HAProxy Crash Course (TLS 1.3, HTTPS, HTTP/2 and more)

Captions
HAProxy is a free, open-source software written in C that provides high availability, layer 4 and layer 7 load balancing and proxying. It has a reputation for being fast and efficient in terms of processor and memory usage. In this video I want to go through the following. It's gonna be a long video, I have so much good stuff for you guys in this course, right. I want to go through first the gist of how we do things today, like the current architecture and the desired architecture of things, like how would you solve load balancing, right. Then I'm gonna go through the HAProxy architecture, talk about the key concepts and components that HAProxy has, and as I am talking you're gonna start seeing timecodes so you can jump to the interesting parts of the video, guys. We're gonna show how HAProxy can act as a TCP proxy or an HTTP proxy, a layer 4 proxy or a layer 7 proxy, which acts both at the TCP layer and at the application layer, like HTTP at the application layer and TCP for databases, for example, right. And we're gonna show this cool concept called ACL, access control lists, right. Then I'll talk a little bit about TLS termination versus TLS pass-through, because I found this very fascinating in HAProxy, right. And finally we're gonna go through an example, which is the most interesting part: we're gonna install HAProxy, I'm gonna do a little bit of basic configuration, we're gonna enable HTTPS on HAProxy, and we're gonna take it up a notch a little bit, OK. I'm gonna use Let's Encrypt, I'm gonna use No-IP, which is like a free thing, right. You can do this today, you don't have to buy anything, you can do everything on your Mac. I'm gonna do everything on my Mac, I'm not gonna do a cloud architecture or anything, all the examples are on my Mac, right. If you have Windows it also works too, OK. Then finally I'm gonna enable HTTP/2 on HAProxy, which is something you can do, but it's not very clear out there; people tell you that, oh, HAProxy doesn't support
HTTP/2. No, that's not true, right, the latest version of HAProxy actually does that, which is the version I think I'm gonna use, 2.0, right. But yeah, finally I'm gonna summarize the whole thing. If you're interested, stay tuned.

Welcome, my name is Hussein and this channel discusses all sorts of software engineering by example, so if you want to become a better software engineer consider subscribing and hit that like, so you get notified every time I upload a new video. With that said, let's just jump into HAProxy, guys.

All right, so here's the current architecture, right, before any load balancing or anything. You have a beautiful application here, right, it's probably running just pure vanilla HTTP, maybe a REST API that you built on Express or Django, whatever, right, and that is hitting a database on the back end. It could be Postgres, it could be MongoDB, it could be anything else, right. And then you have your clients and you give them this ugly URL that has a port in it, and you say, OK, I want to get the employees, right. What happens is we hit the server and then that server hits the database, right, and then the server responds with a representation of the database results, which is usually REST (that's what the representation stands for); usually this is JSON, you get back JSON. And you ask another question, poof, poof, hit the database, right, get back the result. If you hit it again, same thing, right. That's the current architecture, we all know it, right. The problem is, we have one central point of failure where this server is overloaded with all these beautiful requests, right. What do we do? Here's what we want to do: we spin up multiple servers with your application. That's very easy recently, and we have shown how to spin up multiple versions of your application on different ports using Docker, just literally spin up another thing and you have a copy of your application, that's amazing,
guys, right. I'm gonna reference the video of how we did that, right, because we're gonna use that, OK. So we now have versions of your application running on 3001, 3002 and 3003, and they are exactly the same, they're hitting the same exact database, right. And you put a proxy on top of this thing, OK. HAProxy has two pieces of components: the backend, which you configure to say, hey HAProxy, I have these three servers on the backend, 3001, 3002 and 3003, OK, I want you to load balance these things, and you have no idea how much configuration you can do on the backend, guys, it's amazing. What we want to do in the backend is this: I'm communicating on vanilla unencrypted HTTP, but on the front end, that's what's called the frontend, I want to listen on port 443, I want this to be secure, I want certificates and all that jazz, right, and I want to use h2, because why not, because we're fancy like that, OK. And if you want to make a request now, look what happens, right: you make a request, it goes to this server, right, and you get back the representation. If you make another request it goes to the other server, right; if you make another request it goes to the third server, and this algorithm is called round robin, and we're gonna show how we can change the algorithm, which is pretty cool too, guys. All right, so that's what we desire, that's what we're gonna build here, OK. There won't be any databases at work, but you get the idea, it should be a very very simple and straightforward application, OK. Let's just jump into it.

OK, so as we said, this is the front end, this part is the front end, right, and this part is called the back end, and this is very key in HAProxy; pretty much all proxies have this concept. There's a backend, anything behind the proxy, and there's a frontend, anything in front of HAProxy, or the proxy, right.

HAProxy architecture. Let's talk about
at least a little bit of things, right. So there is a concept of a frontend, and we're gonna talk about some configuration that is very specific to HAProxy here, OK. So in the frontend, anything in front of the proxy, usually this is where HAProxy listens, which ports HAProxy listens on: I'm listening on port 80 for example, or 443, and clients communicate with that frontend essentially, OK. And when they communicate with that frontend, right, that's where HAProxy exposes these ports, right. And there is some configuration that you can do on the frontend. There's timeout client, let's talk about that one, right, because we're gonna use all of these in our configuration when we get to the example. Timeout client is like, how long do you want me to wait before I can disconnect the client if it's not doing anything, right. Because when the client, like a mobile phone, connects to HAProxy, right, it establishes a TCP connection, and when you do that it's a stateful TCP connection that is alive, it's living, right, and that is usually memory consumption, right. Imagine you have 10,000 of those, right. So timeout client will allow HAProxy to disconnect that TCP connection if the client is idle, it's not doing anything; it's like, hey, if the client didn't do anything in one minute, kill it, that client is dead for me, right. Very useful timeout, that's why you have to specify these timers. So that's the frontend, because remember, in the frontend the clients connect to me, the frontend. The bind, which probably I should have mentioned first: the bind is which port, on which IP and which interface, are you listening on, right, on the frontend in HAProxy. Hey, I'm listening on port 80, hey, I'm listening on port 443, so all the clients connect to port 80 or 443, right, 443 for HTTPS, 80 for HTTP. ACLs, that's another thing you can do here, and I don't believe you can do ACLs on the backend, right, I might be wrong, but on the front
end you can do, hey, access control lists, right. I mean, hey, if the client is going to /admin I don't want it to go through that path, right, or throw a 404 if the page is not found, OK, something like that. So you want to do some conditionals in your frontend, like, hey, if this client is coming from this country, block this guy, right, I don't want anyone accessing this content from this country, right. Let's say you're building Netflix, and this particular show, I don't know, The Morning Show (The Morning Show is not on Netflix, it's Apple TV, but sure), so you don't want anyone from Asia to access The Morning Show, right, you want only America. You can do this from the frontend with ACLs, something like that, OK.

Backend: anything behind the proxy. And usually you can say, this is a logical backend, I'm gonna create a backend called, I don't know, allMyNodes, right, and you can specify multiple servers on the backend. I forgot the actual most important thing, which is the server property, OK. The server property tells you what the server in the backend is, right, and this is the beauty of this: you can specify server one, server two, server three, and you can start doing balancing and all that jazz, right, on the backend. So a frontend also always connects to a backend, you have to specify which backend you want me to connect to, right, and this will become more clear as we go through, guys, right. So essentially, if I specify a frontend I can specify a default backend, like, hey, anything that connects, always go to this backend, right. But you can also specify a backend with a set of servers, like server one, server two, server three running application one, right, and servers eight, nine, ten running application two, and that's another backend. You can create two backends, and you can say, hey, if the user, using an ACL on /app1, is trying to access app one, take them
to this backend; if they're trying to access app two, take them to this backend, and we're going to show that in an example, guys, OK. And what kind of properties can you do in the backend? You cannot bind to anything, because you're not really listening, right, you're just basically forwarding stuff to the backend, right. So you can specify timeout connect, right. This is a very important thing: you are in the backend now, right, so HAProxy is connecting to your backend servers, these Express, these Django servers, OK, and when it tries to connect, how long do you want HAProxy to wait before it gives up connecting? Because it's connecting, right, it's a client; HAProxy is now a client trying to connect to your backend. Do you want to just wait forever? Bad idea, right. So you want this to be as minimal as possible, like, hey, make it like 300 milliseconds: if you couldn't connect, call it, this server is probably dead, right, this backend is probably dead, OK, use another one, another one. Then you've got timeout server, OK, here's an interesting one, right. So if you're connecting to the backend, you're having like this backend application running on port 7777, and this is a huge application, I mean if you make a request to this application it's gonna take a long time, right, I don't know, it's crunching some machine learning stuff, right, and it's doing some training. If you do that you're synchronously waiting for the backend: how long do you want HAProxy to wait for a response from that backend, from the backend server? Do you want me to wait for 10 seconds, 30 seconds, 1 minute, 1 hour? OK, it's probably a good idea to specify these numbers. But you might say, no, this backend should take 30 milliseconds to execute this application; if it's taking more than 30 I want to know, I want to time out, right, I want HAProxy to kill that connection, because that is bad, right. That application, app two for example, is supposed to query
and immediately give me the results, right. If it's taking a long time I want to know about it, I want a log that tells me, hey, timeout, please. So all this nice configuration, guys. And balance: we're gonna have multiple servers to play with, right, in a given backend; how do you want me to balance them, right? By default, if you don't specify that, it's round-robin. Round-robin, you guys, is like one, two, three, one, two, three, one, two, three, OK. Round-robin is like one, two, three, one, two, three, it just literally jumps from one server to another, so yeah, that's what it does, right. So round-robin, very simple stuff, default stuff, you can always use it. You can also rely on least connection. We talked about these stateful TCP connections, right, they are both on the client and on the server. How do you want me to connect to these things? As you start connecting and stuff, with the stateful connection, you can tell HAProxy to say, hey, you know what, I want to connect to the server with the least amount of TCP connections that it has, right. And you might say, how about round-robin then, isn't that gonna be balanced? Not really, because some requests are gonna take more time than other requests, and some requests will stay alive longer, so you want to hit another server that has the least number of connections, right. And obviously there's another thing called source. That means if you make a request, right, you want it all to go to a specific server, and that's called a sticky session essentially, right. If you're coming from this IP, HAProxy takes the hash of this IP, and then there's consistent hashing, and it hits one of the servers, and every request that comes from that IP address is gonna always go to that server, right. And some people like that; I personally think it's a bad idea, all right, just sticking to a server, but sometimes you really need to do
that, like, OK, all my stuff, my application is a stateful application, right, the moment I put stuff on the server, in the memory of the server, I expect it to be there, so I'm bad like that, right, I'm doing it for my own reason, just please connect all of this to that machine, right. So that's the source algorithm, OK.

HAProxy architecture, let's continue. Multiple frontends: you can have multiple frontends, you can have multiple backends, and this is it, there's a really good use case I'm not gonna go through in this video, but there are use cases where you can actually put multiple frontends listening on different ports, right, and Varnish is actually one example of this, right. You can have HAProxy listening on port 443 as a frontend, call it HTTPS only, for example, and then put another frontend listening on port 80, right, that's the vanilla unencrypted one, OK. And you can have Varnish, which is a reverse proxy, connect to the HAProxy unencrypted one, because Varnish only supports HTTP backends, it's unencrypted in the free version; in the pro version Varnish, the HTTP accelerator, actually supports SSL backends. So you can have Varnish connect to the HTTP frontend in HAProxy, which is allowed, right, and then you can have HAProxy forward all the requests from the HTTP unencrypted frontend to the secure encrypted backend, which turns around and connects to the HTTPS HAProxy frontend, because it's like loops on itself, and then you can just communicate and resume the connection encrypted, yeah. A frontend can bind to one or more ports, that's totally normal, OK, and you can have two frontends pointing to two different ports as well, OK. A frontend connects to a backend, right, always, all the time, right, and you can have two frontends, as we explained, right: you can have a frontend listening on port 80 and that forwards to an HTTPS backend, right, and that HTTPS backend is actually nothing but HAProxy itself, right,
so it will connect to itself, and it will go, oh, finally, I have a frontend listening on HTTPS on port 443, so let me connect to that, and then it will just resume that connection.

Let's talk about modes a little bit, TCP and HTTP modes, right. So HAProxy is one of those few proxies that actually supports layer 4 and layer 7 proxying. What the heck does that mean? It means that when you play at the TCP layer you have very few things to work with: you have the IP address, you can see the IP address and you can see the port, and that's it, you cannot see anything else. You can see the IP address you're coming from, you can see the IP address you're going to, that's pretty much it. You cannot see the content, you cannot trust looking at the packets, because they do not make any sense at that layer, OK, layer 4, right. There you cannot do rerouting, you cannot do header rewrites, any of that stuff, right. And there's a benefit of doing that, there are cons of doing that as well. So that's the layer 4 TCP proxy, right. Layer 7, which is the HTTP proxy, works at layer 7, that means it can actually look at the data: you can see, oh, you're going to /search/this, right, or /app1, /app2, you're going to that thing, oh, I can read this stuff, right. So you can do some very clever maneuvering; especially with microservices, layer 7 proxies are almost a must, right. But there is the bad thing about layer 7 proxies, right: layer 7 has to look at the data, and to look at the data, if you are using TLS, you've got to decrypt that thing, OK, and if you're decrypting, that means you're terminating the TLS, that means your proxy is looking through your data. Maybe you're OK with that, but just so you know, HAProxy, Nginx, pretty much Caddy, I think all of those look through your data, yeah. So if you don't trust your proxy for some reason, and you have a backend that is secure, OK, and that has a certificate, and you
just want the proxy to actually do load balancing and round robin, right, and you don't want it to look, you don't want rerouting or any of that stuff, use a layer 4 proxy, because it will do SSL pass-through. I'm gonna talk about that, right, it will not terminate the TLS, right. So you can play with TCP and HTTP, I'm going to talk about that in the examples.

Access control lists: conditionals that apply to reroute the traffic. Hey, if you're going to this endpoint, I want you, for example, to block that, right. If you don't want anyone to go to admin through the proxy, they are not allowed to go to this endpoint, I just want to block them; admin access has to go through the server directly, for example, yeah. You just want to make your own rules, you can start following all these beautiful rules, guys: if you're going to /app1, go to this backend; if you're going to /app2, go to this backend, to these servers, right. You can do so much clever stuff. ACLs can also be applied not just in the HTTP mode, which is layer 7, you can apply them in the layer 4 mode. You might say, if I'm at layer 4 I don't see any data, why is this useful? Well, you can do some basic stuff, you know, like, hey, I can look at the IP, at least that's useful: people coming from Asia, I want them to go to this backend, which is all the servers in Asia, right, in Singapore somewhere, right, and if someone is coming from America I want the backend to go through, I don't know, these servers that are in North Virginia, OK, and so on. So it's really cool for microservices.

A little bit about TLS termination and TLS pass-through, very powerful concepts, right. TLS termination is sometimes very useful, right: the frontend is TLS, the backend is HTTP, right; how the heck can you communicate with the HTTP backend if you're HTTPS? That's impossible, right, you've got to terminate the TLS and finish the communication in a pure unencrypted way, because your backend is unsecure, right.
Sometimes this is a bad idea, but this is what can happen, right. Termination is a necessary evil: you need to terminate the TLS because I need to look, right, because what I need to do is I need to look at your data, I need to look at your headers, I need sometimes to rewrite your headers, like Varnish, right, I need to cache, right, if you want me to cache, and if you don't want me to cache I can't, I have to look at your data, right. And here's the thing, it requires a certificate, because you want to terminate the TLS, that's your final destination as a client. The client connects to HAProxy, and HAProxy terminates the TLS, it's like, yo, that's me, I'm the same old guy, right, you connect to me, here's your certificate, son, that's me. I don't talk to the backend server, HAProxy terminates, talk to me. And then if it's trusted, obviously most of the time this layer of proxying is trusted, so you're going to talk to it and then essentially communicate with the client, and then you trust it and you continue, all right.

And then how about TLS pass-through? I don't trust my load balancer, I want my backend servers already HTTPS, why should I terminate? And I don't want caching, I'm doing enough caching on the backend; please, you are a dumb proxy, just forward my packets and shut up, OK. That's when we want to use TLS pass-through, which is the mode that's called TCP mode, right. So my backend is TLS and HAProxy just proxies the packets directly, right, it proxies the packets, it creates a single end-to-end TCP connection, so even the handshake happens end to end, and the proxy just forwards the connections immediately, OK. And this becomes kind of a sticky thing, right, not really called sticky, but if I'm connecting at layer four I'd better forward everything; I create a NAT table essentially, I know it's a very primitive way of describing it, but a network address translation. At the HAProxy level, one implementation at least, I don't
know what the internal implementation is, but I think this is one of them: you can create an IP table that says, hey, this IP address goes to this server, just like the router does, right, this IP address goes to this server, this IP address from this port goes to this IP address on this port, so the internal port is really important here as well. There's no caching, da da, layer 4, ACL only, so you can play with the IP, that's pretty much it. It's more secure because, well, I'm not looking at your data, right. Your proxy in this case also doesn't need a certificate, which is beautiful, so if your backend server has HTTPS we only need that certificate on the backend end; I don't need to put a certificate on my HAProxy. But in our example we're going to use termination.

Finally, the cool part, HAProxy installation. Let's go through this, guys, right. When I install HAProxy, right, I'm gonna use Mac for this, so I'm gonna use brew, which is this thing that installs stuff, right. You can pretty much do the same tutorial with Ubuntu, Raspberry Pi or anything like that, right; the only difference really is just the installation of that stuff, right. Install HAProxy, then we're gonna do a simple frontend on port 80, right, and then we're gonna have one backend with many servers, because I have spun up multiple lightweight applications that I've created that just do simple stuff, and then we're gonna round-robin through them. We're gonna do a conditional: app one, app two; if the user goes to app one we're going to go to this set of servers, if the user goes to app two we're gonna go to these servers. We're gonna prevent admin access, going to show you how to do that. And almost there, we're gonna do HTTPS, right, we're going to show how to enable HTTPS on HAProxy. I'm gonna use Let's Encrypt for that, beautiful certificate authority, for free. We can also use, obviously, No-IP (noip.com) to get a DNS, like a bogus DNS, right,
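The two TLS modes just described, as an added example (this is not a configuration file from the video): a layer 4 pass-through listener next to a layer 7 terminating listener. Frontend and backend names, the backend ports and the certificate path are placeholders, and the two frontends are alternatives, since only one of them can bind port 443 in a running instance.

```haproxy
# ---- alternative 1: TLS pass-through (mode tcp, layer 4) ----
# HAProxy never decrypts. The client's TLS handshake runs end to end
# with the chosen backend server, so HAProxy only sees IPs and ports
# and needs no certificate of its own. Names and ports are placeholders.
frontend https_passthrough
    mode tcp
    bind 0.0.0.0:443
    timeout client 60s
    default_backend tls_servers

backend tls_servers
    mode tcp
    balance roundrobin
    timeout connect 10s
    timeout server 100s
    # Each backend terminates TLS itself and holds its own certificate.
    server tls1 127.0.0.1:8443
    server tls2 127.0.0.1:9443

# ---- alternative 2: TLS termination (mode http, layer 7) ----
# HAProxy owns the certificate, decrypts, and can read paths and
# headers (so ACLs on the path work); the hop to the backends is plain
# HTTP. The PEM file must contain the certificate chain and private key;
# the path below is a placeholder. "alpn h2,http/1.1" offers HTTP/2 to
# clients that support it and falls back to HTTP/1.1 otherwise.
frontend https_terminate
    mode http
    bind 0.0.0.0:443 ssl crt /PLACEHOLDER/path/to/fullchain-and-key.pem alpn h2,http/1.1
    timeout client 60s
    default_backend http_servers

backend http_servers
    mode http
    balance roundrobin
    timeout connect 10s
    timeout server 100s
    server node2222 127.0.0.1:2222
    server node3333 127.0.0.1:3333
```

With pass-through, a browser keeps one TCP connection open and therefore stays pinned to one backend until it reconnects; with termination, HAProxy owns the client connection and can round-robin each request, which is the behaviour difference the TCP-mode versus HTTP-mode demonstration later in the video shows.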
because I'm gonna connect it to my Mac, right. And then we're gonna go HTTP/2, we're gonna enable HTTP/2, that's just something on top of it. All right guys, what do we want to do first? First of all, I'm gonna spin up, let's say, four applications that I've written before. I'm not gonna go through the process because I've done it, I'm gonna reference the video here, you can go check it out, but essentially I have a Docker image that I created with an application that listens on a certain port. I'm gonna spin up four applications of those, and we're going to spin them up on different ports. So how about we do that. So we're gonna do docker run -p, and the first application I'm gonna run it on port 2222, right; the application server is running on port 9999, OK, but the exposed port is actually 2222, OK. And I want to pass an environment variable so we can know which application this is, I'm gonna call it 2222 so we can know, right, and then call it node app and then spin it up. We have one application; let's spin up application 3333, right, on 3333, let's do 4444, almost there, 5555. These are just literally Express applications listening on certain ports, and just app one, I'm gonna show you that now in a second, right. So I have four applications, let's go to the browser and show it to you. So 2222, 3333, 4444, 5555, and it's all running on my machine, the Docker instances, right, on Hussein's Mac, which is localhost, right. So if I go to the browser and say localhost:2222, you can see that this is the application, localhost:2222, app ID 2222, homepage says hello, right. If I do /app1, there is an application on that called app1, it says, hey, app 1, hello, it's very simple, right. If I do /app2 it says app 2 page, and finally /admin, and on the admin page I just said, like, hey, very few people should see this, very simple thing. So if I do 3333/app1, same thing; if I do 4444, same thing; 5555, it just tells me the application number, very simple,
and I deliberately printed out the application so I can know which application I'm hitting, OK. It's boring, right, it's very boring. I'm not gonna give my users these ports, right, it's very ugly, so what do we do? What we do, guys, is we spin up HAProxy and we start balancing this stuff. Let's get into it. So go to the terminal, let's install HAProxy, very simple to do on Mac: you do brew; if you don't have brew, just install it on your Mac, very simple. Once you have that you do brew install haproxy, OK, as simple as that, and on Ubuntu it's, I think, apt-get install haproxy, right. And once you have it, you have it. The version I have as of making this video is version 2.0.10, pretty good enough, right, it works. Now I have HAProxy. What I need to do: HAProxy doesn't run without configuration, you have to configure something, OK. Let's create a configuration folder, I'm going to create a folder here, make directory, I'm going to call it proxy, right. Clear. So I have a folder called proxy and I'm gonna create a test.cfg file, OK. I'm using vim for that, but you can use VS Code, you can use any of your favorite editors, OK. Here's what we need to do, guys. Remember what we have, what matters with HAProxy: there's a frontend and a backend, guys. If you have watched some HAProxy tutorials or read the documentation, there are also defaults and global; I'm not going to explain that because I found them confusing, because it just muddies the water. Let's understand what we actually need, then introduce other stuff as we need it, defaults and global and all that stuff. Listen, right: frontend, which listens on a port, that's what matters, let's do that. I'm gonna create a frontend called, I don't know, http_80, you can name it anything you want. Now, the first parameter you want to do is actually bind: what are you listening on in this frontend, so your consumers can connect to you? Well, I'm listening on port 80, because that's my vanilla port, so you can do either
0.0.0.0:80, OK, which means listen on all the interfaces that you have in your network. We can just do this, or whatever, it's easy, right. Sometimes your application, especially in the cloud, will have multiple network interfaces, as you have multiple network cards, right, and you want to know which network you are referring to. I have just the one, so I'm gonna say, oh, listen on this, right. What's the next thing? Remember, guys, there is a timeout, very important, on the client, it's called timeout client, very simple; it's called client because the timeout here is for the client: I want to disconnect the client if they don't communicate with me in 60 seconds, right, that's what it means, very simple stuff, right. Cool, that's the frontend. Let's build one backend. Backend, if you can read, I think you can read; let me zoom in just in case. I'm gonna create a backend called all servers, this will literally have all my servers, and my servers are called server. I'm going to create server one, server 2222, and that's where my server is: server 2222 is 127.0.0.1, because it's running on the same machine, and it's running on port 2222, remember guys, that's my application that we just executed. You can either use localhost or 127.0.0.1. Server 3333, 127.0.0.1, sorry, server 4444, 127.0.0.1:4444, and finally server 5555, 127.0.0.1:5555. Cool. We have something missing here, a bunch of things actually. How many timeouts do we have in the backend? We have two timeouts. Timeout connect: how long do you want me to wait before I give up connecting to the server, for the backend servers, all these guys, for the first time? So if I'm attempting to connect, how long do you want me to wait? I mean 10 seconds is really a lot, but let's say just 10 seconds; if the backend doesn't respond within 10 seconds, give up, guys, OK. And then timeout server: if I'm communicating with the backend
and I made a request, how long do you want me to wait before I give up, right? Say I made a request to server 3333 on app one, and app one was taking a long time to respond; I would say, like, I don't know, 100 seconds, then just kill the server, right. You can see that this is a very general timeout, right; as you make your backends specialized, right, you can make backends for application one, which you know takes more time, you can have better and more specific timeouts, and a backend for application one which you know is very fast, it could be like, hey, this has to be like one second or two seconds, if it's more than 2 seconds it's probably very slow, right. And guys, I'm talking in seconds, this probably should be way less, right, if you think about it. All right, the final piece, I think I'm missing something: the frontend has nothing to do with the backend, how do I connect them? Default backend: what's the default backend for this frontend? The default backend is all servers, and that's that. Let's save, escape, colon wq, right. How do I run it? Let's see, hopefully I don't have any errors: haproxy, because we installed it we can do that, -f, what configuration do you want to consume, test.cfg, and it looks like I don't have any errors. How about we go and test this thing, localhost:80, or just nothing, I do localhost, served by node 2222, and if I refresh I hit the second one. But look at that, guys, this is not round robin; you, Hussein, you promised round robin, this is not round robin, I'm stuck to port three or four, I'm stuck to some node, why is it like that? Very good question, right. We're gonna come to that, because the default mode of communication is TCP: we're using HAProxy as a layer four proxy. As a layer four proxy, that means the moment the browser communicates with HAProxy, it says, hey, this is layer four, so it will forward me to one of the backends and will create a stateful TCP connection, that's the browser, right, the browser is creating a TCP connection
because, assuming HTTP uses TCP, the underlying TCP is now connected and it's alive, because the browser wants to keep connections alive as much as possible, right? So when you do that, on the next request the browser is not gonna create another connection, it's gonna just use the same connection which has been established to a certain backend server. So that's why, when you refresh, sometimes you see it and sometimes you don't, because the browser has six connections to work with; this is something we talked to you about, right? As we see, it's sometimes confusing here, but if you go to telnet you see this very clearly. Let's go to telnet. Let's do this: telnet, I'm gonna connect to 127.0.0.1 on port 80, and I'm connected. I am connected already because this is an HTTP server. I'm gonna do a GET. Right, what do I get? See, we got 3333 immediately, right? If I do it again I get 4444; if I do it again I get 5555. This time it's actually round robin-y, right? It is actually round robin because every telnet is actually a new TCP socket created, right? That's why it's round robin, look at that, cool stuff. Now we know this is TCP. We don't want to reuse TCP; how about I use HTTP mode? How do you do this? Very simple: we say that the mode is http, right. If you don't specify the mode, the mode becomes tcp by default. Okay, my mode is http, and here my mode also has to match, guys. You don't want to mix modes, that's bad, right? I mean you can have mixed modes if your frontend and backend have the same mode, but you don't have the frontend connect to the backend with different modes; that's just a recipe for disaster, I have no idea what will happen. Okay, let's run it now. It's listening, then boom, refresh. Now that's more like it, it's
round robin. Now you know why, guys, because the final destination here is actually HAProxy. The browser connects to HAProxy and says, hey, connect to me; that's one connection, the TCP connection ends at HAProxy, and it says please send me this request, and HAProxy now has the ability to funnel and load balance because it owns the stuff, right? So once it receives, of course, this is a new request; every request is a new request to it, because it treats it as stateless as possible, unlike TCP. TCP mode is almost stateful: it just creates a NAT table and then always forwards to the same backend. Here, no, it's using the actual round robin, so every time I refresh, every request goes to HAProxy, HAProxy funnels it to the backend, which is amazing, guys, alright? Isn't that amazing? Alright, so we did that, we did HTTP, we did the layer 7 proxying, we did the layer 4 proxying, right? How about we actually create two backends, one backend for application one and one backend for application two, so that if a user wants to go to application one, what will happen is I want to always go to, I don't know, these two: 2222 or 3333 will be responsible for application one, these guys will be responsible for application two. How do I do that? If today I do application one, localhost/app1... oh, I just told the server that's running again. If I do that, it's still round robining on all of the servers. I don't want that; for application one I want just 2222 and 3333. Okay, how do I do that? Application two obviously is doing the same thing, it's just round robining on everything, okay, I don't want that. So what I want to do is create two backends: backend app1servers, let's be fancier like that, camelCase, and I'm gonna create another backend called backend app2servers, and you guessed it right, I want
to use for app1 connect the same timeout. For app1 I know app1 should not take more than 10 seconds to execute any request, so I'm gonna use a different timeout for the server, and server server2222 127.0.0.1 2222, and then, I didn't name it correctly, 3333 127.0.0.1 3333. So that's my backend app1, and I want the timeout for app2, I know, let's put it more than that, I don't know, 300 seconds; app2 is just very expensive, I don't know, it calculates prime numbers and stuff. So server4444 127.0.0.1 4444, and then you do server5555 127.0.0.1 5555. Sweet, sweet, guys, that looks good, all that stuff is good, right? So now all that we need is, in the frontend, we need to do a condition here, guys, and the condition is, here's the thing, I want to use an ACL, which is the access control list, right? And I'm gonna create a new ACL called app1. This is a brand new ACL called app1, and app1 is nothing but a path: if the path ends with app1 I want you to call this request app1, and if the path ends with app2 I want you to call it app2. And here's the thing, this doesn't really flip the backends, right? And here's the cool part: there is a command called use_backend, use underscore backend. I want you to use the backend that is called app1servers, which is this guy, if app1, if the request is of type app1, then use app1servers; forgot to add one. And I want you to use app2servers if the request is of type app2. Okay, there are other ways that you can do the whole thing here with curly braces; I'm gonna show how to do that. You don't have to define it this way, this is just one way of doing things, right? And there are all the exact examples in the configuration; I took it and made it my own. Obviously I took it from the actual HAProxy documentation, I'm gonna reference it below, right, and I just took it and rolled my own essentially, the ideas around it. Okay, so
how about we test this thing now? Anything that goes to app1 will go to this server backend, which is just 2222 and 3333; if it's app2, it will go to this guy, these puppies, right? If it's anything else, it will use the default backend, which is all the servers. How about we do that? Save, and it yelled at us; let's see what's going on: tries to use incompatible TCP backend. That's what we'll talk about: if you're using a TCP backend for an HTTP frontend. I'm glad that we ran into this problem, guys. So the problem here is you're using an HTTP frontend but the backend is actually TCP, right, because that's the default, right? So how do you fix it? I want mode http, okay, and I want here mode http. Now, oh guys, the defaults section becomes very handy, because, like, for everything, if I don't specify, use these defaults, please. That's where the defaults come in handy, but I didn't want to introduce it in the beginning because it would be confusing, and I think you agree with me, guys; right now you really know what to add, right? Please, guys, do yourself a favor, never copy anything and paste it and run with it, right? Please use collateral knowledge: anything you want to learn, learn it and then understand why you are doing it this way, because every line of code you put has a meaning, and when you understand, you become a better software engineer, a better developer. Never copy stuff from Stack Exchange, I beg you guys, never do this. Okay, let's do this. Save, no more errors, because if you get an error you'll understand, you'll learn, that's how life works, for God's sake, right? Let's do this now. Now, oh, app2, we're only round robining from 4444 and 5555. How coolish is this, guys, right? How cool is this, right? And app1 is just round robining from 2222 and 3333, and if I do just the homepage it's going through all of them: two, three, four, five, two, three, four, five, two, three, four, two
three, okay. Sweet, sweet, sweet. Okay, I want to do one more thing. I want to show the balancing algorithms, okay? Let's say app1 is a bad application that is written very stateful-y, okay. I'm not saying stateful applications are bad, I'm just exactly saying that stateful applications are all bad, that's contradictory, right? So app1 is a stateful application and requires to be sticky, right, and that means if you connect to me for the first time from the client, I'm always gonna forward all the requests to one and only one backend, okay. So in this case I'm gonna use the balance called source; I think there is a leastconn, you can play with those, guys. Round robin is the default if I don't specify, but balance source here, that means app1... let's see, I didn't really test that, so it'll be interesting. Okay, so if I go here, I'm going through all of them. If I go to app1, I didn't change the... alright, there we go. Let's go to app2, flipping; app1 is stuck to 3333 because we told HAProxy, and since my client IP is not changing, obviously, unless I restart my router to get a brand new IP address, that will change, but as long as I have the same client IP address this is gonna remain the same thing, okay. Probably if I connect from my phone this is gonna be different, right? I didn't try it, but I'm gonna try it, I might show it here, okay, I'm not sure, but it's gonna be the same thing essentially. Okay, so that's the idea. So we've shown all that stuff; what's next, guys? The admin page. I want to block this thing, guys, I don't want anyone to access admin. So again, I don't want anyone to access admin from the localhost perspective, okay, I want no one to access this really, okay; only when they go directly to the application, like 5555/admin, they can access that. I want to do just that, right? So this is open, but I want to block this. How do
I do this? Okay, very simple stuff, let's do it: vim test.cfg. I'm gonna copy... oh, by the way, guys, all this configuration will be available for you guys in the description, I'm gonna do a GitHub page, all that jazz. Still recording? Cool. What else? Yes, so what I want to do here is do another ACL where, if the path begins with admin, I want to block it. How do I do that? I'm gonna do it in a fancier way now. You can still do it with an ACL and define, like, I don't know, block_admin, whatever, but you can do it this way as well: http-request, I want to deny any request if, and you can put the ACL between brackets like that; this is exactly like that, right? Alright, so what I want to do: if that path has in it, here's the thing, path_beg, begins with admin, I want to block that thing. Okay, how do we do that? Let's start to do it. Okay, alright, I do localhost/admin, we got forbidden. That's pretty cool, guys, isn't it? So now anything that begins with admin will be blocked, right? And I'm gonna reference all these ACLs, guys, alright? You can do so much stuff with HAProxy, it's amazing, guys, really, for an open source software, man, kudos to everyone who worked on this beast of a software. Alright, so what if I do... I can access that directly, and probably if you have access to the backend server that means you are already an admin, SSH'd in and stuff, right, but public people cannot access this stuff anymore. Alright, before we jump to the other topic, which is doing HTTPS, how about we create a domain, okay, and go to no-ip.com, create a domain, and then make it point to my public IP address, right? My public IP address connects to my router obviously; my router, I opened port 80 and 443 to flow through to my machine, which is the Mac. Let me show you that part. Alright guys, so I'm here in my router, I have done this before, you probably can do the same thing, right? My device is called Hussein's Mac, this is my public IP address currently, and I made two rules: if it's HTTP, anyone coming to the public
IP address going through port 80, I want to forward it to Hussein's Mac, to my machine, which will also be running HAProxy, probably on port 80, and if they're going through 443, take them to my machine as well. So those are the two rules I have here. So if I took my public IP address now, just as it is, yeah, and let's first run... are we running HAProxy? Yes we are, okay, HAProxy is running. So if I take my public IP address and do that, it works, right? Even from my phone, if I did that, it works. But public IP addresses are ugly, so what we do is go to no-ip.com, create a domain for us, and then have that domain point to the IP address. Alright, so this is probably the easiest thing: go to no-ip.com, guys, and just sign up, it's free. And what I'm gonna do here is create a hostname essentially. I'm gonna go ahead and create a new hostname, DNS, right, and I don't care about anything really, and you get a bogus free domain, right, because you don't care, because you're not paying for this thing, right? So you get a bogus A record, that's what we want; we're gonna create an A record, host, hostname, so ddns.net, I'm gonna call it husseinhaproxy, husseinproxy, something like that, right, anything. I don't think anyone has husseinproxy.ddns.net; that would be my website, and we're going to be pointing it to my IP address, which we just proved works, right? So I'm gonna go ahead and create a hostname, and now this thing, if I do this, after a while, it takes time to update. I'm gonna refresh whenever it's happened; whenever this updates, it's gonna take some time, but once it updates it works immediately, okay. So that took about three minutes or so, actually less than that. Now I have a public website, husseinproxy.ddns.net. It's not secure, but it's working, right? So now you have the basic pieces, right? So let's talk through this a little bit. I have a DNS on no-ip.com that points to my public IP address, which is my router, my local router on
my machine, my local network. My router, I configured a rule to forward port 80 and 443; obviously this is just port 80 because it's not secure, and 443 will come in the future when we enable HTTPS in a minute. But port 80 forwards to my machine, which forwards to localhost, right? If I do localhost, that's my machine, or just the same Mac; another thing, you can do it this way, all of them go to my machine, right? Cool. My machine essentially goes to HAProxy, HAProxy talks to five, four backend servers. Coolish, coolish. How about we start enabling HTTPS? These are the basic stuff you need; the next step, we're gonna connect to Let's Encrypt, get a certificate, get a public key, the private key, okay, merge them into one file, give it to HAProxy, tell HAProxy please listen on port 443, because now you're dope like that, okay, you can listen on that thing, you're gonna start encrypting stuff for me, okay, and then we're gonna finish this HTTPS. How about that? Let's do it. Okay, so the first thing you want to do is kill HAProxy now, because nothing is listening on port 80, so if I start doing this, this will fail, right? This will stay connecting, will say connecting, and then it will just die, right, because it's not running. Cool. What we want to do is actually install a library called letsencrypt, so we're gonna go and install it: brew install letsencrypt. So that will install something called certbot, which will create a certificate for us, okay? So let's go ahead and install it. I'm not sure about the commands for apt, for Ubuntu or other things, but just look them up; it's just like we're gonna install this letsencrypt. I'm gonna reference the libraries to do that thing, okay. Now we have certbot. This will allow us to generate a certificate, and the certificate is what identifies a server as a public IP... as a certificate authority; Let's Encrypt is a certificate authority that tells that husseinproxy.ddns.net is a legit thing that is
registered with us, and we know him and he's good, he's a good guy, right? So that's what the certificate is; essentially it generates two files. So let's go ahead and generate this public key, private key, and if you're confused about public and private keys we made a video about encryption, I'm gonna reference it here, guys, go check them out. I really recommend you understand that stuff, and TLS, all that stuff, I really recommend you understand how this stuff works, try it, because at one point in my time I didn't understand, I just got that urge to research and learned it, and I made a video so everybody can also learn, because that's the goal of this channel: everybody can learn, become a better software engineer altogether. Alright, so now what we need to do is generate essentially, yeah, a certificate, and in order to do that we need to use sudo because it's going through certain directories, and if you think about it these private key, public key are very secure; you probably only need your root to access that stuff, right? So you do sudo certbot, right, certonly; you can do certbot because you just installed letsencrypt on your Mac, okay, and you do --standalone, and here's the thing, you're gonna get asked some questions, guys, okay. You're gonna be asked for your password; just enter your password, that's the Mac password, right? Okay, now it's asking for my email address. You can leave it, but you can also put in an email address. I'm gonna put my email address, feel free to contact me, it's okay guys, it's just so they can email you in case something happened, right? And this is my email address, and the next step is, like, okay, please read this first, and I agree to the things, right, I agree. The next thing is like, hey, would you be willing to share your email address with the Electronic Frontier Foundation? No, I don't want to share, okay. And now please enter your domain name, comma separated; you can have multiple domain names. What's my domain name?
It's called husseinproxy, I hope I don't butcher it, .ddns.net. And it's very critical, guys, that you're not already listening on port 80, because what this thing does, it actually listens on port 80. That's probably why it's running as sudo as well, because it needs to listen on port 80 so it can communicate with Let's Encrypt, and it just does some negotiation, like, okay, this machine is actually husseinproxy.ddns.net, we believe this guy, he's cool, right? We do that, and just like that, it's just communicating, listening on port 80, and we have two beautiful things here, guys: we get this public key, with this private key, yeah, public key, private key. Private key, just your server knows about it; public key, everybody should know about it, it's okay, we don't care, okay. But here's the thing about HAProxy I don't really like, but sure, they want it this way: HAProxy wants one file only, they don't like the two files, right? So you have to merge these two files into one. It's no really big deal, but what you do essentially is you cat this with this and you tee it into another file; that's just a common thing, right? So you take the content of this, take the content of this, merge it into one file, and give that file to HAProxy, right? So how about we do that, guys? Okay, so what we're gonna do is, I'm gonna copy this guy, oops, and do sudo because all of these locations are very secure, they are /etc stuff, right, so you cannot just access them without sudo. So you sudo cat, take the content of this thing, alright, and take the content of this thing; copy, don't listen, take the content of this thing and cat it. This will give you a result, right, because cat will take the content, take the content, and will give you the result, and I don't want to print it, I want to write it to another file. I want to write it with sudo tee. tee actually takes the input from the first parameter and writes it somewhere else. I just
want to write it. Okay, bad idea, but you can just decide to write it anywhere you want, right? What I'm gonna do is write it in a specific directory, right? Let's do that. So I'm gonna write it to Users, Hussein Nasser, haproxy, which is the folder we're in; I'm gonna call it haproxy.pem, which is the same extension, the same thing, but now this guy has both a private key and a public key, right, and it is in the same directory. How about that, guys? So now if I do ls, you have haproxy.pem, boom. So technically you can go to test.cfg, the configuration, and let's bind 443, guys, okay? I'm gonna bind, and the same, you can do the same; let's change the frontend here, I call it now http and https, whatever, right, because now it's actually there, 443. And here's the thing, you can stop here, but then you're not gonna have any TLS, right? We want TLS, baby, we want to do it. So how do we do TLS? Very simple, let's try. Again, all this configuration will be in the description, guys, okay. So what do you do? For 443 you bind it, but you want this ssl, right, and so that means you want... I suppose it says SSL but it's actually TLS; nobody uses SSL 3, that's a bad idea, you don't want to be downgraded, you don't want a downgrade attack, right, that would be bad. And then crt, okay, the certificate: where's my certificate, man? Where is it? It's in Users, Hussein Nasser, haproxy, it's called haproxy.pem. I nailed that path, I'm sure, okay. And that's it really, right? That's the only thing we need just to support HTTP/1.1, right? HTTP/2 is a little bit of an extra parameter that we're gonna talk about in a minute. Let's do that now. If I do haproxy -f test, look at that, oh guys, look at that, we're getting a new message now. It says something about setting tune.ssl.default-dh-param, it says 1024 by default, if your workload permits it you may want to increase it. What the heck does that mean? So TLS by default, especially the latest version 1.3, which HAProxy
thankfully supports, right, uses Diffie-Hellman; that's what the DH stands for, Diffie-Hellman, and we talked about that in the encryption video and the TLS video. And Diffie-Hellman ephemeral specifically, Diffie-Hellman uses, hi there, there's like a bit size of the keys, right, 1024, 2048, right. So the default for my computer for some reason is 1024; HAProxy is still telling us this is a bad idea because 1024 is gonna take, I don't know, five years to break, right? We want to use 2048 so it can take 35 years to break a key, okay, I'm being sarcastic here, but it is just a good idea to make your bit sizes as high as possible, taking into consideration that your processor supports it, because that's crypto stuff, right? More bits, more power, more money, more problems, that's what happens, right? So if you have more money, just add more bits. Okay, good stuff. I'm gonna shut up right now. Alright guys, we're secured now, let's test it. Alright, so this is the HTTP version, not secure. What happens if I do HTTPS? Holy moly, look at that, I'm secure, babes, I'm secure, valid certificate and stuff. Look at that, look at that, and you can access it from my phone as secure, the certificate is valid, all that jazz, and this is public, I can give you this link and it will work, right? All the logic we did: app1, app1 is now stuck to 2222, right? Did I change my IP address? I don't remember changing it; looks like it did. app2 is doing that thing, home is just funneling through all that stuff, and admin is inaccessible, because I'm secure, I'm sending this publicly to people, shady people, right? You don't want shady people to access admin, right? But shady people will never have access to your localhost:5555/admin, right? They don't have access to this thing anymore, right? Why is this? Oh, this is HTTP, so, yeah, you get it, guys. Alright, I'm secure, all that jazz, but here is my beef with this thing: if I go here and I refresh, what does this
thing... what century is this? HTTP/1.1, seriously? I'm secure and you're telling me this is secure with HTTP/1.1? Boo. We want to be h2, babes. How do we do it? h2, easy-peasy Japanesey. You go to test config, and mister HAProxy version 2, I think 1.8 supports it actually, but you can just add an extra parameter here on the end, and here's what we're gonna do, we're gonna explain this thing, okay: application layer protocol negotiation. We talked about application layer protocol negotiation; this is the coolest thing, that underappreciated protocol in the entire software engineering, okay, nobody gives a rat's ass about this protocol, but it's one of the most important things, right? Application layer protocol negotiation is an extension of TLS, and since you're doing TLS, especially 1.3, which is what HAProxy does, we're doing it in one round trip versus two, and back in one, two, right? Now someone, I think Google, I think Google came up with it, I might be wrong, correct me if I'm wrong, Google said screw this, I don't want to negotiate my protocol after TLS, right, because that's just another request, because they say hey, HTTP Upgrade websocket, HTTP Upgrade h2, right, I want to go to HTTP/2, upgrade me. This stuff is nasty, guys, you do not do another request because you will essentially be a victim, could potentially be a victim of SSL stripping, right, because a man-in-the-middle attack can sniff that HTTP Upgrade request and say nope, right, the server doesn't support HTTP/2, and then they force the client to communicate with HTTP/1, and this is kind of a downgrade attack if you think about it, right? It's more like a downgrade effect; well, it's decided, it's a downgrade attack, right, and also it will strip the SSL and things, it's actually both attacks, yeah. That's why Google said, you know what, what if all of this TLS negotiation... let us do this thing during negotiation, so TLS is an extension... ALPN is an
extension of TLS that can negotiate protocols during the handshake. How powerful is this stuff, guys, okay? And after the ALPN you can negotiate, what, h2, which we made a video about, because we made a video about everything software engineering, because we want to become the best software engineers in the world, guys, okay? So you can do this, guys: alpn h2, right, and I want to also support, because you might want to remove this, but sure, you want to support HTTP/1.1, how you support both of them, right? And all of this will happen during TLS negotiation for you, guys. If you're confused about TLS, watch the video we did on TLS, right? It's very... a lot of people yell at me because I don't go very deep in that video, but I'm comfortable with the level I go to there, because I'm a software engineer, I'm not good at network engineering, I don't know how the headers look like, and I don't care, frankly, okay? I am a software engineer, I need to know how many round trips are happening and that's pretty much it, okay? If you get the general idea, that's what matters, okay? Alright, I might be wrong there. Let's save this thing and let's upgrade ourselves to HTTP/2. Are we HTTP/2 yet? Are we HTTP/2, sir? Are we not? Touch a bit here, babe, we're HTTP/2, son, we are HTTP/2, done. How coolish is all this stuff, guys, alright? Go back to the slides, let's summarize this thing. Summary. Oh my God, guys, this was awesome, right? I'm happy I did this video, right, I'm really happy, right, I learned a lot. I'm gonna reference all the resources, all the blogs I read during this research so you can go check; I credit all of that stuff, right? Okay, none of the examples are copy and paste, all of the examples are mine, right, all of the examples you see here are actually ones I wrote, and I never copied anything, right? I read the ideas; obviously I cannot make it up out of my ass, right, I have to read, okay, unless you're just kind of psychic and just understand how stuff works, right? So most of my stuff I read from the documentation, a couple of
blogs, and that's it, okay. Current and desired architecture, right, so we discussed that: that's the current, that's the design we want to be; you enable HAProxy as a layer 7 reverse proxy, the load balancer, that's what we did. We talked about the HAProxy frontend, the backends, all this configuration jazz, ACLs, right. We made HAProxy a TCP proxy, we saw how it works for full stuff; we made it an HTTP proxy, a layer 7 proxy, as well. We learned about ACLs; we blocked the admin page with an ACL, because now I can look, right, I can do it. If we enabled TCP and didn't do it, it will not work, because HAProxy will not have access to the headers or the GET parameters to do that for you. TLS termination, TLS pass-through, powerful concepts, guys, right? And finally we did a very lengthy example. I hope you guys enjoyed this; share with your friends. I'm gonna break this video down and put it into my highlights channel, if you're interested, for people who just want to learn a piece of it, right, who are obviously not gonna watch the whole video. But if you watched all of it, thank you so much, really appreciate your support. Give it a like, share with your friends, let's make this channel reach as many people as possible so we can help change the lives of fellow software engineers, so we collectively become better software engineers. So see you in the next one, you guys, stay awesome.
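Here is the whole configuration the walkthrough builds up, written out as an added example (not the author's own test.cfg, which he publishes in the description): the defaults section, the HTTP frontend with the app1/app2 ACLs and the admin deny, TLS termination on 443 with ALPN for h2, and the three backends with the ports and timeouts used above. The certificate path is a placeholder for the PEM made by concatenating certbot's fullchain.pem and privkey.pem; everything else uses the names from the video.

```haproxy
# Added example, not the author's test.cfg. Backend ports, ACL names and
# timeouts follow the walkthrough; the PEM path is a placeholder.

global
    # HAProxy warns at startup if the DHE parameter size is left at 1024;
    # raising it to 2048 is what the walkthrough recommends.
    tune.ssl.default-dh-param 2048

defaults
    # Without this, a frontend in mode http paired with a backend that
    # silently falls back to mode tcp fails at startup ("incompatible TCP
    # backend"). Putting the mode and the timeouts here applies them to
    # every frontend and backend that does not override them.
    mode http
    timeout client  60s
    timeout connect 10s
    timeout server  100s

frontend http_https
    bind *:80
    # TLS termination: HAProxy owns the TLS session, so it can read the
    # request path for the ACLs below. ALPN advertises h2 first and falls
    # back to HTTP/1.1; the choice is made inside the TLS handshake, not
    # via a separate HTTP Upgrade request a middlebox could tamper with.
    # PLACEHOLDER path: point it at your merged fullchain+privkey file.
    bind *:443 ssl crt /path/to/haproxy.pem alpn h2,http/1.1

    # Named ACLs: classify a request by the end of its path.
    acl app1 path_end -i /app1
    acl app2 path_end -i /app2

    # Block /admin at the proxy, using the inline curly-brace ACL form.
    # This only works in mode http; in mode tcp the proxy never sees the
    # request line, so the rule would have nothing to match on.
    http-request deny if { path_beg -i /admin }

    use_backend app1Servers if app1
    use_backend app2Servers if app2
    default_backend allServers

backend allServers
    # balance roundrobin is the default, so it is not spelled out here.
    server server2222 127.0.0.1:2222
    server server3333 127.0.0.1:3333
    server server4444 127.0.0.1:4444
    server server5555 127.0.0.1:5555

backend app1Servers
    # Stateful app: hash the client IP so one client always lands on the
    # same server. Fast app, so a short server timeout.
    balance source
    timeout server 10s
    server server2222 127.0.0.1:2222
    server server3333 127.0.0.1:3333

backend app2Servers
    # Expensive app: allow a long response time.
    timeout server 300s
    server server4444 127.0.0.1:4444
    server server5555 127.0.0.1:5555
```

Run `haproxy -c -f test.cfg` to check the file for errors before starting it; the mode mismatch the walkthrough hits shows up at this step.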
Info
Channel: Hussein Nasser
Views: 105,488
Keywords: haproxy, haproxy https, haproxy http2, haproxy tutorial, haproxy course
Id: qYnA2DFEELw
Length: 72min 18sec (4338 seconds)
Published: Fri Dec 27 2019