Is nginx reverse proxy correct for my use case ?

Liso

Say I have vps A and vps B that serve a different purpose, vps A would be the main server meanwhile vps B for backup/fallback purpose. I will be hosting a webapp on both.

I want to automatically redirect user to vps B in case vps A is unreachable, I'm thinking of purchasing a cheap vps with dedicated IPv4 to act as reverse proxy, so the reverse proxy will decide which vps will be used.

It seems nginx reverse proxy is suitable for my case, but I never worked with one before— what do you think ? Is there any better suggestion ?

My webapp doesn't get much traffic, probably only 300-400 visitor a day. So if I were to get a vps for reverse proxy, is 512MB ram enough?

varwww

Your profile pic reminds me of Woody from little fighter 2

noaman

@Liso said:
Say I have vps A and vps B that serve a different purpose, vps A would be the main server meanwhile vps B for backup/fallback purpose. I will be hosting a webapp on both.

I want to automatically redirect user to vps B in case vps A is unreachable, I'm thinking of purchasing a cheap vps with dedicated IPv4 to act as reverse proxy, so the reverse proxy will decide which vps will be used.

It seems nginx reverse proxy is suitable for my case, but I never worked with one before— what do you think ? Is there any better suggestion ?

My webapp doesn't get much traffic, probably only 300-400 visitor a day. So if I were to get a vps for reverse proxy, is 512MB ram enough?

You can use a HAPROXY or nginx load balancer.

You need to setup database replication setup too so that both VPS A and VPS B have synced up DBs.

You might want to use object storage to offload images and pictures

I think that should be sufficient to get you started.

I believe raindog had an article on Lowenendbox but it was related to WordPress

jmgcaguicla

You just moved your SPOF to the reverse proxy, and from the sound of it you're self hosting that as well, why even bother?

isunbejo

Cloudflare dns failover with API call to update the DNS record

NoComment

You can look at this: https://docs.nginx.com/nginx/admin-guide/load-balancer/http-load-balancer/

But you have a single point of failure, the vps that acts as nginx reverse proxy.

imgmoney

For your use case, it should be HAProxy. Mark your backup VPS as a backup in HAProxy config and it will fetch content from that only if the main server is down.

Dazzle

Use DNS failover, eg. https://www.cloudns.net/dns-failover/

FrankZ

@imgmoney said:
For your use case, it should be HAProxy. Mark your backup VPS as a backup in HAProxy config and it will fetch content from that only if the main server is down.

@Liso - ^ This would probably be best for what you described above.

If you were going to do database replication and load balancing a simple way to handle this would be to just have both IPs listed in duplicate A record in your DNS with a reasonably long TTL. The way I understand it, modern browsers will keep using the first IP the DNS serves them and only use the second IP if the first does not respond. Although the IPs will be served in a round robin fashion to different users so you would get primitive load balancing and have no single point of failure.

Liso

It's been 2 weeks since I started this thread, I have purchased new server and install haproxy on it, but still I haven't successfully setup a fully working proxy solution, it always return This site can't be reached.

Can anyone who's knowledgeable enough with haproxy guide me ? This is link to my problem if anyone got a clue → https://discourse.haproxy.org/t/difficulty-using-haproxy-with-apache2-virtualhost

@varwww said: Woody from little fighter 2

Yes it is ! Liso is an actual character name from little fighter 2 mods called Little Fighter Alpha, you should check it out.

Liso

@noaman said: You can use a HAPROXY or nginx load balancer.

You need to setup database replication setup too so that both VPS A and VPS B have synced up DBs.

I got the database and system replication covered, it's just haproxy simply doesn't work when it should.

ralf

@Liso said:
It's been 2 weeks since I started this thread, I have purchased new server and install haproxy on it, but still I haven't successfully setup a fully working proxy solution, it always return This site can't be reached.

