pcarion/setup_tunnel_host.sh

## setup_tunnel_host.sh
BASE_DOMAIN_NAME=yourdomain
LETE_EMAIL=you@mail.com
REMOTE_REDIRECT_PORT1=8080
SUBDOMAIN1=auth
REMOTE_REDIRECT_PORT2=8090
SUBDOMAIN2=api

echo "### refresh server setup..."
sudo apt-get update
sudo add-apt-repository -y ppa:certbot/certbot
sudo apt-get update
sudo apt-get install -y certbot
sudo apt-get install -y haproxy
echo

echo "### configuring reverse proxy setup"
sudo sed -i "s/^.*AllowAgentForwarding.*$/AllowAgentForwarding yes/" /etc/ssh/sshd_config
sudo sed -i "s/^.*GatewayPorts.*$/GatewayPorts yes/" /etc/ssh/sshd_config
sudo service sshd restart
echo

echo "### stopping HAProxy"
sudo service haproxy stop
sudo service haproxy status
echo

echo "### getting ssl certificate for: ${BASE_DOMAIN_NAME}.com -- www.${BASE_DOMAIN_NAME}.com -- ${SUBDOMAIN1}.${BASE_DOMAIN_NAME}.com -- ${SUBDOMAIN2}.${BASE_DOMAIN_NAME}.com"
if [ -s "/etc/letsencrypt/live/${BASE_DOMAIN_NAME}.com/fullchain.pem" ]
then
   echo "### we already have the certificates.. skipping"
else
	echo "### Getting certificates..."
	sudo certbot certonly --standalone -d ${BASE_DOMAIN_NAME}.com -d www.${BASE_DOMAIN_NAME}.com -d ${SUBDOMAIN1}.${BASE_DOMAIN_NAME}.com -d ${SUBDOMAIN2}.${BASE_DOMAIN_NAME}.com --non-interactive --agree-tos --email ${LETE_EMAIL}
fi
echo

echo "### copying certificates to HAProxy"
sudo mkdir -p /etc/haproxy/certs
sudo cat /etc/letsencrypt/live/${BASE_DOMAIN_NAME}.com/fullchain.pem /etc/letsencrypt/live/${BASE_DOMAIN_NAME}.com/privkey.pem > /tmp/${BASE_DOMAIN_NAME}.com.pem
sudo cp /tmp/${BASE_DOMAIN_NAME}.com.pem /etc/haproxy/certs/${BASE_DOMAIN_NAME}.com.pem
echo

echo "### Configuring HAProxy..."
sudo cat > /tmp/haproxy.cfg <<ENDHAPROXYCFG
global
	log /dev/log	local0
	log /dev/log	local1 notice
	chroot /var/lib/haproxy
	stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
	stats timeout 30s
	user haproxy
	group haproxy
	daemon

	# Default SSL material locations
	ca-base /etc/ssl/certs
	crt-base /etc/ssl/private

	# Default ciphers to use on SSL-enabled listening sockets.
	# For more information, see ciphers(1SSL). This list is from:
	#  https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
	# An alternative list with additional directives can be obtained from
	#  https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
	ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
	ssl-default-bind-options no-sslv3

defaults
	log	global
	mode	http
	option	httplog
	option	dontlognull
        timeout connect 5000
        timeout client  50000
        timeout server  50000
	errorfile 400 /etc/haproxy/errors/400.http
	errorfile 403 /etc/haproxy/errors/403.http
	errorfile 408 /etc/haproxy/errors/408.http
	errorfile 500 /etc/haproxy/errors/500.http
	errorfile 502 /etc/haproxy/errors/502.http
	errorfile 503 /etc/haproxy/errors/503.http
	errorfile 504 /etc/haproxy/errors/504.http

frontend ${BASE_DOMAIN_NAME}-http
	bind *:80
	reqadd X-Forwarded-Proto:\ http
	mode http
	default_backend www-backend

frontend ${BASE_DOMAIN_NAME}-https
	bind *:443 ssl crt /etc/haproxy/certs/${BASE_DOMAIN_NAME}.com.pem
	reqadd X-Forwarded-Proto:\ https
	mode http
	acl host_${SUBDOMAIN1} hdr(host) -i ${SUBDOMAIN1}.${BASE_DOMAIN_NAME}.com
	acl host_${SUBDOMAIN2} hdr(host) -i ${SUBDOMAIN2}.${BASE_DOMAIN_NAME}.com
	acl letsencrypt-acl path_beg /.well-known/acme-challenge/
	use_backend ${SUBDOMAIN1}_node if host_${SUBDOMAIN1}
	use_backend ${SUBDOMAIN2}_node if host_${SUBDOMAIN2}
	use_backend letsencrypt-backend if letsencrypt-acl
	default_backend www-backend

