
Configure HAProxy to use BRIX behind a reverse proxy

A reverse proxy forwards requests from external users to a server in the company’s corporate network. The reverse proxy needs to be installed on a company gateway that has:

  • At least one public IP address that gets requests from the Internet.
  • Connection to the corporate network, for example:
    • For IPv4: 192.168.1.0/24.
    • For IPv6: 2a01:4f8::/64.

To use a reverse proxy, you need to register a domain name and add a DNS A record specifying the reverse proxy’s public IP address. You can register an unlimited number of domain names for one IP address. Then, depending on the domain name, you can distribute the incoming traffic to different servers within the corporate network.

In the example below, we’re using the elma365client.domain.com domain name.

The configuration examples below use:

  • The domain name elma365client.domain.com.
  • The IPv4 address 192.168.1.10 or the IPv6 address 2a01:4f8::1, where the server with the BRIX application is located.

Important: The BRIX application will not work correctly with port forwarding. This article shows how to use HAProxy as a reverse proxy server.

Example HAProxy reverse proxy configuration for the BRIX application on an IPv4 network:

global
   maxconn 10000
   log /dev/log   local0
   log /dev/log   local1 notice
   chroot /var/lib/haproxy
   stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
   stats timeout 30s
   user haproxy
   group haproxy
   daemon
 
   ca-base /etc/ssl/certs
   crt-base /etc/ssl/private
 
   ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
   ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
   ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
 
defaults
   log   global
   mode   http
   option   httplog
   option   dontlognull
   timeout connect 5000
   timeout client  50000
   timeout server  50000
   errorfile 400 /etc/haproxy/errors/400.http
   errorfile 403 /etc/haproxy/errors/403.http
   errorfile 408 /etc/haproxy/errors/408.http
   errorfile 500 /etc/haproxy/errors/500.http
   errorfile 502 /etc/haproxy/errors/502.http
   errorfile 503 /etc/haproxy/errors/503.http
   errorfile 504 /etc/haproxy/errors/504.http
 
frontend elma365_web
   mode http
   bind *:80
   bind *:443 ssl crt /etc/ssl/private/elma365.pem
   redirect scheme https code 301 unless { ssl_fc }
   maxconn 10000
 
   acl elma365 hdr(host) -i elma365client.domain.com
   use_backend elma365_server if elma365
 
backend elma365_server
   mode http
   balance leastconn
   option forwardfor
   option httpclose
   option httpchk HEAD /
   http-check send hdr Host elma365client.domain.com
 
   server elma365-1 192.168.1.10:443 verify none check ssl
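
The server line above uses verify none, so HAProxy encrypts the connection to BRIX but does not validate the certificate the server presents. The following is an added example, not part of the original article or the product's own configuration, showing the same backend with certificate verification enabled. It assumes the BRIX server's certificate is valid for elma365client.domain.com; the CA file path is a placeholder.

```haproxy
# Added example. Weak form used in the configuration above: the proxy accepts
# any certificate from the backend, so the BRIX server is not authenticated.
#   server elma365-1 192.168.1.10:443 verify none check ssl

backend elma365_server
   mode http
   balance leastconn
   option forwardfor
   option httpclose
   option httpchk HEAD /
   http-check send hdr Host elma365client.domain.com

   # Hardened form.
   #   verify required  - reject the backend if its certificate chain does not validate
   #   ca-file          - CA that issued the BRIX certificate (placeholder path, assumption)
   #   sni              - server name sent on proxied connections; the certificate is checked against it
   #   check-sni        - server name sent on health-check connections
   #   verifyhost       - name to check the certificate against when no SNI is sent
   server elma365-1 192.168.1.10:443 check ssl verify required ca-file /etc/ssl/certs/brix-backend-ca.pem sni str(elma365client.domain.com) check-sni elma365client.domain.com verifyhost elma365client.domain.com
```

With verify required, a backend certificate that is expired, self-signed without its CA in ca-file, or issued for another name makes the health check fail and HAProxy marks the server as down, so validate the file with haproxy -c -f /etc/haproxy/haproxy.cfg and watch the server state after reloading.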

Example HAProxy reverse proxy configuration for the BRIX application on an IPv6 network

During installation or reconfiguration, in the Enter BRIX domain name (FQDN) or IP address field, specify elma365client.domain.com as the external domain that BRIX will be available at and use the following parameters:

  • For On-Premises Standard, enable the USE_PROXY_WITH_SSL parameter.
  • For On-Premises Enterprise, set the elma365.db.s3.ssl.enabled parameter to true in the values-elma365.yaml file.