Project

General

Profile

Using HAProxy as a reverse proxy terminating https » History » Version 1

Wim Dumon, 09/20/2016 02:39 PM

1 1 Wim Dumon
h1. Using HAProxy as a reverse proxy terminating https
2
3
Don't just copy this example, but verify parameters ssl-default-bind-options and ssl-default-bind-ciphers to ensure they suit your security needs.
4
5
<pre>
6
global
7
        log 127.0.0.1   local0
8
        log 127.0.0.1   local1 notice
9
        maxconn 40000
10
        user haproxy
11
        group haproxy
12
        ssl-default-bind-options no-sslv3 no-tls-tickets
13
        ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
14
15
defaults
16
        log     global
17
        mode    http
18
        option  httplog
19
        option  dontlognull
20
        option  http-server-close
21
        option  http-pretend-keepalive
22
        option  forwardfor
23
        option  originalto
24
        retries 3
25
        option redispatch
26
        maxconn 40000
27
        contimeout      5000
28
        clitimeout      100000
29
        srvtimeout      100000
30
31
frontend http-in
32
        bind *:80
33
        bind *:443 ssl crt /etc/haproxy/cert/cert.pem
34
35
        mode http
36
37
        # added when SSL forwarding was added; important for Wt
38
        http-request set-header X-Forwarded-Proto https if { ssl_fc }
39
        http-request set-header X-Forwarded-Port %[dst_port]
40
41
        # if you use letsencrypt, uncomment the following
42
        ## please use SSL
43
        #redirect scheme https code 301 if !{ ssl_fc }
44
        #
45
        #acl is_letsencrypt path_beg /.well-known/acme-challenge/
46
        #use_backend letsencrypt3082 if is_letsencrypt
47
48
        default_backend myapp
49
50
backend myapp
51
        server srv 127.0.0.1:8080 check
52
53
# in case you use letsencrypt
54
#backend letsencrypt3082
55
#        mode http
56
#        server srv 127.0.0.1:3082
57
58
59
</pre>
60
61
h2. Using letsencrypt
62
63
Please read the documentation for letsencrypt. After enabling the letsencrypt backend in the configuration above, the following line can be used for creating certificates:
64
<pre>
65
letsencrypt-auto certonly --config /etc/letsencrypt/cli.ini -d foobar.com --renew-by-default --http-01-port 3082 --agree-tos
66
</pre>
67
68
We run the standalone letsencrypt server from a cron job every day or so to keep the certificates up to date. This script is:
69
<pre>
70
EMAIL=root@foobar.com
71
WEB=foobar.com
72
73
/root/letsencrypt/letsencrypt-auto renew -nvv --standalone > /var/log/letsencrypt/renew.log 2>&1
74
75
if [ $? -ne 0 ]
76
 then
77
        ERRORLOG=`cat /var/log/letsencrypt/renew.log`
78
        echo -e "The Lets Encrypt Cert on `hostname` has not been renewed! \n \n" $ERRORLOG | mail -s "Lets Encrypt Cert Alert" $EMAIL
79
 else
80
        cat /etc/letsencrypt/live/$WEB/fullchain.pem /etc/letsencrypt/live/$WEB/privkey.pem /etc/haproxy/cert/dhparams.pem > /etc/haproxy/cert/cert.pem
81
        service haproxy reload >> /var/log/letsencrypt/renew.log 2>&1
82
fi
83
84
exit 0
85
</pre>