Tutorials and FAQs / Re: Tutorial 2021/09: HAProxy + Let's Encrypt Wildcard Certificates + 100% A+ Rating
« on: October 27, 2021, 12:37:59 am »
Hi everyone
First of all, awesome guide — and even more so that you keep updating it with new stuff as it comes along.
I've been kinda hitting my head against this for a day or two now and gotta throw in the towel and put my troubles in here.
I'm running a small test setup where I'm gonna have a couple of web services running, but the thing is, they are running Traefik with their own LE SSL validation and so on, and I can't get HAProxy to work properly.
My config looks like this:
#
# Automatically generated configuration.
# Do not edit this file manually.
#
# Process-wide settings. This file is generated by the OPNsense HAProxy plugin
# (see header), so any change below has to be made in the plugin UI, not here.
global
# Drop privileges and confine the daemon to a chroot after startup.
uid 80
gid 80
chroot /var/haproxy
daemon
# Runtime API socket. 'level admin' grants full runtime control (disabling
# servers, editing maps) to anyone who can connect; the only gate is the
# socket's group (proxy) and mode 775, so keep that group membership tight.
stats socket /var/run/haproxy.socket group proxy mode 775 level admin
# NOTE(review): nbproc is deprecated/removed in newer HAProxy releases in
# favour of nbthread alone — confirm against the installed version.
nbproc 1
nbthread 4
maxconn 10000
# DH parameter size for TLS terminated by HAProxy; only matters on a bind that
# carries 'ssl', and no bind in this config does.
tune.ssl.default-dh-param 4096
spread-checks 2
tune.chksize 16384
tune.bufsize 16384
tune.lua.maxmem 0
# 'debug' is the most verbose log level; consider 'info' once troubleshooting is done.
log /var/run/log local0 debug
# Settings inherited by every frontend/backend below unless overridden there.
defaults
log global
# Try another server when the chosen one is unreachable; -1 (the default)
# redispatches on the last of the 'retries 3' attempts.
option redispatch -1
maxconn 5000
# 30s everywhere; 1_Https_Frontend overrides 'timeout client' to 15m.
timeout client 30s
timeout connect 30s
timeout server 30s
retries 3
# Server address resolution at startup: last known value first, then libc.
default-server init-addr last,libc
# autogenerated entries for ACLs
# autogenerated entries for config in backends/frontends
# autogenerated entries for stats
# Frontend: 0_SNI_Frontend ()
# Public entry point: raw TCP, meant to route on TLS SNI and otherwise hand
# connections to SSL_Backend (loopback).
frontend 0_SNI_Frontend
# NOTE(review): 0.0.0.0:443 and 0.0.0.0:80 are also bound by 1_Https_Frontend
# and 1_Http_Frontend below, so the same address:port is claimed twice. Because
# SSL_Backend forwards to 127.0.0.1 on the same port, those two frontends
# presumably should bind 127.0.0.1 rather than 0.0.0.0 — confirm intended layout.
bind 0.0.0.0:443 name 0.0.0.0:443
bind 0.0.0.0:80 name 0.0.0.0:80
bind 0.0.0.0:8888 name 0.0.0.0:8888
mode tcp
default_backend SSL_Backend
# tuning options
timeout client 30s
# logging options
option tcplog