Can anyone who's knowledgeable enough with haproxy guide me ? This is link to my problem if anyone got a clue → https://discourse.haproxy.org/t/difficulty-using-haproxy-with-apache2-virtualhost

Yeah, don't do the HTTP to HTTPS redirection on the backend server, do it in haproxy directly.

My HTTP frontend in haproxy starts like this:

listen http_front
  bind *:80
  bind *:443 ssl crt /etc/haproxy/certs/

  acl url_certbot path_beg /.well-known/
  http-request redirect scheme https if !{ ssl_fc } !url_certbot
  use_backend certbot if url_certbot

Briefly, this listens on both HTTP and HTTPS. Any requests for certbot are forwarded to another VM that runs certbot once a week and then copies the certifcates to all my haproxy VMs.

Any requests that are HTTP ( !{ssl_fc} ) and not certbot are redirected to retry using HTTPS.

If you do something like this, bear in mind that your traffic between haproxy and the real web servers isn't encrypted, so you probably want to set up a wireguard tunnel between these machines. I'd recommend this anyway, as then you can prevent people connecting directly to these servers without going through haproxy. Probably the only things that are trying to do this are web crawlers and port scanners.

For reference, the certbot side is done with this command line on the certbot VM:

certbot renew -q --standalone --http-01-port 8080 --preferred-challenges http-01

and this backend in all the haproxy instances that could answer a web request for those domains to forward to it:

backend certbot
  server certbot 192.168.x.x:8080

The other advantage of doing certbot like this to another VM is that you can have multiple haproxy instances serving the same domains but backed by different backends, and they all forward certbot to the same place.

Liso

@ralf said:

@Liso said:
It's been 2 weeks since I started this thread, I have purchased new server and install haproxy on it, but still I haven't successfully setup a fully working proxy solution, it always return This site can't be reached.

Can anyone who's knowledgeable enough with haproxy guide me ? This is link to my problem if anyone got a clue → https://discourse.haproxy.org/t/difficulty-using-haproxy-with-apache2-virtualhost

Yeah, don't do the HTTP to HTTPS redirection on the backend server, do it in haproxy directly.

My HTTP frontend in haproxy starts like this:

listen http_front
bind *:80
bind *:443 ssl crt /etc/haproxy/certs/

acl url_certbot path_beg /.well-known/
http-request redirect scheme https if !{ ssl_fc } !url_certbot
use_backend certbot if url_certbot

Briefly, this listens on both HTTP and HTTPS. Any requests for certbot are forwarded to another VM that runs certbot once a week and then copies the certifcates to all my haproxy VMs.

Any requests that are HTTP ( !{ssl_fc} ) and not certbot are redirected to retry using HTTPS.

If you do something like this, bear in mind that your traffic between haproxy and the real web servers isn't encrypted, so you probably want to set up a wireguard tunnel between these machines. I'd recommend this anyway, as then you can prevent people connecting directly to these servers without going through haproxy. Probably the only things that are trying to do this are web crawlers and port scanners.

For reference, the certbot side is done with this command line on the certbot VM:

certbot renew -q --standalone --http-01-port 8080 --preferred-challenges http-01

and this backend in all the haproxy instances that could answer a web request for those domains to forward to it:

backend certbot
  server certbot 192.168.x.x:8080

The other advantage of doing certbot like this to another VM is that you can have multiple haproxy instances serving the same domains but backed by different backends, and they all forward certbot to the same place.

Then should I move my SSL certificate to haproxy server? Would that work

AXYZE

Its not what you need. Your solution will DECREASE your uptime.

Now you have one VPS. Only this can fail.
You want to add another layer of possible failure (load balancer). If it goes down then your site will be unreachable. So you are at the same point as before, but now theres extra 2 servers that can fail.

You should do it via DNS or via High Availibity VPS (but then maybe instead of load balancer just put main content into it). If you need HA VPS then search for provider which replicates your data across different machines/nodes/datacenters and points IP to correct one automatically.

Or do usual Cloudflare + point to two servers + do health checks by api + remove unhealthy IP. Free and just works.

ralf

@AXYZE said:
Its not what you need. Your solution will DECREASE your uptime.
Now you have one VPS. Only this can fail.

