests among the + available servers Balance algorithms: * ``source-address`` Distributes requests based on the source IP address @@ -144,9 +144,12 @@ Backend Send a Proxy Protocol version 2 header (binary format) +.. cfgcmd:: set load-balancing reverse-proxy backend <name> ssl ca-certificate <ca-certificate> + Configure requests to the backend server to use SSL encryption and + authenticate backend against <ca-certificate> -Gloabal +Global ------- Global parameters @@ -243,12 +246,12 @@ to the backend ``bk-api-02`` Terminate SSL ------------- -The following configuration reverse-proxy terminate SSL. +The following configuration terminates SSL on the router. -The ``http`` service is lestens on port 80 and force redirects from HTTP to +The ``http`` service is listens on port 80 and force redirects from HTTP to HTTPS. -The ``https`` service listens on port 443 with backend `bk-default` to +The ``https`` service listens on port 443 with backend ``bk-default`` to handle HTTPS traffic. It uses certificate named ``cert`` for SSL termination. Rule 10 matches requests with the exact URL path ``/.well-known/xxx`` @@ -287,3 +290,33 @@ connection limit of 4000 and a minimum TLS version of 1.3. set load-balancing reverse-proxy global-parameters max-connections '4000' set load-balancing reverse-proxy global-parameters tls-version-min '1.3' +SSL Bridging +------------- +The following configuration terminates incoming HTTPS traffic on the router, then re-encrypts the traffic and sends +to the backend server via HTTPS. This is useful if encryption is required for both legs, but you do not want to +install publicly trusted certificates on each backend server. + +Backend service certificates are checked against the certificate authority specified in the configuration, which +could be an internal CA. + +The ``https`` service listens on port 443 with backend ``bk-bridge-ssl`` to +handle HTTPS traffic. It uses certificate named ``cert`` for SSL termination. + +The ``bk-bridge-ssl`` backend connects to sr01 server on port 443 via HTTPS and checks backend +server has a valid certificate trusted by CA ``cacert`` + + +.. code-block:: none + + set load-balancing reverse-proxy service https backend 'bk-bridge-ssl' + set load-balancing reverse-proxy service https description 'listen on 443 port' + set load-balancing reverse-proxy service https mode 'http' + set load-balancing reverse-proxy service https port '443' + set load-balancing reverse-proxy service https ssl certificate 'cert' + + set load-balancing reverse-proxy backend bk-bridge-ssl description 'SSL backend' + set load-balancing reverse-proxy backend bk-bridge-ssl mode 'http' + set load-balancing reverse-proxy backend bk-bridge-ssl ssl ca-certificate 'cacert' + set load-balancing reverse-proxy backend bk-bridge-ssl server sr01 address '192.0.2.23' + set load-balancing reverse-proxy backend bk-bridge-ssl server sr01 port '443' + |