# ACTION: Public_Domain_Map_Rule_2
# NOTE: actions with no ACLs/conditions will always match
# NOTE(review): req.hdr(host) is an HTTP-layer fetch; in 'mode tcp' the stream
# is never parsed as HTTP, so this lookup cannot match and everything falls
# through to default_backend. SNI routing needs the TLS ClientHello instead:
# sample req.ssl_sni, preceded by 'tcp-request inspect-delay 5s' and
# 'tcp-request content accept if { req.ssl_hello_type 1 }' so the hello is
# buffered first (in the plugin, use the SNI-based condition/map rule, not the
# Host-header one — confirm). The same applies to Public_Domain_Map_Rule_3 below.
use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/6178606dd3b431.48344137.txt)]
# ACTION: Public_Domain_Map_Rule_3
# NOTE: actions with no ACLs/conditions will always match
use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/6178704b1d59f6.07557436.txt)]
# Frontend: 1_Http_Frontend ()
# Plain-HTTP side, normally reached through SSL_Backend (PROXY protocol on
# port 80); its only job is to redirect everything to HTTPS.
frontend 1_Http_Frontend
# accept-proxy: requires the PROXY header that SSL_Server sends (send-proxy-v2);
# a client connecting here directly without it is rejected.
# NOTE(review): 0.0.0.0:80 is already bound by 0_SNI_Frontend — see the note
# there; this bind likely belongs on 127.0.0.1:80.
bind 0.0.0.0:80 name 0.0.0.0:80 accept-proxy
mode http
option http-keep-alive
# Adds X-Forwarded-For with the original client address (known via accept-proxy).
option forwardfor
# tuning options
timeout client 30s
# logging options
option httplog
# ACL: NoSSL_Condition
# NOTE(review): req.ssl_ver inspects a raw TLS ClientHello; on a plain-HTTP
# frontend it never matches, so the redirect below always fires. That is the
# intended effect, but '!{ ssl_fc }' is the usual http-mode form — confirm.
acl acl_61781026415d99.64392811 req.ssl_ver gt 0
# ACTION: HttpToHttps_Rule
# Permanent redirect to https:// for any request that did not arrive over TLS.
http-request redirect scheme https code 301 if !acl_61781026415d99.64392811
# Frontend: 1_Https_Frontend ()
# HTTP-mode frontend for port 443, intended to terminate TLS and route on the
# Host header.
frontend 1_Https_Frontend
# NOTE(review): this bind has no 'ssl crt ...' / 'crt-list' option, so HAProxy
# cannot terminate TLS here and will try to parse the raw TLS bytes as HTTP.
# Either attach a certificate here, or — since the services run Traefik with
# their own LE certificates — leave this frontend out and route SNI directly to
# the passthrough backends from 0_SNI_Frontend. It also shares 0.0.0.0:443 with
# 0_SNI_Frontend; see the note there (127.0.0.1 would be the loopback target).
bind 0.0.0.0:443 name 0.0.0.0:443 accept-proxy
mode http
option http-keep-alive
option forwardfor
# tuning options
# 15m overrides the 30s value from 'defaults'.
timeout client 15m
# logging options
option httplog
# ACTION: Public_Domain_Map_Rule_1
# NOTE: actions with no ACLs/conditions will always match
# Host-header map lookup; valid here (mode http) unlike in 0_SNI_Frontend, but
# only reachable once TLS is actually terminated on the bind above.
use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/617812015049f9.00974692.txt)]
