Differences

Below are the differences between two revisions of the page.

resume-technique:reverse-proxy:reverse-proxy-main [21/05/2025 21:50] – created - external edit 127.0.0.1
resume-technique:reverse-proxy:reverse-proxy-main [13/02/2026 19:50] (current version) Daneel Olivaw
Ligne 181: Ligne 181:
 server { server {
 # a very simple reverse proxy to port 80 : forcing https and redirect will be handle by upstream # a very simple reverse proxy to port 80 : forcing https and redirect will be handle by upstream
-        listen 80 ; +    listen 80 ; 
-        listen [::]:80 ; +    listen [::]:80 ; 
-        server_name subdomain1.mydomain.org subdomain2.mydomain.org; +    server_name subdomain1.mydomain.org subdomain2.mydomain.org; 
-        access_log /var/log/nginx/mydomain.org-access.log; +    access_log /var/log/nginx/mydomain.org-access.log; 
-        error_log /var/log/nginx/mydomain.org-error.log; +    error_log /var/log/nginx/mydomain.org-error.log;
- +
  
-        location / { +    location / { 
-# handle real ip and send it to backend +        # handle real ipand send request to backend 
-       include proxy.conf; +        include proxy.conf; 
-       proxy_set_header X-Real-IP $remote_addr; +        proxy_set_header X-Real-IP $remote_addr; 
-       proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; +        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; 
-       proxy_pass http://[upstreamserver]/; #Please replace [upstreamserver] with your backend application server internal ip or internal dns name.+        proxy_pass http://_REPLACE_WITH_BACKEND_IP_OR_HOST_/; # backend application server internal address
     }     }
 } }
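Review bot: the rewritten comment in the `location /` block lost a space: `# handle real ipand send request to backend` should read `# handle real ip and send request to backend`, and the unchanged header comment `forcing https and redirect will be handle by upstream` should be `will be handled by upstream`. Replacing `[upstreamserver]` with `_REPLACE_WITH_BACKEND_IP_OR_HOST_` is clearer, but since this block builds `X-Real-IP` and `X-Forwarded-For` from `$remote_addr`, the comment next to `proxy_pass` is also the right place to remind the reader that the backend must trust those headers only from this proxy's address, which is exactly what the `set_real_ip_from [REVERSEPROXY_IP]` and `RemoteIPInternalProxy [REVERSEPROXY_IP]/32` lines later on the page do.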
Ligne 258: Ligne 256:
          
     # Manage real ip from proxy protocol to get original client ip     # Manage real ip from proxy protocol to get original client ip
-    # Please Replace [REVERSEPROXY_IP] with inernal IPV4 of your reverse proxy.+    # Please Replace [REVERSEPROXY_IP] with internal IPV4 of your reverse proxy.
     set_real_ip_from [REVERSEPROXY_IP];     set_real_ip_from [REVERSEPROXY_IP];
     real_ip_header proxy_protocol;     real_ip_header proxy_protocol;
Ligne 281: Ligne 279:
  
 <code apache> <code apache>
-# Please Replace [REVERSEPROXY_IP] with inernal IPV4 of your reverse proxy.+# Please Replace [REVERSEPROXY_IP] with internal IPV4 of your reverse proxy.
 RemoteIPHeader X-Forwarded-For RemoteIPHeader X-Forwarded-For
 RemoteIPInternalProxy [REVERSEPROXY_IP]/32 RemoteIPInternalProxy [REVERSEPROXY_IP]/32
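Review bot: the typo fix is fine, but this Apache snippet should say that `RemoteIPHeader` and `RemoteIPInternalProxy` come from mod_remoteip, which has to be enabled for these directives to be accepted. The `/32` deliberately trusts exactly one proxy address; since the page states that IPv6 is not handled and the proxy listens on `[::]:80`, it is worth a comment that any additional proxy address (or the IPv6 address of the same proxy) needs its own `RemoteIPInternalProxy` line, otherwise `X-Forwarded-For` from that address is ignored and the proxy's own address gets logged.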
Ligne 303: Ligne 301:
 This configuration comes with some limitations : This configuration comes with some limitations :
   * Only http and https port are covered : XMPP, E-mail or other port are not covered. This configuration focuses on hosting Yunohost http(s) services. Outgoing emails are still possible but incoming emails should be handled by a special incoming mail gateway, so please be careful about bounces management.   * Only http and https port are covered : XMPP, E-mail or other port are not covered. This configuration focuses on hosting Yunohost http(s) services. Outgoing emails are still possible but incoming emails should be handled by a special incoming mail gateway, so please be careful about bounces management.
-  * IPv6 is not properly handled here. This documentation was made for internal ipv4 network, even if ipv6 can remain activated in Yunohost server+  * IPv6 is not properly handled here. This documentation was made for internal ipv4 network, even if ipv6 can remain activated in Yunohost server
 +  * Banning remote ip with fail2ban and iptables does not work in this configuration (work in progress) 
 + 
 +<note important>TODO : Find a way to actually ban remote ip detected by fail2ban (e.g. in nginx)</note>
  
 ==== http listeners ==== ==== http listeners ====
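Review bot: the new bullet `Banning remote ip with fail2ban and iptables does not work in this configuration` should state why, because the eventual fix depends on it: once the real client IP is recovered through `set_real_ip_from` / `real_ip_header`, fail2ban reads that client IP from the logs and inserts an iptables rule for it, but every packet reaching the Yunohost host still carries the reverse proxy's source address, so the rule never matches anything. Saying this also names the two workable directions the `<note important>` TODO hints at: ban in nginx (a fail2ban action that writes the IP to a `deny` list included by the server blocks and reloads nginx) or ban on the reverse proxy itself, where the source address is the real one. The note also duplicates the FIXME paragraph added in the TLS passthrough section below; keep the explanation in one place and point at it from the other.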
Ligne 311: Ligne 312:
 We assume that a reverse proxy is configured as described above to proxy to Yunohost. For security purpose, for tracing connexion, configuration is simply modified to get browser real IP with X-Real-IP headers. We assume that a reverse proxy is configured as described above to proxy to Yunohost. For security purpose, for tracing connexion, configuration is simply modified to get browser real IP with X-Real-IP headers.
  
-First, create a custom snippet. Please Replace [REVERSEPROXY_IP] with inernal IPV4 of your reverse proxy.+First, create a custom snippet. Please Replace [REVERSEPROXY_IP] with internal IPV4 of your reverse proxy.
  
 /etc/nginx/snippets/YunoHost_behind_http_RP.inc /etc/nginx/snippets/YunoHost_behind_http_RP.inc
Ligne 323: Ligne 324:
 </file> </file>
  
-In all nginx configuration file, simply include this snippet in server directive on port 80 :+In all nginx configuration file, include this snippet in server directive on port 80 :
 <code nginx> <code nginx>
 server { server {
     listen 80;     listen 80;
     listen [::]:80;     listen [::]:80;
-    server_name yunohost.mydomain.test;+    server_name yunohost.mydomain.test *.yunohost.mydomain.test;
  
     # YunoHost behind http Reverse Proxy     # YunoHost behind http Reverse Proxy
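Review bot: the new prose `In all nginx configuration file, include this snippet in server directive on port 80 :` should read `In every nginx configuration file, include this snippet in the server block listening on port 80:`. The added `*.yunohost.mydomain.test` wildcard in `server_name` widens which hosts this block serves; a one-line comment giving the reason (apps hosted on sub-domains) would keep the example self-explanatory, since the included snippet trusts the proxy for every name listed here.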
Ligne 341: Ligne 342:
 {{ resume-technique:reverse-proxy:reverseproxy-tls-https-yunohost.png?direct | Reverse Proxy TLS Passthrough with Yunohost}} {{ resume-technique:reverse-proxy:reverseproxy-tls-https-yunohost.png?direct | Reverse Proxy TLS Passthrough with Yunohost}}
  
-We assume that a reverse proxy is configured as described above to proxy to Yunohost. Configuration will be modified to listen on PROXY protocol behind reverseproxy  and to catch real browser IP, for security and functional reason. This will log real ip in log files and let fail2ban correctly ban the actual client ip.+We assume that a reverse proxy is configured as described above to proxy to Yunohost. Configuration will be modified to listen on PROXY protocol behind reverseproxy  and to catch real browser IP, for security and functional reason. This will log real ip in log files and let fail2ban correctly monitor the actual client ip. 
 + 
 +FIXME Unfortunately fail2ban is currently triggering iptables rules. But banning ip in firewall won't work behind the reverse proxy. TODO : Find a way to actually ban remote ip (e.g. in nginx)
  
  
-Create a custom snippet. Please Replace [YUNOHOST_INTERFACE_IP] with internal IPV4 of YunoHost interface listening on https behind Reverse Proxy. Please Replace [REVERSEPROXY_IP] with inernal IPV4 of your reverse proxy.+Create a custom snippet. Please Replace [YUNOHOST_INTERFACE_IP] with internal IPV4 of YunoHost interface listening on https behind Reverse Proxy. Please Replace [REVERSEPROXY_IP] with internal IPV4 of your reverse proxy.
  
 /etc/nginx/snippets/YunoHost_behind_https_TLSPT_RP.inc /etc/nginx/snippets/YunoHost_behind_https_TLSPT_RP.inc
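Review bot: the FIXME paragraph repeats the limitation already recorded in the limitations list above (`Banning remote ip with fail2ban and iptables does not work in this configuration`); keep the detail in one place and cross-reference it from the other. Changing `correctly ban` to `correctly monitor the actual client ip` is the right correction: with `real_ip_header proxy_protocol` fail2ban sees the real address in the logs, while the iptables rule it installs cannot match packets that still arrive from the proxy. Minor: `behind reverseproxy  and` has a double space, and `for security and functional reason` should be `for security and functional reasons`.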
Ligne 356: Ligne 359:
 # Manage real ip from proxy protocol to get original client ip # Manage real ip from proxy protocol to get original client ip
 # for interface using proxy_protocol # for interface using proxy_protocol
-# Please Replace [REVERSEPROXY_IP] with inernal IPV4 of your reverse proxy.+# Please Replace [REVERSEPROXY_IP] with internal IPV4 of your reverse proxy.
 set_real_ip_from [REVERSEPROXY_IP]; set_real_ip_from [REVERSEPROXY_IP];
 real_ip_header proxy_protocol; real_ip_header proxy_protocol;
 • resume-technique/reverse-proxy/reverse-proxy-main.1747864229.txt.gz
 • Last modified: 11 months ago
 • by 127.0.0.1