I can't tell if you're replying to my post or something else.

But I'm quite happy with my setup, I think it's actually similar to what you're later advocating, but I didn't mention it as it's not in the scope of answering his problem - which is that he has his HTTPS redirect in the wrong place.

I actually have multiple haproxy servers (currently 2, but plan more) than all serve the same domains and forward to the closest backend server but can fail over to the others.

I don't see how this decreases my uptime, I'd need all my haproxy instances and all my backend instances to fail. As they're all on different servers.

The reason for setting this up is to experiment with how I plan to host my stateless app. I'll have haproxy running in a VM on one host primarily forwarding to another VM on the same host but failing over to the other instances when it's overloaded. The clients can connect to any of the haproxy instances, but hopefully will pick the closest to them.

As for the certbot only having one instance, I'm fine with that. It only runs once a week, and they send out e-mail reminders a month before the cert needs renewing. If it's failed for any reason, I still have plenty of time to sort it out.

ralf

@Liso said:
Then should I move my SSL certificate to haproxy server? Would that work

Yeah. From my certbot host, I have something like this:

cat /etc/letsencrypt/live/xxx.com/fullchain.pem /etc/letsencrypt/live/xxx.com/privkey.pem >/root/xxx.pem

tar cf - xxx.pem yyy.pem zzz.pem | ssh root@haproxy1 /root/update-pem

And then on the haproxy instances I have this:

#!/bin/sh
mkdir -p /etc/haproxy/certs
tar -C /etc/haproxy/certs -x -f-
chown haproxy /etc/haproxy/certs/*.pem
chmod 600 /etc/haproxy/certs/*.pem
/etc/init.d/haproxy restart

Note that there will be downtime doing this haproxy restart whenever you change certs. I do them on different days, but a better way is to have two haproxy instances running on each machine and port forwarding to one while restarting the other. There are tutorials for this, but I haven't bothered yet.

AXYZE

@ralf said:

@AXYZE said:
Its not what you need. Your solution will DECREASE your uptime.
Now you have one VPS. Only this can fail.

I don't see how this decreases my uptime, I'd need all my haproxy instances and all my backend instances to fail. As they're all on different servers.

OP has single server. If it fails then website doesn't work.
If he adds another VPS for load balancing then if it fails then website doesn't work.
It doesn't improve uptime. If anything, it worsens it because now not only main/load balancer needs to work, now there's also backend servers.

It is not high availability. Its load balancing.

In order to get high availability you need two destinations for client. Not single one, because if its single and fails = website doesnt work.

I actually have multiple haproxy servers (currently 2, but plan more) than all serve the same domain

And thats exactly what you have done. TWO destinations for cleint. It doesnt matter if its haproxy or nginx backend.

One load balancer is one destination. It doesnt improve anything.

In OP case he can point directly to these two servers that he already has, less points of failure. HAProxy / nginx reverse proxy is not needed. Less points of failure. Two destinations for clients instead of one load balancer.

He can do it via Cloudflare DNS and remove unhealthy server via API. He wont pay a penny for it and it will actually improve his uptime.

Nekki

@AXYZE said:

In OP case he can directly to these two servers that he already has, less points of failure. HAProxy / nginx reverse proxy is not needed. Less points of failure. Two destinations for clients instead of one load balancer.

Bang on. Completely pointless to introduce another point of failure unless there’s another requirement as-yet unexplained.

He can do it via Cloudflare DNS and remove unhealthy server via API. He wont pay a penny for it and it will actually improve his uptime.

Don’t use Cloudflare kids, they’re evil! Pay a few quid a get a decent DNS service that can handle failover for you, like ClouDNS!

AXYZE

@Nekki said:
Pay a few quid a get a decent DNS service that can handle failover for you, like ClouDNS!

ClouCDN is also great proposition and health checks will be done automatically by them at cheap price ($2.95 / mo, Premium S plan)