# Backend: SSL_Backend (Loopback)
# Loopback hop: hands connections back to the 1_Http/1_Https frontends with a
# PROXY v2 header so they learn the real client address.
backend SSL_Backend
# health checking is DISABLED
mode tcp
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
# No port on the server address: HAProxy reuses the port the client connected
# to (80 -> 1_Http_Frontend, 443 -> 1_Https_Frontend; nothing in this config
# listens on 127.0.0.1:8888, so port-8888 clients get a refused connection).
# check-send-proxy is inert while health checks are disabled.
# NOTE(review): this only works if those frontends bind 127.0.0.1; with 0.0.0.0
# on both sides startup may fail with a bind error or the accepting listener
# becomes kernel-dependent — confirm.
server SSL_Server 127.0.0.1 send-proxy-v2 check-send-proxy
# Backend: Central_OpenSense_FW_Backend (OpenSense Firewal)
# HTTP backend re-encrypting to 10.10.5.2:55443 (named as a firewall GUI).
# Nothing references it by name; it is reachable only through the map files,
# whose contents are not shown.
backend Central_OpenSense_FW_Backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
http-reuse safe
# NOTE(review): 'verify none' disables certificate validation on the backend
# TLS session, so HAProxy would also accept an impostor at that address.
# Prefer 'verify required ca-file <CA bundle>' (and 'sni str(<hostname>)' if
# the certificate is name-based); a self-signed GUI certificate can be exported
# into a local CA file. Publishing a firewall's management GUI through a
# public proxy at all deserves a second look.
server Central_OpenSense_FW_SRV 10.10.5.2:55443 ssl verify none
# Backend: FRCD_Backend (domain1.com)
# TCP backend for domain1.com (10.10.20.40:443).
backend FRCD_Backend
# health checking is DISABLED
mode tcp
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
# NOTE(review): 'ssl' makes HAProxy open its own TLS session to the server and
# tunnel the client's bytes inside it. For a tcp-mode passthrough from
# 0_SNI_Frontend those bytes are already a TLS handshake, so the server sees
# TLS-in-TLS and the connection fails. As domain1 runs Traefik with its own LE
# certificate, drop 'ssl alpn ... verify none' and forward raw, as
# FRCD_2_Backend does. If re-encryption is really intended (only valid after
# TLS termination in 1_Https_Frontend), replace 'verify none' with
# 'verify required ca-file <CA bundle>' so the backend certificate is checked.
server DMZ_domain1_SRV 10.10.20.40:443 ssl alpn h2,http/1.1,http/1.0 verify none
# Backend: FRCD_2_Backend (domain2:8888)
# TCP passthrough for domain2:8888 (10.10.20.41:8888); any TLS stays
# end-to-end between client and server.
backend FRCD_2_Backend
# health checking is DISABLED
mode tcp
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
# Plain forward, no 'ssl' — consistent with the server doing its own TLS.
# NOTE(review): 0_SNI_Frontend binds :8888, but with its Host-header rules
# ineffective in tcp mode nothing currently routes here — see that frontend.
server DMZ_domain2_SRV 10.10.20.41:8888
Best regards
First of all, awesome guide — and even more so that you keep updating it with new stuff as it comes along.
I've been kinda hitting my head against this for a day or two now and gotta throw in the towel and put my troubles in here.
I'm running a small test setup where I'm gonna have a couple of web services running, but the thing is, they are running Traefik with their own LE SSL validation and so on, and I can't get HAProxy to work properly.
My config looks like this:
