Apache hosting node and haproxy forwarding configuration completed, /.well-known gets forwarded to another port.
parent
5311330026
commit
844c191809
|
@ -52,7 +52,7 @@ do_sudo () {
|
||||||
sudo ls &> /dev/null
|
sudo ls &> /dev/null
|
||||||
SUDO=1
|
SUDO=1
|
||||||
fi
|
fi
|
||||||
sudo bash -c "$1"
|
sudo bash -c "$@"
|
||||||
}
|
}
|
||||||
|
|
||||||
if ! commands_exist "${CMDS}"; then
|
if ! commands_exist "${CMDS}"; then
|
||||||
|
@ -70,6 +70,10 @@ for PLUGIN in "${VAGRANT_PLUGINS_REQUIRED[@]}"; do
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
|
|
||||||
|
if ! grep -Fxq "192.168.33.222 testsite.nl" /etc/hosts; then
|
||||||
|
do_sudo "echo '192.168.33.222 testsite.nl' >> /etc/hosts"
|
||||||
|
fi
|
||||||
|
|
||||||
log "Starting Boulder CA server instance.."
|
log "Starting Boulder CA server instance.."
|
||||||
if vagrant up boulder; then
|
if vagrant up boulder; then
|
||||||
log "Starting LE HAProxy client vm.."
|
log "Starting LE HAProxy client vm.."
|
||||||
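Review bot: `sudo bash -c "$@"` in the do_sudo hunk does not do what the change from `"$1"` suggests: `bash -c` takes only its first argument as the command string and binds any further arguments to `$0`, `$1`, … inside that string, so a multi-argument call would silently drop everything after the first word. The only caller visible here, `do_sudo "echo '192.168.33.222 testsite.nl' >> /etc/hosts"` in the second hunk, still passes a single string, so nothing breaks today, but the signature now reads as if it accepted a command plus arguments. Either keep `sudo bash -c "$1"` or, if the intent is to join several words into one command, use `sudo bash -c "$*"` and document in the function header that the argument is evaluated by a root shell, so only constant strings may be passed. The start of do_sudo lies outside the hunk.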
|
|
|
@ -8,7 +8,8 @@ apt-get upgrade -y
|
||||||
apt-get install -y \
|
apt-get install -y \
|
||||||
sudo htop net-tools tcpdump ufw git haproxy tmux watch curl wget \
|
sudo htop net-tools tcpdump ufw git haproxy tmux watch curl wget \
|
||||||
openssl ca-certificates build-essential libffi-dev \
|
openssl ca-certificates build-essential libffi-dev \
|
||||||
python python-setuptools python-dev libssl-dev
|
python python-setuptools python-dev libssl-dev apache2
|
||||||
|
|
||||||
apt-get install -y -t jessie-backports certbot
|
apt-get install -y -t jessie-backports certbot
|
||||||
|
|
||||||
pip install --upgrade setuptools
|
pip install --upgrade setuptools
|
||||||
|
@ -19,6 +20,7 @@ pip install virtualenv
|
||||||
ufw allow ssh
|
ufw allow ssh
|
||||||
ufw allow http
|
ufw allow http
|
||||||
ufw allow https
|
ufw allow https
|
||||||
|
ufw allow 8080
|
||||||
ufw default deny incoming
|
ufw default deny incoming
|
||||||
ufw --force enable
|
ufw --force enable
|
||||||
|
|
||||||
|
@ -37,6 +39,7 @@ ${PROJECT_SERVER_IP} le1.wtf
|
||||||
${PROJECT_SERVER_IP} le2.wtf
|
${PROJECT_SERVER_IP} le2.wtf
|
||||||
${PROJECT_SERVER_IP} le3.wtf
|
${PROJECT_SERVER_IP} le3.wtf
|
||||||
${PROJECT_SERVER_IP} nginx.wtf
|
${PROJECT_SERVER_IP} nginx.wtf
|
||||||
|
${PROJECT_SERVER_IP} testsite.nl
|
||||||
EOF
|
EOF
|
||||||
|
|
||||||
mkdir -p "/${PROJECT_NAME}/working/logs"
|
mkdir -p "/${PROJECT_NAME}/working/logs"
|
||||||
|
@ -74,6 +77,107 @@ alias la='ls -A'
|
||||||
alias l='ls -CF'
|
alias l='ls -CF'
|
||||||
EOF
|
EOF
|
||||||
|
|
||||||
|
# Allow haproxy to read the dirs of the le plugin
|
||||||
|
# TODO: Does this even work with the `chroot` directive?
|
||||||
|
usermod -a -G vagrant haproxy
|
||||||
|
|
||||||
|
cat <<EOF > /etc/haproxy/haproxy.cfg
|
||||||
|
global
|
||||||
|
log /dev/log local0
|
||||||
|
log /dev/log local1 notice
|
||||||
|
chroot /var/lib/haproxy
|
||||||
|
stats socket /run/haproxy/admin.sock mode 660 level admin
|
||||||
|
stats timeout 30s
|
||||||
|
user haproxy
|
||||||
|
group haproxy
|
||||||
|
daemon
|
||||||
|
|
||||||
|
# Default SSL material locations
|
||||||
|
ca-base /etc/ssl/certs
|
||||||
|
crt-base /etc/ssl/private
|
||||||
|
|
||||||
|
# Default ciphers to use on SSL-enabled listening sockets.
|
||||||
|
# Cipher suites chosen by following logic:
|
||||||
|
# - Bits of security 128>256 (weighing performance vs added security)
|
||||||
|
# - Key exchange: EECDH>DHE (faster first)
|
||||||
|
# - Mode: GCM>CBC (streaming cipher over block cipher)
|
||||||
|
# - Ephemeral: All use ephemeral key exchanges
|
||||||
|
# - Explicitly disable weak ciphers and SSLv3
|
||||||
|
ssl-default-bind-ciphers AES128+AESGCM+EECDH:AES128+EECDH:AES128+AESGCM+DHE:AES128+EDH:AES256+AESGCM+EECDH:AES256+EECDH:AES256+AESGCM+EDH:AES256+EDH:!SHA:!MD5:!RC4:!DES:!DSS
|
||||||
|
ssl-default-bind-options no-sslv3
|
||||||
|
|
||||||
|
defaults
|
||||||
|
log global
|
||||||
|
mode http
|
||||||
|
option httplog
|
||||||
|
option dontlognull
|
||||||
|
timeout connect 5000
|
||||||
|
timeout client 50000
|
||||||
|
timeout server 50000
|
||||||
|
errorfile 400 /etc/haproxy/errors/400.http
|
||||||
|
errorfile 403 /etc/haproxy/errors/403.http
|
||||||
|
errorfile 408 /etc/haproxy/errors/408.http
|
||||||
|
errorfile 500 /etc/haproxy/errors/500.http
|
||||||
|
errorfile 502 /etc/haproxy/errors/502.http
|
||||||
|
errorfile 503 /etc/haproxy/errors/503.http
|
||||||
|
errorfile 504 /etc/haproxy/errors/504.http
|
||||||
|
|
||||||
|
frontend http-in
|
||||||
|
bind *:80
|
||||||
|
mode http
|
||||||
|
# LE HAProxy installer should combine certs and place them here..
|
||||||
|
# Uncomment when ready.. Needs ACL to work per site.
|
||||||
|
# bind *:443 ssl crt /lehaproxy/working/certs/
|
||||||
|
|
||||||
|
acl is_letsencrypt path_beg -i /.well-known/acme-challenge
|
||||||
|
use_backend letsencrypt if is_letsencrypt
|
||||||
|
|
||||||
|
# IF redirect is to be used, uncomment the next line
|
||||||
|
# redirect scheme https if !{ ssl_fc } and testsite.nl
|
||||||
|
default_backend nodes
|
||||||
|
|
||||||
|
backend letsencrypt
|
||||||
|
log global
|
||||||
|
mode http
|
||||||
|
server letsencrypt 127.0.0.1:8000
|
||||||
|
|
||||||
|
backend nodes
|
||||||
|
log global
|
||||||
|
mode http
|
||||||
|
option tcplog
|
||||||
|
balance roundrobin
|
||||||
|
option forwardfor
|
||||||
|
option http-server-close
|
||||||
|
option httpclose
|
||||||
|
http-request set-header X-Forwarded-Port %[dst_port]
|
||||||
|
http-request add-header X-Forwarded-Proto https if { ssl_fc }
|
||||||
|
option httpchk HEAD / HTTP/1.1\r\nHost:localhost
|
||||||
|
server node1 127.0.0.1:8080 check
|
||||||
|
server node2 127.0.0.1:8080 check
|
||||||
|
server node3 127.0.0.1:8080 check
|
||||||
|
server node4 127.0.0.1:8080 check
|
||||||
|
EOF
|
||||||
|
cat <<EOF > /etc/apache2/sites-enabled/000-default.conf
|
||||||
|
<VirtualHost testsite.nl:8080>
|
||||||
|
ServerName testsite.nl
|
||||||
|
|
||||||
|
ServerAdmin webmaster@localhost
|
||||||
|
DocumentRoot /var/www/html
|
||||||
|
|
||||||
|
LogLevel error
|
||||||
|
|
||||||
|
ErrorLog \${APACHE_LOG_DIR}/error.log
|
||||||
|
CustomLog \${APACHE_LOG_DIR}/access.log combined
|
||||||
|
</VirtualHost>
|
||||||
|
EOF
|
||||||
|
|
||||||
|
cat <<EOF > /etc/apache2/ports.conf
|
||||||
|
Listen 8080
|
||||||
|
EOF
|
||||||
|
|
||||||
|
systemctl restart apache2
|
||||||
|
systemctl restart haproxy
|
||||||
|
|
||||||
#cat <<EOF > /etc/systemd/system/letsencrypt.timer
|
#cat <<EOF > /etc/systemd/system/letsencrypt.timer
|
||||||
#[Unit]
|
#[Unit]
|
||||||
#Description=Run Let's Encrypt every 12 hours
|
#Description=Run Let's Encrypt every 12 hours
|
||||||
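Review bot: `ufw allow 8080` in the `-19,6 +20,7` hunk together with `Listen 8080` in the ports.conf here-doc exposes the Apache backend on every interface, so a client can reach it directly and bypass the haproxy frontend, its `/.well-known/acme-challenge` ACL and the X-Forwarded-* headers set in `backend nodes`. Both haproxy backends only ever dial 127.0.0.1, so `Listen 127.0.0.1:8080` plus dropping the ufw rule keeps the same data path without the extra exposure. Relatedly, `<VirtualHost testsite.nl:8080>` is matched by the address testsite.nl resolves to at startup (the `${PROJECT_SERVER_IP}` hosts entry written earlier in this file, presumably not 127.0.0.1), so requests proxied to 127.0.0.1:8080 may not hit this vhost at all; `<VirtualHost *:8080>` with the existing `ServerName testsite.nl` avoids that, though this needs confirming on the VM. Finally, haproxy.cfg is overwritten and the service restarted with no syntax check; a `haproxy -c -f /etc/haproxy/haproxy.cfg || exit 1` before `systemctl restart haproxy` fails the provisioning step instead of leaving the proxy down.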
|
|
|
@ -30,6 +30,15 @@ fi
|
||||||
if ! grep -Fxq "127.0.0.1 boulder boulder-rabbitmq boulder-mysql" /etc/hosts; then
|
if ! grep -Fxq "127.0.0.1 boulder boulder-rabbitmq boulder-mysql" /etc/hosts; then
|
||||||
echo '127.0.0.1 boulder boulder-rabbitmq boulder-mysql' >> /etc/hosts
|
echo '127.0.0.1 boulder boulder-rabbitmq boulder-mysql' >> /etc/hosts
|
||||||
fi
|
fi
|
||||||
|
if ! grep -Fxq "192.168.33.222 testsite.nl" /etc/hosts; then
|
||||||
|
echo '192.168.33.222 testsite.nl' >> /etc/hosts
|
||||||
|
fi
|
||||||
|
|
||||||
|
cat <<EOF >> /root/.bashrc
|
||||||
|
alias ll='ls -lah'
|
||||||
|
alias la='ls -A'
|
||||||
|
alias l='ls -CF'
|
||||||
|
EOF
|
||||||
|
|
||||||
source ~/.variables
|
source ~/.variables
|
||||||
|
|
||||||
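Review bot: The `cat <<EOF >> /root/.bashrc` block at the end of this hunk appends unconditionally, so every re-run of the provisioner adds the three alias lines again, whereas the two /etc/hosts edits just above it are correctly guarded with `grep -Fxq`. Guard the append the same way, e.g. `grep -Fxq "alias ll='ls -lah'" /root/.bashrc || cat <<EOF >> /root/.bashrc`, so the script stays idempotent. The new testsite.nl hosts entry itself is consistent with the guard pattern already used for the boulder entry.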
|
|