
Bridge, NAT and Haproxy for Proxmox

Bridge and NAT

Here's the /etc/network/interfaces used on a Proxmox PVE hypervisor to NAT inbound internet traffic (arriving on vmbr0) to a VM (attached to vmbr1).

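# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
#
# Layout: vmbr0 is the public-facing bridge on eth0; vmbr1 is a bridge with
# no physical port, used only by the VM. The hypervisor forwards inbound
# TCP 80/443 from vmbr0 to the VM and masquerades the VM's outbound traffic.
#
# Values written as <...> are placeholders: the addresses were missing from
# the listing this file was restored from and must be filled in before use.

# The loopback network interface
auto lo
iface lo inet loopback

# Physical NICs are only bridge members and carry no address of their own.
iface eth0 inet manual
iface eth1 inet manual

# Public bridge: holds the hypervisor's routable address.
auto vmbr0
iface vmbr0 inet static
    address <HYPERVISOR_PUBLIC_IP>
    netmask <PUBLIC_NETMASK>
    gateway <PUBLIC_GATEWAY>
    bridge_ports eth0
    bridge_stp off
    bridge_fd 0

# Internal bridge for the VM (no physical port).
auto vmbr1
iface vmbr1 inet static
    address <VMBR1_HOST_IP>
    netmask <VMBR1_NETMASK>
    bridge_ports none
    bridge_stp off
    bridge_fd 0
# Enable IP routing so packets can move between vmbr0 and vmbr1. This is a
# host-wide setting and nothing below turns it off again on post-down.
    post-up echo 1 > /proc/sys/net/ipv4/ip_forward

# Inbound: rewrite the destination of HTTP/HTTPS arriving on the public
# bridge to the VM. Only these two ports are redirected; everything else
# stays addressed to the hypervisor.
    post-up iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 80 -j DNAT --to <VM_PRIVATE_IP>
    post-up iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 443 -j DNAT --to <VM_PRIVATE_IP>
# Outbound: source-NAT the VM subnet behind the hypervisor's public address.
    post-up iptables -t nat -A POSTROUTING -s '<VMBR1_SUBNET_CIDR>' -o vmbr0 -j MASQUERADE

# The nat table only rewrites addresses; whether forwarded packets are
# accepted is decided by the filter table's FORWARD chain, which this file
# does not touch. Confirm its policy on the host matches what you intend to
# expose (TODO confirm).
#
# Mirror of the post-up rules so an ifdown leaves the nat table clean.
# Running ifup twice without an ifdown in between would append duplicates.
    post-down iptables -t nat -D PREROUTING -i vmbr0 -p tcp --dport 80 -j DNAT --to <VM_PRIVATE_IP>
    post-down iptables -t nat -D PREROUTING -i vmbr0 -p tcp --dport 443 -j DNAT --to <VM_PRIVATE_IP>
    post-down iptables -t nat -D POSTROUTING -s '<VMBR1_SUBNET_CIDR>' -o vmbr0 -j MASQUERADE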


And here is the /etc/haproxy/haproxy.cfg, inspired by Mozilla Sec; there is no HTTPS towards the backend.

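        # 'global' section header restored: the directives below are only
        # valid there and the header line was missing from the listing.
global
        log /dev/log    local0
        log /dev/log    local1 notice
        chroot /var/lib/haproxy
        # Runtime socket at admin level: any process that can open it can
        # alter the running configuration, so keep the 660 mode and the
        # haproxy group membership tight.
        stats socket /run/haproxy/admin.sock mode 660 level admin
        stats timeout 30s
        user haproxy
        group haproxy

        # Default SSL material locations
        ca-base /etc/ssl/certs
        crt-base /etc/ssl/private

        # set default parameters to the modern configuration
        # (SSLv3, TLS 1.0 and TLS 1.1 are disabled on both bind and server
        # sides; session tickets are off).
        tune.ssl.default-dh-param 2048
        ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
        ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets

# 'defaults' section header restored for the same reason as 'global'.
defaults
        log     global
        mode    http
        option  httplog
        option  dontlognull
        # Timeout values without a unit are milliseconds.
        timeout connect 5000
        timeout client  50000
        timeout server  50000
        errorfile 400 /etc/haproxy/errors/400.http
        errorfile 403 /etc/haproxy/errors/403.http
        errorfile 408 /etc/haproxy/errors/408.http
        errorfile 500 /etc/haproxy/errors/500.http
        errorfile 502 /etc/haproxy/errors/502.http
        errorfile 503 /etc/haproxy/errors/503.http
        errorfile 504 /etc/haproxy/errors/504.http

# Plain-HTTP entry point. The TLS bind is left commented out as in the
# original, so everything on this listener is cleartext until it is enabled.
frontend f_yunohost
        default_backend b_yunohost
        bind    :80
        # bind    :443 ssl crt /path/to/<cert+privkey+intermediate+dhparam>
        # redirect scheme https code 301 if !{ ssl_fc }
        # # HSTS (15768000 seconds = 6 months)
        # rspadd  Strict-Transport-Security:\ max-age=15768000
        # NOTE: rspadd was removed in HAProxy 2.1; on current versions the
        # equivalent is:
        #   http-response set-header Strict-Transport-Security max-age=15768000

# Backend traffic is plain HTTP (no 'ssl' on the server line).
backend b_yunohost
        # <BACKEND_ADDR> is a host:port placeholder; the value was missing
        # from the listing. If the backend should see the real client
        # address in its logs, 'option forwardfor' adds X-Forwarded-For.
        server yunohost <BACKEND_ADDR> check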