User talk:Nangel

From Alpine Linux
Revision as of 23:15, 31 December 2017 by Nangel (talk | contribs)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

HAProxy TLS frontend for LXC http backends

We are going to use HAProxy to do TLS negotiation for several LXC containers serving various websites. LetsEncrypt TLS keys will be maintained on the HAProxy service.

HAProxy and LetsEncrypt

1. Set up DNS to point all the domains to the haproxy address(es):   A   A   A

2. Get some httpd server running on This will only be used for the let's encrypt auth challenge, so we will use busybox httpd.

 apk add busybox-extras
   # Config for running busybox httpd on loopback address
   # We use it for the ACME auth challenge with Lets Encrypt
   HTTPD_OPTS="-p -u nobody:nobody -h /etc/haproxy/www"



uid 65534
gid 65534
log /dev/log uucp
maxconn 8000


 maxconn 8000
 timeout connect 15s
 timeout server 30m
 timeout client 30m
 option tcpka
 log global
 option tcplog
 option log-health-checks
 option log-separate-errors
 option forwardfor
 option http-server-close
 mode http
stats enable
stats uri /stats
stats realm haproxy\ stats
stats auth letmein:password
  1. For the "./well-known" uris - we send to the local
  2. busybox httpd process. This is so haproxy has access
  3. to the certs from LetsEncrypt

frontend http-in

       mode http
       bind <public_ip>:80
       acl is_acme_uri path_beg /.well-known
       use_backend letsencrypt if is_acme_uri

backend letsencrypt

       server letsencrypt

rc-update add http rc-update add haproxy openrc

3. Set up acme-client

 apk add acme-client