summaryrefslogtreecommitdiffstats
path: root/docs/Running-behind-haproxy.md
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-19 02:57:58 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-19 02:57:58 +0000
commitbe1c7e50e1e8809ea56f2c9d472eccd8ffd73a97 (patch)
tree9754ff1ca740f6346cf8483ec915d4054bc5da2d /docs/Running-behind-haproxy.md
parentInitial commit. (diff)
downloadnetdata-upstream/1.44.3.tar.xz
netdata-upstream/1.44.3.zip
Adding upstream version 1.44.3.upstream/1.44.3upstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'docs/Running-behind-haproxy.md')
-rw-r--r--docs/Running-behind-haproxy.md297
1 files changed, 297 insertions, 0 deletions
diff --git a/docs/Running-behind-haproxy.md b/docs/Running-behind-haproxy.md
new file mode 100644
index 00000000..4c9c32cc
--- /dev/null
+++ b/docs/Running-behind-haproxy.md
@@ -0,0 +1,297 @@
+<!--
+title: "Netdata via HAProxy"
+custom_edit_url: "https://github.com/netdata/netdata/edit/master/docs/Running-behind-haproxy.md"
+sidebar_label: "Netdata via HAProxy"
+learn_status: "Published"
+learn_topic_type: "Tasks"
+learn_rel_path: "Configuration/Secure your nodes"
+-->
+
+# Netdata via HAProxy
+
+> HAProxy is a free, very fast and reliable solution offering high availability, load balancing,
+> and proxying for TCP and HTTP-based applications. It is particularly suited for very high traffic websites
+> and powers quite a number of the world's most visited ones.
+
+If Netdata is running on a host running HAProxy, rather than connecting to Netdata from a port number, a domain name can
+be pointed at HAProxy, and HAProxy can redirect connections to the Netdata port. This can make it possible to connect to
+Netdata at `https://example.com` or `https://example.com/netdata/`, which is a much nicer experience then
+`http://example.com:19999`.
+
+To proxy requests from [HAProxy](https://github.com/haproxy/haproxy) to Netdata,
+the following configuration can be used:
+
+## Default Configuration
+
+For all examples, set the mode to `http`
+
+```conf
+defaults
+ mode http
+```
+
+## Simple Configuration
+
+A simple example where the base URL, say `http://example.com`, is used with no subpath:
+
+### Frontend
+
+Create a frontend to receive the request.
+
+```conf
+frontend http_frontend
+ ## HTTP ipv4 and ipv6 on all ips ##
+ bind :::80 v4v6
+
+ default_backend netdata_backend
+```
+
+### Backend
+
+Create the Netdata backend which will send requests to port `19999`.
+
+```conf
+backend netdata_backend
+ option forwardfor
+ server netdata_local 127.0.0.1:19999
+
+ http-request set-header Host %[src]
+ http-request set-header X-Forwarded-For %[src]
+ http-request set-header X-Forwarded-Port %[dst_port]
+ http-request set-header Connection "keep-alive"
+```
+
+## Configuration with subpath
+
+An example where the base URL is used with a subpath `/netdata/`:
+
+### Frontend
+
+To use a subpath, create an ACL, which will set a variable based on the subpath.
+
+```conf
+frontend http_frontend
+ ## HTTP ipv4 and ipv6 on all ips ##
+ bind :::80 v4v6
+
+ # URL begins with /netdata
+ acl is_netdata url_beg /netdata
+
+ # if trailing slash is missing, redirect to /netdata/
+ http-request redirect scheme https drop-query append-slash if is_netdata ! { path_beg /netdata/ }
+
+ ## Backends ##
+ use_backend netdata_backend if is_netdata
+
+ # Other requests go here (optional)
+ # put netdata_backend here if no others are used
+ default_backend www_backend
+```
+
+### Backend
+
+Same as simple example, except remove `/netdata/` with regex.
+
+```conf
+backend netdata_backend
+ option forwardfor
+ server netdata_local 127.0.0.1:19999
+
+ http-request set-path %[path,regsub(^/netdata/,/)]
+
+ http-request set-header Host %[src]
+ http-request set-header X-Forwarded-For %[src]
+ http-request set-header X-Forwarded-Port %[dst_port]
+ http-request set-header Connection "keep-alive"
+```
+
+## Using TLS communication
+
+TLS can be used by adding port `443` and a cert to the frontend.
+This example will only use Netdata if host matches example.com (replace with your domain).
+
+### Frontend
+
+This frontend uses a certificate list.
+
+```conf
+frontend https_frontend
+ ## HTTP ##
+ bind :::80 v4v6
+ # Redirect all HTTP traffic to HTTPS with 301 redirect
+ redirect scheme https code 301 if !{ ssl_fc }
+
+ ## HTTPS ##
+ # Bind to all v4/v6 addresses, use a list of certs in file
+ bind :::443 v4v6 ssl crt-list /etc/letsencrypt/certslist.txt
+
+ ## ACL ##
+ # Optionally check host for Netdata
+ acl is_example_host hdr_sub(host) -i example.com
+
+ ## Backends ##
+ use_backend netdata_backend if is_example_host
+ # Other requests go here (optional)
+ default_backend www_backend
+```
+
+In the cert list file place a mapping from a certificate file to the domain used:
+
+`/etc/letsencrypt/certslist.txt`:
+
+```txt
+example.com /etc/letsencrypt/live/example.com/example.com.pem
+```
+
+The file `/etc/letsencrypt/live/example.com/example.com.pem` should contain the key and
+certificate (in that order) concatenated into a `.pem` file.:
+
+```sh
+cat /etc/letsencrypt/live/example.com/fullchain.pem \
+ /etc/letsencrypt/live/example.com/privkey.pem > \
+ /etc/letsencrypt/live/example.com/example.com.pem
+```
+
+### Backend
+
+Same as simple, except set protocol `https`.
