I LOVE the IPv6-only QUIC, because not only does it incentivize usage for faster negotiation, it allows active connection IDs to usually be grouped based on IP address with distinction from other clients on the same local network. This video was great!
Great content. I like that, despite the fact you are not a huge channel, you've invested in good audio. Makes the videos so much more enjoyable. If you haven't done a video on Caddy I'd like to learn more about it. If you have I'll find out on your channel 😊
I'm working on a Caddy video, planning on migrating my website from Linode object hosting to Caddy on a VPS and there will be a Caddy video when I transition.
Thanks!
Glad you like it!
You sir are a pleasure to listen to. Well structured explanations and I'm confident you know what you're talking about! (You've done this type of work IRL - I'm sure of it!) Happy to go on the adventures!! Thank you for sharing with us! :)
Love your videos. Thanks for sharing your knowledge.
Thank you for this. Really enjoyed
Thanks for the demo and info, have a great day
12:30 An octet is 8 bits; colon separation in IPv6 is every 16 bits, so it's a hextet.
During the pandemic we had to set up a reverse proxy for SSH servers and I ended up using HAProxy to do this. To make this not cause SSH host key fingerprint issues, I spawned a second SSH server on port 2022 with a separate sshd_config file to specify SSH host keys that are identical across the systems. I did this also for xrdp and RDP sessions, but those are more forgiving of putting something in the middle.
I use HAProxy inside pfSense but this is a nice alternative. I also use the ACME certificate feature, which works well with HAProxy. I'm sure this can be done alongside HAProxy on that VM.
If the backends can do TLS-ALPN-01 challenges, then the backend server can do ACME on its own. If it can't, you can use L7 forwarding on port 80 (some code for this on the blog post, it's similar to the L4) to let the backend server do its own HTTP-01 challenges.
Same here. pfSense in a VM does all the magic.
@apalrdsadventures Personally, I'm using DNS-01 challenges via cert-manager in my local k3s cluster. Is k3s/k8s something you have ever dabbled with or have an opinion on?
Kubernetes adds a layer of complexity that isn't necessary for most deployments (it's designed for *very* large scale systems). At smaller scale there are easier to manage solutions.
At least Kubernetes does have a good design for scalability; Docker networking is a total nightmare.
HAProxy health checks with load balancing next, please!
12:29 is your public IPv6 prefix static? I could only do that with ULA addresses. The others are jumping around because they keep getting reassigned by my ISP.
ISPs are supposed to keep them sticky for a given DHCPv6 PD client, as long as you keep renewing the DHCP lease on time. In my case, the prefix only changed when Comcast updated their routers in my area; other than that it's been fixed for years at a time.
Temporary addresses "jump around" as your computer/device creates them randomly at startup/connection. Permanent addresses are more fixed because they are either issued by a stateful DHCP server or generated using the MAC address of your device.
Great video as always! Thanks @apalrdsadventures. Question: What are the changes I'd have to make if all the servers, including the HAProxy server, are behind an OPNsense firewall? Request: Can you do a video on that please?
In IPv4 you'd port forward from OPNsense to the HAProxy server, and in IPv6 I'd create an alias with all of the v6 addresses and another with the ports (80/443) and allow those through the firewall.
@apalrdsadventures Thanks for the quick reply. I will try that in my setup.
Hello, congratulations on these nice videos. A video with HAProxy on an OPNsense firewall with Authelia in a Proxmox LXC container would be cool. I have some difficulties with it. I don't know/understand the correct configuration on both sides. Thanks 👍
My IP camera supports only IPv4 (as most of them do) and my ISP does not route a public IPv4; instead I get a public IPv6 address with a mostly constant prefix. Can HAProxy be configured as a TCP reverse proxy so that, when adding more cameras, they will be distinguished from the internet by port and reached via the IPv6 of the machine where HAProxy is installed? HAProxy would be converting the packets from IPv6 to the internal LAN IPv4 of the camera. If it works this way, could you provide an example configuration?
Yes, you can do that. HAProxy is a full reverse proxy, it's just particularly good at TCP stuff compared to nginx or Caddy. If you are using TLS and can use SNI, you can use a single bind directive in HAProxy and use the same config as the example, but with IPv4s on the different backends. If you aren't using TLS, you probably should be, but also you can add as many IPv6s as you want to a single host, and create an HAProxy frontend for each address (instead of using different ports). From there, each frontend can go to a specific backend. You can also create multiple frontends on different ports of the same IP if that's what you like better. And HAProxy can also terminate TLS like nginx/Caddy, but Caddy would probably be easier to set up since it can handle certificate renewal automatically.
@apalrdsadventures I am not deeply involved in this subject, but it is only intended to make an IP camera RTSP stream accessible over a public IPv6 address. And as clients on the internet you'd choose VLC or Kodi to render the video stream. There is no additional security setup needed (TLS, certificate) nor more than one domain per server IP (SNI). Could you provide a configuration example / link?
RTSP also relies on RTP (over UDP) for data, so it's not as easy as just port-forwarding since it uses two different ports. You'll probably want a restreamer like go2rtc, which connects to the RTSP+RTP backend and separately exposes an RTSP+RTP frontend.
Do you have an opinion on Oracle Cloud always free tier Ampere hosting? I wonder why so many content creators use Linode when the free OCI offering could do the job.
Probably a strong distrust of Oracle as a company
@apalrdsadventures I hear ya, but it's a lot of VPS for free.
Can you make a demo of opnwaf and naxsi?
Nice video! I went ahead and switched my setup from a layer 7 proxy to a layer 4 proxy since I pretty much have the same setup. It works great until you host a service that is required to know the real client IP. When I access my service via IPv6 there is no problem at all. But when I use IPv4 this changes. The service recognizes the IP of the reverse proxy. The only solution I found was using the proxy protocol. This, however, forces you to go through the proxy, which effectively disables IPv6 access. 😥
At least with Caddy's proxy protocol module, you can specify which CIDR range to expect proxy headers from, so if you set that to the IP of the L4 proxy, it will still work correctly for everyone else.
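The three HAProxy points made in this thread (the L7 port-80 forwarding so the backend can answer its own HTTP-01 challenges, the single SNI-routed layer 4 bind with a separate frontend per IPv6 address for backends that cannot use SNI, and the proxy protocol for preserving the real client address) fit in one configuration. The following is an added example written for this thread; it is not the config from the video or the blog post. All hostnames (example.com), the 2001:db8:: documentation prefix and the private backend addresses are constructed placeholders.

```haproxy
global
    log stdout format raw local0

defaults
    log     global
    mode    tcp
    option  tcplog
    timeout connect 5s
    timeout client  1m
    timeout server  1m

# --- Port 443: layer 4 pass-through, routed on the TLS SNI name ---
# TLS is NOT terminated here. Each backend keeps its own certificate,
# so it can also answer TLS-ALPN-01 ACME challenges on its own.
frontend https_l4
    bind [::]:443 v4v6
    # Hold the connection until the ClientHello has arrived so that
    # req.ssl_sni can be read; anything that is not a ClientHello is dropped.
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }

    use_backend be_www   if { req.ssl_sni -i www.example.com }
    use_backend be_cloud if { req.ssl_sni -i cloud.example.com }
    default_backend be_www

# --- Port 80: layer 7 forwarding so the backend can do HTTP-01 itself ---
# ACME HTTP-01 validation arrives as plain HTTP, so this frontend routes on
# the Host header instead of SNI and adds X-Forwarded-For for the backend.
frontend http_l7
    bind [::]:80 v4v6
    mode http
    option httplog
    option forwardfor
    use_backend be_www_http   if { req.hdr(host) -i www.example.com }
    use_backend be_cloud_http if { req.hdr(host) -i cloud.example.com }
    default_backend be_www_http

# --- One frontend per IPv6 address for a backend that has no SNI at all ---
# The proxy host carries an extra v6 address (constructed, documentation
# prefix) dedicated to an IPv4-only legacy service, so no port juggling is
# needed on the public side.
frontend legacy_v6
    bind [2001:db8:1234::10]:443
    default_backend be_legacy

backend be_www
    # send-proxy-v2 prepends a PROXY protocol v2 header carrying the real
    # client address, which is otherwise lost on an IPv4 path through the proxy.
    # The backend must accept PROXY headers ONLY from this proxy's address
    # (Caddy's module takes a CIDR allowlist for this); if it requires the
    # header from everyone, clients connecting directly over IPv6 will fail,
    # which is exactly the problem described in the thread.
    server www1 10.0.1.10:443 send-proxy-v2 check

backend be_cloud
    server cloud1 10.0.1.20:443 send-proxy-v2 check

backend be_www_http
    mode http
    server www1 10.0.1.10:80 check

backend be_cloud_http
    mode http
    server cloud1 10.0.1.20:80 check

backend be_legacy
    # Plain TCP forward to a service with no SNI support; no PROXY header,
    # because a legacy device will not understand it.
    server legacy1 192.168.10.50:443 check
```

Validate with `haproxy -c -f haproxy.cfg` before reloading. For the per-address frontend, note the author's caveat above: a plain TCP forward is enough for a single-port service, but RTSP also negotiates RTP over UDP on separate ports, so a camera stream needs a restreamer such as go2rtc rather than this kind of forward.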
Why not try L3-DSR? You can preserve the IP there!
Please fill in the IP address for every node.
All of this without even browsing to HAProxy's console/status page and simulating a backend failure and info which the service does during issues.
Good, but TLS is NOT L7, it goes up to 6, yes, but not L7. I use HAProxy with a selection based on SNI to go to the backend. (and even load balance it)
How comes nobody commented on the addresses ::feed and ::beef yet? 🤓
Great video! However, the free pfSense firewall already has a package for HAProxy to make it easier to manage instead of using the CLI :) in addition to managing DNS records! Keep it up! You make the best videos so far on the explanations 😁 I wonder what you use for a firewall.
What about NGINX? HAProxy is a load balancer 1st that can do reverse proxying. NGINX is a reverse proxy 1st that can do load balancing.
HAProxy is particularly good at layer 4 stuff, which is what I'm doing. If I was doing a TLS-terminating proxy I would be using something else.
Nginx is a web server first.
Normally I like your videos, but those where you switch 12083121 times to the camera and back make me feel dizzy all the time. Why not use your front cam and PIP?
HAProxy + Certbot =
I'm using Certmagic in Caddy on the backend server, so the certificate is only in one place