HAProxy-WI -- Run lots of public services on your home server

I’m trying to set this up for myself and am having trouble with the plex server config. I have confirmed that the server is running and I can reach it from the outside on the port specified in the backend but I keep getting the error:

parsing [/etc/haproxy/haproxy.cfg:75] : ‘server XXX.XXX.XXX.XXX:50003’ : could not resolve address ‘check’.
Failed to initialize server(s) addr.

IPs XXX’d for security. I can’t figure out for the life of me what the problem is. I’m going to guess that I’ve missed something stupid, but I’m just not seeing it. I’ve used the example provided here, just changing the relevant details for my environment.

Any thoughts on what I’m missing?

Typo? It thinks check is a hostname rather than an haproxy directive. Double-check the haproxy docs on syntax, or possibly I might have a typo, but I can dive in later.

As I said, I did something stupid… Left it and came back to it for the 4th or 5th time, and I was missing the name parameter on the backend. Sad part is I reviewed that I don’t know how many times. It’s what I get for working on this after hours of mind-numbing repetitive tasks. Now if I can just get HAProxy-WI to attach to it, that would make my life easier.
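A pre-reload gate for the exact mistake in this post, added here as an example (not code from the thread, from HAProxy-WI or from HAProxy): a static lint for `server` lines written without their name, followed by HAProxy’s own parser check. The `/etc/haproxy/haproxy.cfg` default, the `check_and_reload` flow and the 203.0.113.10 address are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or HAProxy-WI. A "server" line written
# without its name makes HAProxy read the address as the name and the next
# token ("check") as the address, hence "could not resolve address 'check'".
# Paths and addresses below are placeholders.

# Static lint: on a "server" line, $2 must be the name and $3 the address.
# A name containing ':' or an "address" that is really a keyword means the
# name was dropped. Prints each offending line; exit status 1 if any found.
lint_server_lines() {
    awk '
        $1 == "server" {
            if ($2 ~ /:/ || $3 ~ /^(check|backup|weight|maxconn|ssl|verify|inter)$/) {
                printf("line %d: server line is missing its name: %s\n", NR, $0)
                bad = 1
            }
        }
        END { exit bad }
    ' "$1"
}

# Gate for a live reload: lint first, then HAProxy's own parser (haproxy -c),
# and only reload when both pass. Skips quietly where haproxy is not installed.
check_and_reload() {
    cfg="${1:-/etc/haproxy/haproxy.cfg}"          # assumed default path
    lint_server_lines "$cfg" || return 1
    if ! command -v haproxy >/dev/null 2>&1; then
        echo "haproxy not installed here; lint passed, skipping parser check"
        return 0
    fi
    haproxy -c -f "$cfg" || return 1
    systemctl reload haproxy
}

# Constructed samples: the broken backend from the thread (documentation IP)
# and the corrected one with a server name added.
write_samples() {
    cat > "$1" <<'EOF'
backend plex
    mode tcp
    server 203.0.113.10:50003 check
EOF
    cat > "$2" <<'EOF'
backend plex
    mode tcp
    server plex1 203.0.113.10:50003 check
EOF
}
```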

Could you post the full block please?

Hey, potentially dumb question, but HAProxy should be installed on the “cloud” server and nginx on the local machine, right? So HAProxy connects to nginx and then nginx routes you to your local assets.

As someone with limited security experience, would it not be safer to run HAProxy in the “cloud” and direct all the http traffic to a single port and reverse proxy it at your home? That way there is only 1 or 2 open ports on your home network rather than a port for every service?

It depends how you do it. For example, like Wendell explained in the video, if you set up the firewall rules to only allow requests from the IP of your cloud server, the ports are closed to all traffic besides that of the cloud server that is proxying the traffic to you. Ideally you would have a VPN like WireGuard on the cloud server and just directly forward the traffic over that. The only thing you want to be sure of with the firewall approach is that your server’s IP address is always the same.

What would be the benefit of HAProxy over just using Apache or NGINX and having everything proxied back to your home work over a single high-use port?

Saying something like: linode running Apache (request for xxx.domain.com) reverse proxy -> traffic forwarded to home network over port 88403 -> Apache web server listening on port 88403 -> request sent to web application

Then lock down what IP comes in to that Apache web host on the home LAN.

I’m slightly confused as to why NGINX and HAProxy are both being utilized. Can this all be accomplished with just NGINX?

Would the following setup be possible?

  1. DNS records pointing to LINODE_IP.
  2. Linode instance running NGINX, listens on ports 80/443.
  3. All Linode port 80 traffic returned to Linode port 443.
  4. NGINX server blocks for each server_name listening on 443, forwarding to HOME_ISP_IP:RANDOM_HIGH_PORT.
  5. Home firewall only accepts traffic from LINODE_IP on RANDOM_HIGH_PORT, and forwards to applicable service HOME_INTERNAL_IP:PORT.

This seems like it would be straightforward for unencrypted port 80 traffic. However, for encrypted port 443 traffic, would it require having your SSL certificate installed on both the Linode instance and the home server machine accepting the traffic behind your firewall?

Just looking to simplify this process a little bit, but I am not fully comfortable with the SSL aspect of the reverse proxy functionality.


Good thinking. In the past nginx wouldn’t do certain things, but for a simple setup like this it doesn’t matter too much.

Occasionally I fatfinger nginx config and I like that haproxy will continue to run even with any config problem I might have created for myself on the nginx side.

It’s a bit of a chicken-and-egg for the initial SSL config and nginx. Not sure if you can tell nginx to continue anyway if it can’t find SSL certs and at least run on port 80. Otherwise you initially don’t have any SSL certs, so you have to either start with a simplified config, use certbot as a webserver temporarily, or something like that. HAProxy obviates that initial setup problem… though once you’ve got any certs, even expired ones, it’s fine.

Well, I am not sure nginx will be smart enough to detect certain types of configuration-specific error. But it has a built-in syntax validity checker, run with nginx -t. That just statically parses your modified config file and does not require restarting the running daemon.

And that is a useful feature of nginx. So I would be surprised if there was not also an automatic linter plugin available for Sublime Text or VSCode, to repeatedly rerun the syntax checker during live editing. Surely that would be a worthwhile tool to help?


haproxy-wi has a little versioning thing as its way of dealing with the nginx problem -- making it easy to roll back. You can have a perfectly syntactically valid configuration that behaves unexpectedly, too. I think the best solution would be an option (which may exist) so that if it encounters a problem like missing SSL certs, it continues on for other services that can run, and if you have a conf.d folder where all files are included, only the specific sites with configuration issues bomb out.

Of course, much like the how-to outlined here, it sort of becomes a bit of scope creep as to how it was handled.

I remember once, with Apache, an innocuous configuration change resulted in a site outage. The root problem was that, in the days before SNI, the default site just happened to be the first one that was loaded in the config, but some config change meant that the “hello welcome to apache” virtual host became the primary site instead through some kind of catch-all. Perfectly syntactically valid and yet not at all the intended result. I think this ended up being an issue down to the way that files or directories were parsed, and why some distros add a numeric prefix to the config files in case things load out of order. In some respects this was initially a not-perfectly-valid config that happened to work in some scenarios, but not every scenario.

In general I like the philosophy of the proxy components being separated from the file-serving components, but at this point it is more personal preference than the functionality gaps it had been in the past.

I was just about to ask the same question :slight_smile:
Did you find the answer?

I would very much like to embark on this journey. It is beyond my capabilities, but I am willing to work at it and love to learn. I have a FQDN and understand how to configure the A record as Wendell writes. I have a Linode account and am ready to set up a Linode. A few questions before I begin.

  1. Does it matter what distribution I use for the Linode? I am most comfortable with Ubuntu. Is that acceptable? What would be the appropriate Linode plan to choose? My setup will be pretty much as Wendell describes. For starters let’s assume Plex and NextCloud.
  2. Wendell mentions using pfSense for HAProxy. I am confused by this as I thought HAProxy is installed on the Linode. I realize this question reveals my lack of knowledge, but no one learns without asking. :slight_smile: Do I also need to use HAProxy on pfSense?
  3. The instructions mention Docker. I have a vague idea what this is but have never used it. I do run FreeNAS and have jails running. I assume it is similar to that.

That’s enough questions for now. If it seems that I am too much of a noob to take this on, feel free to tell me to bug off. I would like to try, but I don’t want to be a burden. I will happily disappear into the ether if told to do so. TIA

It does not really matter, assuming that you are using a recent version. Ubuntu would be fine.

If you are just running HAProxy on the Linode, you would be more limited by bandwidth per month than anything, in general. I think even their cheapest plan would have enough CPU and RAM for HAProxy, although HAProxy-WI might want a bit more RAM.

They are similar in a number of ways, though how the underlying technology works is a bit different. For what they are used for, they are the same.

pfSense user here. So should I have the locally running haproxy plugin route *.domain.com traffic locally and just use the cloud box to forward all traffic, effectively masking my home IP?

I’m confused as to whether you installed and route traffic from the Linode box’s haproxy, or if you installed it locally?

In the pfSense case you can do it either way -- straight NAT a bunch of ports for each service, only allowed from one IP, OR use haproxy on pfSense and just set up a 1:1 proxy on Linode.


This would be cool, but I couldn’t get my router to do port forwarding. Turns out here in Australia, 4G connections do not get given public IP addresses as they are behind some sort of NAT. (Not a network engineer, so I don’t really understand how that all works.)

How would I be able to set this up without the port forwarding?

VPN between house and a VPS? That would let the home connection be dynamic, and then the VPS can definitely be static and public.