
Add load-balancing reverse-proxy based on haproxy
Closed, Resolved · Public · Feature Request

Description

Add load-balancing based on haproxy.
Allows layer 4 and 7 balancing.

Proposed CLI

set load-balancing reverse-proxy server fr01 backend 'bk01'
set load-balancing reverse-proxy server fr01 mode 'http'
set load-balancing reverse-proxy server fr01 port '8888'

set load-balancing reverse-proxy backend bk01 balance-mode 'least-connection'
set load-balancing reverse-proxy backend bk01 mode 'http'
set load-balancing reverse-proxy backend bk01 server srv01 address '192.168.122.11'
set load-balancing reverse-proxy backend bk01 server srv01 port '8881'
set load-balancing reverse-proxy backend bk01 server srv02 address '192.168.122.11'
set load-balancing reverse-proxy backend bk01 server srv02 port '8882'

config haproxy

vyos@r14# cat /run/haproxy/haproxy.cfg 
# Generated by /usr/libexec/vyos/conf_mode/load-balancing-haproxy.py

defaults
    log     global
    mode    http
    option  httplog
    option  dontlognull
    timeout connect 5s
    timeout client  50s
    timeout server  50s

# Frontend
frontend fr01
    bind :8888
    mode http
    default_backend bk01

# Backend
backend bk01
    mode http
    server srv01 192.168.122.11:8881
    server srv02 192.168.122.11:8882

Details

Version: -
Is it a breaking change? Unspecified (possibly destroys the router)
Issue type: Feature (new functionality)

Event Timeline

Viacheslav renamed this task from Add loadbalancing based on haproxy to Add load-balancing based on haproxy.
Viacheslav claimed this task.

We should make the ssl-bind ciphers and ssl-bind-options configurable (<multi/> node) by the user

On a different setup I used to have TLS1.2

ssl-default-bind-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets

but now I limit it to TLSv1.3 only

tune.ssl.default-dh-param  2048
ssl-default-bind-ciphers TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:TLS13-CHACHA20-POLY1305-SHA256:EECDH+AESGCM:EECDH+CHACHA20
ssl-default-bind-options force-tlsv13

So maybe have a tls-version-min CLI node (similar to OpenVPN) which expands to the above options. In order to make the world more secure, we should start off by using minimum supported version on the CLI = TLS1.2
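
The expansion proposed in the comment above, sketched as an added example; it is not part of the original thread and not the VyOS implementation. The function names are hypothetical, the TLS 1.2 cipher list is the one quoted in the comment, and the TLS 1.3 suites are set through HAProxy's ssl-default-bind-ciphersuites directive.

```python
import re

# Hypothetical mapping for a `tls-version-min` CLI node; not VyOS code.
# TLS 1.2 cipher list as quoted in the comment above.
TLS12_CIPHERS = ":".join([
    "ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-CHACHA20-POLY1305", "ECDHE-RSA-CHACHA20-POLY1305",
    "ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-AES256-SHA384", "ECDHE-RSA-AES256-SHA384",
    "ECDHE-ECDSA-AES128-SHA256", "ECDHE-RSA-AES128-SHA256",
])
# Standard TLS 1.3 suite names; HAProxy takes these in a separate directive.
TLS13_SUITES = "TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256"
SECTIONS = {"global", "defaults", "frontend", "backend", "listen"}  # common subset


def expand_tls_version_min(value):
    """Return the haproxy `global` lines for a tls-version-min value."""
    if value not in ("1.2", "1.3"):  # TLS 1.2 is the lowest value accepted
        raise ValueError(f"tls-version-min must be 1.2 or 1.3, got {value!r}")
    lines = [f"ssl-default-bind-ciphersuites {TLS13_SUITES}"]
    if value == "1.2":
        lines.append(f"ssl-default-bind-ciphers {TLS12_CIPHERS}")
    lines.append(f"ssl-default-bind-options ssl-min-ver TLSv{value} no-tls-tickets")
    return lines


def render_global(value):
    """Render a `global` section containing only the TLS directives."""
    return "global\n" + "".join(f"    {l}\n" for l in expand_tls_version_min(value))


def configured_min_version(cfg_text):
    """Read the TLS floor back from a config; None means no floor is set."""
    in_global = False
    for raw in cfg_text.splitlines():
        words = raw.split("#", 1)[0].split()
        if not words:
            continue
        if words[0] in SECTIONS:
            in_global = words[0] == "global"
        elif in_global and words[0] == "ssl-default-bind-options":
            if "force-tlsv13" in words:
                return "1.3"
            m = re.search(r"ssl-min-ver TLSv(1\.[0-3])", " ".join(words))
            if m:
                return m.group(1)
    return None
```

configured_min_version() can be run over a rendered /run/haproxy/haproxy.cfg to confirm that the floor set on the CLI actually reached the global section.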

PR refactoring https://github.com/vyos/vyos-1x/pull/2012

set load-balancing reverse-proxy service http description 'bind port 80 and redirect to 443'
set load-balancing reverse-proxy service http mode 'http'
set load-balancing reverse-proxy service http port '80'
set load-balancing reverse-proxy service http redirect-http-to-https

set load-balancing reverse-proxy service https description 'bind port 80'
set load-balancing reverse-proxy service https mode 'http'
set load-balancing reverse-proxy service https port '443'

set load-balancing reverse-proxy service https rule 10 domain-name 'r11.example.com'
set load-balancing reverse-proxy service https rule 10 domain-name 'r12.example.com'
set load-balancing reverse-proxy service https rule 10 domain-name 'r13.example.com'
set load-balancing reverse-proxy service https rule 10 set backend 'bk-01'
set load-balancing reverse-proxy service https rule 20 domain-name 'r22.example.com'
set load-balancing reverse-proxy service https rule 20 set backend 'bk-02'

set load-balancing reverse-proxy backend bk-01 description 'My API-1'
set load-balancing reverse-proxy backend bk-01 mode 'http'
set load-balancing reverse-proxy backend bk-01 server srv-01 address '192.168.122.11'
set load-balancing reverse-proxy backend bk-01 server srv-01 port '5000'
set load-balancing reverse-proxy backend bk-02 description 'My API-2'
set load-balancing reverse-proxy backend bk-02 mode 'http'
set load-balancing reverse-proxy backend bk-02 server srv-01 address '192.168.122.12'
set load-balancing reverse-proxy backend bk-02 server srv-01 port '5000'

set load-balancing reverse-proxy global-parameters max-connections '1100'
set load-balancing reverse-proxy global-parameters tls-version-min 1.2
Viacheslav changed the task status from Open to Needs testing. May 20 2023, 7:32 AM
Viacheslav renamed this task from Add load-balancing based on haproxy to Add load-balancing reverse-proxy based on haproxy. May 20 2023, 8:20 AM
Viacheslav moved this task from Open to Finished on the VyOS 1.4 Sagitta board.

Would you please backport this feature to VyOS 1.3.x?