Ở bài trước mình đã có 1 con server selfhosted
dành cho web server. Tuy nhiên homelab này mình sẽ có nhiều server, do đó sẽ cần 1 em đóng vai trò gateway (cũng như monitoring).
- i5-8700
- 32GB RAM – 2666Mhz
- SSD NVme Gen3 x4 : 256GB
- HDD Sata : 1TB
- Ubuntu server 20.04 ( Focal Fossa )
- OpenSSH
- Static IP : 192.168.1.5
- Hostname : gatekeeper
Sau khi setup xong Ubuntu server như ở bài trước (không cần Virtualmin) thì ở server này sẽ cần HAProxy.
HAProxy is a free, very fast and reliable reverse-proxy offering high availability, load balancing, and proxying for TCP and HTTP-based applications.
Mục đích sử dụng HAProxy để forward request về các servers / services cần thiết. Ví dụ
- https://selfhosted.jooservices.com/ sẽ được forward về Virtualmin (port 10000) ở server selfhosted ta vừa cài đặt trước đó.
- https://jooservices.com sẽ forward về port 443 (SSL) của Virtualmin và load website
Cấu hình HAProxy
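# HAProxy Stats
# Stats UI (/stats) and Prometheus metrics (/metrics) on port 1936.
# No "mode" is set here, so it relies on the defaults section's "mode http",
# which is what makes the http-request rules below applicable.
listen stats
bind *:1936
log global
maxconn 10
# Require HTTP basic auth against the basic_auth_logins userlist before anything
# is served. Previously the stats page and /metrics were reachable without
# credentials on every interface (the bind is *:1936). The auth rule is placed
# before use-service so /metrics is covered too; the Prometheus scraper then
# needs matching basic_auth credentials in its scrape config.
acl acl_stats_authed http_auth(basic_auth_logins)
http-request auth realm haproxy-stats unless acl_stats_authed
stats enable
stats show-node
http-request use-service prometheus-exporter if { path /metrics }
stats uri /stats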
Bật HAProxy stats để quản lý
Tạm gác Sentry & Grafana qua một bên, ta sẽ nói sau. Trước mắt ta có FE SSL cho các services:
- cnmatrix.jooservices.com : Trỏ về Core switch port 443
- gatekeeper.jooservices.com : Trỏ về con server này với Webmin ( không phải Virtualmin ) trên port 10000
- jooservices.com && xcrawler.net cùng nằm trên server selfhosted với port 443
Và sau đó là config BE để forward về server / port tương ứng với từng FE
# Process-wide settings.
global
# Log to the local syslog socket: everything on local0, and local1 at
# "notice" level and above.
log /dev/log local0
log /dev/log local1 notice
# Confine the process to a chroot and drop to an unprivileged account
# (user/group below) once the sockets are bound.
chroot /var/lib/haproxy
# Runtime API socket at "level admin": anything that can open it can alter the
# running proxy (disable servers, change weights, ...), hence the 660 mode.
stats socket /run/haproxy/admin.sock mode 660 level admin
stats timeout 30s
user haproxy
group haproxy
daemon
# Default SSL material locations
ca-base /etc/ssl/certs
crt-base /etc/ssl/private
# See: https://ssl-config.mozilla.org/#server=haproxy&server-version=2.0.3&config=intermediate
# These ssl-default-bind-* values apply only to bind lines that carry the "ssl"
# keyword. As shown, none of the bind lines in this config do (port 443 is TCP
# passthrough), so they take effect only once HAProxy terminates TLS itself.
ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
# Settings inherited by every frontend/backend/listen below unless overridden.
defaults
log global
# HTTP mode by default; the "ssl" frontend and the be_ssl_* backends override
# this with "mode tcp".
mode http
option httplog
# Skip logging connections that carried no data. Caveat: this also hides bare
# connection probes from the log, which is worth reconsidering on a port that
# is reachable from the Internet.
option dontlognull
# Bare numbers are milliseconds.
timeout connect 5000
timeout client 50000
timeout server 50000
errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http
# Newly added timeouts
# Bound how long a client may take to send a complete request, hold an idle
# keep-alive connection, or sit in the queue, so slow clients cannot pin
# connections indefinitely.
timeout http-request 10s
timeout http-keep-alive 2s
timeout queue 5s
# Idle limit for tunneled connections (e.g. upgraded/websocket streams).
timeout tunnel 2m
# How long to wait for the peer's FIN after we half-close.
timeout client-fin 1s
timeout server-fin 1s
# Caching
# Cache storage "hosting": size/age limits only. Nothing on this page attaches
# it to a backend with http-request cache-use / http-response cache-store, so
# as shown it is declared but not used.
cache hosting
total-max-size 4095 # MB
max-object-size 10000 # bytes
max-age 3600 # seconds
# Cache storage "general": same limits as "hosting". Like it, nothing on this
# page references it with cache-use / cache-store, so it is currently unused.
cache general
total-max-size 4095 # MB
max-object-size 10000 # bytes
max-age 3600 # seconds
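# HAProxy Stats
# Stats UI (/stats) and Prometheus metrics (/metrics) on port 1936.
# No "mode" is set here, so it inherits "mode http" from defaults, which is
# what makes the http-request rules below applicable.
listen stats
bind *:1936
log global
maxconn 10
# Require HTTP basic auth against the basic_auth_logins userlist before anything
# is served. Previously the stats page and /metrics were reachable without
# credentials on every interface (the bind is *:1936). The auth rule is placed
# before use-service so /metrics is covered too; the Prometheus scraper then
# needs matching basic_auth credentials in its scrape config.
acl acl_stats_authed http_auth(basic_auth_logins)
http-request auth realm haproxy-stats unless acl_stats_authed
stats enable
stats show-node
http-request use-service prometheus-exporter if { path /metrics }
stats uri /stats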
# Credentials for HTTP basic auth. "insecure-password" keeps the secret in clear
# text in this file; HAProxy's "password" keyword accepts a crypt(3) hash instead
# (e.g. generated with mkpasswd), which is preferable if the config is shared or
# committed anywhere. Replace the placeholders before use.
userlist basic_auth_logins
user <username> insecure-password <password>
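# Frontend HTTP
# Plain-text HTTP on port 80, routed by the Host header. Everything here,
# including the Grafana login, travels unencrypted; no redirect to HTTPS is
# added because the TLS frontend on 443 has no route for these hosts.
frontend http
bind :80
mode http
compression algo gzip
acl acl_grafana hdr(host) -i grafana.jooservices.com
acl acl_sentry hdr(host) -i sentry.jooservices.com
use_backend be_grafana if acl_grafana
# acl_sentry was declared but never used; route it to the existing be_sentry
# backend so the two ACLs are handled symmetrically.
use_backend be_sentry if acl_sentry
# No default_backend: a request for any other Host gets a 503 instead of
# reaching some arbitrary backend.
#default_backend be_http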
# Grafana on this host (192.168.1.5 is the gatekeeper static IP), plain HTTP
# to port 3000.
backend be_grafana
mode http
# roundrobin is a no-op with a single server; kept so more can be added.
balance roundrobin
# "check" here is a plain TCP connect check (no option httpchk is set).
server gatekeeper 192.168.1.5:3000 check
# Sentry on this host, plain HTTP to port 9000.
backend be_sentry
mode http
# roundrobin is a no-op with a single server; kept so more can be added.
balance roundrobin
# NOTE(review): the server id "gitlab" looks like a leftover from another
# backend; it only affects logs/stats, but "sentry" would be less confusing.
server gitlab 192.168.1.5:9000 check
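## Frontend SSL
## TLS passthrough: port 443 runs in TCP mode, so HAProxy only reads the SNI
## from the ClientHello and forwards the raw TLS stream; each backend
## terminates TLS itself. The ssl-default-bind-* settings in "global" do not
## apply here because this bind line has no "ssl" keyword.
frontend ssl
bind :443
mode tcp
option tcplog
# Wait for a client hello for at most 5 seconds
tcp-request inspect-delay 5s
tcp-request content accept if { req_ssl_hello_type 1 }
# Rules below are first-match. A connection whose SNI matches none of them is
# closed, since no default_backend is set (fail closed).
## 192.168.1.2
use_backend be_ssl_cnmatrix if { req_ssl_sni -i cnmatrix.jooservices.com }
## 192.168.1.3
# use_backend be_ssl_unifi if { req_ssl_sni -i unifi.jooservices.com }
## 192.168.1.5
# "-m end gatekeeper.jooservices.com" (no leading dot) also matched any SNI that
# merely ends in that string. Match the exact host, plus its subdomains via a
# dotted suffix, instead.
use_backend be_ssl_webmin_gatekeeper if { req_ssl_sni -i gatekeeper.jooservices.com }
use_backend be_ssl_webmin_gatekeeper if { req_ssl_sni -m end .gatekeeper.jooservices.com }
## 192.168.1.6
# Exact match only: other names under jooservices.com are handled by their own
# rules (or dropped).
use_backend be_ssl_selfhosted if { req_ssl_sni -i jooservices.com }
# Same tightening as for gatekeeper above.
use_backend be_ssl_virtualmin_selfhosted if { req_ssl_sni -i selfhosted.jooservices.com }
use_backend be_ssl_virtualmin_selfhosted if { req_ssl_sni -m end .selfhosted.jooservices.com }
#### XCrawler
use_backend be_ssl_selfhosted if { req_ssl_sni -i xcrawler.net }
use_backend be_ssl_selfhosted if { req_ssl_sni -m end .xcrawler.net }
## 192.168.1.8
use_backend be_ssl_nas if { req_ssl_sni -i nas.jooservices.com }
## 192.168.1.10
#use_backend be_ssl_esxi if { req_ssl_sni -i esxi.jooservices.com }
## 192.168.1.24
#use_backend be_ssl_gitlab if { req_ssl_sni -i gitlab.jooservices.com }
## Virtualmin / Webmin
#use_backend be_ssl_hosting_virtualmin if { req_ssl_sni -i virtualmin.jooservices.com }
#use_backend be_ssl_gatekeeper_webmin if { req_ssl_sni -i gatekeeper.jooservices.com }
#use_backend be_ssl_smb_webmin if { req_ssl_sni -i smb.jooservices.com }
## Hosting
## 192.168.1.20
#use_backend be_ssl_hosting if { req_ssl_sni -i jooservices.com }
## XCrawler
## 192.168.1.30
#use_backend be_ssl_xcrawler if { req_ssl_sni -i xcrawler.net }
#use_backend be_ssl_xcrawler if { req_ssl_sni -m end .xcrawler.net }
#default_backend be_ssl_hosting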
## Backend SSL
## All be_ssl_* backends are TCP passthrough: the TLS session is forwarded
## untouched and terminated by the target, and "check" is a TCP connect check.
### CnMatrix
# Core switch web UI (192.168.1.2:443).
backend be_ssl_cnmatrix
mode tcp
# roundrobin is a no-op with a single server; kept so more can be added.
balance roundrobin
server cnmatrix 192.168.1.2:443 check
### Gatekeeper
# Webmin on this host (192.168.1.5:10000), TLS passthrough.
backend be_ssl_webmin_gatekeeper
mode tcp
balance roundrobin
# NOTE(review): the server id "selfhosted" does not match the target (this is
# the gatekeeper host, not 192.168.1.6); it only affects logs/stats but looks stale.
server selfhosted 192.168.1.5:10000 check
### NAS
# NAS web UI (192.168.1.8:443), TLS passthrough.
backend be_ssl_nas
mode tcp
balance roundrobin
server nas 192.168.1.8:443 check
## Selfhosted
# Websites on the selfhosted server (192.168.1.6:443), TLS passthrough;
# serves jooservices.com and xcrawler.net per the frontend rules.
backend be_ssl_selfhosted
mode tcp
balance roundrobin
server selfhosted 192.168.1.6:443 check
# Virtualmin on the selfhosted server (192.168.1.6:10000), TLS passthrough.
backend be_ssl_virtualmin_selfhosted
mode tcp
balance roundrobin
server selfhosted 192.168.1.6:10000 check