#
# Automatically generated configuration.
# Do not edit this file manually.
#
# Process-wide settings. This file is generated by the OPNsense HAProxy plugin
# (see header), so any change below has to be made in the plugin UI, not here.
global
# Drop privileges and confine the daemon to a chroot after startup.
uid 80
gid 80
chroot /var/haproxy
daemon
# Runtime API socket. 'level admin' grants full runtime control (disabling
# servers, editing maps) to anyone who can connect; the only gate is the
# socket's group (proxy) and mode 775, so keep that group membership tight.
stats socket /var/run/haproxy.socket group proxy mode 775 level admin
# NOTE(review): nbproc is deprecated/removed in newer HAProxy releases in
# favour of nbthread alone — confirm against the installed version.
nbproc 1
nbthread 4
maxconn 10000
# DH parameter size for TLS terminated by HAProxy; only matters on a bind that
# carries 'ssl', and no bind in this config does.
tune.ssl.default-dh-param 4096
spread-checks 2
tune.chksize 16384
tune.bufsize 16384
tune.lua.maxmem 0
# 'debug' is the most verbose log level; consider 'info' once troubleshooting is done.
log /var/run/log local0 debug
# Settings inherited by every frontend/backend below unless overridden there.
defaults
log global
# Try another server when the chosen one is unreachable; -1 (the default)
# redispatches on the last of the 'retries 3' attempts.
option redispatch -1
maxconn 5000
# 30s everywhere; 1_Https_Frontend overrides 'timeout client' to 15m.
timeout client 30s
timeout connect 30s
timeout server 30s
retries 3
# Server address resolution at startup: last known value first, then libc.
default-server init-addr last,libc
# autogenerated entries for ACLs
# autogenerated entries for config in backends/frontends
# autogenerated entries for stats
# Frontend: 0_SNI_Frontend ()
# Public entry point: raw TCP, meant to route on TLS SNI and otherwise hand
# connections to SSL_Backend (loopback).
frontend 0_SNI_Frontend
# NOTE(review): 0.0.0.0:443 and 0.0.0.0:80 are also bound by 1_Https_Frontend
# and 1_Http_Frontend below, so the same address:port is claimed twice. Because
# SSL_Backend forwards to 127.0.0.1 on the same port, those two frontends
# presumably should bind 127.0.0.1 rather than 0.0.0.0 — confirm intended layout.
bind 0.0.0.0:443 name 0.0.0.0:443
bind 0.0.0.0:80 name 0.0.0.0:80
bind 0.0.0.0:8888 name 0.0.0.0:8888
mode tcp
default_backend SSL_Backend
# tuning options
timeout client 30s
# logging options
option tcplog
# ACTION: Public_Domain_Map_Rule_2
# NOTE: actions with no ACLs/conditions will always match
# NOTE(review): req.hdr(host) is an HTTP-layer fetch; in 'mode tcp' the stream
# is never parsed as HTTP, so this lookup cannot match and everything falls
# through to default_backend. SNI routing needs the TLS ClientHello instead:
# sample req.ssl_sni, preceded by 'tcp-request inspect-delay 5s' and
# 'tcp-request content accept if { req.ssl_hello_type 1 }' so the hello is
# buffered first (in the plugin, use the SNI-based condition/map rule, not the
# Host-header one — confirm). The same applies to Public_Domain_Map_Rule_3 below.
use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/6178606dd3b431.48344137.txt)]
# ACTION: Public_Domain_Map_Rule_3
# NOTE: actions with no ACLs/conditions will always match
use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/6178704b1d59f6.07557436.txt)]
