| Beide Seiten der vorigen Revision Vorhergehende Überarbeitung Nächste Überarbeitung | Vorhergehende Überarbeitung |
| haproxy [19/01/2020 - 09:34] – [Neue Zertifikate bestellen] thommie3 | haproxy [05/03/2024 - 10:52] (aktuell) – Externe Bearbeitung 127.0.0.1 |
|---|
| ====== Allgemeine Konfiguration ====== | ====== Allgemeine Konfiguration ====== |
| |
| [[https://cbonte.github.io/haproxy-dconv/2.1/configuration.html|https://cbonte.github.io/haproxy-dconv/2.1/configuration.html]] | [[http://cbonte.github.io/haproxy-dconv/]] |
| | |
| | Konfiguration verifizieren |
| | |
| | <code> |
| | /usr/sbin/haproxy -c -V -f /etc/haproxy/haproxy.cfg |
| | </code> |
| | |
| | ====== Aktuelle Versionen ====== |
| | |
| | https://haproxy.debian.net/ |
| | |
| | (Standard Focal hat nur V. 2.0) |
| |
| ====== HAPROXY als SSL Accelerator ====== | ====== HAPROXY als SSL Accelerator ====== |
| |
| Vorteil: **keine separaten IP Adressen nötig!** Konzept: HAPROXY horcht auf 80 und 443, der Webserver horcht nur auf localhost, z.B: 127.0.0.1:82, 83, 84… HAPROXY erkennt Requests über den Host Header und leitet auf den entsprechenden Port auf localhost um. Zertifikate werden durch haproxy bereitgestellt | Vorteil: **keine separaten IP Adressen nötig!** Konzept: HAPROXY horcht auf 80 und 443, der Webserver horcht nur auf localhost, z.B: 127.0.0.1:82, 83, 84… HAPROXY erkennt Requests über den Host Header und leitet auf den entsprechenden Port auf localhost um. Zertifikate werden durch haproxy bereitgestellt |
| ===== Frontend =====<code> | ===== frontend ===== |
| | <code> |
| |
| frontend default | frontend default |
| ===== Konfiguration HAPROXY ===== | ===== Konfiguration HAPROXY ===== |
| |
| **frontend**<code> | **frontend** |
| | <code> |
| |
| frontend le-frontend | frontend le-frontend |
| </code> | </code> |
| |
| ===== Zertifikate ===== | ===== Neue Zertifikate bestellen ===== |
| | |
| | <code> |
| | certbot certonly --standalone -d zammad.netzwissen.de --non-interactive --agree-tos --email admin@netzwissen.de --http-01-port=8888 |
| | |
| | </code> |
| | |
| | * ''-standalone'' - Create a stand-alone web server to listen for the cert authorization HTTP request |
| | * ''-d [domain]'' - The domain we're creating a cert for. You can use multiple ''-d'' flags for multiple domains for a single certificate. The domain(s) must route to the server we're creating a cert for (DNS must be setup for the domain). |
| | * ''–non-interactive –agree-tos –email admin@example.com'' - Make this non-interactive by saying as much, agreeing to the TOS, and informing LetsEncrypt of the email to use to send "YOUR CERT IS EXPIRING" notifications. |
| | * ''–http-01-port=8888'' - The Magic™. This tells the stand-alone server to listen on port 8888. Note that LetsEncrypt will //still// send the authorization HTTP request over port **80** and haproxy with redirrect requests over port 8888. The flag is ''http-01'' because it expects an ''HTTP'' request, NOT an ''HTTPS'' request. |
| | ===== Zertifikate zusammenbinden ===== |
| |
| cert und key müssen in **einer Datei **vorliegen: | cert und key müssen in **einer Datei **vorliegen: |
| | |
| <code> | <code> |
| ''cat /etc/letsencrypt/live/demo.scalinglaravel.com/fullchain.pem \ | ''cat /etc/letsencrypt/live/demo.scalinglaravel.com/fullchain.pem \ |
| </code> | </code> |
| |
| HAProxy expects an SSL certificate to all be in one file which includes the certificate chain, the root certificate, and the private key. HAProxy has the private key in a separate file, so our last step is to combine the files into something HAProxy can read. | ===== Erneuern ===== |
| | |
| ==== Neue Zertifikate bestellen ==== | |
| |
| | Zertifikate werden über –force-renewal einmal pro Monat per cron über ein Shellscrip aktualisiert und neu zusammengebunden |
| <code> | <code> |
| certbot certonly --standalone -d zammad.netzwissen.de --non-interactive --agree-tos --email admin@netzwissen.de --http-01-port=8888 | |
| | #!/usr/bin/env bash |
| | |
| | # Renew the certificate |
| | certbot renew --force-renewal --tls-sni-01-port=8888 |
| | |
| | # Concatenate new cert files, with less output (avoiding the use tee and its output to stdout) |
| | bash -c "cat /etc/letsencrypt/live/forum.netzwissen.de/fullchain.pem /etc/letsencrypt/live/forum.netzwissen.de/privkey.pem> /etc/ssl/haproxy/forum.netzwissen.de.pem" |
| | bash -c "cat /etc/letsencrypt/live/zammad.netzwissen.de/fullchain.pem /etc/letsencrypt/live/zammad.netzwissen.de/privkey.pem> /etc/ssl/haproxy/zammad.netzwissen.de.pem" |
| | |
| | # Reload HAProxy |
| | service haproxy reload |
| |
| </code> | </code> |
| |
| * ''-standalone'' - Create a stand-alone web server to listen for the cert authorization HTTP request | ====== Domain Umleitung (301) ====== |
| * ''-d [domain]'' - The domain we're creating a cert for. You can use multiple ''-d'' flags for multiple domains for a single certificate. The domain(s) must route to the server we're creating a cert for (DNS must be setup for the domain). | |
| * ''–non-interactive –agree-tos –email admin@example.com'' - Make this non-interactive by saying as much, agreeing to the TOS, and informing LetsEncrypt of the email to use to send "YOUR CERT IS EXPIRING" notifications. | |
| * ''–http-01-port=8888'' - The Magic™. This tells the stand-alone server to listen on port 8888. Note that LetsEncrypt will //still// send the authorization HTTP request over port **80** and haproxy with redirrect requests over port 8888. The flag is ''http-01'' because it expects an ''HTTP'' request, NOT an ''HTTPS'' request. | |
| | |
| ==== Erneuern ==== | |
| |
| <code> | <code> |
| ''sudo certbot renew --tls-sni-01-port=8888'' | acl demoredirect hdr_dom(host) -i demofolder.com |
| | acl demoredirect hdr_dom(host) -i www.demofolder.com |
| | http-request redirect location https://briansnelson.com/demofolder/ code 301 if demoredirect |
| </code> | </code> |
| |
127.0.0.1