summaryrefslogtreecommitdiff
path: root/docs/configuration/loadbalancing/reverse-proxy.rst
blob: 7a9f90ae2ace6dc4a45e79222a11624dfe585b61 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298

#############
Reverse-proxy
#############

.. include:: /_include/need_improvement.txt

VyOS reverse-proxy is balancer and proxy server that provides
high-availability, load balancing and proxying for TCP (level 4)
and HTTP-based (level 7) applications.

Configuration
=============


Service configuration is responsible for binding to a specific port,
while the backend configuration determines the type of load balancing
to be applied and specifies the real servers to be utilized.

Service
-------

.. cfgcmd:: set load-balancing reverse-proxy service <name> listen-address
   <address>

  Set service to bind on IP address, by default listen on any IPv4 and IPv6

.. cfgcmd:: set load-balancing reverse-proxy service <name> port
   <port>

  Create service `<name>` to listen on <port>

.. cfgcmd:: set load-balancing reverse-proxy service <name> mode
   <tcp|http>

  Configure service `<name>` mode TCP or HTTP

.. cfgcmd:: set load-balancing reverse-proxy service <name> backend
   <name>

  Configure service `<name>` to use the backend <name>

.. cfgcmd:: set load-balancing reverse-proxy service <name> ssl
   certificate <name>

  Set SSL certeficate <name> for service <name>


Rules
^^^^^
Rules allow to control and route incoming traffic to specific backend based
on predefined conditions. Rules allow to define matching criteria and
perform action accordingly.

.. cfgcmd:: set load-balancing reverse-proxy service <name> rule <rule>
   domain-name <name>

  Match domain name

.. cfgcmd:: set load-balancing reverse-proxy service <name> rule <rule>
   ssl <sni>

  SSL match Server Name Indication (SNI) option:
   * ``req-ssl-sni`` SSL Server Name Indication (SNI) request match
   * ``ssl-fc-sni`` SSL frontend connection Server Name Indication match
   * ``ssl-fc-sni-end`` SSL frontend match end of connection Server Name 
      
      Indication

.. cfgcmd:: set load-balancing reverse-proxy service <name> rule <rule>
   url-path <match> <url>

  Allows to define URL path matching rules for a specific service.

  With this command, you can specify how the URL path should be matched 
  against incoming requests.

  The available options for <match> are:
   * ``begin`` Matches the beginning of the URL path
   * ``end`` Matches the end of the URL path.
   * ``exact`` Requires an exactly match of the URL path

.. cfgcmd:: set load-balancing reverse-proxy service <name> rule <rule>
   set backend <name>

  Assign a specific backend to a rule

.. cfgcmd:: set load-balancing reverse-proxy service <name> rule <rule>
   redirect-location <url>

  Redirect URL to a new location


Backend
-------

.. cfgcmd:: set load-balancing reverse-proxy backend <name> balance
   <balance>

  Load-balancing algorithms to be used for distributind requests among the
  vailable servers

  Balance algorithms:
   * ``source-address`` Distributes requests based on the source IP address
     of the client
   * ``round-robin`` Distributes requests in a circular manner,
     sequentially sending each request to the next server in line
   * ``least-connection`` Distributes requests tp tje server wotj the fewest 
     active connections

.. cfgcmd:: set load-balancing reverse-proxy backend <name> mode
   <mode>

  Configure backend `<name>` mode TCP or HTTP

.. cfgcmd:: set load-balancing reverse-proxy backend <name> parameters
   http-check

  Enable layer 7 HTTP health check

.. cfgcmd:: set load-balancing reverse-proxy backend <name> server
   <name> address <x.x.x.x>

  Set the address of the backend server to which the incoming traffic will
  be forwarded

.. cfgcmd:: set load-balancing reverse-proxy backend <name> server
   <name> port <port>

  Set the address of the backend port

.. cfgcmd:: set load-balancing reverse-proxy backend <name> server
   <name> check

  Active health check backend server

.. cfgcmd:: set load-balancing reverse-proxy backend <name> server
   <name> send-proxy

  Send a Proxy Protocol version 1 header (text format)

.. cfgcmd:: set load-balancing reverse-proxy backend <name> server
   <name> send-proxy-v2

  Send a Proxy Protocol version 2 header (binary format)



<<<<<<< HEAD
Gloabal
=======
.. cfgcmd:: set load-balancing reverse-proxy backend <name> ssl no-verify

  Configure requests to the backend server to use SSL encryption without
  validating server certificate

Global
>>>>>>> 6703aeb4 (T6242: reverse-proxy: Document new backend option ssl no-verify)
-------

Global parameters

.. cfgcmd:: set load-balancing reverse-proxy global-parameters max-connections
   <num>

  Limit maximum number of connections

.. cfgcmd:: set load-balancing reverse-proxy global-parameters ssl-bind-ciphers
   <ciphers>

  Limit allowed cipher algorithms used during SSL/TLS handshake

.. cfgcmd:: set load-balancing reverse-proxy global-parameters tls-version-min
   <version>

  Specify the minimum required TLS version 1.2 or 1.3


Redirect HTTP to HTTPS
======================
Configure the load-balancing reverse-proxy service for HTTP.

