Apache hosting node and haproxy forwarding configuration completed, /.well-known gets forwarded to another port.

This commit is contained in:
Chris Snijder 2016-08-11 17:02:16 +02:00
parent 5311330026
commit 844c191809
3 changed files with 119 additions and 2 deletions


@ -52,7 +52,7 @@ do_sudo () {
sudo ls &> /dev/null sudo ls &> /dev/null
SUDO=1 SUDO=1
fi fi
sudo bash -c "$1" sudo bash -c "$@"
} }
if ! commands_exist "${CMDS}"; then if ! commands_exist "${CMDS}"; then
@ -70,6 +70,10 @@ for PLUGIN in "${VAGRANT_PLUGINS_REQUIRED[@]}"; do
fi fi
done done
if ! grep -Fxq "192.168.33.222 testsite.nl" /etc/hosts; then
do_sudo "echo '192.168.33.222 testsite.nl' >> /etc/hosts"
fi
log "Starting Boulder CA server instance.." log "Starting Boulder CA server instance.."
if vagrant up boulder; then if vagrant up boulder; then
log "Starting LE HAProxy client vm.." log "Starting LE HAProxy client vm.."
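Review bot: The `sudo bash -c "$@"` line in the first hunk does not let `do_sudo` take a command as separate words: `bash -c` runs only its first operand as the script and binds the remaining operands to `$0`, `$1`, … of that script, so a call like `do_sudo echo hi` would execute a bare `echo`. The only caller visible here, `do_sudo "echo '192.168.33.222 testsite.nl' >> /etc/hosts"`, passes one string and still works, but the change now reads as if multi-word calls were supported; either keep `sudo bash -c "$1"` with a contract comment such as `# do_sudo SNIPPET: runs exactly one shell snippet as root via bash -c; callers pass a fixed string, never caller-supplied text`, or add `(( $# == 1 )) || return 2` before it. The body of `do_sudo` starts outside the hunk, so the function header and any other callers are not visible here. In the second hunk the address `192.168.33.222` is hard-coded, and the third file's hosts hunk repeats it, while the second file writes `${PROJECT_SERVER_IP} testsite.nl`; if that variable is available at this point, deriving the entry from it would keep the three hosts lines from drifting apart.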


@ -8,7 +8,8 @@ apt-get upgrade -y
apt-get install -y \ apt-get install -y \
sudo htop net-tools tcpdump ufw git haproxy tmux watch curl wget \ sudo htop net-tools tcpdump ufw git haproxy tmux watch curl wget \
openssl ca-certificates build-essential libffi-dev \ openssl ca-certificates build-essential libffi-dev \
python python-setuptools python-dev libssl-dev python python-setuptools python-dev libssl-dev apache2
apt-get install -y -t jessie-backports certbot apt-get install -y -t jessie-backports certbot
pip install --upgrade setuptools pip install --upgrade setuptools
@ -19,6 +20,7 @@ pip install virtualenv
ufw allow ssh ufw allow ssh
ufw allow http ufw allow http
ufw allow https ufw allow https
ufw allow 8080
ufw default deny incoming ufw default deny incoming
ufw --force enable ufw --force enable
@ -37,6 +39,7 @@ ${PROJECT_SERVER_IP} le1.wtf
${PROJECT_SERVER_IP} le2.wtf ${PROJECT_SERVER_IP} le2.wtf
${PROJECT_SERVER_IP} le3.wtf ${PROJECT_SERVER_IP} le3.wtf
${PROJECT_SERVER_IP} nginx.wtf ${PROJECT_SERVER_IP} nginx.wtf
${PROJECT_SERVER_IP} testsite.nl
EOF EOF
mkdir -p "/${PROJECT_NAME}/working/logs" mkdir -p "/${PROJECT_NAME}/working/logs"
@ -74,6 +77,107 @@ alias la='ls -A'
alias l='ls -CF' alias l='ls -CF'
EOF EOF
# Allow haproxy to read the dirs of the le plugin
# TODO: Does this even work with the `chroot` directive?
usermod -a -G vagrant haproxy
cat <<EOF > /etc/haproxy/haproxy.cfg
global
log /dev/log local0
log /dev/log local1 notice
chroot /var/lib/haproxy
stats socket /run/haproxy/admin.sock mode 660 level admin
stats timeout 30s
user haproxy
group haproxy
daemon
# Default SSL material locations
ca-base /etc/ssl/certs
crt-base /etc/ssl/private
# Default ciphers to use on SSL-enabled listening sockets.
# Cipher suites chosen by following logic:
# - Bits of security 128>256 (weighing performance vs added security)
# - Key exchange: EECDH>DHE (faster first)
# - Mode: GCM>CBC (streaming cipher over block cipher)
# - Ephemeral: All use ephemeral key exchanges
# - Explicitly disable weak ciphers and SSLv3
ssl-default-bind-ciphers AES128+AESGCM+EECDH:AES128+EECDH:AES128+AESGCM+DHE:AES128+EDH:AES256+AESGCM+EECDH:AES256+EECDH:AES256+AESGCM+EDH:AES256+EDH:!SHA:!MD5:!RC4:!DES:!DSS
ssl-default-bind-options no-sslv3
defaults
log global
mode http
option httplog
option dontlognull
timeout connect 5000
timeout client 50000
timeout server 50000
errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http
frontend http-in
bind *:80
mode http
# LE HAProxy installer should combine certs and place them here..
# Uncomment when ready.. Needs ACL to work per site.
# bind *:443 ssl crt /lehaproxy/working/certs/
acl is_letsencrypt path_beg -i /.well-known/acme-challenge
use_backend letsencrypt if is_letsencrypt
# IF redirect is to be used, uncomment the next line
# redirect scheme https if !{ ssl_fc } and testsite.nl
default_backend nodes
backend letsencrypt
log global
mode http
server letsencrypt 127.0.0.1:8000
backend nodes
log global
mode http
option tcplog
balance roundrobin
option forwardfor
option http-server-close
option httpclose
http-request set-header X-Forwarded-Port %[dst_port]
http-request add-header X-Forwarded-Proto https if { ssl_fc }
option httpchk HEAD / HTTP/1.1\r\nHost:localhost
server node1 127.0.0.1:8080 check
server node2 127.0.0.1:8080 check
server node3 127.0.0.1:8080 check
server node4 127.0.0.1:8080 check
EOF
cat <<EOF > /etc/apache2/sites-enabled/000-default.conf
<VirtualHost testsite.nl:8080>
ServerName testsite.nl
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
LogLevel error
ErrorLog \${APACHE_LOG_DIR}/error.log
CustomLog \${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
EOF
cat <<EOF > /etc/apache2/ports.conf
Listen 8080
EOF
systemctl restart apache2
systemctl restart haproxy
#cat <<EOF > /etc/systemd/system/letsencrypt.timer #cat <<EOF > /etc/systemd/system/letsencrypt.timer
#[Unit] #[Unit]
#Description=Run Let's Encrypt every 12 hours #Description=Run Let's Encrypt every 12 hours
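Review bot: `ufw allow 8080` in the second hunk, together with `Listen 8080` in the new ports.conf heredoc of the last hunk, exposes the Apache backend on every interface, so a client can reach `testsite.nl:8080` directly and bypass the HAProxy front end and its `/.well-known/acme-challenge` routing, while the only consumer of that port visible here is HAProxy itself at `127.0.0.1:8080`. Dropping the `ufw allow 8080` line keeps port 80 as the only public entry point (binding Apache to loopback with `Listen 127.0.0.1:8080` would also work but then needs the `<VirtualHost testsite.nl:8080>` address adjusted to match). In backend `nodes`, `option tcplog` is, as far as I recall, only honoured in `defaults`/`frontend` sections, so it is at best a startup warning and at worst replaces the HTTP log format inherited from `defaults`; the four `server nodeN 127.0.0.1:8080 check` entries also all point at the same socket, so round-robin and the repeated health checks add nothing over a single server line. Since both heredocs replace the daemons' configuration wholesale, running `haproxy -c -f /etc/haproxy/haproxy.cfg` and `apachectl configtest` before the two `systemctl restart` lines would make a syntax error fail provisioning loudly instead of leaving the proxy down.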


@ -30,6 +30,15 @@ fi
if ! grep -Fxq "127.0.0.1 boulder boulder-rabbitmq boulder-mysql" /etc/hosts; then if ! grep -Fxq "127.0.0.1 boulder boulder-rabbitmq boulder-mysql" /etc/hosts; then
echo '127.0.0.1 boulder boulder-rabbitmq boulder-mysql' >> /etc/hosts echo '127.0.0.1 boulder boulder-rabbitmq boulder-mysql' >> /etc/hosts
fi fi
if ! grep -Fxq "192.168.33.222 testsite.nl" /etc/hosts; then
echo '192.168.33.222 testsite.nl' >> /etc/hosts
fi
cat <<EOF >> /root/.bashrc
alias ll='ls -lah'
alias la='ls -A'
alias l='ls -CF'
EOF
source ~/.variables source ~/.variables
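Review bot: The `cat <<EOF >> /root/.bashrc` block is appended unconditionally, so every re-run of this provisioner adds another copy of the three alias lines, whereas the `/etc/hosts` entry directly above it is guarded by `grep -Fxq`. Wrapping the heredoc in a matching guard, e.g. `if ! grep -Fxq "alias ll='ls -lah'" /root/.bashrc; then` … `fi`, keeps re-provisioning idempotent. The surrounding script continues past the hunk (`source ~/.variables` follows), so whether an earlier step already populates `.bashrc` cannot be seen here.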