Hello everyone
I think I made a mistake in my haproxy configuration and I don’t see how to modify it without interrupting the service.
I have a haproxy configured to forward the stream to multiple apache servers in my LAN. On the haproxy I have letsencrypt which updates SSL certificates. And on Apache, I also have a running letencrypt (legacy…) . when there is a certificate update, some sites crash. So I would like to be sure that the connection is encrypted from haproxy to apache.
The haproxy refers to Apache 443. But I think I should have sent back to 08 and after on the Apaches, it goes to 443, but it wouldn’t be end-to-end encrypted. Could you tell me how to do it because I’m going in circles?
Here is my haproxy.cfg :
global
log /dev/log local0
log /dev/log local1 notice
chroot /var/lib/haproxy
stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
stats timeout 30s
user haproxy
group haproxy
daemon
ca-base /etc/ssl/certs
crt-base /etc/ssl/private
ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
defaults
log global
mode http
option httplog
option dontlognull
timeout connect 5000
timeout client 50000
timeout server 50000
errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http
########### STATS ###############################
listen stats
bind 192.168.0.206:8404
stats enable
stats uri /monitor
stats refresh 5s
stats auth admin:admin
########### FRONTEND ############################
frontend http-in
bind *:80
acl http ssl_fc,not
http-request redirect scheme https if http
frontend https-in
bind *:443 ssl crt-list /etc/haproxy/certs/domains_list.txt
option forwardfor
option forwardfor header X-Real-IP
acl letsencrypt-acl path_beg /.well-known/acme-challenge/
use_backend letsencrypt-back if letsencrypt-acl
####### ACL
## TEST
acl TEST_mysite_URL hdr_dom(host) -i mysite.mysdomain
use_backend TEST_mysite if { hdr(host) -i mysite.mysdomain }
backend TEST_mysite
mode http
server test 192.168.10.51:443 weight 1 maxconn 8192 check ssl verify none
and on my apache:
<VirtualHost 192.168.10.51:80>
ServerName mysite.mydomain
ServerAdmin tech@mysite.mydomain
RewriteEngine on
RewriteCond %{SERVER_NAME} =mysite.mydomain
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]
</VirtualHost>
<IfModule mod_ssl.c>
<VirtualHost 192.168.10.51:443>
ServerName mysite.mydomain
ServerAdmin tech@mysite.mydomain
ErrorLog /var/log/apache2/mysite.mydomain/error.log
CustomLog /var/log/apache2/mysite.mydomain/access.log combined
<Proxy *>
Order deny,allow
Allow from All
</Proxy>
DocumentRoot "/var/www/public/mysite-front"
<Directory "/var/www/public/mysite-front">
AllowOverride None
Order allow,deny
Allow from all
RewriteEngine on
RewriteBase /
RewriteRule ^../index\.html$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule (..) $1/index.html [L]
RewriteCond %{HTTP:Accept-Language} ^fr [NC]
RewriteRule ^$ /fr/ [R]
RewriteCond %{HTTP:Accept-Language} ^de [NC]
RewriteRule ^$ /de/ [R]
RewriteCond %{HTTP:Accept-Language} !^fr [NC]
RewriteRule ^$ /en/ [R]
</Directory>
# API
ProxyPassMatch "^/v(\d)/(.*)" "http://localhost:8070/api/api-mysite.mydomain/v$1/$2"
SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/mysite.mydomain/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/mysite.mydomain/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/mysite.mydomain/fullchain.pem
</VirtualHost>
</IfModule>
1 post - 1 participant