CDIST-TYPE__HAPROXY_DUALSTACK(7)     cdist    CDIST-TYPE__HAPROXY_DUALSTACK(7)

NAME

       cdist-type__haproxy_dualstack - Proxy services from a dual-stack server

DESCRIPTION

       This (singleton) type installs and configures haproxy to act as a
       dual-stack proxy for single-stack services.

       This can be useful to add IPv4 support to IPv6-only services while
       using only one IPv4 address for many such services.

       By default this type uses the plain TCP proxy mode, which means that
       there is no need for TLS termination on this host when SNI is
       supported. This also means that proxied services will not receive the
       client's IP address, but will see the proxy's IP address instead (that
       of $__target_host).

       This can be solved by using the PROXY protocol, but take into account
       that, e.g., nginx cannot serve both regular HTTP(S) and the PROXY
       protocol on the same port, so you will need to use other ports for
       that.

       This type recommends using TCP ports 8080 and 591 to serve HTTP and
       HTTPS, respectively, over the PROXY protocol.

       See the EXAMPLES for more details.

OPTIONAL PARAMETERS

       v4proxy
              Proxy incoming IPv4 connections to the equivalent IPv6 endpoint.
              In its simplest use, it must be a NAME with an AAAA DNS entry,
              which is the IP address actually providing the proxied services.
              The full format of this argument is:

                  [proxy:]NAME[[:PROTOCOL_1=PORT_1]...[:PROTOCOL_N=PORT_N]]

              A leading proxy: means that the PROXY protocol must be used, and
              each :PROTOCOL=PORT (e.g. :http=8080 or :https=591) is a PORT
              override for the given PROTOCOL (see --protocol); if not
              present, the PROTOCOL's default port will be used.

       v6proxy
              Proxy incoming IPv6 connections to the equivalent IPv4 endpoint.
              In its simplest use, it must be a NAME with an A DNS entry,
              which is the IP address actually providing the proxied services.
              See --v4proxy for more options and details.

       protocol
              Can be passed multiple times or as a space-separated list of
              protocols. Currently supported protocols are: http, https,
              imaps, smtps. This defaults to: http https imaps smtps.
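How a --v4proxy/--v6proxy argument in the format above resolves to one backend per protocol, as an added POSIX sh example that is not the cdist type's own code. The function names and the output format are hypothetical, and the default ports are assumed to be the IANA well-known ports (80, 443, 993, 465).

```shell
#!/bin/sh
# Added example, not the cdist type's own code.
# Assumption: a PROTOCOL's "default port" is its IANA well-known port.
default_port() {
    case "$1" in
        http)  echo 80 ;;
        https) echo 443 ;;
        imaps) echo 993 ;;
        smtps) echo 465 ;;
        *)     return 1 ;;
    esac
}

# valid_port PORT: digits only, within 1..65535
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "${#1}" -le 5 ] && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# resolve_backend ARG PROTOCOL...
# Prints "PROTOCOL NAME PORT plain|proxy" per protocol; fails on malformed ARG.
# Runs in a subshell so the IFS and globbing changes do not leak to the caller.
resolve_backend() (
    arg=$1; shift
    mode=plain
    case "$arg" in proxy:*) mode=proxy; arg=${arg#proxy:} ;; esac
    name=${arg%%:*}
    [ -n "$name" ] || exit 1
    case "$arg" in *:*) overrides=${arg#*:} ;; *) overrides= ;; esac
    set -f; IFS=:               # split the override list on ':' without globbing
    out=
    for proto in "$@"; do
        port=$(default_port "$proto") || exit 1
        for kv in $overrides; do
            key=${kv%%=*}
            default_port "$key" >/dev/null || exit 1  # empty or unknown PROTOCOL
            case "$kv" in *=*) ;; *) exit 1 ;; esac   # override without '=PORT'
            valid_port "${kv#*=}" || exit 1
            if [ "$key" = "$proto" ]; then port=${kv#*=}; fi
        done
        out="$out$proto $name $port $mode
"
    done
    printf '%s' "$out"
)

# Constructed call, using the argument from the EXAMPLES section
resolve_backend "proxy:ipv6.chat:http=8080:https=591" http https
```

Rejecting malformed overrides up front keeps a typo such as :http=99999 from silently falling back to a default port that does not speak the PROXY protocol.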

EXAMPLES

          # Proxy the IPv6-only services so IPv4-only clients can access them
          # This uses HAProxy's TCP mode for http, https, imaps and smtps
          __haproxy_dualstack \
              --v4proxy ipv6.chat \
              --v4proxy matrix.ungleich.ch

          # Proxy the IPv6-only HTTP(S) services so IPv4-only clients can access them
          # Note this means that the backend IPv6-only server will only see
          # the IPv6 address of the haproxy host managed by cdist, which can be
          # troublesome if this information is relevant for analytics/security/...
          # See the PROXY example below
          __haproxy_dualstack \
              --protocol http --protocol https \
              --v4proxy ipv6.chat \
              --v4proxy matrix.ungleich.ch

          # Use the PROXY protocol to proxy the IPv6-only HTTP(S) services enabling
          # IPv4-only clients to access them while maintaining the client's IP address
          __haproxy_dualstack \
              --protocol http --protocol https \
              --v4proxy proxy:ipv6.chat:http=8080:https=591 \
              --v4proxy proxy:matrix.ungleich.ch:http=8080:https=591
          # Note however that the PROXY protocol is not compatible with regular
          # HTTP(S) protocols, so your nginx will have to listen on different ports
          # with the PROXY settings.
          # Note that you will need to restrict access to the 8080 port to prevent
          # Client IP spoofing.
          # This can be something like:
          # server {
          #     # listen for regular HTTP connections
          #     listen [::]:80 default_server;
          #     listen 80 default_server;
          #     # listen for PROXY HTTP connections
          #     listen [::]:8080 proxy_protocol;
          #     # Accept the Client's IP from the PROXY protocol
          #     real_ip_header proxy_protocol;
          # }
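The spoofing caveat in the last example, as an added nginx fragment that is not part of the original man page: nginx's realip module only rewrites the client address for peers listed in set_real_ip_from, so that list decides whose PROXY header is believed. The address 2001:db8::10 is a constructed placeholder for the IPv6 address of the haproxy host ($__target_host).

```nginx
server {
    # Regular HTTP for clients that connect directly
    listen [::]:80 default_server;

    # PROXY protocol listener, meant for the haproxy host only
    listen [::]:8080 proxy_protocol;

    # Trust the PROXY header only when the TCP peer is the haproxy host.
    # 2001:db8::10 is a placeholder; use the address of $__target_host.
    set_real_ip_from 2001:db8::10;
    real_ip_header   proxy_protocol;

    # Weak variant to avoid: trusting every peer lets anyone who can reach
    # port 8080 choose the client address that nginx logs and acts on.
    # set_real_ip_from ::/0;
}
```

A packet-filter rule limiting port 8080 to the same address covers the access restriction itself; set_real_ip_from only limits whose PROXY header is trusted.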

SEE ALSO

       https://www.haproxy.com/blog/enhanced-ssl-load-balancing-with-server-name-indication-sni-tls-extension/

       https://www.haproxy.com/blog/haproxy/proxy-protocol/

       https://docs.nginx.com/nginx/admin-guide/load-balancer/using-proxy-protocol/

AUTHORS

       ungleich <foss--@--ungleich.ch>, Evilham <cvs--@--evilham.com>

COPYING

       Copyright (C) 2021 ungleich glarus ag. You can redistribute it and/or
       modify it under the terms of the GNU General Public License as
       published by the Free Software Foundation, either version 3 of the
       License, or (at your option) any later version.

       ungleich GmbH 2021

7.0.0                            Jul 31, 2022 CDIST-TYPE__HAPROXY_DUALSTACK(7)