diff options
Diffstat (limited to 'docs/configuration/loadbalancing')
| -rw-r--r-- | docs/configuration/loadbalancing/reverse-proxy.rst | 87 | 
1 files changed, 80 insertions, 7 deletions
| diff --git a/docs/configuration/loadbalancing/reverse-proxy.rst b/docs/configuration/loadbalancing/reverse-proxy.rst index 3d462821..044d2044 100644 --- a/docs/configuration/loadbalancing/reverse-proxy.rst +++ b/docs/configuration/loadbalancing/reverse-proxy.rst @@ -45,6 +45,11 @@ Service    Set SSL certificate <name> for service <name> +.. cfgcmd:: set load-balancing reverse-proxy service <name> +  http-response-headers <header-name> value <header-value> + +  Set custom HTTP headers to be included in all responses +  Rules  ^^^^^ @@ -144,7 +149,8 @@ Backend    Send a Proxy Protocol version 2 header (binary format) -.. cfgcmd:: set load-balancing reverse-proxy backend <name> ssl ca-certificate <ca-certificate> +.. cfgcmd:: set load-balancing reverse-proxy backend <name> ssl +   ca-certificate <ca-certificate>    Configure requests to the backend server to use SSL encryption and    authenticate backend against <ca-certificate> @@ -154,6 +160,42 @@ Backend    Configure requests to the backend server to use SSL encryption without    validating server certificate +.. cfgcmd:: set load-balancing reverse-proxy backend <name> +  http-response-headers <header-name> value <header-value> + +  Set custom HTTP headers to be included in all responses using the backend + + +HTTP health check +^^^^^^^^^^^^^^^^^ +For web application providing information about their state HTTP health +checks can be used to determine their availability. + +.. cfgcmd:: set load-balancing reverse-proxy backend <name> http-check + +  Enables HTTP health checks using OPTION HTTP requests against '/' and +  expecting a successful response code in the 200-399 range. + +.. cfgcmd:: set load-balancing reverse-proxy backend <name> http-check +   method <method> + +  Sets the HTTP method to be used, can be either: option, get, post, put + +.. cfgcmd:: set load-balancing reverse-proxy backend <name> http-check +   uri <path> + +  Sets the endpoint to be used for health checks + +.. cfgcmd:: set load-balancing reverse-proxy backend <name> http-check +   expect <condition> + +  Sets the expected result condition for considering a server healthy. +  Some possible examples are: +   * ``status 200`` Expecting a 200 response code +   * ``status 200-399`` Expecting a non-failure response code +   * ``string success`` Expecting the string `success` in the response body + +  Global  ------- @@ -215,6 +257,7 @@ servers (srv01 and srv02) using the round-robin load-balancing algorithm.      set load-balancing reverse-proxy backend bk-01 server srv02 address '192.0.2.12'      set load-balancing reverse-proxy backend bk-01 server srv02 port '8882' +  Balancing based on domain name  ------------------------------  The following configuration demonstrates how to use VyOS @@ -258,6 +301,7 @@ HTTPS.  The ``https`` service listens on port 443 with backend ``bk-default`` to  handle HTTPS traffic. It uses certificate named ``cert`` for SSL termination. +HSTS header is set with a 1-year expiry, to tell browsers to always use SSL for site.  Rule 10 matches requests with the exact URL path ``/.well-known/xxx``  and redirects to location ``/certs/``. @@ -280,6 +324,7 @@ connection limit of 4000 and a minimum TLS version of 1.3.      set load-balancing reverse-proxy service https mode 'http'      set load-balancing reverse-proxy service https port '443'      set load-balancing reverse-proxy service https ssl certificate 'cert' +    set load-balancing reverse-proxy service https http-response-headers Strict-Transport-Security value 'max-age=31536000'      set load-balancing reverse-proxy service https rule 10 url-path exact '/.well-known/xxx'      set load-balancing reverse-proxy service https rule 10 set redirect-location '/certs/' @@ -295,20 +340,22 @@ connection limit of 4000 and a minimum TLS version of 1.3.      set load-balancing reverse-proxy global-parameters max-connections '4000'      set load-balancing reverse-proxy global-parameters tls-version-min '1.3' +  SSL Bridging  ------------- -The following configuration terminates incoming HTTPS traffic on the router, then re-encrypts the traffic and sends -to the backend server via HTTPS. This is useful if encryption is required for both legs, but you do not want to +The following configuration terminates incoming HTTPS traffic on the router, +then re-encrypts the traffic and sends to the backend server via HTTPS. +This is useful if encryption is required for both legs, but you do not want to  install publicly trusted certificates on each backend server. -Backend service certificates are checked against the certificate authority specified in the configuration, which -could be an internal CA. +Backend service certificates are checked against the certificate authority +specified in the configuration, which could be an internal CA.  The ``https`` service listens on port 443 with backend ``bk-bridge-ssl`` to  handle HTTPS traffic. It uses certificate named ``cert`` for SSL termination. -The ``bk-bridge-ssl`` backend connects to sr01 server on port 443 via HTTPS and checks backend -server has a valid certificate trusted by CA ``cacert`` +The ``bk-bridge-ssl`` backend connects to sr01 server on port 443 via HTTPS +and checks backend server has a valid certificate trusted by CA ``cacert``  .. code-block:: none @@ -325,3 +372,29 @@ server has a valid certificate trusted by CA ``cacert``      set load-balancing reverse-proxy backend bk-bridge-ssl server sr01 address '192.0.2.23'      set load-balancing reverse-proxy backend bk-bridge-ssl server sr01 port '443' + +Balancing with HTTP health checks +--------------------------------- + +This configuration enables HTTP health checks on backend servers. + +.. code-block:: none + +    set load-balancing reverse-proxy service my-tcp-api backend 'bk-01' +    set load-balancing reverse-proxy service my-tcp-api mode 'tcp' +    set load-balancing reverse-proxy service my-tcp-api port '8888' + +    set load-balancing reverse-proxy backend bk-01 balance 'round-robin' +    set load-balancing reverse-proxy backend bk-01 mode 'tcp' + +    set load-balancing reverse-proxy backend bk-01 http-check method 'get' +    set load-balancing reverse-proxy backend bk-01 http-check uri '/health' +    set load-balancing reverse-proxy backend bk-01 http-check expect 'status 200' + +    set load-balancing reverse-proxy backend bk-01 server srv01 address '192.0.2.11' +    set load-balancing reverse-proxy backend bk-01 server srv01 port '8881' +    set load-balancing reverse-proxy backend bk-01 server srv01 check +    set load-balancing reverse-proxy backend bk-01 server srv02 address '192.0.2.12' +    set load-balancing reverse-proxy backend bk-01 server srv02 port '8882' +    set load-balancing reverse-proxy backend bk-01 server srv02 check + | 
