Pre-RFC: Universal Reverse Proxy interface

Scrumplex · December 29, 2023, 1:59pm

This RFC proposes a universal interface (using NixOS options) to configure reverse proxies. Think of this as Kubernetes Ingress for NixOS.
This can also be compared to virtualisation.oci-containers but for reverse proxies.

I have not written the core design yet. I wanted to gauge interest in the community for something like this. You can read the current draft here:

github.com

Scrumplex/rfcs/blob/rfc/universal-reverse-proxy-interface/rfcs/0168-universal-reverse-proxy-interface.md

---
feature: universal-reverse-proxy-interface
start-date: 2023-12-29
author: Sefa Eyeoglu
co-authors: (find a buddy later to help out with the RFC)
shepherd-team: (names, to be nominated and accepted by RFC steering committee)
shepherd-leader: (name to be appointed by RFC steering committee)
related-issues: (will contain links to implementation PRs)
---

# Summary
[summary]: #summary

Implement a set of NixOS options to offer a universal interface to configure reverse proxies.
These options can be used by applications to expose themselves independent of the administrator's preferred reverse proxy.

# Motivation
[motivation]: #motivation

Currently a lot of NixOS modules provide opinionated virtual host configurations for Nginx.

This file has been truncated. show original

Summary

Implement a set of NixOS options to offer a universal interface to configure reverse proxies.
These options can be used by applications to expose themselves independent of the administrator’s preferred reverse proxy.

RaitoBezarius · December 29, 2023, 3:40pm

I find this very interesting but as a power user of NGINX, I cannot help myself asking the same question as for the portable service abstraction, how do you plan to handle the divergence in the feature set?

APCodes · December 30, 2023, 11:01am

I, too, find this to be an interesting proposal. But the question of how to use, let’s say NGINX, HAProxy, Traefik through a unified interface is a good one indeed. Maybe we can have some discussion on that? I’d love to see that.

Scrumplex · December 30, 2023, 11:20am

My first idea was to allow implementations to define their own options within this interface.

Then a module could define something like this:

{
  reverse-proxy.services.<name> = {
    upstreams = [...];
    # make expose an attrset to allow multiple hostnames?
    expose = {
      name = "example.tld";
      # ["/"] could be the default?
      paths = ["/"];
    };
    # alias to services.nginx.virtualHosts.<name> 
    nginx.basicAuth = { foo = "bar"; };
    # alias to services.caddy.virtualHosts.<name>
    caddy.extraConfig = ''
      basicauth / {
        foo $2a...
      }
    '';
    traefik = {
      # creates new middleware named `<name>-auth` in dynamic Traefik config
      middlewares.auth.basicAuth.users = [
        "foo:$2a..."
      ];
      # alias to services.traefik.dynamicConfigOptions.http.routers.<name>
      router.middlewares = ["auth"];
      # alias to services.traefik.dynamicConfigOptions.http.services.<name>
      service...
    };
  };
}

Edit: Though, this should only be reserved for very niche use-cases. Common things like rewrites should be behind a universal option.