Using HAProxy as a reverse proxy terminating https

Don't just copy this example, but verify parameters ssl-default-bind-options and ssl-default-bind-ciphers to ensure they suit your security needs.

        log   local0
        log   local1 notice
        maxconn 40000
        user haproxy
        group haproxy
        ssl-default-bind-options no-sslv3 no-tls-tickets

        log     global
        mode    http
        option  httplog
        option  dontlognull
        option  http-server-close
        option  http-pretend-keepalive
        option  forwardfor
        option  originalto
        retries 3
        option redispatch
        maxconn 40000
        contimeout      5000
        clitimeout      100000
        srvtimeout      100000

frontend http-in
        bind *:80
        bind *:443 ssl crt /etc/haproxy/cert/cert.pem

        mode http

        # added when SSL forwarding was added; important for Wt
        http-request set-header X-Forwarded-Proto https if { ssl_fc }
        http-request set-header X-Forwarded-Port %[dst_port]

        # if you use letsencrypt, uncomment the following
        ## please use SSL
        #redirect scheme https code 301 if !{ ssl_fc }
        #acl is_letsencrypt path_beg /.well-known/acme-challenge/
        #use_backend letsencrypt3082 if is_letsencrypt

        default_backend myapp

# deploy your wt app with --http-address== --http-port=8080, i.e. only bind on localhost and not on any publicly reachable interfaces!
backend myapp
        server srv check

# in case you use letsencrypt
#backend letsencrypt3082
#        mode http
#        server srv

Using letsencrypt

Please read the documentation for letsencrypt and certbot. After enabling the letsencrypt backend in the configuration above, the following line can be used for creating certificates:

certbot certonly --config /etc/letsencrypt/cli.ini -d --renew-by-default --http-01-port 3082 --agree-tos

We run the standalone letsencrypt server from a cron job every day or so to keep the certificates up to date. This script is:

certbot renew -nvv --standalone > /var/log/letsencrypt/renew.log 2>&1

if [ $? -ne 0 ]
        ERRORLOG=`cat /var/log/letsencrypt/renew.log`
        echo -e "The Lets Encrypt Cert on `hostname` has not been renewed! \n \n" $ERRORLOG | mail -s "Lets Encrypt Cert Alert" $EMAIL
        cat /etc/letsencrypt/live/$WEB/fullchain.pem /etc/letsencrypt/live/$WEB/privkey.pem /etc/haproxy/cert/dhparams.pem > /etc/haproxy/cert/cert.pem
        service haproxy reload >> /var/log/letsencrypt/renew.log 2>&1

exit 0

Updated by Wim Dumon about 3 years ago · 3 revisions