User talk:Nangel: Difference between revisions

From Alpine Linux
== HAProxy TLS frontend for LXC http backends ==
 
We are going to use HAProxy to do the TLS negotiation for several LXC containers serving various websites. The Let's Encrypt certificates and keys will be maintained on the HAProxy host.
 
=== HAProxy and LetsEncrypt ===
 
1. Set up DNS to point all the domains to the haproxy address(es):
      curly.example.com  A 192.168.0.1
      larry.example.com  A 192.168.0.1
      moe.example.com    A 192.168.0.1
 
2. Get an httpd server running on 127.0.0.1
This will only be used for the Let's Encrypt ACME challenge, so we will use busybox httpd.
  apk add busybox-extras
  /etc/conf.d/httpd:
    # Config for running busybox httpd on the loopback address
    # We use it for the ACME auth challenge with Let's Encrypt
    HTTPD_OPTS="-p 127.0.0.1:80 -u nobody:nobody -h /etc/haproxy/www"
 
 
  /etc/haproxy/haproxy.cfg:
 global
   uid 65534
   gid 65534
   log /dev/log uucp
   maxconn 8000
 
 defaults
   maxconn 8000
   timeout connect 15s
   timeout server 30m
   timeout client 30m
   option tcpka
   log global
   option tcplog
   option log-health-checks
   option log-separate-errors
   option forwardfor
   option http-server-close
   mode http
 
   stats enable
   stats uri /stats
   stats realm haproxy\ stats
   # Change these credentials before exposing the stats page
   stats auth letmein:password
 
 # For the "/.well-known" URIs we send requests to the local
 # busybox httpd process. This is so the haproxy host answers
 # the ACME challenge and therefore holds the certs from Let's Encrypt.
 frontend http-in
         mode http
         bind <public_ip>:80
         acl is_acme_uri path_beg /.well-known
         use_backend letsencrypt if is_acme_uri
 
 backend letsencrypt
         # busybox httpd from step 2 listens on the loopback address
         server letsencrypt 127.0.0.1:80

Enable both services and start them in the current runlevel (the OpenRC service for busybox httpd is called httpd, matching /etc/conf.d/httpd):
  rc-update add httpd
  rc-update add haproxy
  openrc
 
3. Set up acme-client
  apk add acme-client
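Once the three steps above are in place, the following smoke test confirms that a challenge file under the busybox webroot is reachable both directly on the loopback address and through HAProxy's /.well-known ACL on the public address. It is an added example, not part of this page or of acme-client; it assumes the webroot /etc/haproxy/www from step 2, busybox wget, and the public address passed as the first argument, and the token it writes is a constructed stand-in for a real ACME token.

```shell
#!/bin/sh
# Smoke test for the HTTP-01 challenge path: writes a constructed token under
# the busybox httpd webroot and fetches it directly and through the HAProxy
# frontend. Assumes the layout above (webroot /etc/haproxy/www, httpd on
# 127.0.0.1:80, HAProxy bound to the public address given as $1).
set -eu

# Only accept tokens in the base64url alphabet ACME uses, so a token can never
# become a relative path such as "../../etc/passwd" under the webroot.
challenge_path() {
    case "$2" in
        ''|*[!A-Za-z0-9_-]*) echo "invalid token: $2" >&2; return 1 ;;
    esac
    printf '%s/.well-known/acme-challenge/%s\n' "$1" "$2"
}

# Write a key authorization (constructed here) where acme-client would put it.
write_challenge() {
    path=$(challenge_path "$1" "$2") || return 1
    mkdir -p "$(dirname "$path")"
    printf '%s' "$3" > "$path"
    echo "$path"
}

# Fetch the token via <base_url> with busybox wget and compare with what was
# written; a mismatch means the ACL, the backend or the webroot is wrong.
verify_challenge() {
    got=$(wget -q -O - "$1/.well-known/acme-challenge/$2" 2>/dev/null) || return 1
    [ "$got" = "$3" ]
}

check() {  # check <label> <base_url> <token> <expected>
    if verify_challenge "$2" "$3" "$4"; then echo "$1: ok"; else echo "$1: FAIL"; status=1; fi
}

main() {
    webroot=${WEBROOT:-/etc/haproxy/www}
    token="smoketest-$(date +%s)"             # constructed, not a real ACME token
    keyauth="$token.constructed-thumbprint"
    path=$(write_challenge "$webroot" "$token" "$keyauth")
    status=0
    check loopback "http://127.0.0.1" "$token" "$keyauth"   # busybox httpd itself
    check frontend "http://$1" "$token" "$keyauth"          # through HAProxy's ACL
    rm -f "$path"
    return $status
}

# Run only when a public address is given: sh smoketest.sh 192.168.0.1
if [ $# -gt 0 ]; then main "$@"; fi
```

Run it on the HAProxy host after `openrc` has started both services; a FAIL on the frontend line with an ok on the loopback line points at the ACL or the backend rather than at busybox httpd.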

Revision as of 23:15, 31 December 2017
