kevin's notes

HAProxy

Allgemein

Software for load balancing and HA.

Config:

/etc/haproxy/haproxy.cfg

global
	log /dev/log	local0
	log /dev/log	local1 notice
	chroot /var/lib/haproxy
	stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
	stats timeout 30s
	user haproxy
	group haproxy
	daemon

	# Default SSL material locations
	ca-base /etc/ssl/certs
	crt-base /etc/ssl/private

	# See: https://ssl-config.mozilla.org/#server=haproxy&server-version=2.0.3&config=intermediate
        ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
        ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
        ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets

defaults
	log	global
	mode	http
	option	httplog
	option	dontlognull
        timeout connect 5000
        timeout client  50000
        timeout server  50000
	errorfile 400 /etc/haproxy/errors/400.http
	errorfile 403 /etc/haproxy/errors/403.http
	errorfile 408 /etc/haproxy/errors/408.http
	errorfile 500 /etc/haproxy/errors/500.http
	errorfile 502 /etc/haproxy/errors/502.http
	errorfile 503 /etc/haproxy/errors/503.http
	errorfile 504 /etc/haproxy/errors/504.http

listen stats
  bind *:8234
  mode http
  stats enable  # Enable stats page
  stats hide-version  # Hide HAProxy version
  stats realm Haproxy\ Statistics  # Title text for popup window
  stats uri /
  stats auth user:secret123

# Frontend configuration for HTTP
# Only listens on port 80 (IPv4 and IPv6)
frontend website_frontend-http
    bind :80
    bind :::80
    mode http
    # ACL for detecting Let's Encrypt validtion requests
    acl is_certbot path_beg /.well-known/acme-challenge/
    use_backend backend-certbot if is_certbot
    default_backend website_backend

# Frontend configuration for HTTPS
# Only listens on port 443 (IPv4 and IPv6)
frontend website_frontend-https
    bind :443 ssl crt /etc/haproxy/ssl/
    bind :::443 ssl crt /etc/haproxy/ssl/
    mode http
    option forwardfor 
    # ACL for detecting Let's Encrypt validtion requests
    acl is_certbot path_beg /.well-known/acme-challenge/ 
    use_backend backend-certbot if is_certbot
    default_backend website_backend

backend website_backend
   balance roundrobin
   server website-node-1 10.100.20.11:443 check ssl verify none
   server website-node-2 10.100.20.12:443 check ssl verify none

# Certbot backend
# Contains certbot stand-alone webserver
backend backend-certbot
    mode http
    server certbot 127.0.0.1:9080

TLS Termination

LetsEncrypt

#!/bin/bash
# Script by Kevin Bentlage - https://kevinbentlage.nl/blog/lets-encrypt-with-haproxy/
# Loop through all Let's Encrypt certificates
for CERTIFICATE in `find /etc/letsencrypt/live/* -type d`; do
  CERTIFICATE=`basename $CERTIFICATE`
  # Combine certificate and private key to single file
  cat /etc/letsencrypt/live/$CERTIFICATE/fullchain.pem /etc/letsencrypt/live/$CERTIFICATE/privkey.pem > /etc/haproxy/ssl/$CERTIFICATE.pem
done

#!/bin/bash

# Script by Kevin Bentlage - https://kevinbentlage.nl/blog/lets-encrypt-with-haproxy/

certbot renew --standalone --preferred-challenges http --http-01-address 127.0.0.1 --http-01-port 9080 --post-hook "/etc/haproxy/prepareLetsEncryptCertificates.sh && systemctl reload haproxy.service" --quiet