- Root on the irc server
- Recent kernel
- C compiler
- haproxy (or hitch, or another SSL offloader with PROXY protocol support)
- Downloaded copy of https://github.com/cloudflare/mmproxy
The setup: haproxy listens on the external IP and forwards the connection to mmproxy on localhost, and mmproxy forwards it to the ircd.
Used ports:
- ip:6697 haproxy, tls
- 127.0.0.1:16697 mmproxy
- 127.0.0.1:6667 ::1:6667 ircd
Most of this is explained in the README.md of mmproxy, so this is what I did outside of the changes mentioned there.
This haproxy configuration listens on ports 997 and 6697, strips the SSL, and redirects the connection to 16697 with a PROXY protocol header:
listen irc-in
    bind :997 ssl crt /etc/haproxy/cert/
    bind ipv6@:997 ssl crt /etc/haproxy/cert/
    bind :6697 ssl crt /etc/haproxy/cert/
    bind ipv6@:6697 ssl crt /etc/haproxy/cert/
    mode tcp
    timeout client 15m
    default_backend irc

backend irc
    mode tcp
    timeout server 15m
    server localhost 127.0.0.1:16697 inter 1000 send-proxy check-send-proxy
    # splitting over multiple mmproxies is possible of course
The systemd service file for mmproxy: it listens on 16697 and redirects the connection to 6667 over IPv4 or IPv6, depending on the address in the incoming proxy header. ip.txt contains localhost.
[Unit]
Description=IRCD MMproxy Server
After=syslog.target network-online.target unbound.service
Requires=network.target
Wants=network-online.target nss-lookup.target
[Service]
Type=simple
User=ircnet
ExecStart=/usr/local/bin/mmproxy -l 127.0.0.1:16697 -4 127.0.0.1:6667 -6 '[::1]:6667' --allowed-networks /etc/mmproxy/ip.txt
ExecReload=/bin/kill -HUP $MAINPID
Restart=always
LimitNOFILE=32768
AmbientCapabilities=CAP_NET_ADMIN
[Install]
WantedBy=multi-user.target
The routing is just what mmproxy advises in the manual for connections to localhost:
ip rule add fwmark 123 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100
ip -6 rule add fwmark 123 lookup 100
ip -6 route add local ::/0 dev lo table 100
In the ircd configuration, nothing except adding 127.0.0.1:6667 and [::1]:6667 to the listening sockets.
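
The hand-off between haproxy and mmproxy described above, as an added example (not code from mmproxy or from this setup): a parser for the PROXY protocol v1 line that haproxy's send-proxy prepends, with a model of the two decisions made on it, namely whether the sending peer is in the allowed networks and whether the connection goes to the IPv4 or the IPv6 ircd socket. The function names, the sample bytes and the 127.0.0.0/8 entry for ip.txt are assumptions made for the illustration.

```python
import ipaddress

# Backends taken from the unit file: -4 127.0.0.1:6667 and -6 [::1]:6667
BACKENDS = {"TCP4": ("127.0.0.1", 6667), "TCP6": ("::1", 6667)}
ADDR_TYPES = {"TCP4": ipaddress.IPv4Address, "TCP6": ipaddress.IPv6Address}
MAX_V1_LEN = 107  # longest v1 header the PROXY protocol spec allows, CRLF included


def parse_proxy_v1(data: bytes):
    """Parse a v1 header; return (family, (src_ip, src_port), payload)."""
    end = data.find(b"\r\n", 0, MAX_V1_LEN)
    if end == -1:
        raise ValueError("no CRLF-terminated header in the first 107 bytes")
    fields = data[:end].decode("ascii").split(" ")
    if len(fields) != 6 or fields[0] != "PROXY" or fields[1] not in ADDR_TYPES:
        raise ValueError("not a PROXY v1 TCP4/TCP6 header")
    family, src, dst, sport, dport = fields[1:]
    addr_type = ADDR_TYPES[family]
    src_ip, _dst_ip = addr_type(src), addr_type(dst)  # raises on family mismatch
    for port in (sport, dport):
        if not port.isdigit() or int(port) > 65535:
            raise ValueError("bad port: %r" % port)
    return family, (str(src_ip), int(sport)), data[end + 2:]


def route(peer_ip: str, data: bytes, allowed_networks):
    """Hypothetical model of the mmproxy step: trust the header only from allowed peers."""
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in ipaddress.ip_network(n) for n in allowed_networks):
        raise PermissionError("peer %s may not send PROXY headers" % peer)
    family, client, payload = parse_proxy_v1(data)
    # The claimed client address decides which ircd socket receives the connection.
    return client, BACKENDS[family], payload


# Constructed sample input: the line send-proxy would prepend for a client
# at 203.0.113.7, followed by the first IRC line of the session.
SAMPLE = b"PROXY TCP4 203.0.113.7 198.51.100.10 51234 6697\r\nNICK alice\r\n"
ALLOWED = ["127.0.0.0/8"]  # assumed spelling of "localhost" in /etc/mmproxy/ip.txt

if __name__ == "__main__":
    print(route("127.0.0.1", SAMPLE, ALLOWED))
    try:
        route("192.0.2.50", SAMPLE, ALLOWED)
    except PermissionError as exc:
        print("rejected:", exc)
```

The header is plain text and unauthenticated, so the address the ircd sees is only as trustworthy as the peer that wrote it; binding mmproxy to 127.0.0.1 and keeping ip.txt limited to localhost is what makes it reliable here.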