
Setup Haproxy

May 07, 2019

Environment

# haproxy -v
HA-Proxy version 1.6.3 2015/12/25
# cat /etc/issue
Ubuntu 16.04.4 LTS \n \l

Install Haproxy

# Refresh the package index first; socat is presumably installed for talking
# to the HAProxy stats socket — confirm it is actually needed.
apt-get update && apt-get install -y haproxy socat

Get SSL Cert

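# Domain to issue the certificate for; change it before running.
domain='example.com'
# Download the acme.sh installer to a file first so it can be inspected before
# it runs as root, rather than piping an unverified script straight into sh.
# -f makes curl fail on an HTTP error instead of handing sh an error page.
installer=$(mktemp) || exit 1
curl -fsSL https://get.acme.sh -o "$installer" && sh "$installer"
rm -f -- "$installer"
# DNS API credentials for the dns_ali validation hook. acme.sh reads them from
# the environment, so they do not appear as command-line arguments.
export Ali_Key="Visit your dashboard on Aliyun/AlibabaCloud to get it"
export Ali_Secret="Visit your dashboard on Aliyun/AlibabaCloud to get it"
# "*.$domain" must be quoted: unquoted, the shell would try to glob it against
# the current directory. Drop --debug once issuance works; it is very verbose.
/root/.acme.sh/acme.sh --issue --dns dns_ali -d "$domain" -d "*.$domain" --debug
# HAProxy wants cert, chain and private key concatenated in one PEM. Because
# the file contains the key, create it with restrictive permissions: the umask
# set in the subshell applies to the file created by the redirection.
( umask 077 && cat "/root/.acme.sh/$domain/$domain.cer" \
      "/root/.acme.sh/$domain/ca.cer" \
      "/root/.acme.sh/$domain/$domain.key" > "/etc/ssl/private/$domain.pem" )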

Example Configurations

Config file location: /etc/haproxy/haproxy.cfg.

Example 1: Multiple domain names with SSL
frontend website
    mode http
    # Either list each certificate explicitly (commented line below) or point
    # crt at a directory, in which case the certificates found there are loaded.
    # bind 0.0.0.0:443 ssl crt /etc/ssl/private/example1.com.pem crt /etc/ssl/private/example2.com.pem
    bind 0.0.0.0:443 ssl crt /etc/ssl/private
    bind 0.0.0.0:80
    # Force all https.
    redirect scheme https if !{ ssl_fc }
    # Route on the TLS SNI name. There is no default_backend here, so a request
    # whose SNI matches neither rule will most likely be answered with a 503.
    use_backend example1 if { ssl_fc_sni example1.com }
    use_backend example2 if { ssl_fc_sni example2.com }
    # Add a X-Forwarded-For header
    # NOTE(review): "unless h_xff_exists" keeps whatever X-Forwarded-For the
    # client itself sent. If this proxy is the public edge (nothing trusted in
    # front of it), prefer set-header or "option forwardfor" so the backend
    # always sees the real source address rather than a client-chosen value.
    acl h_xff_exists req.hdr(X-Forwarded-For) -m found
    http-request add-header X-Forwarded-For %[src] unless h_xff_exists

backend example1
  # Upstream for example1.com; plain HTTP over loopback.
  server srv1 127.0.0.1:8000
  mode http

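# Second backend, the one "use_backend example2" in the frontend refers to.
# It was mislabelled "example1", which duplicates the name of the first backend
# (HAProxy refuses two backends with the same name at config check) and leaves
# the example2 rule pointing at a backend that does not exist.
backend example2
  mode http
  server srv2 127.0.0.1:8080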

Example 2: One domain with SSL.

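global
	log /dev/log	local0
	log /dev/log	local1 notice
	chroot /var/lib/haproxy
	# Runtime API socket. "level admin" allows changing server state at runtime,
	# so the socket mode/ownership is the only thing guarding those actions.
	stats socket /run/haproxy/admin.sock mode 660 level admin
	stats timeout 30s
	user haproxy
	group haproxy
	daemon

	# Default SSL material locations
	ca-base /etc/ssl/certs
	crt-base /etc/ssl/private

	# Default ciphers to use on SSL-enabled listening sockets.
	# For more information, see ciphers(1SSL). Based on:
	#  https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
	# with the 3DES suites removed: 64-bit block ciphers are exposed to
	# birthday attacks on long-lived connections (Sweet32).
	ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
	# no-sslv3 alone still leaves TLS 1.0 and 1.1 enabled; disable those too.
	ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11
	# added one line by J
	tune.ssl.default-dh-param 2048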

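defaults
	log	global
	mode	http
	# Added two lines here by J
	option forwardfor
	option http-server-close
	option	httplog
	option	dontlognull
	# Bound how long a client may take to send the complete request headers.
	# "timeout client" is an inactivity timeout, so without this a client can
	# keep a connection open indefinitely by trickling a byte at a time.
	timeout http-request 10s
	# Values without a unit are milliseconds: 50000 = 50s.
	timeout connect 50000
	timeout client  50000
	timeout server  50000
	errorfile 400 /etc/haproxy/errors/400.http
	errorfile 403 /etc/haproxy/errors/403.http
	errorfile 408 /etc/haproxy/errors/408.http
	errorfile 500 /etc/haproxy/errors/500.http
	errorfile 502 /etc/haproxy/errors/502.http
	errorfile 503 /etc/haproxy/errors/503.http
	errorfile 504 /etc/haproxy/errors/504.http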

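listen stats
    # Listens on every interface. This bind has no "ssl", so the basic-auth
    # credentials below travel in clear text; if the page must be reachable
    # remotely, add ssl crt ... to the bind or restrict it with a firewall /
    # SSH tunnel.
    bind *:8088
    mode http
    stats enable
    stats hide-version
    stats realm Haproxy\ Statistics
    stats uri /stats
    # Change it.
    stats auth username:password
    stats refresh 10s
    # "stats admin" allows disabling/enabling servers from the web page. The
    # original "if TRUE" granted that to anyone who knows the password; limit
    # it to loopback so a leaked password only gives read access from outside.
    acl from_loopback src 127.0.0.0/8
    stats admin if from_loopback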

frontend www-http
    # Plain-HTTP listener. The backend redirects anything that did not arrive
    # over TLS, so in practice this frontend only ever serves the redirect.
    default_backend www-backend
    bind *:80
    # reqadd appends the header; later HAProxy versions replace it with
    # "http-request add-header".
    reqadd X-Forwarded-Proto:\ http

frontend www-https
    # TLS listener using the PEM produced by the acme.sh step (cert, chain
    # and key concatenated).
    default_backend www-backend
    bind *:443 ssl crt /etc/ssl/private/example.com.pem
    # Tells the backend the original scheme; appended, not replaced.
    reqadd X-Forwarded-Proto:\ https

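backend www-backend
    # Anything that arrived on the plain-HTTP frontend is redirected to https.
    redirect scheme https if !{ ssl_fc }
    balance roundrobin
    # Stickiness cookie. The site is https-only because of the redirect above,
    # so mark the cookie "secure" (browsers will not send it over plain http)
    # and "httponly" (page scripts cannot read it); the original had neither.
    cookie SERVERID insert indirect nocache httponly secure
    mode http
    server node1 127.0.0.1:8080 cookie node1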

Miscellaneous

Spin up a temporary server

Using the Python built-in server

# Python 2 only (Python 3 moved this to http.server). Serves the current
# directory on port 8000. NOTE(review): it listens on all interfaces, so the
# raw server is reachable directly and not only through HAProxy.
python -m SimpleHTTPServer 8000

or using the PHP built-in server

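# Serve the current directory on loopback only. The HAProxy backends above
# point at 127.0.0.1, and binding 0.0.0.0 would also expose this unhardened
# dev server directly, bypassing the TLS frontend and its redirect.
php -S 127.0.0.1:8000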

or using docker-compose

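# docker-compose.yml file
version: "2"
services:
  temp:
    # An untagged image resolves to "latest", which changes over time; pin a
    # specific tag for anything beyond a throwaway test.
    image: nginx
    container_name: temp
    volumes:
      # Read-only mount: the container only needs to serve these files.
      - ./html:/usr/share/nginx/html:ro
    restart: always
    ports:
      # Publish on loopback only, matching the 127.0.0.1 backends in the
      # HAProxy config above, so the container is reachable only via the proxy.
      - "127.0.0.1:8000:80"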

Links

