Project

General

Profile

Actions

h1. Using HAProxy as a reverse proxy terminating https

Don't just copy this example, but verify parameters ssl-default-bind-options and ssl-default-bind-ciphers to ensure they suit your security needs.

global
log 127.0.0.1 local0
log 127.0.0.1 local1 notice
maxconn 40000
user haproxy
group haproxy
ssl-default-bind-options no-sslv3 no-tls-tickets
ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA

defaults
log global
mode http
option httplog
option dontlognull
option http-server-close
option http-pretend-keepalive
option forwardfor
option originalto
retries 3
option redispatch
maxconn 40000
contimeout 5000
clitimeout 100000
srvtimeout 100000

frontend http-in
bind *:80
bind *:443 ssl crt /etc/haproxy/cert/cert.pem

    mode http

    # added when SSL forwarding was added; important for Wt
    http-request set-header X-Forwarded-Proto https if { ssl_fc }
    http-request set-header X-Forwarded-Port %[dst_port]

    # if you use letsencrypt, uncomment the following
    ## please use SSL
    #redirect scheme https code 301 if !{ ssl_fc }
    #
    #acl is_letsencrypt path_beg /.well-known/acme-challenge/
    #use_backend letsencrypt3082 if is_letsencrypt

    default_backend myapp

deploy your wt app with --http-address==127.0.0.1 --http-port=8080, i.e. only bind on localhost and not on any publicly reachable interfaces!

backend myapp
server srv 127.0.0.1:8080 check

in case you use letsencrypt

#backend letsencrypt3082

mode http

server srv 127.0.0.1:3082

h2. Using letsencrypt

Please read the documentation for letsencrypt and certbot. After enabling the letsencrypt backend in the configuration above, the following line can be used for creating certificates:

certbot certonly --config /etc/letsencrypt/cli.ini -d foobar.com --renew-by-default --http-01-port 3082 --agree-tos

We run the standalone letsencrypt server from a cron job every day or so to keep the certificates up to date. This script is:

EMAIL=root@foobar.com
WEB=foobar.com

certbot renew -nvv --standalone > /var/log/letsencrypt/renew.log 2>&1

if [ $? -ne 0 ]
then
ERRORLOG=cat /var/log/letsencrypt/renew.log
echo -e "The Lets Encrypt Cert on hostname has not been renewed! \n \n" $ERRORLOG | mail -s "Lets Encrypt Cert Alert" $EMAIL
else
cat /etc/letsencrypt/live/$WEB/fullchain.pem /etc/letsencrypt/live/$WEB/privkey.pem /etc/haproxy/cert/dhparams.pem > /etc/haproxy/cert/cert.pem
service haproxy reload >> /var/log/letsencrypt/renew.log 2>&1
fi

exit 0

Updated by Wim Dumon over 7 years ago · 3 revisions