Totally agree, very well researched!!

Yeah they are super geeky! But often fill in some of the knowledge gaps on a particular topic that others don't mention. So I love them.

I'm working on a Caddy video, planning on migrating my website from Linode object hosting to Caddy on a VPS and there will be a Caddy video when I transition.

Glad you like it!

If the backends can do TLS-ALPN-01 challenges, then the backend server can do ACME on its own. If it can't, you can use L7 forwarding on port 80 (some code for this on the blog post, it's similar to the L4) to let the backend server do its own HTTP-01 challenges.

Same here. Pfsense in a VM, does all the magic.

​@@apalrdsadventures Personally, I'm using DNS-01 challenges via cert-manager in my local k3s cluster. Is k3s/k8s something you have ever dabbled with or have an opinion on?

Kubernetes adds a layer of complexity that isn't necessary for most deployments (it's designed for *very* large scale systems). At smaller scale there are easier to manage solutions. At least Kubernetes does have good design for scalability, Docker networking is a total nightmare.

In IPv4 you'd port forward from OPNsense to the HAProxy server, and in IPv6 I'd create an alias with all of the v6 addresses and another with the ports (80/443) and allow those through the firewall.

@@apalrdsadventures Thanks for the quick reply. I will try that in my setup

ISPs are supposed to keep them sticky for a given DHCPv6 PD client, as long as you keep renewing the DHCP lease on time. In my case, the prefix only changed when Comcast updated their routers in my area, other than that it's been fixed for years at a time.

Temporary addresses “jump around” as your computer/device creates them randomly at startup/connection. Permanent addresses are more fixed because they are either issued by a stateful dhcp server or generated using the MAC address of your device.

At least with Caddy's proxy protocol module, you can specify which CIDR range to expect proxy headers from, so if you set that to the IP of the L4 proxy, it will still work correctly for everyone else.

why not try L3-DSR ? u can preserve the IP there !!!

Yes, you can do that. HAProxy is a full reverse proxy, it's just particularly good at TCP stuff compared to nginx or Caddy. If you are using TLS and can use SNI, you can use a single bind directive in HAProxy and use the same config as the example, but with IPv4s on the different backends. If you aren't using TLS, you probably should be, but also you can add as many IPv6s as you want to a single host, and create an HAProxy frontend for each address (instead of using different ports). From there, each frontend can go to a specific backend. You can also create multiple frontends on different ports of the same IP if that's what you like better. And HAProxy can also terminate TLS like nginx/Caddy, but Caddy would probably be easier to setup since it can handle certificate renewal automatically.

@@apalrdsadventures I am not deeply involved into this subject, but it is only intended to make a IP-Camera rtsp -Stream accessible over a public IPv6 address. And as clients on the internet you chose VLC or Kodi to render the Video-Stream. There is no additional security setup needed (TLS, Certificate) nor more than one domain per Server-IP (SNI). If you could provide an configuration example / Link?

RTSP also relies on RTP (over UDP) for data, so it's not as easy as just port-forwarding since it uses two different ports. You'll probably want a restreamer like go2rtc, which connects to the RTSP+RTP backend and separately exposes an RTSP+RTP frontend.

Probably a strong distrust of Oracle as a company

@@apalrdsadventures i hear ya, but its a lot of VPS for free

HAProxy is particularly good at layer 4 stuff, which is what I'm doing. If I was doing a TLS-terminating proxy I would be using something else.

Nginx is a web server first.

I'm using Certmagic in Caddy on the backend server, so the certificate is only in one place