HAProxy provides a way of making a (TCP) service that sits behind a firewall, or on a private IP addressing scheme, publicly available on a public address.
While incoming NAT may achieve the same result (if your firewall provides that function), a proxy has some additional benefits that may be helpful:
(NOTE: HAProxy only proxies TCP; there are other solutions that can proxy UDP as well. They may or may not support the HAProxy PROXY protocol, so you’ll need to verify that they do if you use one of them.)
If you are running Synchronet behind a NAT device that hides the true “source” IP address of connecting clients, then this HAProxy configuration may help you. One example is running Synchronet under Docker, particularly Docker Swarm (and possibly Kubernetes as well), where the running application sees connections coming from the Docker proxy, often from 172.17.* or 10.* addresses.
NOTE: The assumption is that, if you still use NAT to deliver your incoming connections to HAProxy, that NAT device is still passing the true source IP address through to HAProxy; this feature won’t help you if it isn’t.
When the true source IP address is lost and replaced with the NAT device’s address (as happens in a Docker Swarm or Kubernetes), any Synchronet configuration that relates to the source IP address (IP.CAN, the LoginAttempt* settings, etc.) is effectively useless. Even the greeting “You've connected from ....” will show the incorrect hostname and IP address.
When Synchronet is configured for the HAProxy PROXY protocol, it will only accept connections that arrive via the proxy; when a connection is established, the proxy tells Synchronet the true source of the connecting client before passing the client’s connection through.
This is achieved via the HAProxy PROXY protocol, documented here: http://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
Synchronet supports both v1 and v2 of that protocol. If you use v2, you can also use the proxy’s “health check” to verify that Synchronet is up and accepting connections and, if it is not, redirect connections to a different backend or even have HAProxy mail you that Synchronet is down.
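To make the header exchange concrete, here is an added example (not Synchronet’s or HAProxy’s own code) of a minimal backend-side parser for the PROXY protocol header that HAProxy prepends with “send-proxy” (v1) or “send-proxy-v2” (v2). It recovers the true client address, recognises the v2 LOCAL command that HAProxy uses for its health checks, and rejects any stream that does not begin with a header, which is how a backend that only accepts proxied connections refuses direct ones. Only the AF_INET and AF_INET6 address families are handled; AF_UNSPEC and AF_UNIX are rejected for brevity.

```python
import socket
import struct

V1_PREFIX = b"PROXY "
V2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"
V2_FORMATS = {1: ("!4s4sHH", socket.AF_INET),     # AF_INET: 12-byte block
              2: ("!16s16sHH", socket.AF_INET6)}  # AF_INET6: 36-byte block


def parse_proxy_header(data: bytes):
    """Parse the PROXY protocol header at the start of a backend connection.

    Returns (info, remaining_bytes). info["command"] is "PROXY" with the true
    src/dst address and ports, "LOCAL" (v2 health check from the proxy) or
    "UNKNOWN" (v1). Raises ValueError when no valid header leads the stream,
    which is how a backend that only accepts proxied connections rejects
    direct ones.
    """
    if data.startswith(V2_SIGNATURE):
        if len(data) < 16:
            raise ValueError("truncated v2 header")
        ver_cmd, fam_proto, length = struct.unpack("!BBH", data[12:16])
        if ver_cmd >> 4 != 2 or len(data) < 16 + length:
            raise ValueError("bad v2 version or truncated address block")
        body, rest = data[16:16 + length], data[16 + length:]
        if ver_cmd & 0x0F == 0:  # LOCAL: the proxy's own health check
            return {"version": 2, "command": "LOCAL"}, rest
        fmt, af = V2_FORMATS.get(fam_proto >> 4, (None, None))
        if fmt is None or len(body) < struct.calcsize(fmt):
            raise ValueError("unsupported v2 address family or short block")
        src, dst, sport, dport = struct.unpack(fmt, body[:struct.calcsize(fmt)])
        return {"version": 2, "command": "PROXY",
                "src": socket.inet_ntop(af, src), "src_port": sport,
                "dst": socket.inet_ntop(af, dst), "dst_port": dport}, rest
    if data.startswith(V1_PREFIX):
        line, sep, rest = data.partition(b"\r\n")
        if not sep or len(line) > 105:  # v1 line is at most 107 bytes with CRLF
            raise ValueError("malformed v1 header")
        parts = line.decode("ascii").split(" ")
        if len(parts) >= 2 and parts[1] == "UNKNOWN":
            return {"version": 1, "command": "UNKNOWN"}, rest
        if len(parts) != 6 or parts[1] not in ("TCP4", "TCP6"):
            raise ValueError("malformed v1 header")
        return {"version": 1, "command": "PROXY", "src": parts[2],
                "src_port": int(parts[4]), "dst": parts[3],
                "dst_port": int(parts[5])}, rest
    raise ValueError("no PROXY header: connection did not arrive via HAProxy")
```

A backend would call parse_proxy_header on the first bytes read from the socket, use the returned info for its IP-based checks and greeting, and hand remaining_bytes to the normal login path.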
To configure Synchronet to work with HAProxy, you need to do the following:
Add the HAPROXY_PROTO option to the Terminal Server options, e.g.:
[BBS] Terminal Server ... Options = XTRN_MINIMIZED | ALLOW_RLOGIN | ALLOW_SSH | HAPROXY_PROTO
Configure HAProxy so that the `backend` server has “send-proxy” (v1 of the protocol) or “send-proxy-v2” (v2 of the protocol) enabled.
(If using v2 of the protocol, you can add “check inter Xs” (where X is a number of seconds) to the server line in the backend configuration; the proxy will then validate the connection every X seconds. If a check fails, the proxy can redirect traffic to another backend, or email you.)
Here is an example:
# telnet
frontend fe-telnet
    bind :::23
    bind :23
    default_backend be-telnet
    maxconn 9

backend be-telnet
    balance roundrobin
    stick-table type ip size 20k expire 30m
    stick on src
    server sbbs bbs.lan:23 check inter 60s send-proxy-v2
(You can repeat this for your rlogin, and ssh connections as well.)
This configuration has the proxy accept connections on port 23 (over IPv4 or IPv6) and limits it to 9 concurrent incoming connections. The proxy then forwards the connections to the backend host “bbs.lan”, also on port 23, using v2 of the HAProxy PROXY protocol.
Every 60s the proxy sends a health-check connection to the BBS to make sure it is still up. If you have configured “email-alerts”, HAProxy will send you an email if a check fails.
Start HAProxy, and then connect to HAProxy’s IP address to connect to your BBS.