# Frontend: 1_Http_Frontend ()
# Plain-HTTP side, normally reached through SSL_Backend (PROXY protocol on
# port 80); its only job is to redirect everything to HTTPS.
frontend 1_Http_Frontend
# accept-proxy: requires the PROXY header that SSL_Server sends (send-proxy-v2);
# a client connecting here directly without it is rejected.
# NOTE(review): 0.0.0.0:80 is already bound by 0_SNI_Frontend — see the note
# there; this bind likely belongs on 127.0.0.1:80.
bind 0.0.0.0:80 name 0.0.0.0:80 accept-proxy
mode http
option http-keep-alive
# Adds X-Forwarded-For with the original client address (known via accept-proxy).
option forwardfor
# tuning options
timeout client 30s
# logging options
option httplog
# ACL: NoSSL_Condition
# NOTE(review): req.ssl_ver inspects a raw TLS ClientHello; on a plain-HTTP
# frontend it never matches, so the redirect below always fires. That is the
# intended effect, but '!{ ssl_fc }' is the usual http-mode form — confirm.
acl acl_61781026415d99.64392811 req.ssl_ver gt 0
# ACTION: HttpToHttps_Rule
# Permanent redirect to https:// for any request that did not arrive over TLS.
http-request redirect scheme https code 301 if !acl_61781026415d99.64392811
# Frontend: 1_Https_Frontend ()
# HTTP-mode frontend for port 443, intended to terminate TLS and route on the
# Host header.
frontend 1_Https_Frontend
# NOTE(review): this bind has no 'ssl crt ...' / 'crt-list' option, so HAProxy
# cannot terminate TLS here and will try to parse the raw TLS bytes as HTTP.
# Either attach a certificate here, or — since the services run Traefik with
# their own LE certificates — leave this frontend out and route SNI directly to
# the passthrough backends from 0_SNI_Frontend. It also shares 0.0.0.0:443 with
# 0_SNI_Frontend; see the note there (127.0.0.1 would be the loopback target).
bind 0.0.0.0:443 name 0.0.0.0:443 accept-proxy
mode http
option http-keep-alive
option forwardfor
# tuning options
# 15m overrides the 30s value from 'defaults'.
timeout client 15m
# logging options
option httplog
# ACTION: Public_Domain_Map_Rule_1
# NOTE: actions with no ACLs/conditions will always match
# Host-header map lookup; valid here (mode http) unlike in 0_SNI_Frontend, but
# only reachable once TLS is actually terminated on the bind above.
use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/617812015049f9.00974692.txt)]
# Backend: SSL_Backend (Loopback)
# Loopback hop: hands connections back to the 1_Http/1_Https frontends with a
# PROXY v2 header so they learn the real client address.
backend SSL_Backend
# health checking is DISABLED
mode tcp
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
# No port on the server address: HAProxy reuses the port the client connected
# to (80 -> 1_Http_Frontend, 443 -> 1_Https_Frontend; nothing in this config
# listens on 127.0.0.1:8888, so port-8888 clients get a refused connection).
# check-send-proxy is inert while health checks are disabled.
# NOTE(review): this only works if those frontends bind 127.0.0.1; with 0.0.0.0
# on both sides startup may fail with a bind error or the accepting listener
# becomes kernel-dependent — confirm.
server SSL_Server 127.0.0.1 send-proxy-v2 check-send-proxy
# Backend: Central_OpenSense_FW_Backend (OpenSense Firewal)
# HTTP backend re-encrypting to 10.10.5.2:55443 (named as a firewall GUI).
# Nothing references it by name; it is reachable only through the map files,
# whose contents are not shown.
backend Central_OpenSense_FW_Backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
http-reuse safe
# NOTE(review): 'verify none' disables certificate validation on the backend
# TLS session, so HAProxy would also accept an impostor at that address.
# Prefer 'verify required ca-file <CA bundle>' (and 'sni str(<hostname>)' if
# the certificate is name-based); a self-signed GUI certificate can be exported
# into a local CA file. Publishing a firewall's management GUI through a
# public proxy at all deserves a second look.
server Central_OpenSense_FW_SRV 10.10.5.2:55443 ssl verify none
# Backend: FRCD_Backend (domain1.com)
# TCP backend for domain1.com (10.10.20.40:443).
backend FRCD_Backend
# health checking is DISABLED
mode tcp
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
# NOTE(review): 'ssl' makes HAProxy open its own TLS session to the server and
# tunnel the client's bytes inside it. For a tcp-mode passthrough from
# 0_SNI_Frontend those bytes are already a TLS handshake, so the server sees
# TLS-in-TLS and the connection fails. As domain1 runs Traefik with its own LE
# certificate, drop 'ssl alpn ... verify none' and forward raw, as
# FRCD_2_Backend does. If re-encryption is really intended (only valid after
# TLS termination in 1_Https_Frontend), replace 'verify none' with
# 'verify required ca-file <CA bundle>' so the backend certificate is checked.
server DMZ_domain1_SRV 10.10.20.40:443 ssl alpn h2,http/1.1,http/1.0 verify none
# Backend: FRCD_2_Backend (domain2:8888)
# TCP passthrough for domain2:8888 (10.10.20.41:8888); any TLS stays
# end-to-end between client and server.
backend FRCD_2_Backend
# health checking is DISABLED
mode tcp
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
# Plain forward, no 'ssl' — consistent with the server doing its own TLS.
# NOTE(review): 0_SNI_Frontend binds :8888, but with its Host-header rules
# ineffective in tcp mode nothing currently routes here — see that frontend.
server DMZ_domain2_SRV 10.10.20.41:8888
Best regards