one public address and multiserver (web1, we2, webx) setup : how to ?

Hello,
I follow manual (bought here ;-)) and the perfect server nginx, debian 10 (which no correpond to multiserver setup ;-)).
Not so easy to jump from one doc to another when your newbie in ispconfig (lol) ;-)
But i made it !
My setup is protected by a pfsense firewall (in final config we will have 4 public ip adresses, shared on two differents wan link) :

• ns1,
• ns2,
• webmaster (isconfig master gui)
• web1 (server for client' sites , ssh)
• web2 (server for client' sites , ssh)
• db1 (mysql server 1)
• db2 (mysql server 2)
• mail1 (mail server 1)
• mail2 (mail server 2)

THE question is : How to forward http/s request for client sites hosted on web1 AND web2 , with correct URL and so ... with correct cert (let's encrypt)?

On my old setup (no ispconfig) i proceed with HAproxy, then redirect traffic with ACL (exact URL) matching to all ours backends.
Here If i put HAproxy before my "ispconfig" web server ... i lost all the cool features of ispconfig for GUI admin ... :-(

 

The more i test ispconfig the more i think it's not done for multiserver with dedicated services (like i want)
I think i'ts made for several servers BUT with all in one :
server1 : web, db, mail , ftp, jail etc features
server2 : web, db, mail features
server x : ....
And so on , am i wrong ?

 

you say sites on web1 AND web2, are these the same sites being mirrored on both servers or different sites. if they're the same sites it doesn't really matter how you direct the request, do it based on round-robin, source, server load, etc. haproxy does all those perfectly fine. the important part would be to either make the request/connection persistent, or use a shared redis (or similar) instance for the webservers to use for session data.
if they're different sites, you need to redirect based on the domain name part of the request, which you can do like this:

Code:

 frontend https--in
  bind 1.1.1.1:443 ssl crt /etc/haproxy/certs
  mode http
  option httplog
  use_backend bk_1 if { hdr_dom(host) -i www.example.com }     { dst_port 443 }
  use_backend bk_2 if { hdr_dom(host) -i apps.example.com }    { dst_port 443 }
  use_backend bk_3 if { hdr_dom(host) -i www.otherdomain.com } { dst_port 443 }

and just specify the relevant backend sections for each webserver in haproxy.

if you want to use tcp mode with ssl passthrough instead, you could try the accepted answer here: https://stackoverflow.com/questions...gh-to-multiple-domains-with-multiple-backends

 

Hello Th0m,
yes but when we deploy (wordpress) it create DB on webserver "web1" mysql db ...
Not on server "db1" ...
Perhaps i have forgotten something ;-) ?

 

we can't have more than 4 or 6 ipv4 public.
Ipv6 is in the pipe for this infrastructure

 

yep. you've enabled db services on web1. if databases are only going to be on db1 and db2, disable the db service in ispconfig server configs for web1 and web2, and remove them from the clients db client limits, remove them from the limit templates as well if you don't want it to try creating db's on web1 and web2 for new clients as well.

 

"if they're different sites, you need to redirect based on the domain name part of the request,"
Yes that's it.
But did this setup kill , let's encrypt or anything else in ISPconfig setup ?

 

yes.
(Note : addons update list , is not working , repository seem to be down .. error 404)

 

oh yeahh ;-)
And this will no break anything on thoses server ? (break ISPconfig conf on web1 or web 2 ) ?

 

According to you which setup is the best :

1. dedicated server for each roles ?
2. or all in one server (x servers) ?

perf. point of view ?

 

Thank you th0m.
We are an associative webhoster.
Now we have 75 user (so about 6 clients domain ..)
We have two firewall pfsense, two wan links, 3 node with each :

• 96Go RAM,
  
• Bi-xeon X5677,
• 10 slots sATA,
• proxmox on 2 ssd (mdadm).

Ok , let me know if this seems to be correct for you ... (isconfig inside)

 

we got 4 public ip (with ipv6 no issue at all)
This is why haproxy will do the job ;-) (and protect ispconfig !)

 

I have been reading this and all I can say in short, the ISPConfig multiserver should work fine with single or multiple fixed public ip with proper setup and configuration, and since you have 4, it should be more than fine.

I can remember one quite recent thread discussing on using nginx reverse proxy that works for letsencrypt creation and renewal that may be related and useful and which I believe you can surey dig out in this forum.

Other than that, always dry run before running live / production servers, whether you are an experienced / expert web hoster or otherwise as different softwares normally have different ways in doing things.

So, good luck.

 

thank you ahrasis