Fix issues with config in readme.rst

parent 09d2c1edb3
commit 9d92c20e80

120 README.rst
@ -11,7 +11,7 @@ take additional steps during the installation.
- Debian Jessie (or higher) or Ubuntu Trusty (or higher).
- Python 2.7 (2.6 is supported by certbot and our goal is to be compatible but
it has not been tested yet).
- HAProxy 1.5+ (we will configure SNI, which is not strictly required)
- HAProxy 1.6+ (we will configure SNI, which is not strictly required)
- Certbot 0.8+

Installing: Getting started
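Review bot: the HAProxy prerequisite is raised from 1.5+ to 1.6+ with no reason given; state which directive or feature in the configuration further down needs 1.6, so readers on the Debian Jessie / Ubuntu Trusty baseline listed two lines above can check whether their distribution package qualifies.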
@ -106,9 +106,10 @@ In order to let Certbot run as an unprivileged user, we will:
automatic renewal of certificates can be run by this user.
- Tell Certbot that the working directories are located in ``certbot``'s home
directory.
- Optionally: add your own user account to the Cerbot user's group so you can
- Optionally: add your own user account to the Certbot user's group so you can
run Certbot manually.
- Allow HAProxy to access the certificates that are generated by Certbot.
- Allow the certbot user to restart the HAProxy server.

Lastly, to do automatic renewal of certificates, we will create a systemd timer
and a service to start at every boot and every 12 hours, at a random time off
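Review bot: the new list item grants the certbot user a full *restart* of HAProxy; a reload (`systemctl reload haproxy`) picks up renewed certificates without dropping open connections and is the smaller privilege to hand out, and whichever verb is chosen here should match the sudoers rule added later in this commit.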
@ -130,7 +131,7 @@ web hosting environment - you can add those users to the ``certbot`` group.

usermod -a -G certbot [ADD YOUR USER HERE]

You will also need to tell your user what the working directory of your Cerbot
You will also need to tell your user what the working directory of your Certbot
setup is (/opt/certbot/). Certbot allows you to create a configuration file
with default settings in the users' home dir:
``opt/certbot/.config/letsencrypt/cli.ini``.
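Review bot: the path in the last line of this hunk is missing its leading slash; it should read ``/opt/certbot/.config/letsencrypt/cli.ini`` to match the ``/opt/certbot/`` working directory named two lines earlier. "users' home dir" should also be "user's home dir".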
@ -148,6 +149,14 @@ Besides the working directory.

Next time you run Certbot, it will use our new working directory.

Now to allow the certbot user to restart HAProxy, put the following in the
sudoers file:

.. code:: bash
cat <<EOF >> /etc/sudoers
%certbot ALL=NOPASSWD: /bin/systemctl restart haproxy
EOF

Now we haven't done one very essential thing yet, install ``certbot-haproxy``.
Since our plugin is in an alpha stage, we did not package it yet. You will need
to get it from our Gitlab server.
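Review bot: appending to `/etc/sudoers` with `cat <<EOF >>` skips the syntax check that `visudo` performs, and a single malformed line there locks every user out of sudo; write the rule to its own file instead (`/etc/sudoers.d/certbot`, mode 0440) and validate it with `visudo -cf /etc/sudoers.d/certbot` before relying on it. Consider `reload` rather than `restart` in the command the group is allowed to run, since a reload keeps existing connections open while still loading the renewed certificates.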
@ -184,15 +193,14 @@ together a configuration that works for you.

# Default ciphers to use on SSL-enabled listening sockets.
# Cipher suites chosen by following logic:
# - Authenticated ciphers first
# - SHA384/256 first, then SHA for compatibility
# - Bits of security 128>256 (weighing performance vs added security)
# - Key exchange: EECDH>DHE (faster first)
# - Mode: GCM>CBC (streaming cipher over block cipher)
# - Ephemeral: All use ephemeral key exchanges
# - Explicitly disable weak ciphers and SSLv3
ssl-default-bind-ciphers AES128+AESGCM+EECDH+SHA256:AES128+EECDH:AES128+AESGCM+DHE:AES128+EDH:AES256+AESGCM+EECDH:AES256+EECDH:AES256+AESGCM+EDH:AES256+EDH:-SHA:AES128+AESGCM+EECDH+SHA256:AES128+EECDH:AES128+AESGCM+DHE:AES128+EDH:AES256+AESGCM+EECDH:AES256+EECDH:AES256+AESGCM+EDH:AES256+EDH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!3DES:!DSS
ssl-default-bind-options no-sslv3 no-tls-tickets force-tlsv12
#ssl-default-bind-options no-sslv3 no-tls-tickets force-tlsv12
ssl-default-bind-options no-sslv3 no-tls-tickets
ssl-dh-param-file /opt/certbot/dhparams.pem

defaults
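Review bot: the active `ssl-default-bind-options` line loses `force-tlsv12`, so TLS 1.0 and 1.1 are accepted again, while the comment block above still promises that weak protocols are disabled (only SSLv3 is now). Leaving the stricter line commented out with no explanation hides a deliberate security trade-off; add a comment saying why it was relaxed (presumably client compatibility) and that readers without such clients should keep `force-tlsv12`.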
@ -214,49 +222,49 @@ together a configuration that works for you.
frontend http-in
# Listen on port 80
bind *:80
mode http
# Listen on port 443
# Uncomment after running certbot for the first time, a certificate
# needs to be installed *before* HAProxy will be able to start when this
# directive is not commented.
#
## bind *:443 ssl crt /opt/cerbot/haproxy_fullchains
bind *:443 ssl crt /opt/certbot/haproxy_fullchains/__fallback.pem crt /opt/certbot/haproxy_fullchains

# Forward Cerbot verification requests to the certbot-haproxy plugin
# Forward Certbot verification requests to the certbot-haproxy plugin
acl is_certbot path_beg -i /.well-known/acme-challenge
rspadd Strict-Transport-Security:\ max-age=31536000;\ includeSubDomains;\ preload
rspadd X-Frame-Options:\ DENY
use_backend certbot if is_certbot
# The default backend is a cluster of 4 Apache servers that you need to
# host.
default_backend nodes

backend certbot
log global
mode http
server certbot 127.0.0.1:8000

# If redirection from port 80 to 443 is to be forced, uncomment the next
# line. Keep in mind that the bind *:443 line should be uncommented and a
# certificate should be present for all domains
# redirect scheme https if !{ ssl_fc }
backend certbot
log global
mode http
server certbot 127.0.0.1:8000

# You can also configure separate domains to force a redirect from port 80
# to 443 like this:
# redirect scheme https if !{ ssl_fc } and [PUT YOUR DOMAIN NAME HERE]

# The default backend is a cluster of 4 Apache servers that you need to
# host.
default_backend nodes
backend nodes
log global
balance roundrobin
option forwardfor
option http-server-close
option httpclose
http-request set-header X-Forwarded-Port %[dst_port]
http-request add-header X-Forwarded-Proto https if { ssl_fc }
option httpchk HEAD / HTTP/1.1\r\nHost:localhost
server node1 127.0.0.1:8080 check
server node2 127.0.0.1:8080 check
server node3 127.0.0.1:8080 check
server node4 127.0.0.1:8080 check
# If redirection from port 80 to 443 is to be forced, uncomment the next
# line. Keep in mind that the bind *:443 line should be uncommented and a
# certificate should be present for all domains
redirect scheme https if !{ ssl_fc }

backend nodes
log global
mode http
option tcplog
balance roundrobin
option forwardfor
option http-server-close
option httpclose
http-request set-header X-Forwarded-Port %[dst_port]
http-request add-header X-Forwarded-Proto https if { ssl_fc }
option httpchk HEAD / HTTP/1.1\r\nHost:localhost
server node2 hn222.greenhost.nl:80 check
server node1 hn227.greenhost.nl:80 check
EOF

systemctl restart haproxy
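Review bot: the `bind *:443 ssl crt .../__fallback.pem crt .../haproxy_fullchains` line is now active, but the comment directly above it still tells the reader to uncomment it only after the first certbot run, and the later text still calls the two certificate files a prerequisite for starting with `bind *:443`; either explain that `__fallback.pem` lets HAProxy start before any certificate exists, or keep the line commented and fix the comment. The new `rspadd Strict-Transport-Security ... includeSubDomains; preload` is unconditional in a frontend that also serves port 80, and `preload` plus `includeSubDomains` commits every subdomain to HTTPS in a way that is hard to undo; guard it with `if { ssl_fc }` and say so in a comment. The uncommented `redirect scheme https if !{ ssl_fc }` now sits after `server certbot 127.0.0.1:8000` and before `backend nodes`, so it belongs to `backend certbot` and would redirect the plain-HTTP ACME challenge requests that the `is_certbot` ACL sends there, while its own comment still says "uncomment the next line"; if a global redirect is intended, move it into `frontend http-in`. Finally, the new `backend nodes` sets `option tcplog` in `mode http` (where `httplog` is the matching option) and replaces the `127.0.0.1:8080` placeholders with `hn222.greenhost.nl` / `hn227.greenhost.nl` although the comment still says "a cluster of 4 Apache servers that you need to host"; placeholders serve readers better than someone else's hostnames.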
@ -295,6 +303,44 @@ After you run certbot successfully once, there will be 2 certificate files in
the certificate directory. This is a pre-requisite for HAProxy to start with
the ``bind *:443 [..]`` directive in the configuration.

You can auto renew certificates by using the systemd service and timer below.
They are set to run every 12 hours because certificates that *will not* expire
soon will not be replaced but certificates that *will* expire soon, will be
replaced in a timely manner. The timer also starts the renewal process 2
minutes after the server boots, this is done so renewal starts immediately
after the server has been offline for a long time.

.. code:: bash
cat <<EOF > /etc/systemd/system/letsencrypt.timer
[Unit]
Description=Run Let's Encrypt every 12 hours

[Timer]
# Time to wait after booting before we run first time
OnBootSec=2min
# Time between running each consecutive time
OnUnitActiveSec=12h
Unit=letsencrypt.service

[Install]
WantedBy=timers.target
EOF

cat <<EOF > /etc/systemd/system/letsencrypt.service
[Unit]
Description=Renew Let's Encrypt Certificates

[Service]
Type=simple
ExecStart=/usr/bin/certbot renew -q
EOF

# Enable the timer and start it, this is not necessary for the service,
# since the timer starts it.
systemctl enable letsencrypt.timer
systemctl start letsencrypt.timer


Development: Getting started
-----------------------------

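Review bot: `letsencrypt.service` has no `User=` line, so `certbot renew -q` runs as root, which undoes the "let Certbot run as an unprivileged user" setup this README builds earlier (the certbot user, its home directory as working directory, the sudoers rule for restarting HAProxy); add `User=certbot` to the `[Service]` section. `Type=oneshot` is the conventional type for a short job fired by a timer, and the earlier promise that renewal runs "at a random time off" every 12 hours is not honoured by this timer, which has no `RandomizedDelaySec=`; either add one or drop the claim.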
@ -314,9 +360,9 @@ other path in your home directory.

.. code:: bash

mkdir ~/projects/cerbot-haproxy/working
mkdir ~/projects/cerbot-haproxy/working/config
mkdir ~/projects/cerbot-haproxy/working/logs
mkdir ~/projects/certbot-haproxy/working
mkdir ~/projects/certbot-haproxy/working/config
mkdir ~/projects/certbot-haproxy/working/logs
cat <<EOF >> ~/.config/letsencrypt/cli.ini
work-dir=~/projects/certbot-haproxy/working/
logs-dir=~/projects/certbot-haproxy/working/logs/
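Review bot: the three corrected `mkdir` calls still fail on a fresh checkout if `~/projects/certbot-haproxy` does not yet exist, since `mkdir` without `-p` does not create parent directories; `mkdir -p ~/projects/certbot-haproxy/working/{config,logs}` creates the whole tree in one call and is safe to re-run.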