Using HAProxy as a reverse proxy terminating https » History » Version 3
Wim Dumon, 08/11/2017 11:50 AM
1 | 1 | Wim Dumon | h1. Using HAProxy as a reverse proxy terminating https |
---|---|---|---|
2 | |||
3 | Don't just copy this example, but verify parameters ssl-default-bind-options and ssl-default-bind-ciphers to ensure they suit your security needs. |
||
4 | |||
5 | <pre> |
||
6 | global |
||
7 | log 127.0.0.1 local0 |
||
8 | log 127.0.0.1 local1 notice |
||
9 | maxconn 40000 |
||
10 | user haproxy |
||
11 | group haproxy |
||
12 | ssl-default-bind-options no-sslv3 no-tls-tickets |
||
13 | ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA |
||
14 | |||
15 | defaults |
||
16 | log global |
||
17 | mode http |
||
18 | option httplog |
||
19 | option dontlognull |
||
20 | option http-server-close |
||
21 | option http-pretend-keepalive |
||
22 | option forwardfor |
||
23 | option originalto |
||
24 | retries 3 |
||
25 | option redispatch |
||
26 | maxconn 40000 |
||
27 | contimeout 5000 |
||
28 | clitimeout 100000 |
||
29 | srvtimeout 100000 |
||
30 | |||
31 | frontend http-in |
||
32 | bind *:80 |
||
33 | bind *:443 ssl crt /etc/haproxy/cert/cert.pem |
||
34 | |||
35 | mode http |
||
36 | |||
37 | # added when SSL forwarding was added; important for Wt |
||
38 | http-request set-header X-Forwarded-Proto https if { ssl_fc } |
||
39 | http-request set-header X-Forwarded-Port %[dst_port] |
||
40 | |||
41 | # if you use letsencrypt, uncomment the following |
||
42 | ## please use SSL |
||
43 | #redirect scheme https code 301 if !{ ssl_fc } |
||
44 | # |
||
45 | #acl is_letsencrypt path_beg /.well-known/acme-challenge/ |
||
46 | #use_backend letsencrypt3082 if is_letsencrypt |
||
47 | |||
48 | default_backend myapp |
||
49 | |||
50 | 2 | Wim Dumon | # deploy your wt app with --http-address==127.0.0.1 --http-port=8080, i.e. only bind on localhost and not on any publicly reachable interfaces! |
51 | 1 | Wim Dumon | backend myapp |
52 | server srv 127.0.0.1:8080 check |
||
53 | |||
54 | # in case you use letsencrypt |
||
55 | #backend letsencrypt3082 |
||
56 | # mode http |
||
57 | # server srv 127.0.0.1:3082 |
||
58 | |||
59 | |||
60 | </pre> |
||
61 | |||
62 | h2. Using letsencrypt |
||
63 | |||
64 | 3 | Wim Dumon | Please read the documentation for letsencrypt and certbot. After enabling the letsencrypt backend in the configuration above, the following line can be used for creating certificates: |
65 | 1 | Wim Dumon | <pre> |
66 | 3 | Wim Dumon | certbot certonly --config /etc/letsencrypt/cli.ini -d foobar.com --renew-by-default --http-01-port 3082 --agree-tos |
67 | 1 | Wim Dumon | </pre> |
68 | |||
69 | We run the standalone letsencrypt server from a cron job every day or so to keep the certificates up to date. This script is: |
||
70 | <pre> |
||
71 | EMAIL=root@foobar.com |
||
72 | WEB=foobar.com |
||
73 | |||
74 | 3 | Wim Dumon | certbot renew -nvv --standalone > /var/log/letsencrypt/renew.log 2>&1 |
75 | 1 | Wim Dumon | |
76 | if [ $? -ne 0 ] |
||
77 | then |
||
78 | ERRORLOG=`cat /var/log/letsencrypt/renew.log` |
||
79 | echo -e "The Lets Encrypt Cert on `hostname` has not been renewed! \n \n" $ERRORLOG | mail -s "Lets Encrypt Cert Alert" $EMAIL |
||
80 | else |
||
81 | cat /etc/letsencrypt/live/$WEB/fullchain.pem /etc/letsencrypt/live/$WEB/privkey.pem /etc/haproxy/cert/dhparams.pem > /etc/haproxy/cert/cert.pem |
||
82 | service haproxy reload >> /var/log/letsencrypt/renew.log 2>&1 |
||
83 | fi |
||
84 | |||
85 | exit 0 |
||
86 | </pre> |