HAProxy provides a way of making a (TCP) service that sits behind a firewall, or on a private IP addressing scheme, publicly available on a public address.
While incoming NAT may be able to achieve the same result (if your firewall provides that function), a proxy has some additional benefits that may be helpful:
- It can connect to multiple targets for any incoming connection, letting you spread the workload across multiple backends, or move a backend around and only reconfigure the proxy to point at the new backend address.
- It can do some level of filtering based on the number, or frequency, of connections from a particular source, so that the backend is protected from (some level of) front-end abuse.
- Depending on the proxy, you may get a nice stats GUI showing how your frontend and backend are performing. (HAProxy provides a useful web status GUI.)
(NOTE: HAProxy only proxies TCP packets - there are other solutions that can proxy UDP as well - they may or may not support the HAProxy Proto protocol, so you’ll need to verify that they do if you use it.)
If you are using Synchronet, with a NAT device in front of it, that hides the true “source” IP address, then the HAProxy configuration may help you. One example is if using Synchronet with docker, particularly docker swarm (and possibly Kubernetes as well) - where the running application sees connections from the docker proxy, often 172.17* or 10.*.
NOTE: The assumption is that, if you still use NAT to deliver your incoming connections to HAProxy, that NAT device still passes the true source IP address to HAProxy - this feature won’t help you if it doesn't.
When the true source IP address is lost and replaced with the NAT device's address (as happens in a docker swarm or Kubernetes), any Synchronet configuration that relates to the source IP address (IP.CAN, LoginAttempt* configuration, etc.) is effectively useless. Even the greeting “You've connected from ....” will show the incorrect hostname and IP address.
When Synchronet is enabled with HAProxy Proto, Synchronet will only accept connections via the proxy; when a connection is established, the proxy tells Synchronet the true source of the connecting client before passing the connection on.
This is achieved via HAProxy Protocol - documented here: http://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
Synchronet supports both v1 and v2 of that protocol. If you use v2, you can also use the proxy's “health check” to verify that Synchronet is up and accepting connections and, if it is not, redirect connections to a different backend or even mail you that Synchronet is down.
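The following is an added example, not Synchronet's or HAProxy's own code, showing the receiver side of the protocol linked above: what a backend with the proxy protocol enabled has to do with the first bytes of every TCP connection. It parses both the v1 text header and the v2 binary header, recovers the real client address and port, recognises a v2 LOCAL header (which is what HAProxy's own health-check probes carry, as opposed to a relayed client's PROXY header), and refuses connections that arrive with no header at all, which is the behaviour described above for Synchronet only accepting connections via the proxy. The sample headers and the `classify` helper are constructed for this example and are not captured traffic or Synchronet API names.

```python
"""Receiver-side parser for the HAProxy PROXY protocol, v1 and v2 (added example)."""
import socket
import struct
from dataclasses import dataclass
from typing import Optional

V2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"   # fixed 12-byte v2 magic from the spec


class ProxyProtocolError(ValueError):
    """Raised when the connection does not carry a valid PROXY header."""


@dataclass
class ProxyInfo:
    version: int
    command: str              # "PROXY": relayed client; "LOCAL": the proxy itself (health check)
    src_ip: Optional[str]
    src_port: Optional[int]
    dst_ip: Optional[str]
    dst_port: Optional[int]
    header_len: int           # bytes to strip before the application (telnet/rlogin/ssh) data


def _parse_v1(data: bytes) -> ProxyInfo:
    end = data.find(b"\r\n")
    if end < 0 or end > 105:  # spec: a v1 line is at most 107 bytes including CRLF
        raise ProxyProtocolError("v1 line not terminated within 107 bytes")
    f = data[:end].decode("ascii").split(" ")
    if f[0] != "PROXY":
        raise ProxyProtocolError("bad v1 keyword")
    if f[1] == "UNKNOWN":     # proxy could not learn the client address
        return ProxyInfo(1, "PROXY", None, None, None, None, end + 2)
    if len(f) != 6 or f[1] not in ("TCP4", "TCP6"):
        raise ProxyProtocolError("malformed v1 header")
    family = socket.AF_INET if f[1] == "TCP4" else socket.AF_INET6
    for addr in (f[2], f[3]):
        socket.inet_pton(family, addr)   # validate the textual address before trusting it
    sport, dport = int(f[4]), int(f[5])
    if not (0 <= sport <= 65535 and 0 <= dport <= 65535):
        raise ProxyProtocolError("port out of range")
    return ProxyInfo(1, "PROXY", f[2], sport, f[3], dport, end + 2)


def _parse_v2(data: bytes) -> ProxyInfo:
    if len(data) < 16:
        raise ProxyProtocolError("v2 header truncated")
    ver_cmd, fam_proto, length = struct.unpack("!BBH", data[12:16])
    if ver_cmd >> 4 != 2:
        raise ProxyProtocolError("bad v2 version nibble")
    command = {0x0: "LOCAL", 0x1: "PROXY"}.get(ver_cmd & 0x0F)
    if command is None:
        raise ProxyProtocolError("bad v2 command")
    total = 16 + length       # any TLVs after the addresses are skipped via the length field
    if len(data) < total:
        raise ProxyProtocolError("v2 address block truncated")
    if command == "LOCAL":    # HAProxy's own connection, e.g. a 'check inter 60s' probe
        return ProxyInfo(2, "LOCAL", None, None, None, None, total)
    family = fam_proto >> 4
    if family == 0x1 and length >= 12:   # AF_INET: 4+4 byte addresses, 2+2 byte ports
        src, dst, sp, dp = struct.unpack("!4s4sHH", data[16:28])
        return ProxyInfo(2, "PROXY", socket.inet_ntop(socket.AF_INET, src), sp,
                         socket.inet_ntop(socket.AF_INET, dst), dp, total)
    if family == 0x2 and length >= 36:   # AF_INET6: 16+16 byte addresses, 2+2 byte ports
        src, dst, sp, dp = struct.unpack("!16s16sHH", data[16:52])
        return ProxyInfo(2, "PROXY", socket.inet_ntop(socket.AF_INET6, src), sp,
                         socket.inet_ntop(socket.AF_INET6, dst), dp, total)
    if family == 0x0:         # AF_UNSPEC: addresses unknown, like v1 UNKNOWN
        return ProxyInfo(2, "PROXY", None, None, None, None, total)
    raise ProxyProtocolError("unsupported or short v2 address family")


def parse_proxy_header(data: bytes) -> ProxyInfo:
    """Parse the PROXY header at the start of a connection's first bytes."""
    try:
        if data.startswith(V2_SIGNATURE):
            return _parse_v2(data)
        if data.startswith(b"PROXY "):
            return _parse_v1(data)
    except (ValueError, OSError, struct.error) as exc:
        raise ProxyProtocolError(str(exc)) from exc
    raise ProxyProtocolError("no PROXY header: the connection did not come through the proxy")


def classify(first_bytes: bytes) -> str:
    """What a backend that requires the proxy protocol does with a new connection."""
    try:
        info = parse_proxy_header(first_bytes)
    except ProxyProtocolError as exc:
        return f"reject: {exc}"
    if info.command == "LOCAL":
        return "health-check"     # answer the probe and close; no login, nothing to log as a user
    if info.src_ip is None:
        return "client: address unknown"
    return f"client: {info.src_ip}:{info.src_port}"


def _v2_header(cmd: int, fam_proto: int, body: bytes) -> bytes:
    return V2_SIGNATURE + struct.pack("!BBH", cmd, fam_proto, len(body)) + body


# Constructed sample connections (not captured traffic): header, then the client's first data.
SAMPLE_V1 = b"PROXY TCP4 203.0.113.5 10.0.0.2 51234 23\r\n" + b"hello"
SAMPLE_V2 = _v2_header(0x21, 0x11, socket.inet_pton(socket.AF_INET, "203.0.113.5")
                       + socket.inet_pton(socket.AF_INET, "10.0.0.2")
                       + struct.pack("!HH", 51234, 23)) + b"hello"
SAMPLE_V2_IPV6 = _v2_header(0x21, 0x21, socket.inet_pton(socket.AF_INET6, "2001:db8::1")
                            + socket.inet_pton(socket.AF_INET6, "2001:db8::2")
                            + struct.pack("!HH", 40000, 23))
SAMPLE_HEALTH_CHECK = _v2_header(0x20, 0x00, b"")   # v2 LOCAL: what a health-check probe carries
SAMPLE_DIRECT = b"\xff\xfd\x18"                       # telnet negotiation that bypassed the proxy

if __name__ == "__main__":
    for name, sample in [("v1", SAMPLE_V1), ("v2", SAMPLE_V2), ("v2 ipv6", SAMPLE_V2_IPV6),
                         ("health check", SAMPLE_HEALTH_CHECK), ("direct", SAMPLE_DIRECT)]:
        print(f"{name:13s} -> {classify(sample)}")
```

The point to take from the last two samples: a health-check probe is identified by the LOCAL command rather than by any address, so it never looks like a user connection, and a connection that reaches the backend without the header is refused rather than silently treated as coming from the proxy's own address. That refusal is why, once the backend requires the protocol, direct connections to the BBS ports stop working.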
Step 1: Configuring Synchronet to use the HAProxy Proto
To configure Synchronet to work with HAProxy, you need to do the following:
- Add HAPROXY_PROTO to the Options configuration for [BBS]. (Note: enabling this disables your ability to connect to Synchronet directly on any of the BBS ports - i.e. connections *must* come via the proxy, and the proxy protocol must be enabled.)
In the [BBS] (Terminal Server) section:
    [BBS]
    ...
    Options = XTRN_MINIMIZED | ALLOW_RLOGIN | ALLOW_SSH | HAPROXY_PROTO
Step 2: Configuring HAProxy
Configure HAProxy so that the `backend` server has “send-proxy” or “send-proxy-v2” enabled (the latter being v2 of the protocol).
(If using v2 of the protocol, you can add “check inter Xs” (where X is a number) to the backend configuration; the proxy will then validate the connection every X seconds. If the check fails, the proxy can redirect traffic to another backend, or email you.)
Here is an example:
    # telnet
    frontend fe-telnet
        bind :::23
        bind :23
        default_backend be-telnet
        maxconn 9

    backend be-telnet
        balance roundrobin
        stick-table type ip size 20k expire 30m
        stick on src
        server sbbs bbs.lan:23 check inter 60s send-proxy-v2
(You can repeat this for your rlogin, and ssh connections as well.)
This configuration makes the proxy accept connections on port 23 (over IPv4 or IPv6) and limits it to 9 incoming connections. The proxy then forwards the connections to the backend host “bbs.lan”, also on port 23, using v2 of the HAProxy Proto protocol.
Every 60s the proxy sends a health check connection to the BBS to make sure it is still up. If you configured “email-alerts”, HAProxy will send you an email if a check fails.
Start HAProxy, and then connect to HAProxy’s IP address to connect to your BBS.
- You need to be running a build of Synchronet that was built after 22nd Nov, 2020.
- When HAPROXY_PROTO is used, Synchronet will no longer accept direct connections to your SSH, Telnet or Rlogin ports. You'll need to connect to Synchronet via the proxy. If you want to revert your configuration so that you can connect directly, just remove the HAPROXY_PROTO option from your *BBS* stanza.
- HAProxy can only proxy TCP connections, so if you want to use any of the UDP ports, you'll need to continue to use your NAT setup for those ports (or find a proxy that can handle UDP as well).
Other Useful items
- If you add an email-alert configuration, HAProxy can email you if Synchronet stops responding (if you enable the health check).
- If you don't want to use the health check, just remove the *check inter Xs* from the server configuration.