User talk:Nangel: Difference between revisions
Latest revision as of 11:24, 29 January 2022
Wiki License Update 2022
Hello, I found the warning you have put on the frontpage, please see my re-licensing message on my wiki user page. Thanks a lot! (--Sb1 (talk) 11:24, 29 January 2022 (UTC))
HAProxy TLS frontend for LXC http backends
We are going to use HAProxy to do TLS negotiation for several LXC containers serving various websites. LetsEncrypt TLS keys will be maintained on the HAProxy service.
HAProxy and LetsEncrypt
1. Set up DNS to point all the domains to the haproxy address(es):

curly.example.com A 192.168.0.1
larry.example.com A 192.168.0.1
moe.example.com   A 192.168.0.1
2. Get some httpd server running on 127.0.0.1. It will only be used for the Let's Encrypt auth challenge, so we will use busybox httpd.
apk add busybox-extras

/etc/conf.d/httpd:

# Config for running busybox httpd on loopback address
# We use it for the ACME auth challenge with Lets Encrypt
HTTPD_OPTS="-p 127.0.0.1:80 -u nobody:nobody -h /etc/haproxy/www"
/etc/haproxy/haproxy.cfg:

global
    uid 65534
    gid 65534
    log /dev/log uucp
    maxconn 8000

defaults
    maxconn 8000
    timeout connect 15s
    timeout server 30m
    timeout client 30m
    option tcpka
    log global
    option tcplog
    option log-health-checks
    option log-separate-errors
    option forwardfor
    option http-server-close
    mode http
    stats enable
    stats uri /stats
    stats realm haproxy\ stats
    stats auth letmein:password

# For the "/.well-known" uris - we send to the local
# busybox httpd process. This is so haproxy has access
# to the certs from LetsEncrypt
frontend http-in
    mode http
    bind <public_ip>:80
    acl is_acme_uri path_beg /.well-known
    use_backend letsencrypt if is_acme_uri

backend letsencrypt
    server letsencrypt 127.0.0.1
rc-update add http
rc-update add haproxy
openrc
3. Set up acme-client
apk add acme-client
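Once acme-client has issued a certificate, HAProxy needs the chain and the private key in a single PEM file for its "bind ... ssl crt" directive. The script below is an added example, not from this wiki page or from the acme-client project: it builds that file, refuses to install it when the key does not belong to the certificate, keeps the key mode 0600, and validates the config before reloading. The certificate and key paths under /etc/ssl/acme and /etc/haproxy/certs are assumptions.

```shell
#!/bin/sh
# Added example (not from the wiki page). Assumes openssl is installed.

# make_haproxy_pem FULLCHAIN PRIVKEY OUT
# Returns 0 and writes OUT when the key matches the certificate, 1 otherwise.
make_haproxy_pem() {
    fullchain="$1"; privkey="$2"; out="$3"
    [ -r "$fullchain" ] && [ -r "$privkey" ] || return 1
    # Compare the SubjectPublicKeyInfo from both sides (works for RSA and ECDSA).
    cert_pub=$(openssl x509 -in "$fullchain" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$privkey" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] || return 1
    # Restrictive umask in a subshell so the caller's umask is untouched;
    # stage into a temp file so HAProxy never reads a half-written PEM.
    ( umask 077 && cat "$fullchain" "$privkey" > "$out.tmp" ) || return 1
    mv "$out.tmp" "$out"
}

# pem_private_enough FILE: true only when FILE is exactly mode 0600,
# i.e. the private key inside it is not group- or world-readable.
pem_private_enough() {
    [ -n "$(find "$1" -perm 600 2>/dev/null)" ]
}

# install_cert DOMAIN: wiring for an assumed acme-client output layout, then
# "haproxy -c" to validate the config before asking OpenRC to reload it.
install_cert() {
    domain="$1"
    make_haproxy_pem "/etc/ssl/acme/$domain/fullchain.pem" \
                     "/etc/ssl/acme/private/$domain/privkey.pem" \
                     "/etc/haproxy/certs/$domain.pem" || return 1
    pem_private_enough "/etc/haproxy/certs/$domain.pem" || return 1
    haproxy -c -f /etc/haproxy/haproxy.cfg && rc-service haproxy reload
}
```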