This configuration listen on port 80 and redirect incoming
requests to HTTPS:

.. code-block:: none

    set load-balancing reverse-proxy service http port '80'
    set load-balancing reverse-proxy service http redirect-http-to-https

The name of the service can be different, in this example it is only for 
convenience.


Examples
========

Level 4 balancing
-----------------

This configuration enables the TCP reverse proxy for the "my-tcp-api" service.
Incoming TCP connections on port 8888 will be load balanced across the backend
servers (srv01 and srv02) using the round-robin load-balancing algorithm.

.. code-block:: none

    set load-balancing reverse-proxy service my-tcp-api backend 'bk-01'
    set load-balancing reverse-proxy service my-tcp-api mode 'tcp'
    set load-balancing reverse-proxy service my-tcp-api port '8888'

    set load-balancing reverse-proxy backend bk-01 balance 'round-robin'
    set load-balancing reverse-proxy backend bk-01 mode 'tcp'

    set load-balancing reverse-proxy backend bk-01 server srv01 address '192.0.2.11'
    set load-balancing reverse-proxy backend bk-01 server srv01 port '8881'
    set load-balancing reverse-proxy backend bk-01 server srv02 address '192.0.2.12'
    set load-balancing reverse-proxy backend bk-01 server srv02 port '8882'

Balancing based on domain name
------------------------------
The following configuration demonstrates how to use VyOS
to achieve load balancing based on the domain name.

The HTTP service listen on TCP port 80.

Rule 10 matches requests with the domain name ``node1.example.com`` forwards
to the backend ``bk-api-01``

Rule 20 matches requests with the domain name ``node2.example.com`` forwards
to the backend ``bk-api-02``

.. code-block:: none

    set load-balancing reverse-proxy service http description 'bind app listen on 443 port'
    set load-balancing reverse-proxy service http mode 'tcp'
    set load-balancing reverse-proxy service http port '80'

    set load-balancing reverse-proxy service http rule 10 domain-name 'node1.example.com'
    set load-balancing reverse-proxy service http rule 10 set backend 'bk-api-01'
    set load-balancing reverse-proxy service http rule 20 domain-name 'node2.example.com'
    set load-balancing reverse-proxy service http rule 20 set backend 'bk-api-02'

    set load-balancing reverse-proxy backend bk-api-01 description 'My API-1'
    set load-balancing reverse-proxy backend bk-api-01 mode 'tcp'
    set load-balancing reverse-proxy backend bk-api-01 server api01 address '127.0.0.1'
    set load-balancing reverse-proxy backend bk-api-01 server api01 port '4431'
    set load-balancing reverse-proxy backend bk-api-02 description 'My API-2'
    set load-balancing reverse-proxy backend bk-api-02 mode 'tcp'
    set load-balancing reverse-proxy backend bk-api-02 server api01 address '127.0.0.2'
    set load-balancing reverse-proxy backend bk-api-02 server api01 port '4432'


Terminate SSL
-------------
The following configuration reverse-proxy terminate SSL.

The ``http`` service is lestens on port 80 and force redirects from HTTP to
HTTPS.

The ``https`` service listens on port 443 with backend `bk-default` to 
handle HTTPS traffic. It uses certificate named ``cert`` for SSL termination.

Rule 10 matches requests with the exact URL path ``/.well-known/xxx``
and redirects to location ``/certs/``.

Rule 20 matches requests with URL paths ending in ``/mail`` or exact
path ``/email/bar`` redirect to location ``/postfix/``.

Additional global parameters are set, including the maximum number
connection limit of 4000 and a minimum TLS version of 1.3.


.. code-block:: none

    set load-balancing reverse-proxy service http description 'Force redirect to HTTPS'
    set load-balancing reverse-proxy service http port '80'
    set load-balancing reverse-proxy service http redirect-http-to-https

    set load-balancing reverse-proxy service https backend 'bk-default'
    set load-balancing reverse-proxy service https description 'listen on 443 port'
    set load-balancing reverse-proxy service https mode 'http'
    set load-balancing reverse-proxy service https port '443'
    set load-balancing reverse-proxy service https ssl certificate 'cert'

    set load-balancing reverse-proxy service https rule 10 url-path exact '/.well-known/xxx'
    set load-balancing reverse-proxy service https rule 10 set redirect-location '/certs/'
    set load-balancing reverse-proxy service https rule 20 url-path end '/mail'
    set load-balancing reverse-proxy service https rule 20 url-path exact '/email/bar'
    set load-balancing reverse-proxy service https rule 20 set redirect-location '/postfix/'

    set load-balancing reverse-proxy backend bk-default description 'Default backend'
    set load-balancing reverse-proxy backend bk-default mode 'http'
    set load-balancing reverse-proxy backend bk-default server sr01 address '192.0.2.23'
    set load-balancing reverse-proxy backend bk-default server sr01 port '80'

    set load-balancing reverse-proxy global-parameters max-connections '4000'
    set load-balancing reverse-proxy global-parameters tls-version-min '1.3'