Apache hosting node and haproxy forwarding configuration completed, /.well-known gets forwarded to another port.

dev_start.sh

@@ -52,7 +52,7 @@ do_sudo () {
         sudo ls &> /dev/null
         SUDO=1
     fi
-    sudo bash -c "$1"
+    sudo bash -c "$@"
 }
 
 if ! commands_exist "${CMDS}"; then
@@ -70,6 +70,10 @@ for PLUGIN in "${VAGRANT_PLUGINS_REQUIRED[@]}"; do
     fi
 done
 
+if ! grep -Fxq "192.168.33.222 testsite.nl" /etc/hosts; then
+  do_sudo "echo '192.168.33.222 testsite.nl' >> /etc/hosts"
+fi
+
 log "Starting Boulder CA server instance.."
 if vagrant up boulder; then
     log "Starting LE HAProxy client vm.."

provisioning_client.sh

@@ -8,7 +8,8 @@ apt-get upgrade -y
 apt-get install -y \
     sudo htop net-tools tcpdump ufw git haproxy tmux watch curl wget \
     openssl ca-certificates build-essential libffi-dev \
-    python python-setuptools python-dev libssl-dev
+    python python-setuptools python-dev libssl-dev apache2
+
 apt-get install -y -t jessie-backports certbot
 
 pip install --upgrade setuptools
@@ -19,6 +20,7 @@ pip install virtualenv
 ufw allow ssh
 ufw allow http
 ufw allow https
+ufw allow 8080
 ufw default deny incoming
 ufw --force enable
 
@@ -37,6 +39,7 @@ ${PROJECT_SERVER_IP}   le1.wtf
 ${PROJECT_SERVER_IP}   le2.wtf
 ${PROJECT_SERVER_IP}   le3.wtf
 ${PROJECT_SERVER_IP}   nginx.wtf
+${PROJECT_SERVER_IP}   testsite.nl
 EOF
 
 mkdir -p "/${PROJECT_NAME}/working/logs"
@@ -74,6 +77,107 @@ alias la='ls -A'
 alias l='ls -CF'
 EOF
 
+# Allow haproxy to read the dirs of the le plugin
+# TODO: Does this even work with the `chroot` directive?
+usermod -a -G vagrant haproxy
+
+cat <<EOF > /etc/haproxy/haproxy.cfg
+global
+        log /dev/log    local0
+        log /dev/log    local1 notice
+        chroot /var/lib/haproxy
+        stats socket /run/haproxy/admin.sock mode 660 level admin
+        stats timeout 30s
+        user haproxy
+        group haproxy
+        daemon
+
+        # Default SSL material locations
+        ca-base /etc/ssl/certs
+        crt-base /etc/ssl/private
+
+        # Default ciphers to use on SSL-enabled listening sockets.
+        # Cipher suites chosen by following logic:
+        #  - Bits of security 128>256 (weighing performance vs added security)
+        #  - Key exchange: EECDH>DHE (faster first)
+        #  - Mode: GCM>CBC (streaming cipher over block cipher)
+        #  - Ephemeral: All use ephemeral key exchanges
+        #  - Explicitly disable weak ciphers and SSLv3
+        ssl-default-bind-ciphers AES128+AESGCM+EECDH:AES128+EECDH:AES128+AESGCM+DHE:AES128+EDH:AES256+AESGCM+EECDH:AES256+EECDH:AES256+AESGCM+EDH:AES256+EDH:!SHA:!MD5:!RC4:!DES:!DSS
+        ssl-default-bind-options no-sslv3
+
+defaults
+    log     global
+    mode    http
+    option  httplog
+    option  dontlognull
+    timeout connect 5000
+    timeout client  50000
+    timeout server  50000
+    errorfile 400 /etc/haproxy/errors/400.http
+    errorfile 403 /etc/haproxy/errors/403.http
+    errorfile 408 /etc/haproxy/errors/408.http
+    errorfile 500 /etc/haproxy/errors/500.http
+    errorfile 502 /etc/haproxy/errors/502.http
+    errorfile 503 /etc/haproxy/errors/503.http
+    errorfile 504 /etc/haproxy/errors/504.http
+
+frontend http-in
+    bind *:80
+    mode http
+    # LE HAProxy installer should combine certs and place them here..
+    # Uncomment when ready.. Needs ACL to work per site.
+    # bind *:443 ssl crt /lehaproxy/working/certs/
+
+    acl is_letsencrypt path_beg -i /.well-known/acme-challenge
+    use_backend letsencrypt if is_letsencrypt
+
+    # IF redirect is to be used, uncomment the next line
+    # redirect scheme https if !{ ssl_fc } and testsite.nl
+    default_backend nodes
+
+backend letsencrypt
+    log global
+    mode http
+    server letsencrypt 127.0.0.1:8000
+
+backend nodes
+    log global
+    mode http
+    option tcplog
+    balance roundrobin
+    option forwardfor
+    option http-server-close
+    option httpclose
+    http-request set-header X-Forwarded-Port %[dst_port]
+    http-request add-header X-Forwarded-Proto https if { ssl_fc }
+    option httpchk HEAD / HTTP/1.1\r\nHost:localhost
+    server node1 127.0.0.1:8080 check
+    server node2 127.0.0.1:8080 check
+    server node3 127.0.0.1:8080 check
+    server node4 127.0.0.1:8080 check
+EOF
+cat <<EOF > /etc/apache2/sites-enabled/000-default.conf
+<VirtualHost testsite.nl:8080>
+        ServerName testsite.nl
+
+        ServerAdmin webmaster@localhost
+        DocumentRoot /var/www/html
+
+        LogLevel error
+
+        ErrorLog \${APACHE_LOG_DIR}/error.log
+        CustomLog \${APACHE_LOG_DIR}/access.log combined
+</VirtualHost>
+EOF
+
+cat <<EOF > /etc/apache2/ports.conf
+Listen 8080
+EOF
+
+systemctl restart apache2
+systemctl restart haproxy
+
 #cat <<EOF > /etc/systemd/system/letsencrypt.timer
 #[Unit]
 #Description=Run Let's Encrypt every 12 hours

provisioning_server.sh

@@ -30,6 +30,15 @@ fi
 if ! grep -Fxq "127.0.0.1 boulder boulder-rabbitmq boulder-mysql" /etc/hosts; then
   echo '127.0.0.1 boulder boulder-rabbitmq boulder-mysql' >> /etc/hosts
 fi
+if ! grep -Fxq "192.168.33.222 testsite.nl" /etc/hosts; then
+  echo '192.168.33.222 testsite.nl' >> /etc/hosts
+fi
+
+cat <<EOF >> /root/.bashrc
+alias ll='ls -lah'
+alias la='ls -A'
+alias l='ls -CF'
+EOF
 
 source ~/.variables