ELMA365 On-Premises > Other > Configuration / Configure HAProxy to use ELMA365 behind a reverse proxy

Configure HAProxy to use ELMA365 behind a reverse proxy

A reverse proxy is used to redirect requests from external users sent to the server in the company’s corporate network. A reversed proxy needs to be installed on the company’s gateway that has:

  • At least one public IP address that gets requests from the Internet.
  • Connection to the corporate network, for example, 192.168.1.0/24.

To use a reverse proxy, you need to register a domain name and add a DNS A record specifying the reverse proxy’s public IP address. You can register an unlimited number of domain names for one IP address. Then, depending on the domain name, you can distribute the incoming traffic to different servers within the corporate network.

In the example below, we’re using the elma365client.domain.com domain name.

The example server with the ELMA365 application is located at the following IP address in the corporate network: 192.168.1.10.

начало внимание

The ELMA365 application will not work correctly with port forwarding. This article shows how to use Nginx as the reverse proxy.

конец внимание

Here is an example of HAProxy reverse proxy configuration for the ELMA365 application:

global
   maxconn 10000
   log /dev/log   local0
   log /dev/log   local1 notice
   chroot /var/lib/haproxy
   stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
   stats timeout 30s
   user haproxy
   group haproxy
   daemon
 
   ca-base /etc/ssl/certs
   crt-base /etc/ssl/private
 
        ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
        ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
        ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
 
defaults
   log   global
   mode   http
   option   httplog
   option   dontlognull
   timeout connect 5000
   timeout client  50000
   timeout server  50000
   errorfile 400 /etc/haproxy/errors/400.http
   errorfile 403 /etc/haproxy/errors/403.http
   errorfile 408 /etc/haproxy/errors/408.http
   errorfile 500 /etc/haproxy/errors/500.http
   errorfile 502 /etc/haproxy/errors/502.http
   errorfile 503 /etc/haproxy/errors/503.http
   errorfile 504 /etc/haproxy/errors/504.http
 
frontend elma365_web
       mode http
       bind *:80
       bind *:443 ssl crt /etc/ssl/private/elma365.pem
       redirect scheme https code 301 unless { ssl_fc }
       maxconn 10000
 
       acl elma365 hdr(host) -i elma365client.domain.com
       use_backend elma365_server if elma365
 
backend elma365_server
       mode http
       balance leastconn
       option forwardfor
       option httpclose
       option httpchk HEAD /
 
       server elma365-1 192.168.1.10:443 verify none check ssl

During installation or reconfiguration, in the Enter ELMA365 domain name (FQDN) or IP address field, specify elma365client.domain.com as the external domain that ELMA365 will be available at and enable SSL termination.

Found a typo? Highlight the text, press ctrl + enter and notify us