Difference between revisions of "User talk:Nangel"

From Alpine Linux

Latest revision as of 23:15, 31 December 2017

HAProxy TLS frontend for LXC http backends

HAProxy terminates TLS for several LXC containers that each serve a website over plain HTTP. The Let's Encrypt certificates and private keys live only on the HAProxy host; the containers never see them.

HAProxy and LetsEncrypt

1. Set up DNS to point all the domains to the haproxy address(es):

      curly.example.com   A 192.168.0.1
      larry.example.com   A 192.168.0.1
      moe.example.com     A 192.168.0.1

2. Get a small httpd running on 127.0.0.1. It is only used to answer the Let's Encrypt HTTP-01 challenge (the files served under /.well-known/acme-challenge/), so busybox httpd is enough.

 apk add busybox-extras

 /etc/conf.d/httpd:
   # Config for running busybox httpd on the loopback address only.
   # We use it for the ACME auth challenge with Let's Encrypt.
   HTTPD_OPTS="-p 127.0.0.1:80 -u nobody:nobody -h /etc/haproxy/www"


 /etc/haproxy/haproxy.cfg:
   global
     uid 65534
     gid 65534
     log /dev/log uucp
     maxconn 8000

   defaults
     maxconn 8000
     timeout connect 15s
     timeout server 30m
     timeout client 30m
     option tcpka
     log global
     option tcplog
     option log-health-checks
     option log-separate-errors
     option forwardfor
     option http-server-close
     mode http
     # These stats lines sit in "defaults", so every frontend (including
     # the public one on port 80) serves /stats. Change the credentials,
     # and prefer a separate "listen" section bound to 127.0.0.1.
     stats enable
     stats uri /stats
     stats realm haproxy\ stats
     stats auth letmein:password

   # For the /.well-known URIs we send to the local busybox httpd
   # process. This is how the ACME challenge is answered, so that
   # HAProxy can obtain its certs from Let's Encrypt.
   frontend http-in
     mode http
     bind <public_ip>:80
     acl is_acme_uri path_beg /.well-known
     use_backend letsencrypt if is_acme_uri

   backend letsencrypt
     server letsencrypt 127.0.0.1

Enable both services at boot and start them (the init script that reads /etc/conf.d/httpd is called httpd):

 rc-update add httpd
 rc-update add haproxy
 openrc

3. Set up acme-client

 apk add acme-client
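The steps above are one procedure: DNS, a loopback httpd for the challenge, an HAProxy front end that routes only the ACME path to it, and acme-client. As an added example (not part of this wiki draft), the POSIX shell script below renders both config files for that design and bundles an issued certificate into the single PEM that HAProxy's "crt" expects. It goes beyond the page in one direction only: it also writes the HTTPS frontend the draft is building toward, with host-based routing to the containers and the stats page moved off the public listener. The container addresses 10.0.3.11-13, the stats port 8404, and the certificate directory are assumptions; the acme-client invocation itself is not shown.

```shell
#!/bin/sh
# Added example, not the wiki page's code: render the configs for the
# HAProxy-in-front-of-LXC design and bundle a Let's Encrypt cert for HAProxy.
# Assumed: container addresses 10.0.3.11-13, stats on 127.0.0.1:8404.

# Print /etc/conf.d/httpd: busybox httpd on loopback only, serving WEBROOT.
render_httpd_conf() {
    webroot=$1
    cat <<EOF
# busybox httpd on the loopback address, only for the ACME HTTP-01 challenge
HTTPD_OPTS="-p 127.0.0.1:80 -u nobody:nobody -h ${webroot}"
EOF
}

# Print /etc/haproxy/haproxy.cfg. Args: PUBLIC_IP CERT_DIR STATS_AUTH(user:pass)
render_haproxy_cfg() {
    public_ip=$1 cert_dir=$2 stats_auth=$3
    cat <<EOF
global
    uid 65534
    gid 65534
    log /dev/log local0
    maxconn 8000
    # TLS 1.2 only, forward-secret AEAD suites only.
    ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11
    ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384

defaults
    mode http
    log global
    option httplog
    option forwardfor
    option http-server-close
    timeout connect 15s
    timeout client 30m
    timeout server 30m

# Stats only on loopback (view it through an ssh port forward), not in defaults.
listen stats
    bind 127.0.0.1:8404
    stats enable
    stats uri /stats
    stats auth ${stats_auth}

# Port 80: only the ACME challenge path reaches busybox httpd; the rest is
# redirected to HTTPS.
frontend http-in
    bind ${public_ip}:80
    acl is_acme_uri path_beg /.well-known/acme-challenge/
    use_backend letsencrypt if is_acme_uri
    http-request redirect scheme https code 301 unless is_acme_uri

backend letsencrypt
    server letsencrypt 127.0.0.1:80

# Port 443: TLS terminates here; every .pem in ${cert_dir} is loaded and SNI
# selects the certificate. Requests are routed to the containers by Host.
frontend https-in
    bind ${public_ip}:443 ssl crt ${cert_dir}
    http-request set-header X-Forwarded-Proto https
    acl host_curly hdr(host) -i curly.example.com
    acl host_larry hdr(host) -i larry.example.com
    acl host_moe   hdr(host) -i moe.example.com
    use_backend curly if host_curly
    use_backend larry if host_larry
    use_backend moe   if host_moe
    # No default_backend: an unknown Host gets 503 rather than someone's site.

backend curly
    server curly 10.0.3.11:80 check
backend larry
    server larry 10.0.3.12:80 check
backend moe
    server moe 10.0.3.13:80 check
EOF
}

# HAProxy's "crt" wants chain and key in one PEM; build it with mode 0600.
# Args: FULLCHAIN_PEM PRIVKEY_PEM OUT_PEM
bundle_cert() {
    ( umask 077; cat "$1" "$2" > "$3" ) && chmod 600 "$3"
}

# Syntax-check a rendered config if haproxy is installed (0 when it is not).
check_cfg() {
    command -v haproxy >/dev/null 2>&1 || return 0
    haproxy -c -f "$1"
}

case "${1:-}" in
    httpd)   render_httpd_conf "$2" ;;
    haproxy) render_haproxy_cfg "$2" "$3" "$4" ;;
    bundle)  bundle_cert "$2" "$3" "$4" ;;
    check)   check_cfg "$2" ;;
esac
```

Typical use: `sh haproxy-lxc.sh haproxy 192.168.0.1 /etc/haproxy/certs admin:CHANGEME > /etc/haproxy/haproxy.cfg`, then `sh haproxy-lxc.sh check /etc/haproxy/haproxy.cfg` before reloading. The challenge directory /etc/haproxy/www/.well-known/acme-challenge must exist and be readable by the nobody user that busybox httpd drops to. After acme-client has issued a certificate, `sh haproxy-lxc.sh bundle fullchain.pem privkey.pem /etc/haproxy/certs/curly.example.com.pem` produces the file HAProxy loads; the bundle contains the private key, hence the 0600 mode, and the certs directory should be readable only by root and the haproxy uid. Narrowing the ACL to /.well-known/acme-challenge/ instead of /.well-known keeps other well-known URIs (for example security.txt) from being served by the unauthenticated loopback httpd.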