@asquelt
Created November 25, 2015 15:14
acmetool hook for haproxy
#!/bin/bash
# acmetool hook: if haproxy is installed, assemble each renewed certificate
# (private key, certificate, chain and DH params) into one PEM file in
# HAPROXY_DIR so that haproxy can use it for SSL termination, then reload haproxy.
#
# Suggested configuration (/etc/haproxy/haproxy.cfg):
#
# global
#     ssl-default-bind-options no-sslv3 no-tls-tickets
#     tune.ssl.default-dh-param 2048
#     ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
#
# frontend https
#     bind :80
#     bind :443 ssl crt /etc/haproxy/acme_certs
#
# [...]
#
# References:
# https://wiki.mozilla.org/Security/Server_Side_TLS
# https://weakdh.org/sysadmin.html#haproxy
# https://cbonte.github.io/haproxy-dconv/configuration-1.6.html#5.1-crt

# acmetool passes the event name as $1. Only "live-updated" carries certificate
# names on stdin, so bail out on any other event (42 is acmetool's "hook not
# applicable" exit status).
[ "$1" = "live-updated" ] || exit 42

[ -z "$ACME_STATE_DIR" ] && ACME_STATE_DIR=/var/lib/acme
[ -z "$HAPROXY_DIR" ] && HAPROXY_DIR=/etc/haproxy/acme_certs
# Nothing to do on hosts without a haproxy configuration directory.
[ ! -d "$(dirname "$HAPROXY_DIR")" ] && exit 0

# The bundles contain private keys: every file created below is owner-only.
umask 0077

# One certificate name per line on stdin.
while read -r certname ; do
    acmedir=$ACME_STATE_DIR/live/$certname
    targetdir=$HAPROXY_DIR
    dhbits=2048
    for checkdir in "$acmedir" "$acmedir/cert" "$acmedir/chain" "$acmedir/privkey" ; do
        if [ ! -e "$checkdir" ] ; then
            echo "[acme2haproxy] Refresh received for $certname, but no data in $checkdir" >&2
            ls -lha "$checkdir" >&2
            continue 2   # skip this certificate, carry on with the next name
        fi
    done
    # DH parameters are generated once per certificate and reused on later renewals.
    if [ ! -f "$acmedir/dhparams" ] ; then
        echo "[acme2haproxy] Generating DH params ($dhbits bit) for $certname ..." >&2
        openssl dhparam -out "$acmedir/dhparams" "$dhbits"
    fi
    if [ ! -d "$targetdir" ] ; then
        mkdir -p "$targetdir"
    fi
    echo "[acme2haproxy] Assembling haproxy cert for $certname ..." >&2
    cat "$acmedir/privkey" "$acmedir/cert" "$acmedir/chain" "$acmedir/dhparams" > "$targetdir/$certname.pem"
done

# Reload haproxy once, after all bundles have been written.
if which systemctl >/dev/null 2>/dev/null ; then
    echo "[acme2haproxy] Reloading haproxy with systemd ..." >&2
    [ -e "/lib/systemd/system/haproxy.service" -o -e "/etc/systemd/system/haproxy.service" ] && systemctl reload "haproxy.service"
elif which service >/dev/null 2>/dev/null ; then
    echo "[acme2haproxy] Reloading haproxy service ..." >&2
    service haproxy reload
elif [ -e "/etc/init.d" -a -e /etc/init.d/haproxy ] ; then
    echo "[acme2haproxy] Reloading haproxy init.d ..." >&2
    [ -x /etc/init.d/haproxy ] && /etc/init.d/haproxy reload
else
    echo "[acme2haproxy] Couldn't find reliable way to reload haproxy ..." >&2
fi
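An added sanity check (not part of the gist) that can be run on each assembled bundle before the reload step. It uses only grep and ls so it works on any host the hook runs on, and the thresholds it enforces (one private key, the leaf plus at least one chain certificate, one DH block, no group/other permission bits) follow what the hook concatenates under umask 0077; the helper name and the constructed test bundle are assumptions.

```shell
#!/bin/bash
# Hypothetical helper, not part of the gist: checks an assembled haproxy
# bundle before it is handed to the proxy.  It counts the PEM blocks the hook
# concatenates (privkey, cert, chain, dhparams) and rejects bundles that are
# incomplete or readable by group/other.  Returns 0 if sane, 1 otherwise.
check_haproxy_bundle() {
    pem="$1"
    if [ ! -f "$pem" ] ; then
        echo "[acme2haproxy] $pem: no such bundle" >&2
        return 1
    fi
    # grep -c prints 0 and exits 1 when nothing matches, hence "|| true".
    keys=$(grep -c -e '-----BEGIN .*PRIVATE KEY-----' "$pem" || true)
    certs=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$pem" || true)
    dh=$(grep -c -e '-----BEGIN DH PARAMETERS-----' "$pem" || true)
    # Exactly one key, leaf + at least one intermediate, one DH block.
    if [ "$keys" -ne 1 ] ; then
        echo "[acme2haproxy] $pem: expected 1 private key, found $keys" >&2
        return 1
    fi
    if [ "$certs" -lt 2 ] ; then
        echo "[acme2haproxy] $pem: expected leaf + chain, found $certs certificate(s)" >&2
        return 1
    fi
    if [ "$dh" -ne 1 ] ; then
        echo "[acme2haproxy] $pem: expected 1 DH parameter block, found $dh" >&2
        return 1
    fi
    # Columns 5-10 of "ls -l" are the group/other permission bits; the bundle
    # holds a private key, so all six must be "-" (what umask 0077 produces).
    if [ "$(ls -ld "$pem" | cut -c5-10)" != "------" ] ; then
        echo "[acme2haproxy] $pem: bundle is readable by group/other" >&2
        return 1
    fi
    return 0
}

# Usage: check_haproxy_bundle /etc/haproxy/acme_certs/example.com.pem
if [ $# -gt 0 ] ; then
    check_haproxy_bundle "$1"
fi
```

Calling it on each `$targetdir/$certname.pem` right after the `cat` and skipping the reload when it fails keeps a broken renewal from being loaded into the proxy.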