(looking for feedback) HTTP(S) reverse proxy

selfhoster1312 · January 8, 2023, 6:44pm

ynh_reverseproxy

Overview

A simple, no-dependency HTTP(S) reverse-proxy application for Yunohost. Install from https://github.com/YunoHost-Apps/reverseproxy_ynh (only for testing).

Description

I forked redirect_ynh because i wanted the reverse proxy to serve static files from a preset directory without my backend application having to take care of that.

We could add other features in the future. What do you find useful?

Problems

the backend application needs to have configuration for the base URL, otherwise it will build invalid links (like example.com/style.css instead of example.com/proxy/style.css). However, relative URLs are supported because example.com/proxy will redirect to example.com/proxy/.
i did not test the backup/restore scripts
the exposed URL can be changed after setup, but not the backend URL

selfhoster1312 · January 8, 2023, 6:52pm

Beginner question but how do i give ownership of the repo to Yunohost-Apps as suggested by the linter?

EDIT: Received response on apps chatroom. Got invitation on Github. Transfered the repository.

Aleks · January 9, 2023, 12:49pm

What would be super awesome would be to have a “SNI-based reverse proxy” mode … though I don’t know if it could easily fit in the existing code or if we should have like a 'sni_based_reverse_proxy_ynh` instead

The current implementation (just like redirect_ynh) is mostly about reverse -proxying a single app through HTTP which is an important use case. But there is another use case which is to reverse proxy for example a YunoHost inside a YunoHost. Or more generally reverse-proxying an entire external server/domain through YunoHost (for example hosting multiple server at home behind a single IP). For this use case, the usual issue is about certificate : a) should the certificate be handled by the front ? b) Or the proxied server ? In the case of a), the issue is that the proxied server usually wants to handle the SSL layer (for example YunoHost is configured with HTTP->HTTPS redirect by default) so you have to disable it and it’s not practical for reasons. In the case of b) it’s not practical either, because the front server must have access to the certificate so it can’t be generated/renewed by the proxied server … or you gotta copy between the two machines somehow

The cool solution is SNI-based reverse proxy and uses the fact that in the HTTPS protocol, the target domain of the request is available as unencrypted data and can be use by a reverse-proxy to forward the traffic without having to decrypt the traffic, such that the proxied server can handle its the SSL layer / certificate on its own.

The corresponding module in nginx : Module ngx_stream_ssl_preread_module

It’s a bit more unusual compared to regular yunohost apps (even redirect_ynh) though

tituspijean · January 9, 2023, 8:24pm

The current NGINX helper would not be able to help us here, since it includes the configuration file in a server block. upstream directives can only be in a http block.

selfhoster1312 · January 13, 2023, 4:08pm

Great idea! I will do that next

I’ll probably make that a different app though, because i find it clunky to have a dropdown of “types” of configuration in the interface, then have specific config depending on the type.

I mean if there’s support for that in the UI and in the config parsing for options to depend on other options i’ll go for it, but i couldn’t find anything about this in the docs.