Here comes a probably strange question that is probably also wrongly asked.
I have the following network structure/plan...:
The idea is that someone who is responsible/authorized for network 1 and domain1.com has their own Rev. Proxy that they manage and take care of SSL certificates. The same applies to network 2.
The question is, is this even possible? Unfortunately, I'm not very familiar with SSL and proxies. I suspect that the Rev. Proxy that holds the SSL certificates must form the frontend? If that's the case, it probably wouldn't work anyway. Then the question is whether there is another way? A kind of NAT based on http/https? Sounds a bit off... But I think the idea is clear.
If it were basically possible, then the question would be whether the order HaProxy->Nginx is the right one? And whether anyone can give me a tip or link on how to configure the frontend proxy correctly.
Thank you very much for your answers.
Update: For those who have something similar in mind, the haproxy config:
# Automatically generated, don't edit manually.
# Generated on: 2024-10-07 20:55
global
    maxconn 1000
    stats socket /tmp/haproxy.socket level admin expose-fd listeners
    uid 80
    gid 80
    nbthread 1
    hard-stop-after 15m
    chroot /tmp/haproxy_chroot
    daemon
    tune.ssl.default-dh-param 2048
    server-state-file /tmp/haproxy_server_state

# TCP mode: TLS is not terminated here, the reverse proxies behind it hold the certificates.
frontend Front
    bind your_public_ip:80 name your_public_ip:80
    bind your_public_ip:443 name your_public_ip:443
    mode tcp
    log global
    timeout client 30000
    # Wait up to 5s for a TLS ClientHello so the SNI can be read.
    # Plain HTTP arriving on :80 carries no ClientHello, so no ACL matches and no backend is selected.
    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }
    # -m end is a plain suffix match on the SNI.
    acl app1 req_ssl_sni -m end domain1.de
    acl app2 req_ssl_sni -m end domain2.de
    use_backend Domain1_ipvANY if app1
    use_backend Domain2_ipvANY if app2

backend Domain1_ipvANY
    mode tcp
    id 100
    log global
    timeout connect 30000
    timeout server 30000
    retries 3
    load-server-state-from-file global
    # Stickiness keyed on the TLS session ID (length byte at offset 43 of the hello).
    stick-table type binary len 32 size 30k expire 30m
    acl clienthello req_ssl_hello_type 1
    acl serverhello rep_ssl_hello_type 2
    tcp-request inspect-delay 5s
    tcp-request content accept if clienthello
    tcp-response content accept if serverhello
    stick on payload_lv(43,1) if clienthello
    stick store-response payload_lv(43,1) if serverhello
    server ProxyMan 192.168.7.1:8443 id 102 check inter 1000

backend Domain2_ipvANY
    mode tcp
    # Proxy ids must be unique, so this backend cannot reuse id 100.
    id 101
    log global
    timeout connect 30000
    timeout server 30000
    retries 3
    load-server-state-from-file global
    stick-table type binary len 32 size 30k expire 30m
    acl clienthello req_ssl_hello_type 1
    acl serverhello rep_ssl_hello_type 2
    tcp-request inspect-delay 5s
    tcp-request content accept if clienthello
    tcp-response content accept if serverhello
    stick on payload_lv(43,1) if clienthello
    stick store-response payload_lv(43,1) if serverhello
    server ProxyMan 192.168.8.1:8443 id 103 check inter 1000