+
+```conf
+backend netdata_backend
+ option forwardfor
+ server netdata_local 127.0.0.1:19999
+
+ http-request add-header X-Forwarded-Proto https
+ http-request set-header Host %[src]
+ http-request set-header X-Forwarded-For %[src]
+ http-request set-header X-Forwarded-Port %[dst_port]
+ http-request set-header Connection "keep-alive"
+```
+
+## Enable authentication
+
+To use basic HTTP Authentication, create an authentication list:
+
+```conf
+# HTTP Auth
+userlist basic-auth-list
+ group is-admin
+ # Plaintext password
+ user admin password passwordhere groups is-admin
+```
+
+You can create a hashed password using the `mkpassword` utility.
+
+```sh
+ printf "passwordhere" | mkpasswd --stdin --method=sha-256
+$5$l7Gk0VPIpKO$f5iEcxvjfdF11khw.utzSKqP7W.0oq8wX9nJwPLwzy1
+```
+
+Replace `passwordhere` with hash:
+
+```conf
+user admin password $5$l7Gk0VPIpKO$f5iEcxvjfdF11khw.utzSKqP7W.0oq8wX9nJwPLwzy1 groups is-admin
+```
+
+Now add at the top of the backend:
+
+```conf
+acl devops-auth http_auth_group(basic-auth-list) is-admin
+http-request auth realm netdata_local unless devops-auth
+```
+
+## Full Example
+
+Full example configuration with HTTP auth over TLS with subpath:
+
+```conf
+global
+ maxconn 20000
+
+ log /dev/log local0
+ log /dev/log local1 notice
+ user haproxy
+ group haproxy
+ pidfile /run/haproxy.pid
+
+ stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
+ stats timeout 30s
+ daemon
+
+ tune.ssl.default-dh-param 4096 # Max size of DHE key
+
+ # Default ciphers to use on SSL-enabled listening sockets.
+ ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
+ ssl-default-bind-options no-sslv3
+
+defaults
+ log global
+ mode http
+ option httplog
+ option dontlognull
+ timeout connect 5000
+ timeout client 50000
+ timeout server 50000
+ errorfile 400 /etc/haproxy/errors/400.http
+ errorfile 403 /etc/haproxy/errors/403.http
+ errorfile 408 /etc/haproxy/errors/408.http
+ errorfile 500 /etc/haproxy/errors/500.http
+ errorfile 502 /etc/haproxy/errors/502.http
+ errorfile 503 /etc/haproxy/errors/503.http
+ errorfile 504 /etc/haproxy/errors/504.http
+
+frontend https_frontend
+ ## HTTP ##
+ bind :::80 v4v6
+ # Redirect all HTTP traffic to HTTPS with 301 redirect
+ redirect scheme https code 301 if !{ ssl_fc }
+
+ ## HTTPS ##
+ # Bind to all v4/v6 addresses, use a list of certs in file
+ bind :::443 v4v6 ssl crt-list /etc/letsencrypt/certslist.txt
+
+ ## ACL ##
+ # Optionally check host for Netdata
+ acl is_example_host hdr_sub(host) -i example.com
+ acl is_netdata url_beg /netdata
+
+ http-request redirect scheme https drop-query append-slash if is_netdata ! { path_beg /netdata/ }
+
+ ## Backends ##
+ use_backend netdata_backend if is_example_host is_netdata
+ default_backend www_backend
+
+# HTTP Auth
+userlist basic-auth-list
+ group is-admin
+ # Hashed password
+ user admin password $5$l7Gk0VPIpKO$f5iEcxvjfdF11khw.utzSKqP7W.0oq8wX9nJwPLwzy1 groups is-admin
+
+## Default server(s) (optional)##
+backend www_backend
+ mode http
+ balance roundrobin
+ timeout connect 5s
+ timeout server 30s
+ timeout queue 30s
+
+ http-request add-header 'X-Forwarded-Proto: https'
+ server other_server 111.111.111.111:80 check
+
+backend netdata_backend
+ acl devops-auth http_auth_group(basic-auth-list) is-admin
+ http-request auth realm netdata_local unless devops-auth
+
+ option forwardfor
+ server netdata_local 127.0.0.1:19999
+
+ http-request set-path %[path,regsub(^/netdata/,/)]
+
+ http-request add-header X-Forwarded-Proto https
+ http-request set-header Host %[src]
+ http-request set-header X-Forwarded-For %[src]
+ http-request set-header X-Forwarded-Port %[dst_port]
+ http-request set-header Connection "keep-alive"
+```
+
+