I have a similar setup and I just have the reverse proxy on the VPS. It then proxies back to the home server on whatever port the service is on. And yes you can forward the original client IP if you wish.
Comment on Cloudflare is bad. Youre right.
madasi@lemmy.dbzer0.com 4 months agoDoes this cause all traffic at the reverse proxy to appear to come from the source IP of your VPS or does it preserve the original source IP?
I’ve been working on setting up a similar setup myself and am trying to figure out specifically how to handle the forwarding on the VPS.
EncryptKeeper@lemmy.world 4 months ago
possiblylinux127@lemmy.zip 4 months ago
It depends on how you set it up
maiskanzler@feddit.de 4 months ago
Yes, I do loose the origin IP and I’m a little bugged by it. It also means that ALL traffic incoming on a specific port of that VPS can only go to exactly ONE private wireguard peer. You could avoid both of these issues by having the reverse proxy on the VPS (which is why cloudflare works the way it does), but I prefer my https endpoint to be on my own trusted hardware. That’s totally my personal preference though.
I trust my VPS provider to not be interested enough in my data to setup special surveillance tooling for each and every possible software combination their customers might have. Cloudflare on the other hand only has their own software stack to monitor and all customers must adhere to it. It’s by design much easier for them to do statistics or snooping.
towerful@programming.dev 4 months ago
You can do reverse proxy on the VPS and use CNI routing (because the requested domain is in clear text over HTTPS), then use Proxy Protocol to attach the real source IP to the TCP packets.
This way, you don’t have to terminate HTTPS on the VPS, and you can load balance between a couple wireguard peers so you have redundancy (or direct them to different reverse proxies or whatever).
On your home servers, you will need an additional frontend(s) that accepts Proxy Protocol from the VPS (as Proxy Protocol packets aren’t standard HTTP/S packets, so standard HTTPS reverse proxies will drop them as unknown/broken/etc).
This way, your home reverse proxy knows the original IP and can attach it to the decrypted http requests as x-forward-for. Or you can do ACLs based on original client IP. Or whatever.I haven’t found a way to get a firewall that pays attention to Proxy Protocol TCP headers, but I haven’t found that to really be an issue. I don’t really have a use case
maiskanzler@feddit.de 4 months ago
Oh neat! That looks like a perfect fit for me! I saved your post and will come back to it once the biyearly “just f*ing fo it again” motivation hits me once more :D
Perhyte@lemmy.world 4 months ago
It also means that ALL traffic incoming on a specific port of that VPS can only go to exactly ONE private wireguard peer. You could avoid both of these issues by having the reverse proxy on the VPS (which is why cloudflare works the way it does), but I prefer my https endpoint to be on my own trusted hardware.
For TLS-based protocols like HTTPS you can run a reverse proxy on the VPS that only looks at the SNI (server name indication) which does not require the private key to be present on the VPS. That way you can run all your HTTPS endpoints on the same port without issue even if the backend server depends on the host name.
This StackOverflow thread shows how to set that up for a few different proxy setups.
maiskanzler@feddit.de 4 months ago
Nice, thank you!
SeeJayEmm@lemmy.procrastinati.org 4 months ago
Enough people have already commented on the “proxy at the vps solution”. Another option is to configure routing and nat on the VPS and have it route over the wg tunnel.
Requires you to have postup/predown scripts that modify your routing tables on the wg endpoint.
lucky18391@lemdro.id 4 months ago
I also have a similar setup to OP. But I use iptables to forward the traffic over wireguard and I am able to preserve the original client IP by not snat the packets. I then have to use policy based routing to make sure that traffick goes back out through the wg tunnel.
I’m happy to share info on how to get this working.
MigratingtoLemmy@lemmy.world 4 months ago
I’d like a blog please
madasi@lemmy.dbzer0.com 4 months ago
I’d certainly be interested in full details. This sounds like the best of all worlds of not needing to double reverse proxy, not hardcoding internal IPs in the config of a single reverse proxy on the VPS, and not losing the source IP.
sntx@lemm.ee 4 months ago
Please tell ^^
lucky18391@lemdro.id 4 months ago
I’m not sure what the best way to share this info is. I’d love to write up a blog but not sure how long that would take. I suppose I could just share the wireguard configs here as they include the iptable commands. Will do that tonight when I get a chance.