Apache hosting node and haproxy forwarding configuration completed, /.well-known gets forwarded to another port.
parent
5311330026
commit
844c191809
|
@ -52,7 +52,7 @@ do_sudo () {
|
|||
sudo ls &> /dev/null
|
||||
SUDO=1
|
||||
fi
|
||||
sudo bash -c "$1"
|
||||
sudo bash -c "$@"
|
||||
}
|
||||
|
||||
if ! commands_exist "${CMDS}"; then
|
||||
|
@ -70,6 +70,10 @@ for PLUGIN in "${VAGRANT_PLUGINS_REQUIRED[@]}"; do
|
|||
fi
|
||||
done
|
||||
|
||||
if ! grep -Fxq "192.168.33.222 testsite.nl" /etc/hosts; then
|
||||
do_sudo "echo '192.168.33.222 testsite.nl' >> /etc/hosts"
|
||||
fi
|
||||
|
||||
log "Starting Boulder CA server instance.."
|
||||
if vagrant up boulder; then
|
||||
log "Starting LE HAProxy client vm.."
|
||||
|
|
|
@ -8,7 +8,8 @@ apt-get upgrade -y
|
|||
apt-get install -y \
|
||||
sudo htop net-tools tcpdump ufw git haproxy tmux watch curl wget \
|
||||
openssl ca-certificates build-essential libffi-dev \
|
||||
python python-setuptools python-dev libssl-dev
|
||||
python python-setuptools python-dev libssl-dev apache2
|
||||
|
||||
apt-get install -y -t jessie-backports certbot
|
||||
|
||||
pip install --upgrade setuptools
|
||||
|
@ -19,6 +20,7 @@ pip install virtualenv
|
|||
ufw allow ssh
|
||||
ufw allow http
|
||||
ufw allow https
|
||||
ufw allow 8080
|
||||
ufw default deny incoming
|
||||
ufw --force enable
|
||||
|
||||
|
@ -37,6 +39,7 @@ ${PROJECT_SERVER_IP} le1.wtf
|
|||
${PROJECT_SERVER_IP} le2.wtf
|
||||
${PROJECT_SERVER_IP} le3.wtf
|
||||
${PROJECT_SERVER_IP} nginx.wtf
|
||||
${PROJECT_SERVER_IP} testsite.nl
|
||||
EOF
|
||||
|
||||
mkdir -p "/${PROJECT_NAME}/working/logs"
|
||||
|
@ -74,6 +77,107 @@ alias la='ls -A'
|
|||
alias l='ls -CF'
|
||||
EOF
|
||||
|
||||
# Allow haproxy to read the dirs of the le plugin
|
||||
# TODO: Does this even work with the `chroot` directive?
|
||||
usermod -a -G vagrant haproxy
|
||||
|
||||
cat <<EOF > /etc/haproxy/haproxy.cfg
|
||||
global
|
||||
log /dev/log local0
|
||||
log /dev/log local1 notice
|
||||
chroot /var/lib/haproxy
|
||||
stats socket /run/haproxy/admin.sock mode 660 level admin
|
||||
stats timeout 30s
|
||||
user haproxy
|
||||
group haproxy
|
||||
daemon
|
||||
|
||||
# Default SSL material locations
|
||||
ca-base /etc/ssl/certs
|
||||
crt-base /etc/ssl/private
|
||||
|
||||
# Default ciphers to use on SSL-enabled listening sockets.
|
||||
# Cipher suites chosen by following logic:
|
||||
# - Bits of security 128>256 (weighing performance vs added security)
|
||||
# - Key exchange: EECDH>DHE (faster first)
|
||||
# - Mode: GCM>CBC (streaming cipher over block cipher)
|
||||
# - Ephemeral: All use ephemeral key exchanges
|
||||
# - Explicitly disable weak ciphers and SSLv3
|
||||
ssl-default-bind-ciphers AES128+AESGCM+EECDH:AES128+EECDH:AES128+AESGCM+DHE:AES128+EDH:AES256+AESGCM+EECDH:AES256+EECDH:AES256+AESGCM+EDH:AES256+EDH:!SHA:!MD5:!RC4:!DES:!DSS
|
||||
ssl-default-bind-options no-sslv3
|
||||
|
||||
defaults
|
||||
log global
|
||||
mode http
|
||||
option httplog
|
||||
option dontlognull
|
||||
timeout connect 5000
|
||||
timeout client 50000
|
||||
timeout server 50000
|
||||
errorfile 400 /etc/haproxy/errors/400.http
|
||||
errorfile 403 /etc/haproxy/errors/403.http
|
||||
errorfile 408 /etc/haproxy/errors/408.http
|
||||
errorfile 500 /etc/haproxy/errors/500.http
|
||||
errorfile 502 /etc/haproxy/errors/502.http
|
||||
errorfile 503 /etc/haproxy/errors/503.http
|
||||
errorfile 504 /etc/haproxy/errors/504.http
|
||||
|
||||
frontend http-in
|
||||
bind *:80
|
||||
mode http
|
||||
# LE HAProxy installer should combine certs and place them here..
|
||||
# Uncomment when ready.. Needs ACL to work per site.
|
||||
# bind *:443 ssl crt /lehaproxy/working/certs/
|
||||
|
||||
acl is_letsencrypt path_beg -i /.well-known/acme-challenge
|
||||
use_backend letsencrypt if is_letsencrypt
|
||||
|
||||
# IF redirect is to be used, uncomment the next line
|
||||
# redirect scheme https if !{ ssl_fc } and testsite.nl
|
||||
default_backend nodes
|
||||
|
||||
backend letsencrypt
|
||||
log global
|
||||
mode http
|
||||
server letsencrypt 127.0.0.1:8000
|
||||
|
||||
backend nodes
|
||||
log global
|
||||
mode http
|
||||
option tcplog
|
||||
balance roundrobin
|
||||
option forwardfor
|
||||
option http-server-close
|
||||
option httpclose
|
||||
http-request set-header X-Forwarded-Port %[dst_port]
|
||||
http-request add-header X-Forwarded-Proto https if { ssl_fc }
|
||||
option httpchk HEAD / HTTP/1.1\r\nHost:localhost
|
||||
server node1 127.0.0.1:8080 check
|
||||
server node2 127.0.0.1:8080 check
|
||||
server node3 127.0.0.1:8080 check
|
||||
server node4 127.0.0.1:8080 check
|
||||
EOF
|
||||
cat <<EOF > /etc/apache2/sites-enabled/000-default.conf
|
||||
<VirtualHost testsite.nl:8080>
|
||||
ServerName testsite.nl
|
||||
|
||||
ServerAdmin webmaster@localhost
|
||||
DocumentRoot /var/www/html
|
||||
|
||||
LogLevel error
|
||||
|
||||
ErrorLog \${APACHE_LOG_DIR}/error.log
|
||||
CustomLog \${APACHE_LOG_DIR}/access.log combined
|
||||
</VirtualHost>
|
||||
EOF
|
||||
|
||||
cat <<EOF > /etc/apache2/ports.conf
|
||||
Listen 8080
|
||||
EOF
|
||||
|
||||
systemctl restart apache2
|
||||
systemctl restart haproxy
|
||||
|
||||
#cat <<EOF > /etc/systemd/system/letsencrypt.timer
|
||||
#[Unit]
|
||||
#Description=Run Let's Encrypt every 12 hours
|
||||
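Review bot: `ufw allow 8080` combined with `Listen 8080` in the generated ports.conf exposes the Apache backend on every interface, so a client on the 192.168.33.0/24 network can hit testsite.nl:8080 directly and bypass HAProxy — the `/.well-known/acme-challenge` ACL, `option forwardfor`/`X-Forwarded-*` headers and the (currently commented) HTTPS redirect never apply to such requests. HAProxy only talks to `127.0.0.1:8080`, so Apache does not need to be reachable from outside: write `Listen 127.0.0.1:8080` to ports.conf, use `<VirtualHost 127.0.0.1:8080>` (or `*:8080`) so the vhost still matches, and drop the `ufw allow 8080` line. The heredoc for haproxy.cfg is unquoted; it currently contains no `$` or backtick, but any future `%[...]` fetch or environment reference added there should be checked against shell expansion, or the delimiter quoted as `<<'EOF'` as the Apache block already does for `\${APACHE_LOG_DIR}`. The TODO above `usermod -a -G vagrant haproxy` is worth keeping: with `chroot /var/lib/haproxy` in effect the running process cannot reach `/lehaproxy/working/certs/`, so confirm how the certificate files are loaded before uncommenting the `bind *:443` line.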
|
|
|
@ -30,6 +30,15 @@ fi
|
|||
if ! grep -Fxq "127.0.0.1 boulder boulder-rabbitmq boulder-mysql" /etc/hosts; then
|
||||
echo '127.0.0.1 boulder boulder-rabbitmq boulder-mysql' >> /etc/hosts
|
||||
fi
|
||||
if ! grep -Fxq "192.168.33.222 testsite.nl" /etc/hosts; then
|
||||
echo '192.168.33.222 testsite.nl' >> /etc/hosts
|
||||
fi
|
||||
|
||||
cat <<EOF >> /root/.bashrc
|
||||
alias ll='ls -lah'
|
||||
alias la='ls -A'
|
||||
alias l='ls -CF'
|
||||
EOF
|
||||
|
||||
source ~/.variables
|
||||
|
||||
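Review bot: The guard `grep -Fxq "192.168.33.222 testsite.nl" /etc/hosts` only tests for this exact line, so if the HAProxy VM's address ever changes the stale mapping stays in /etc/hosts and, appearing earlier in the file, typically keeps winning name resolution — and because the same literal is repeated in the host bootstrap script and in the HAProxy provisioner (which writes `${PROJECT_SERVER_IP} testsite.nl` instead), a drift here would silently break ACME HTTP-01 validation from Boulder. Match on the hostname and rewrite the entry rather than append, e.g. `sed -i '/[[:space:]]testsite\.nl$/d' /etc/hosts` before the `echo`, and take the address from the shared variable if `source ~/.variables` below exports one — TODO confirm that it does. This block runs as root against `/etc/hosts`, so the value must stay a literal or a trusted variable, never derived from input.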
|
|