Configure HAProxy to use BRIX behind a reverse proxy

A reverse proxy forwards requests sent by external users to a server in the company’s corporate network. The reverse proxy needs to be installed on the company’s gateway, which has:

  • At least one public IP address that gets requests from the Internet.
  • A connection to the corporate network, for example:
    • For IPv4: 192.168.1.0/24.
    • For IPv6: 2a01:4f8::/64.

To use a reverse proxy, you need to register a domain name and add a DNS A record specifying the reverse proxy’s public IP address. You can register an unlimited number of domain names for one IP address. Then, depending on the domain name, you can distribute the incoming traffic to different servers within the corporate network.

In the example below, we’re using the elma365client.domain.com domain name.

The configuration examples below use:

  • The domain name elma365client.domain.com.
  • The IPv4 address 192.168.1.10 or the IPv6 address 2a01:4f8::1, where the server with the BRIX application is located.

Attention

The BRIX application will not work correctly with port forwarding. This article shows how to use Nginx as the reverse proxy.

Example HAProxy reverse proxy configuration for the BRIX application on an IPv4 network:

global
    maxconn 10000
    log /dev/log   local0
    log /dev/log   local1 notice
    chroot /var/lib/haproxy
    stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
    stats timeout 30s
    user haproxy
    group haproxy
    daemon
 
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private
 
    ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
    ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
    ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
 
defaults
    log   global
    mode   http
    option   httplog
    option   dontlognull
    timeout connect 5000
    timeout client  50000
    timeout server  50000
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http
 
frontend elma365_web
    mode http
    bind *:80
    bind *:443 ssl crt /etc/ssl/private/elma365.pem
    redirect scheme https code 301 unless { ssl_fc }
    maxconn 10000
 
    acl elma365 hdr(host) -i elma365client.domain.com
    use_backend elma365_server if elma365
 
backend elma365_server
    mode http
    balance leastconn
    option forwardfor
    option httpclose
    option httpchk HEAD /
    http-check send hdr Host elma365client.domain.com
 
    server elma365-1 192.168.1.10:443 verify none check ssl
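
The server line above uses verify none, so HAProxy encrypts the connection to the BRIX server but does not check which certificate the server presents. The following is an added example, not part of the vendor's configuration, showing the same backend with certificate verification enabled. It assumes the BRIX server's certificate lists elma365client.domain.com, and the ca-file path is a hypothetical placeholder for the CA (or self-signed certificate) that issued it.

```haproxy
# As on this page: TLS to the BRIX server, certificate NOT verified.
# backend elma365_server
#     server elma365-1 192.168.1.10:443 verify none check ssl

# Added variant: same backend, certificate verified against a pinned CA.
backend elma365_server
    mode http
    balance leastconn
    option forwardfor
    option httpclose
    option httpchk HEAD /
    http-check send hdr Host elma365client.domain.com

    # verify required + ca-file: reject the backend unless its certificate
    #   chains to this CA (path is a hypothetical placeholder).
    # sni / check-sni: server name sent in the TLS handshake for proxied
    #   traffic and for health checks respectively.
    # verifyhost: name that must appear in the certificate's subject/SAN
    #   (assumed to be the external BRIX domain).
    server elma365-1 192.168.1.10:443 ssl verify required ca-file /etc/haproxy/brix-backend-ca.pem sni str(elma365client.domain.com) check check-sni elma365client.domain.com verifyhost elma365client.domain.com
```

Run haproxy -c -f /etc/haproxy/haproxy.cfg to validate the file before reloading. If the CA or host name does not match, the health check marks elma365-1 as down instead of silently proxying to an unverified server.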

Example HAProxy reverse proxy configuration for the BRIX application on an IPv6 network:

During installation or reconfiguration, in the Enter BRIX domain name (FQDN) or IP address field, specify elma365client.domain.com as the external domain that BRIX will be available at and use the following parameters:

  • For On-Premises Standard, enable the USE_PROXY_WITH_SSL parameter.
  • For On-Premises Enterprise, set the elma365.db.s3.ssl.enabled parameter to true in the values-elma365.yaml file.