@patoi
Created January 21, 2020 15:16
haproxy configuration: SSL termination of the local server – haproxy running in docker container
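# If you already have an haproxy.cfg file, you can probably leave the
# global and defaults section as-is, but you might need to increase the
# timeouts so that long-running CLI commands will work.
global
    # Refuse TLS 1.0/1.1 on every "bind ... ssl" line.
    ssl-default-bind-options ssl-min-ver TLSv1.2
    # Cipher list for TLS 1.2 connections (all ECDHE key exchange).
    ssl-default-bind-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
    maxconn 4096
    # log stdout local0 debug

defaults
    log global
    option forwardfor
    option http-server-close
    option httplog
    option dontlognull
    option redispatch
    maxconn 20
    timeout connect 5s
    # "m" is HAProxy's documented suffix for minutes.
    timeout client 5m
    timeout server 5m

frontend www-http
    bind *:80
    mode http
    # set-header replaces any X-Forwarded-Proto value sent by the client;
    # add-header would append a second header and leave the client's value in place.
    http-request set-header X-Forwarded-Proto http
    default_backend www-backend

frontend www-https
    # Generating key pem: https://gist.github.com/yuezhu/47b15b4b8e944221861ccf7d7f5868f5
    # The pem file contains the private key; the container mounts it read-only.
    bind *:443 ssl crt /usr/local/etc/haproxy/ssl/GENERATED.key.pem
    mode http
    http-request set-header X-Forwarded-Proto https
    # ssl_fc is 1 when the client connection arrived over TLS.
    http-request set-header X-SSL %[ssl_fc]
    default_backend www-backend

backend www-backend
    mode http
    # Requests that arrived on port 80 are redirected to https.
    redirect scheme https code 301 if !{ ssl_fc }
    # This line does not enable "ssl", so traffic to the backend is plain HTTP.
    # If "ssl" were added, "verify none" would turn off verification of the
    # backend certificate.
    server jenkins1 DOCKER_HOST_IP:8080 verify none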
patoi commented Jan 21, 2020

  1. Create a haproxy/ssl directory.
  2. Generate the pem file in the haproxy/ssl directory: https://gist.github.com/yuezhu/47b15b4b8e944221861ccf7d7f5868f5
  3. Set the name of GENERATED.key.pem
  4. Set the IP of your machine: DOCKER_HOST_IP
  5. docker run -d -p 80:80 -p 443:443 --name my-running-haproxy -v /Users/patoi/work/temp/haproxy:/usr/local/etc/haproxy:ro haproxy:2.1.2

Test with http://127.0.0.1 and https://127.0.0.1
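
A small audit for an haproxy.cfg laid out like the one in this gist, added here as an example; it is not part of patoi's gist or of HAProxy. The four checks, the finding texts and SAMPLE_CFG (a constructed, deliberately weaker variant of the layout) are assumptions of this example, and only the ssl-min-ver form of a TLS version floor is recognised.

```python
# Constructed sample (not the gist's file): same layout, weaker settings.
SAMPLE_CFG = """\
global
    maxconn 4096
frontend www-http
    bind *:80
    http-request add-header X-Forwarded-Proto http
    default_backend www-backend
frontend www-https
    bind *:443 ssl crt /usr/local/etc/haproxy/ssl/GENERATED.key.pem
    http-request add-header X-Forwarded-Proto https
    default_backend www-backend
backend www-backend
    server jenkins1 DOCKER_HOST_IP:8080 verify none
"""
SECTIONS = ("global", "defaults", "frontend", "backend", "listen")

def parse(cfg):
    """Yield (section_header, tokens) for every directive; '#' comments are dropped."""
    section = None
    for raw in cfg.splitlines():
        tokens = raw.split("#", 1)[0].split()
        if not tokens:
            continue
        if tokens[0] in SECTIONS:
            section = " ".join(tokens)
        elif section:
            yield section, tokens

def audit(cfg):
    """Return sorted findings for the four (hypothetical) checks of this example."""
    lines = [(s, t, " ".join(t)) for s, t in parse(cfg)]
    global_min = any(s == "global" and t[0] == "ssl-default-bind-options"
                     and "ssl-min-ver" in t for s, t, _ in lines)
    redirect = any("redirect scheme https" in text for _, _, text in lines)
    findings = set()
    for s, t, text in lines:
        if t[0] == "bind" and "ssl" in t and not (global_min or "ssl-min-ver" in t):
            findings.add(f"{s}: TLS listener without ssl-min-ver")
        if t[0] == "bind" and "ssl" not in t and not redirect:
            findings.add(f"{s}: cleartext listener and no 'redirect scheme https'")
        if text.startswith("http-request add-header ") and t[2].lower().startswith("x-forwarded-"):
            findings.add(f"{s}: add-header keeps a client-sent {t[2]}; use set-header")
        if t[0] == "server" and len(t) > 2 and "verify none" in text:
            findings.add(f"{s}: server {t[2]} uses TLS but its certificate is not verified"
                         if "ssl" in t else
                         f"{s}: 'verify none' without 'ssl', hop to {t[2]} is cleartext")
    return sorted(findings)

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CFG)))
```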
