Revision 1 (Wim Dumon, 09/20/2016 02:39 PM) → Revision 2/3 (Wim Dumon, 09/20/2016 02:42 PM)

h1. Using HAProxy as a reverse proxy terminating https

Don't just copy this example: check that the ssl-default-bind-options and ssl-default-bind-ciphers parameters suit your own security requirements.

<pre>
global
        log 127.0.0.1     local0
        log 127.0.0.1     local1 notice
        maxconn 40000
        user haproxy
        group haproxy
        ssl-default-bind-options no-sslv3 no-tls-tickets
        ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA

defaults
        log       global
        mode      http
        option    httplog
        option    dontlognull
        option    http-server-close
        option    http-pretend-keepalive
        option    forwardfor
        option    originalto
        retries 3
        option redispatch
        maxconn 40000
        # "timeout connect/client/server" are the current spellings of the
        # deprecated contimeout/clitimeout/srvtimeout keywords
        timeout connect   5000
        timeout client    100000
        timeout server    100000

frontend http-in
        bind *:80
        bind *:443 ssl crt /etc/haproxy/cert/cert.pem

        mode http

        # added when SSL forwarding was added; important for Wt, which learns the
        # original scheme from this header. set-header overwrites any
        # X-Forwarded-Proto value a client sent itself.
        http-request set-header X-Forwarded-Proto https if { ssl_fc }
        http-request set-header X-Forwarded-Port %[dst_port]

        # if you use letsencrypt, uncomment the following
        ## please use SSL
        #redirect scheme https code 301 if !{ ssl_fc }
        #
        #acl is_letsencrypt path_beg /.well-known/acme-challenge/
        #use_backend letsencrypt3082 if is_letsencrypt

        default_backend myapp

# deploy your wt app with --http-address=127.0.0.1 --http-port=8080, i.e. only bind on localhost and not on any publicly reachable interfaces!
backend myapp
        server srv 127.0.0.1:8080 check

# in case you use letsencrypt
#backend letsencrypt3082
#          mode http
#          server srv 127.0.0.1:3082
</pre>

h2. Using letsencrypt

Please read the letsencrypt documentation first. After enabling the letsencrypt backend in the configuration above, the following command creates the certificates:
<pre>
letsencrypt-auto certonly --config /etc/letsencrypt/cli.ini -d foobar.com --renew-by-default --http-01-port 3082 --agree-tos
</pre>

We run the standalone letsencrypt renewal from a cron job every day or so to keep the certificates up to date. The script is:
<pre>
#!/bin/sh
# Renew the certificates and, on success, rebuild the bundle HAProxy loads
# (certificate chain, private key and DH parameters in one PEM file).
EMAIL=root@foobar.com
WEB=foobar.com

/root/letsencrypt/letsencrypt-auto renew -nvv --standalone > /var/log/letsencrypt/renew.log 2>&1

if [ $? -ne 0 ]
 then
        ERRORLOG=$(cat /var/log/letsencrypt/renew.log)
        printf 'The Lets Encrypt Cert on %s has not been renewed!\n\n%s\n' "$(hostname)" "$ERRORLOG" | mail -s "Lets Encrypt Cert Alert" "$EMAIL"
 else
        cat "/etc/letsencrypt/live/$WEB/fullchain.pem" "/etc/letsencrypt/live/$WEB/privkey.pem" /etc/haproxy/cert/dhparams.pem > /etc/haproxy/cert/cert.pem
        service haproxy reload >> /var/log/letsencrypt/renew.log 2>&1
fi

exit 0
</pre>
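The cron script above builds cert.pem with a plain redirect and reloads without checking anything; the functions below, added as an example and not part of the original page, do the same step with the private-key bundle created mode 0600, each input checked for the PEM block HAProxy expects, and a haproxy -c run before the reload. Paths follow the script above; the function names pem_labels, build_bundle and check_and_reload are ours.

```shell
#!/bin/sh
# Added example, not from the original page: assemble the PEM bundle that
# HAProxy's "bind ... ssl crt" loads (chain, private key, DH parameters, in
# that order) without leaving the private key world-readable, and reload only
# after "haproxy -c" accepts the new configuration. Function names are ours.

# Print the PEM block labels in a file, one per line (e.g. "CERTIFICATE").
pem_labels() {
    sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1"
}

# build_bundle FULLCHAIN PRIVKEY DHPARAMS OUT
# Writes OUT atomically with mode 0600 and returns 0; returns 1 and leaves OUT
# untouched if an input lacks the PEM block type HAProxy expects from it.
build_bundle() {
    fullchain=$1; privkey=$2; dhparams=$3; out=$4
    pem_labels "$fullchain" | grep -q '^CERTIFICATE$' ||
        { echo "no CERTIFICATE block in $fullchain" >&2; return 1; }
    pem_labels "$privkey" | grep -q 'PRIVATE KEY$' ||
        { echo "no PRIVATE KEY block in $privkey" >&2; return 1; }
    pem_labels "$dhparams" | grep -q '^DH PARAMETERS$' ||
        { echo "no DH PARAMETERS block in $dhparams" >&2; return 1; }
    # A plain "cat > cert.pem" inherits the cron job's umask, typically 022,
    # so the key ends up 0644. umask 077 in a subshell makes the file 0600.
    ( umask 077 && rm -f "$out.tmp" && cat "$fullchain" "$privkey" "$dhparams" > "$out.tmp" ) ||
        { rm -f "$out.tmp"; return 1; }
    mv -f "$out.tmp" "$out"   # rename is atomic: HAProxy never sees a half-written bundle
}

# check_and_reload CFG: reject a broken configuration or bundle before the
# running proxy is asked to pick it up.
check_and_reload() {
    haproxy -c -q -f "$1" || { echo "haproxy config check failed, not reloading" >&2; return 1; }
    service haproxy reload
}
```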