VyOS as a Reverse Proxy Load Balancer
VyOS, the robust open-source network operating system, has recently introduced an exciting new capability: the ability to function as a load-balancing reverse proxy. This integration leverages HAProxy, a battle-tested proxy server and load balancer, to give VyOS reverse proxy and application load balancing functionality. While this integration is still in its early stages and lacks many features, it already offers promising functionality that will hopefully improve with time.
My particular use case for this feature is to allow me to host services at home, despite being behind CGNAT.
In my previous articles, I described how to configure a site-to-site VPN between two VyOS routers. This is effectively how I bypass my ISP’s CGNAT.
The VyOS router that lives in the data centre runs HAProxy and reverse proxies all requests back to my home lab.
In this article, I will detail the steps to configure VyOS as a load-balancing reverse proxy.
Configuring VyOS
Let’s start by creating the services, which tell HAProxy which ports to bind to.
As I would like to terminate SSL on my home Kubernetes cluster, I have configured HAProxy to run in TCP mode, on both port 80 and 443:
# set load-balancing reverse-proxy service http mode 'tcp'
# set load-balancing reverse-proxy service http port '80'
# set load-balancing reverse-proxy service https mode 'tcp'
# set load-balancing reverse-proxy service https port '443'
Next we can define our backends.
I define two backends, one for HTTP and one for HTTPS:
# set load-balancing reverse-proxy backend ingress-home-http description 'Home K8S HTTP Ingress'
# set load-balancing reverse-proxy backend ingress-home-http mode 'tcp'
# set load-balancing reverse-proxy backend ingress-home-http server ingress-home address '10.254.95.0'
# set load-balancing reverse-proxy backend ingress-home-http server ingress-home check
# set load-balancing reverse-proxy backend ingress-home-http server ingress-home port '80'
# set load-balancing reverse-proxy backend ingress-home-http server ingress-home send-proxy-v2
# set load-balancing reverse-proxy backend ingress-home-http timeout check '10'
# set load-balancing reverse-proxy backend ingress-home-http timeout connect '5'
# set load-balancing reverse-proxy backend ingress-home-http timeout server '180'
# set load-balancing reverse-proxy backend ingress-home-https description 'Home K8S HTTPS Ingress'
# set load-balancing reverse-proxy backend ingress-home-https mode 'tcp'
# set load-balancing reverse-proxy backend ingress-home-https server ingress-home address '10.254.95.0'
# set load-balancing reverse-proxy backend ingress-home-https server ingress-home check
# set load-balancing reverse-proxy backend ingress-home-https server ingress-home port '443'
# set load-balancing reverse-proxy backend ingress-home-https server ingress-home send-proxy-v2
# set load-balancing reverse-proxy backend ingress-home-https timeout check '10'
# set load-balancing reverse-proxy backend ingress-home-https timeout connect '5'
# set load-balancing reverse-proxy backend ingress-home-https timeout server '180'
Note the send-proxy-v2 option. This configures HAProxy to send traffic to the backends using the PROXY protocol, which preserves the client IP address. You can read more about the PROXY protocol in the HAProxy Blog post titled “Use the Proxy Protocol to Preserve a Client’s IP Address”.
I am using Traefik as my ingress service on my home Kubernetes cluster, which does support the PROXY protocol.
Next, we can connect the services to the backends:
# set load-balancing reverse-proxy service http backend 'ingress-home-http'
# set load-balancing reverse-proxy service https backend 'ingress-home-https'
Don’t forget to apply the configuration using the commit command!
And that’s all there is to it!
Your internal services should now be accessible via the public IP address of your VyOS router.
Conclusion
While VyOS’ integration with HAProxy is still in its early stages, it holds great promise for those looking to harness its potential.
Our exploration began with my use case and goal of overcoming the challenges posed by CGNAT (Carrier-Grade Network Address Translation) to host services from home. We discussed how this feature could be a game-changer, and we detailed the steps to configure VyOS as a load-balancing reverse proxy.
As we conclude this journey, it’s worth noting that this configuration only scratches the surface of the functionality that HAProxy offers. Although VyOS’ integration with HAProxy is still in its early stages, more advanced HAProxy features have already been integrated that I have not used in this guide; you can explore them in depth through the VyOS documentation.
This article has been a glimpse into the possibilities of VyOS as a load-balancing reverse proxy, and I hope it sets you on a path of innovation and networking excellence. Whether you’re a seasoned networking enthusiast or just getting started, VyOS is an excellent tool to have at your disposal.
In the ever-evolving landscape of networking, VyOS continues to be a driving force, and I’m excited to see how this feature evolves in the future.
Posts in this series
- VyOS as a Reverse Proxy Load Balancer
- VyOS - WireGuard Based Road Warrior VPN Configuration
- VyOS - Site-to-Site VPN Using Wireguard and OSPF