I love how deeply nerdy these videos are. Great content!!!
Totally agree, very well researched!!
Yeah they are super geeky! But often fill in some of the knowledge gaps on a particular topic that others don't mention. So I love them.
I LOVE the IPv6-only QUIC, because not only does it incentivize usage for faster negotiation, it allows active connection IDs to usually be grouped based on IP address with distinction from other clients on the same local network. This video was great!
Great content, I like that despite the fact you are not a huge channel you've invested in good audio. Makes the videos so much more enjoyable. If you haven't done a video on Caddy I'd like to learn more about it. If you have I'll find out on your channel 😊
I'm working on a Caddy video, planning on migrating my website from Linode object hosting to Caddy on a VPS and there will be a Caddy video when I transition.
You sir are a pleasure to listen to. Well structured explanations and I'm confident you know what you're talking about! (You've done this type of work IRL - I'm sure of it!) Happy to go on the adventures!! Thank you for sharing with us! :)
Thank you for this. Really enjoyed
Thanks for the demo and info, have a great day
Thanks!
Glad you like it!
During the pandemic we had to set up a reverse proxy for SSH servers and I ended up using HAProxy to do this. To make this not cause SSH host key fingerprint issues, I spawned a second SSH server on port 2022 with a separate sshd_config file to specify SSH host keys that are identical across the systems. I did this also for xrdp and RDP sessions, but those are more forgiving of putting something in the middle.
12:30 An octet is 8 bits; colon separation in IPv6 is every 16 bits, so it's a hextet.
I use HAProxy inside pfSense but this is a nice alternative. I also use the ACME certificate feature which works well with HAProxy. I'm sure this can be done alongside HAProxy on that VM.
If the backends can do TLS-ALPN-01 challenges, then the backend server can do ACME on its own. If it can't, you can use L7 forwarding on port 80 (some code for this on the blog post, it's similar to the L4) to let the backend server do its own HTTP-01 challenges.
Same here. pfSense in a VM does all the magic.
@apalrdsadventures Personally, I'm using DNS-01 challenges via cert-manager in my local k3s cluster. Is k3s/k8s something you have ever dabbled with or have an opinion on?
Kubernetes adds a layer of complexity that isn't necessary for most deployments (it's designed for *very* large scale systems). At smaller scale there are easier to manage solutions.
At least Kubernetes does have good design for scalability, Docker networking is a total nightmare.
Hello, congratulations for these nice videos. A video with HAProxy on an OPNsense firewall with Authelia in a Proxmox LXC container would be cool. I have some difficulties with it.
I don't know/understand the correct configuration on both sides.
Thanks 👍
HAProxy health checks with load balancing next, please!
Great video as always! Thanks @apalrdsadventures. Question: What changes would I have to make if all the servers, including the HAProxy server, are behind the OPNsense firewall? Request: Can you do a video on that please?
In IPv4 you'd port forward from OPNsense to the HAProxy server, and in IPv6 I'd create an alias with all of the v6 addresses and another with the ports (80/443) and allow those through the firewall.
@apalrdsadventures Thanks for the quick reply. I will try that in my setup.
Nice Video! I went ahead and switched my setup from a layer 7 proxy to a layer 4 proxy since I pretty much have the same setup.
It works great until you host a service that is required to know the real client IP. When I access my service via IPv6 there is no problem at all. But when I use IPv4 this changes. The service recognizes the IP of the reverse proxy. The only solution I found was using the PROXY protocol. This however forces you to go through a proxy, which effectively disables IPv6 access. 😥
At least with Caddy's proxy protocol module, you can specify which CIDR range to expect proxy headers from, so if you set that to the IP of the L4 proxy, it will still work correctly for everyone else.
Why not try L3-DSR? You can preserve the IP there!!!
Great video! HOWEVER, the free pfSense firewall already has a package for HAProxy to make it EASIER to manage instead of using the CLI :) in addition to managing DNS records! Keep it up! You make the best videos so far on the explanations 😁 I wonder what you use for a firewall.
Good, but TLS is NOT L7, it goes up to 6, yes, but not L7. I use HAProxy with a selection based on SNI to go to the backend. (and even load balance it)
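A constructed HAProxy configuration that ties together the SNI-based L4 selection mentioned in the comment above and the real-client-IP problem raised a few comments earlier (the PROXY protocol discussion). It is added here as an illustration and is not the video author's configuration or the project's own example. The hostnames, the `2001:db8:0:1::/64` prefix and the backend addresses are placeholders; the `::feed`/`::beef` suffixes only echo the addresses joked about elsewhere in the thread.

```haproxy
# Constructed example: HAProxy as an L4 (TCP) front door that routes on the
# TLS ClientHello SNI without terminating TLS, and hands the original client
# address to the backend with PROXY protocol v2. Port 80 is forwarded by Host
# header so each backend can still answer its own ACME HTTP-01 challenges.
# All names and 2001:db8:: addresses are documentation placeholders.

global
    log stdout format raw local0

defaults
    log     global
    timeout connect 5s
    timeout client  60s
    timeout server  60s

# --- Port 443: TCP passthrough, selected on SNI --------------------------
frontend tls_in
    mode tcp
    option tcplog
    bind :::443 v4v6
    # Hold the connection (at most 5s) until the ClientHello has arrived,
    # otherwise req.ssl_sni is empty and every client falls to the default.
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    use_backend web_feed if { req.ssl_sni -i www.example.net }
    use_backend web_beef if { req.ssl_sni -i cloud.example.net }
    # Unknown or missing SNI: reject instead of guessing a backend.
    default_backend drop_tcp

# --- Port 80: plain HTTP, selected on Host, for ACME HTTP-01 -------------
frontend http_in
    mode http
    option httplog
    bind :::80 v4v6
    use_backend web_feed_http if { hdr(host) -i www.example.net }
    use_backend web_beef_http if { hdr(host) -i cloud.example.net }
    default_backend drop_http

# send-proxy-v2 prepends a PROXY protocol header carrying the real client
# IP and port (v4 or v6), which is what the backend needs for logging and
# per-client rate limiting once the proxy sits in the path.
backend web_feed
    mode tcp
    server feed [2001:db8:0:1::feed]:443 send-proxy-v2 check

backend web_beef
    mode tcp
    server beef [2001:db8:0:1::beef]:443 send-proxy-v2 check

backend web_feed_http
    mode http
    server feed [2001:db8:0:1::feed]:80 send-proxy-v2

backend web_beef_http
    mode http
    server beef [2001:db8:0:1::beef]:80 send-proxy-v2

backend drop_tcp
    mode tcp
    tcp-request content reject

backend drop_http
    mode http
    http-request deny deny_status 421
```

The backend side decides whom to believe: a PROXY header is just bytes at the start of the connection, so a backend that honours it from any source lets any direct client choose the address it is logged under. In Caddy the `proxy_protocol` listener wrapper takes an `allow` list of CIDRs, which is the setting referred to above; pinning it to the proxy's own address (here the placeholder `2001:db8:0:1::1/128`) means the header is honoured only from HAProxy, while IPv6 clients connecting to the backend directly keep working and cannot spoof their address.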
Do you have an opinion on Oracle Cloud always free tier Ampere hosting? I wonder why so many content creators use Linode when the free OCI offering could do the job.
Probably a strong distrust of Oracle as a company
@apalrdsadventures I hear ya, but it's a lot of VPS for free.
12:29 is your public IPv6 prefix static? I could only do that with ULA addresses. The others are jumping around because they keep getting reassigned by my ISP.
ISPs are supposed to keep them sticky for a given DHCPv6 PD client, as long as you keep renewing the DHCP lease on time. In my case, the prefix only changed when Comcast updated their routers in my area, other than that it's been fixed for years at a time.
Temporary addresses "jump around" as your computer/device creates them randomly at startup/connection. Permanent addresses are more fixed because they are either issued by a stateful DHCP server or generated using the MAC address of your device.
Can you make a demo of opnwaf and naxsi?
All of this without even browsing to HAProxy's console/status page and simulating a backend failure and info which the service does during issues.
How come nobody commented on the addresses ::feed and ::beef yet? 🤓
What about NGINX? HAProxy is a load balancer 1st that can do reverse proxying. NGINX is a reverse proxy 1st that can do load balancing.
HAProxy is particularly good at layer 4 stuff, which is what I'm doing. If I was doing a TLS-terminating proxy I would be using something else.
Nginx is a web server first.
Normally I like your videos, but those where you're switching 12083121 times to the camera and back make me feel dizzy all the time. Why not use your front cam and PIP?
HAProxy + Certbot =
I'm using Certmagic in Caddy on the backend server, so the certificate is only in one place