Create haproxy-moonfire-tls-client.conf #134
base: master
Conversation
Added a folder for config examples, and a config example for using HAProxy with IPv6, TLS, and client certs. This also provides for local users without client certs.
Thanks for sharing your config! A couple comments below.
Also, what are your thoughts on putting it here vs on the wiki? I started the latter as an easy place to add stuff that's not tied to a specific version of the software: hardware recommendations, general system setup, etc. I'd already written the "Securing Moonfire NVR" guide when I set up the wiki, or I might have added it there instead. It kind of straddles the distinction I set; it refers to some command-line flags and expected headers that might change in a future version, but much of it is about general concepts and software other than Moonfire NVR. We could leave it alone, move the whole guide to the wiki, or move just both examples (my nginx one and your haproxy one).
backend moonfire | ||
http-request add-header X-Forwarded-Host %[req.hdr(Host)] |
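Review bot: `http-request add-header X-Forwarded-Host %[req.hdr(Host)]` in `backend moonfire` appends rather than replaces, so a client that already sends its own X-Forwarded-Host would reach the backend with two values and the backend has no way to tell which one the proxy produced. Since the review above says Moonfire NVR ignores this header, drop the line; if it is ever needed, use `http-request set-header X-Forwarded-Host %[req.hdr(Host)]` so only the proxy's value survives.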
Moonfire NVR doesn't pay any attention to X-Forwarded-Host at the moment. Is haproxy changing the original Host header? If not, you shouldn't need anything like this. You can check what it looks like via the /api/request endpoint.
This is me learning about how Moonfire works. This was my first attempt (borrowed from another situation) and it seemed to work.
Yeah, that's totally cool. I think with just a couple changes it'll exactly match what Moonfire NVR expects, and we just need to decide between putting it in the repository or the wiki. I'm leaning toward putting it in the wiki, and moving my nginx example config there too.
# | ||
# Note: I have modified the Systemd unit file to reflect binding to [::1]:8080 | ||
# | ||
# As with anything else, this may be a starting place. Improvements are a neccessity for life. |
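Review bot: the comment `# Note: I have modified the Systemd unit file to reflect binding to [::1]:8080` says the unit was changed but not how. Because the backend listening only on loopback is what stops a client from bypassing the proxy and its client-cert check, spell out the exact unit option or command-line flag that was changed (or link to where it is documented) so a reader does not leave Moonfire NVR on its default, reachable address while believing the proxy is the only way in.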
case in point: necessity has one c. ;-)
I live in a world where AI smell checking and flying cars already happened.
frontend https | ||
bind :::443 v6only ssl crt *MYSERVERCERT*.pem verify optional ca-file *MYROOT_CA*.pem crt-ignore-err all ca-ignore-err all | ||
http-request add-header X-Forwarded-Proto https |
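Review bot: `crt-ignore-err all ca-ignore-err all` on the `bind :::443` line makes `verify optional` accept a client certificate that fails verification (expired, self-signed, or issued by a CA other than the one in `ca-file`) exactly like a valid one, so nothing later in the config can distinguish a good cert from a bad one unless it checks `ssl_c_verify` explicitly. Either drop both ignore-err options, which still lets clients with no cert connect while a bad cert fails the handshake, or gate every cert-based path on `ssl_c_used` together with `ssl_c_verify 0`. On the same hunk, `http-request add-header X-Forwarded-Proto https` should be `set-header` so a client-supplied X-Forwarded-Proto is overwritten rather than appended to.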
It looks like you can do something similar here to pass the original IP address also:
option forwardfor header X-Real-IP
http://cbonte.github.io/haproxy-dconv/2.5/configuration.html#4-option%20forwardfor
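As an added example (not the file in this PR and not from the Moonfire NVR project), one way the points raised in this thread fit together: `verify optional` without the ignore-err options, cert-based access only for a cert that actually verified while hosts on a local network still get in without one, X-Real-IP and X-Forwarded-Proto set by the proxy, and the backend reached only on [::1]:8080. The two .pem paths and the local-network ranges are placeholders.

```haproxy
# Added example, not the config from this PR. Placeholders: the two .pem paths
# and the "local" source ranges; adjust them to the deployment.
defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend https
    # verify optional lets clients without a cert connect. With no
    # crt-ignore-err / ca-ignore-err, a cert that fails verification aborts
    # the TLS handshake instead of being accepted.
    bind :::443 v6only ssl crt /etc/haproxy/server.pem verify optional ca-file /etc/haproxy/clients-ca.pem

    # A cert counts only if one was presented AND it verified against ca-file.
    acl has_cert  ssl_c_used
    acl cert_ok   ssl_c_verify 0
    # "Local users" (placeholder ranges) may connect without a client cert.
    acl local_net src 192.168.0.0/16 fd00::/8

    # Everyone outside the local ranges must present a verified client cert.
    http-request deny if !local_net !has_cert
    http-request deny if has_cert !cert_ok

    # Proxy-controlled headers: set-header overwrites anything the client
    # sent, and forwardfor supplies the original client IP as X-Real-IP.
    http-request set-header X-Forwarded-Proto https
    option forwardfor header X-Real-IP
    default_backend moonfire

backend moonfire
    # Moonfire NVR listens only on loopback, so the proxy is the only way in.
    server nvr [::1]:8080
```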