do certbot & ssl termination
parent
449417e91d
commit
da91fb7e66
|
@ -1,5 +1,12 @@
|
||||||
## For haproxy 2.2 COPY TO /etc/haproxy/haproxy.cfg
|
## For haproxy 2.2 COPY TO /etc/haproxy/haproxy.cfg
|
||||||
## Do https://unix.stackexchange.com/a/538901 to fix network-online.target on debian w/ /etc/intefaces
|
## Do https://unix.stackexchange.com/a/538901 to fix network-online.target on debian w/ /etc/intefaces
|
||||||
|
## certbot setup:
|
||||||
|
## - https://certbot.eff.org/lets-encrypt/debianbuster-haproxy
|
||||||
|
## - Add "0 0 1 * * systemctl stop haproxy && certbot renew && systemctl start haproxy && cat /etc/letsencrypt/live/seaturtle.pw/{cert,privkey}.pem > /etc/letsencrypt/live/seaturtle.pw/haproxy_cert.pem" to root crontab
|
||||||
|
## - (Default systemd timer does not have option to stop haproxy before running)
|
||||||
|
## Ensure microk8s only exposes nodeport on 127.0.0.1:
|
||||||
|
## - Edit /var/snap/microk8s/current/args/kube-proxy, adding "--nodeport-addresses=127.0.0.1/8"
|
||||||
|
|
||||||
|
|
||||||
defaults
|
defaults
|
||||||
log global
|
log global
|
||||||
|
@ -11,25 +18,34 @@ defaults
|
||||||
timeout client 50000
|
timeout client 50000
|
||||||
timeout server 50000
|
timeout server 50000
|
||||||
|
|
||||||
listen proxy80
|
frontend http-in
|
||||||
mode tcp
|
mode http
|
||||||
bind 10.42.0.203:80
|
bind :::80
|
||||||
bind 2601:5c0:c280:80de:96c6:91ff:feab:69e3:80
|
redirect scheme https
|
||||||
server ipv4server30080 10.42.0.203:30080
|
|
||||||
|
|
||||||
listen proxy443
|
frontend https-in
|
||||||
mode tcp
|
mode http
|
||||||
bind 10.42.0.203:443
|
option forwardfor
|
||||||
bind 2601:5c0:c280:80de:96c6:91ff:feab:69e3:443
|
bind :::443 ssl crt /etc/letsencrypt/live/seaturtle.pw/haproxy_cert.pem ssl-min-ver TLSv1.2
|
||||||
server ipv4server30443 10.42.0.203:30443
|
acl server1 hdr(host) -i airsonic.seaturtle.pw
|
||||||
|
acl server1 hdr(host) -i git.seaturtle.pw
|
||||||
|
acl server1 hdr(host) -i nc.seaturtle.pw
|
||||||
|
acl server1 hdr(host) -i paul.walko.org
|
||||||
|
acl server1 hdr(host) -i plex.seaturtle.pw
|
||||||
|
acl server1 hdr(host) -i seaturtle.pw
|
||||||
|
use_backend server1 if server1
|
||||||
|
|
||||||
|
backend server1
|
||||||
|
mode http
|
||||||
|
option forwardfor
|
||||||
|
server server1 127.0.0.1:30080
|
||||||
|
|
||||||
listen proxy37122
|
listen proxy37122
|
||||||
mode tcp
|
mode tcp
|
||||||
bind 2601:5c0:c280:80de:96c6:91ff:feab:69e3:37122
|
bind :::37122
|
||||||
server ipv4server30122 10.42.0.203:30122
|
server ipv4server30122 127.0.0.1:30122
|
||||||
|
|
||||||
listen proxy25565
|
listen proxy25565
|
||||||
mode tcp
|
mode tcp
|
||||||
bind 10.42.0.203:25565
|
bind :::25565
|
||||||
bind 2601:5c0:c280:80de:96c6:91ff:feab:69e3:25565
|
server ipv4server30565 127.0.0.1:30565
|
||||||
server ipv4server30565 10.42.0.203:30565
|
|
||||||
|
|
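Review bot: The cron line added under `## certbot setup:` chains every step with `&&`, so a failed `certbot renew` (or a failed stop) short-circuits the rest and haproxy is left stopped until someone notices; the concatenation into haproxy_cert.pem is skipped as well. Order it so the restart is unconditional, e.g. `0 0 1 * * systemctl stop haproxy; certbot renew; (umask 077; cat /etc/letsencrypt/live/seaturtle.pw/{cert,privkey}.pem > /etc/letsencrypt/live/seaturtle.pw/haproxy_cert.pem); systemctl start haproxy`, or move the stop/start into certbot's `--pre-hook`/`--post-hook` so the pair always stays balanced. The `umask 077` subshell matters because the combined PEM contains privkey.pem and a plain `>` redirection creates it with whatever umask cron runs under. Since `https-in` now terminates TLS with `ssl-min-ver TLSv1.2` and `http-in` redirects to https, an `http-response set-header Strict-Transport-Security "max-age=31536000"` in `https-in` would keep clients from being downgraded on later visits. The pre-/post-hook behaviour of `certbot renew` when nothing is due should be confirmed against the certbot docs before relying on it.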