.. _full_server_setup:

Full server setup
=================

This document describes how to set up a server running HAProxy with certbot and
the certbot-haproxy plugin. The installation below assumes you are running
Debian Jessie, but it should be almost entirely the same process on Ubuntu.

First add the backports repo for Jessie to your apt sources.

.. note::

    This will not work for Ubuntu; you will need to use another source. Check
    which certbot version ships with your version of Ubuntu: if it is below
    0.8, you need to find a backport PPA or install certbot from source.

.. code:: bash

    echo "deb http://ftp.debian.org/debian jessie-backports main" >> \
        /etc/apt/sources.list.d/jessie-backports.list

Now update, upgrade and install some requirements:

- **Some utilities:** ``sudo`` ``tcpdump`` ``ufw`` ``git`` ``curl`` ``wget``
- **OpenSSL and CA certificates:** ``openssl`` ``ca-certificates``
- **Build dependencies:** ``build-essential`` ``libffi-dev`` ``libssl-dev`` ``python-dev``
- **Python and related:** ``python`` ``python-setuptools``
- **HAProxy:** ``haproxy``
- **Python dependency management:** ``pip`` (installed with ``easy_install``
  below rather than from apt)

.. code:: bash

    apt-get update
    apt-get upgrade -y
    apt-get install -y \
        sudo tcpdump ufw git curl wget \
        openssl ca-certificates \
        build-essential libffi-dev libssl-dev python-dev \
        python python-setuptools \
        haproxy

    easy_install pip
    pip install --upgrade setuptools

We also installed a simple firewall above, but it is not yet configured. Let's
do that now:

.. code:: bash

    ufw allow ssh
    ufw allow http
    ufw allow https
    ufw default deny incoming
    ufw --force enable

.. warning::

    You probably want a little more protection for a production proxy than
    just this simple firewall, but that is out of the scope of this readme.
    Do check the resulting rule set with ``ufw status verbose`` before you
    close your ssh session: the ``deny incoming`` default applies to
    everything not explicitly allowed above.

Now that we have all dependencies, it's time to start a process that may take
quite some time to complete. The DH parameters HAProxy ships with are
considered weak. We need to generate a new ``dhparams.pem`` file with a prime
of at least ``2048`` bits; you can also opt for ``3072`` or ``4096``. This can
take hours on lower specification hardware, and still takes minutes on faster
hardware, especially with ``4096`` bit primes. Run this in a separate ssh
session or use ``screen`` or ``tmux`` to let it run in the background.

The file is written into ``/opt/certbot``, which becomes the home directory of
the ``certbot`` user further down, so the directory has to exist first.

.. code:: bash

    mkdir -p /opt/certbot
    openssl dhparam -out /opt/certbot/dhparams.pem 2048

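Because the generation above can run for hours and is easy to interrupt, here is an added check, not part of certbot-haproxy or this readme: a small POSIX shell script that reads the modulus size back out of a ``dhparams.pem`` with ``openssl``, regenerates the group only when the file is missing or smaller than the requested size, writes to a temporary file first so an interrupted run never leaves a truncated ``dhparams.pem`` behind, and finally runs OpenSSL's own parameter check. It assumes ``openssl`` is on ``PATH`` and uses the ``/opt/certbot/dhparams.pem`` path from above; the 2048-bit minimum is the one this document asks for.

```bash
#!/bin/sh
# Added example, not part of certbot-haproxy: check (and if needed create)
# the DH parameters file before HAProxy is pointed at it.
# Assumes: openssl on PATH; the file path /opt/certbot/dhparams.pem from above.
set -eu

# Print the modulus size in bits of a PEM DH parameters file, or nothing if
# the file does not parse (openssl prints "DH Parameters: (N bit)").
dhparam_bits() {
    openssl dhparam -in "$1" -text -noout 2>/dev/null \
        | grep -Eo '\([0-9]+ bit\)' | head -n 1 | tr -dc '0-9'
}

# Succeed only if the file parses and its modulus has at least $2 bits
# (default 2048, the minimum the text above asks for).
dhparam_strong_enough() {
    bits=$(dhparam_bits "$1")
    [ -n "$bits" ] || return 1
    if [ "$bits" -ge "${2:-2048}" ]; then
        return 0
    fi
    return 1
}

# Generate a new group only when the existing file is missing or too small,
# then let OpenSSL verify it (safe prime, sane generator) and make it readable
# for the haproxy user, which only ever needs to read it.
ensure_dhparams() {
    file=$1
    bits=${2:-2048}
    if dhparam_strong_enough "$file" "$bits"; then
        echo "$file already holds a $(dhparam_bits "$file")-bit group, keeping it"
    else
        # Write to a temporary name first: an interrupted run must not leave a
        # half-written dhparams.pem that HAProxy would later refuse to load.
        openssl dhparam -out "$file.tmp" "$bits"
        mv "$file.tmp" "$file"
    fi
    openssl dhparam -in "$file" -check -noout
    chmod 0644 "$file"
}

# Usage: ./check-dhparams.sh /opt/certbot/dhparams.pem 2048
if [ "$#" -gt 0 ]; then
    ensure_dhparams "$@"
fi
```

Run it once after the long generation finishes (or instead of the bare ``openssl dhparam`` call); rerunning it later is harmless, because it keeps a file that already meets the size you pass.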
Now set a hostname.

.. code:: bash

    echo "[INSERT YOUR HOSTNAME HERE]" > /etc/hostname
    hostname -F /etc/hostname

Run as unprivileged user
++++++++++++++++++++++++

If you want to run Certbot in an unprivileged mode, keep reading; otherwise,
skip to the installation of Certbot.

Certbot normally requires access to the ``/etc/`` directory, which is owned by
root, and therefore Certbot needs to run as root. However, we don't like it
when processes run as root, least of all when they are opening ports on a
public network interface.

In order to let Certbot run as an unprivileged user, we will:

- Create a ``certbot`` user with a home directory on the system so the
  automatic renewal of certificates can be run by this user.
- Tell Certbot that the working directories are located in ``certbot``'s home
  directory.
- Optionally: add your own user account to the Certbot user's group so you can
  run Certbot manually.
- Allow HAProxy to access the certificates that are generated by Certbot.
- Allow the certbot user to restart the HAProxy server.

Lastly, to do automatic renewal of certificates, we will create a systemd timer
and a service that run at every boot and every 12 hours, at a random time of
the day, so that all installations together do not DDoS Let's Encrypt's
service.

.. code:: bash

    useradd -s /bin/bash -m -d /opt/certbot certbot
    usermod -a -G certbot haproxy # Allow HAProxy access to the certbot certs
    mkdir -p /opt/certbot/logs
    mkdir -p /opt/certbot/config
    mkdir -p /opt/certbot/.config/letsencrypt
    # /opt/certbot may already exist (dhparams.pem) and the directories above
    # were created by root; useradd does not fix ownership of an existing home,
    # so hand the tree to the certbot user or it cannot write logs and certs.
    chown -R certbot:certbot /opt/certbot

If you need to use Certbot from your user account, or if you have a daemon
running on your proxy server that configures domains on your proxy (e.g. in a
web hosting environment), you can add those users to the ``certbot`` group.

.. code:: bash

    usermod -a -G certbot [ADD YOUR USER HERE]

You will also need to tell your user what the working directory of your Certbot
setup is (``/opt/certbot/``). Certbot allows you to create a configuration file
with default settings in the user's home directory:
``/opt/certbot/.config/letsencrypt/cli.ini``.

Besides the working directory, it also sets the log and config directories:

.. code:: bash

    mkdir -p /opt/certbot/.config/letsencrypt
    cat <<EOF > /opt/certbot/.config/letsencrypt/cli.ini
    work-dir=/opt/certbot/
    logs-dir=/opt/certbot/logs/
    config-dir=/opt/certbot/config
    EOF

Next time you run Certbot as the ``certbot`` user, it will use our new working
directory. Certbot reads this file from the home directory of the user running
it, so when you run Certbot from your own account (as a member of the
``certbot`` group) you need the same three settings in your own
``~/.config/letsencrypt/cli.ini`` or on the command line.

Now to allow the certbot user to restart HAProxy, put the following in the
sudoers file. The rule is deliberately narrow: members of the ``certbot``
group may run exactly ``/bin/systemctl restart haproxy`` without a password,
and nothing else.

.. code:: bash

    cat <<EOF >> /etc/sudoers
    %certbot ALL=NOPASSWD: /bin/systemctl restart haproxy
    EOF

A syntax error in ``/etc/sudoers`` locks everyone out of ``sudo``, so check the
file with ``visudo -c`` afterwards.

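The renewal timer and service promised at the start of this section, as an added example rather than the project's own unit files: a shell function that writes the two units into a directory of your choice and a second function that checks the settings that matter (runs as ``certbot``, oneshot, every 12 hours, with a randomised delay). Assumptions not in this readme: certbot was installed by pip to ``/usr/local/bin/certbot``, the units are called ``certbot-renew.service`` and ``certbot-renew.timer``, the ``certbot`` user and ``/opt/certbot`` from above exist, and a one-hour randomised delay is taken as the "random time of the day". Note that ``RandomizedDelaySec=`` needs systemd 229 or newer; Jessie's stock systemd 215 does not know it, the one from jessie-backports does.

```bash
#!/bin/sh
# Added example, not certbot-haproxy's own unit files: the renewal timer and
# service described above, written as shell so the result can be checked.
# Assumptions: certbot is at /usr/local/bin/certbot (where pip puts it on
# Debian), the units are named certbot-renew.*, the certbot user and
# /opt/certbot exist, and the plugin restarts HAProxy through the sudo rule.
set -eu

# Write certbot-renew.service and certbot-renew.timer into $1.
write_renewal_units() {
    unit_dir=${1:-/etc/systemd/system}
    certbot_bin=${2:-/usr/local/bin/certbot}

    cat > "$unit_dir/certbot-renew.service" <<EOF
[Unit]
Description=Renew Let's Encrypt certificates with certbot-haproxy
After=network-online.target haproxy.service
Wants=network-online.target

[Service]
Type=oneshot
User=certbot
Group=certbot
WorkingDirectory=/opt/certbot
# cli.ini in /opt/certbot/.config/letsencrypt/ supplies the directories.
ExecStart=$certbot_bin renew
# No NoNewPrivileges= here: the installer needs sudo to restart HAProxy.
EOF

    cat > "$unit_dir/certbot-renew.timer" <<EOF
[Unit]
Description=Run certbot-renew.service at boot and every 12 hours

[Timer]
OnBootSec=5min
OnUnitActiveSec=12h
# Spread the start over an hour so many proxies do not hit Let's Encrypt at
# the same moment. RandomizedDelaySec= needs systemd 229 or newer (Jessie's
# stock 215 lacks it; jessie-backports carries a newer systemd).
RandomizedDelaySec=1h
Unit=certbot-renew.service

[Install]
WantedBy=timers.target
EOF
}

# Succeed only if both units exist and carry the settings that matter:
# runs as certbot, oneshot, every 12 hours, with a random delay.
renewal_units_ok() {
    unit_dir=${1:-/etc/systemd/system}
    svc=$unit_dir/certbot-renew.service
    tmr=$unit_dir/certbot-renew.timer
    grep -qs '^User=certbot$' "$svc" || return 1
    grep -qs '^Type=oneshot$' "$svc" || return 1
    grep -qs '^OnUnitActiveSec=12h$' "$tmr" || return 1
    grep -qs '^RandomizedDelaySec=' "$tmr" || return 1
    return 0
}

# Usage (as root): ./renewal-units.sh /etc/systemd/system /usr/local/bin/certbot
if [ "$#" -gt 0 ]; then
    write_renewal_units "$@"
    renewal_units_ok "$1"
    systemctl daemon-reload
    systemctl enable certbot-renew.timer
    systemctl start certbot-renew.timer
    systemctl list-timers certbot-renew.timer
fi
```

The service deliberately carries no ``NoNewPrivileges=`` or similar sandboxing: the HAProxy installer has to call ``sudo systemctl restart haproxy`` through the rule added above, and ``NoNewPrivileges=true`` would make that ``sudo`` fail. Harden the unit in other ways (``ProtectSystem=``, ``PrivateTmp=``) if you want, but keep ``sudo`` working.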
Installing certbot-haproxy
++++++++++++++++++++++++++

We haven't done one very essential thing yet: install ``certbot-haproxy``.
Since our plugin is in an alpha stage, we have not packaged it yet. You will
need to get it from our Gitlab server.

.. code:: bash

    git clone https://code.greenhost.net/open/certbot-haproxy.git
    cd ./certbot-haproxy/
    sudo pip install ./

Continue reading `</README.rst>`_ after the quick installation instructions, at
:ref:`haproxy_config`.