acmetool hook for haproxy
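#!/bin/bash
# acmetool hook: assemble HAProxy-style PEM bundles from acmetool's live
# certificate directory.
#
# If haproxy is installed (i.e. the parent of HAPROXY_DIR exists) this hook
# concatenates private key, certificate, chain and DH parameters for every
# certificate name received on stdin into HAPROXY_DIR/<name>.pem, then asks
# haproxy to reload so it picks up the new bundles.
#
# Environment:
#   ACME_STATE_DIR  acmetool state directory (default: /var/lib/acme)
#   HAPROXY_DIR     where the assembled .pem bundles are written
#                   (default: /etc/haproxy/acme_certs)
#
# Arguments:
#   $1  acmetool event name. Only "live-updated" is handled; any other event
#       is ignored. When no argument is given (manual invocation) the hook
#       runs unconditionally. Certificate names arrive on stdin, one per line.
#
# Suggested configuration (/etc/haproxy/haproxy.cfg):
#
# global
# ssl-default-bind-options no-sslv3 no-tls-tickets
# tune.ssl.default-dh-param 2048
# ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
#
# NOTE: the cipher list above is a snapshot from when this hook was written;
# regenerate it from the current Mozilla server-side TLS guidance (first
# reference below) rather than copying it as-is.
#
# frontend https
# bind :80
# bind :443 ssl crt /etc/haproxy/acme_certs
#
# [...]
#
# References:
# https://wiki.mozilla.org/Security/Server_Side_TLS
# https://weakdh.org/sysadmin.html#haproxy
# https://cbonte.github.io/haproxy-dconv/configuration-1.6.html#5.1-crt

set -u
set -o pipefail

# Empty counts as unset, matching the original `[ -z ... ] &&` defaults.
: "${ACME_STATE_DIR:=/var/lib/acme}"
: "${HAPROXY_DIR:=/etc/haproxy/acme_certs}"
readonly DH_BITS=2048

# Every bundle (and its temp file and the dhparams file) contains key
# material, so create all files 0600 / directories 0700.
umask 0077

#######################################
# Print a diagnostic line to stderr.
# Arguments: $* - message
#######################################
log() {
  printf '[acme2haproxy] %s\n' "$*" >&2
}

#######################################
# Build HAPROXY_DIR/<certname>.pem from acmetool's live directory.
# Globals:   ACME_STATE_DIR, HAPROXY_DIR, DH_BITS (read)
# Arguments: $1 - certificate name as given by acmetool
# Outputs:   diagnostics to stderr
# Returns:   0 if the bundle was (re)written, 1 if it was skipped
#######################################
assemble_cert() {
  local certname=$1
  local acmedir="$ACME_STATE_DIR/live/$certname"
  local targetdir=$HAPROXY_DIR
  local tmpfile part

  # The name becomes a path component under both acmedir and targetdir;
  # refuse anything that could point elsewhere (empty, hidden, or with '/').
  case "$certname" in
    '' | .* | */*)
      log "Refresh received for invalid certificate name '$certname', skipping"
      return 1
      ;;
  esac

  for part in "$acmedir" "$acmedir/cert" "$acmedir/chain" "$acmedir/privkey"; do
    if [ ! -e "$part" ]; then
      log "Refresh received for $certname, but no data in $part"
      # Show what acmetool did leave behind, if the live dir exists at all.
      [ -d "$acmedir" ] && ls -lha -- "$acmedir" >&2
      return 1
    fi
  done

  # haproxy takes DH parameters from the bundle; generate them once per cert
  # and keep them next to acmetool's data so they survive renewals.
  if [ ! -f "$acmedir/dhparams" ]; then
    log "Generating DH params ($DH_BITS bit) for $certname ..."
    if ! openssl dhparam -out "$acmedir/dhparams" "$DH_BITS"; then
      log "DH param generation failed for $certname, skipping"
      rm -f -- "$acmedir/dhparams"
      return 1
    fi
  fi

  mkdir -p -- "$targetdir" || return 1

  log "Assembling haproxy cert for $certname ..."
  # Write to a temp file in the target directory and rename it into place so
  # haproxy never opens a half-written bundle (rename within one filesystem
  # is atomic); umask above makes the temp file 0600.
  tmpfile=$(mktemp -- "$targetdir/.$certname.pem.XXXXXX") || return 1
  if cat -- "$acmedir/privkey" "$acmedir/cert" "$acmedir/chain" "$acmedir/dhparams" > "$tmpfile" \
    && mv -f -- "$tmpfile" "$targetdir/$certname.pem"; then
    return 0
  fi
  log "Failed to assemble bundle for $certname"
  rm -f -- "$tmpfile"
  return 1
}

#######################################
# Ask the running haproxy to reload so it picks up the new bundles.
# Outputs:   diagnostics to stderr
# Returns:   exit status of the reload command; 0 when no reload was issued
#######################################
reload_haproxy() {
  if command -v systemctl >/dev/null 2>&1; then
    log "Reloading haproxy with systemd ..."
    if [ -e /lib/systemd/system/haproxy.service ] || [ -e /etc/systemd/system/haproxy.service ]; then
      systemctl reload haproxy.service
    fi
  elif command -v service >/dev/null 2>&1; then
    log "Reloading haproxy service ..."
    service haproxy reload
  elif [ -e /etc/init.d/haproxy ]; then
    log "Reloading haproxy init.d ..."
    if [ -x /etc/init.d/haproxy ]; then
      /etc/init.d/haproxy reload
    fi
  else
    log "Couldn't find reliable way to reload haproxy ..."
  fi
}

#######################################
# Entry point: filter the event, assemble every bundle named on stdin,
# then reload haproxy once if anything changed.
# Globals:   HAPROXY_DIR (read)
# Arguments: "$@" - acmetool hook arguments (event name first, may be absent)
# Returns:   0 on success or nothing to do; reload's status otherwise
#######################################
main() {
  local certname updated=0

  # Only the live-updated event carries certificate names on stdin.
  if [ -n "${1-}" ] && [ "$1" != "live-updated" ]; then
    return 0
  fi

  # Nothing to do on hosts without haproxy (parent of HAPROXY_DIR missing).
  [ -d "$(dirname -- "$HAPROXY_DIR")" ] || return 0

  # -r keeps backslashes literal; the || clause handles a final line that
  # lacks a trailing newline.
  while read -r certname || [ -n "$certname" ]; do
    if assemble_cert "$certname"; then
      updated=$((updated + 1))
    fi
  done

  # No bundle written -> nothing new for haproxy to load.
  [ "$updated" -gt 0 ] || return 0
  reload_haproxy
}

main "$@"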