Skip to navigation
Haproxy with multiple virtual SSL cert domains
18.05.23
# Working Example to use multiple domains with SSL certs, 3 files: ## example haproxy config file at /etc/haproxy/haproxy.cfg ```console File Edit Options Buffers Tools Conf Help global log /dev/log local0 log /dev/log local1 notice chroot /var/lib/haproxy stats socket /run/haproxy/admin.sock mode 660 level admin stats timeout 30s user haproxy group haproxy daemon # Default SSL material locations ca-base /etc/ssl/certs crt-base /etc/ssl/private # See: https://ssl-config.mozilla.org/#server=haproxy&server-version=2.0.3&config=intermediate ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305\ :ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384 ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets defaults log global mode http option httplog option dontlognull timeout connect 5000 timeout client 50000 timeout server 50000 errorfile 400 /etc/haproxy/errors/400.http errorfile 403 /etc/haproxy/errors/403.http errorfile 408 /etc/haproxy/errors/408.http errorfile 500 /etc/haproxy/errors/500.http errorfile 502 /etc/haproxy/errors/502.http errorfile 503 /etc/haproxy/errors/503.http errorfile 504 /etc/haproxy/errors/504.http frontend http-in bind *:80 #bind *:443 ssl crt /etc/ssl/ww2.myridia.com.pem bind *:443 ssl crt /etc/ssl/ww2.myridia.com.pem crt /etc/ssl/ww1.myridia.com.pem acl letsencrypt-acl path_beg /.well-known/acme-challenge/ use_backend letsencrypt-backend if letsencrypt-acl acl host_my hdr(host) -i ww2.myridia.com use_backend my_cluster if host_my acl host_my hdr(host) -i ww1.myridia.com use_backend my_cluster if host_my backend my_cluster balance leastconn option httpclose option forwardfor server node1 10.3.0.3:80 check backend letsencrypt-backend server letsencrypt 127.0.0.1:8888 #server n1 65.109.9.188:8031 ```` ## Bash script at /opt/updatecerts.sh ```console #!/bin/bash #0 1 * * * /opt/updatecerts.sh #certbot certonly -v --standalone -d ww1.myridia.com --non-interactive --agree-tos --email veto@myridia.com --http-01-port=8888 certbot renew #--force-renewwal cat /etc/letsencrypt/live/ww2.myridia.com/fullchain.pem /etc/letsencrypt/live/ww2.myridia.com/privkey.pem > /etc/ssl/ww2.myridia.com.pem cat /etc/letsencrypt/live/ww1.myridia.com/fullchain.pem /etc/letsencrypt/live/ww1.myridia.com/privkey.pem > /etc/ssl/ww1.myridia.com.pem service haproxy reload ``` ## Cron Job file /etc/cron.d/haproxy ```console SHELL=/bin/sh PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin 0 1 * * * root /opt/updatecerts.sh ```
https://devops.cisel.ch/lets-encrypt-on-haproxy
Reply
Anonymous
Information Epoch 1742213574
Think hierarchically.
Home
Notebook
Contact us