backend www-backend
	# Redirect if HTTPS is *not* used
	redirect scheme https code 301 if !{ ssl_fc }
	server www-1 127.0.0.1:${REMOTE_REDIRECT_PORT1}

backend ${SUBDOMAIN1}_node
	mode http
	server node1 127.0.0.1:${REMOTE_REDIRECT_PORT1}

backend ${SUBDOMAIN2}_node
	mode http
	server node1 127.0.0.1:${REMOTE_REDIRECT_PORT2}

backend letsencrypt-backend
   server letsencrypt 127.0.0.1:54321
ENDHAPROXYCFG

sudo cp /tmp/haproxy.cfg /etc/haproxy/haproxy.cfg

echo "### HAProxy configured:"
sudo cat /etc/haproxy/haproxy.cfg
echo

echo "### starting HAProxy"
sudo service haproxy start
sudo service haproxy status
	BASE_DOMAIN_NAME=yourdomain
	LETE_EMAIL=you@mail.com
	REMOTE_REDIRECT_PORT1=8080
	SUBDOMAIN1=auth
	REMOTE_REDIRECT_PORT2=8090
	SUBDOMAIN2=api

	echo "### refresh server setup..."
	sudo apt-get update
	sudo add-apt-repository -y ppa:certbot/certbot
	sudo apt-get update
	sudo apt-get install -y certbot
	sudo apt-get install -y haproxy
	echo

	echo "### configuring reverse proxy setup"
	sudo sed -i "s/^.AllowAgentForwarding.$/AllowAgentForwarding yes/" /etc/ssh/sshd_config
	sudo sed -i "s/^.GatewayPorts.$/GatewayPorts yes/" /etc/ssh/sshd_config
	sudo service sshd restart
	echo

	echo "### stopping HAProxy"
	sudo service haproxy stop
	sudo service haproxy status
	echo

	echo "### getting ssl certificate for: ${BASE_DOMAIN_NAME}.com -- www.${BASE_DOMAIN_NAME}.com -- ${SUBDOMAIN1}.${BASE_DOMAIN_NAME}.com -- ${SUBDOMAIN2}.${BASE_DOMAIN_NAME}.com"
	if [ -s "/etc/letsencrypt/live/${BASE_DOMAIN_NAME}.com/fullchain.pem" ]
	then
	echo "### we already have the certificates.. skipping"
	else
	echo "### Getting certificates..."
	sudo certbot certonly --standalone -d ${BASE_DOMAIN_NAME}.com -d www.${BASE_DOMAIN_NAME}.com -d ${SUBDOMAIN1}.${BASE_DOMAIN_NAME}.com -d ${SUBDOMAIN2}.${BASE_DOMAIN_NAME}.com --non-interactive --agree-tos --email ${LETE_EMAIL}
	fi
	echo

	echo "### copying certificates to HAProxy"
	sudo mkdir -p /etc/haproxy/certs
	sudo cat /etc/letsencrypt/live/${BASE_DOMAIN_NAME}.com/fullchain.pem /etc/letsencrypt/live/${BASE_DOMAIN_NAME}.com/privkey.pem > /tmp/${BASE_DOMAIN_NAME}.com.pem
	sudo cp /tmp/${BASE_DOMAIN_NAME}.com.pem /etc/haproxy/certs/${BASE_DOMAIN_NAME}.com.pem
	echo

	echo "### Configuring HAProxy..."
	sudo cat > /tmp/haproxy.cfg <<ENDHAPROXYCFG
	global
	log /dev/log local0
	log /dev/log local1 notice
	chroot /var/lib/haproxy
	stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
	stats timeout 30s
	user haproxy
	group haproxy
	daemon

	# Default SSL material locations
	ca-base /etc/ssl/certs
	crt-base /etc/ssl/private

	# Default ciphers to use on SSL-enabled listening sockets.
	# For more information, see ciphers(1SSL). This list is from:
	# https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
	# An alternative list with additional directives can be obtained from
	# https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
	ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
	ssl-default-bind-options no-sslv3

	defaults
	log global
	mode http
	option httplog
	option dontlognull
	timeout connect 5000
	timeout client 50000
	timeout server 50000
	errorfile 400 /etc/haproxy/errors/400.http
	errorfile 403 /etc/haproxy/errors/403.http
	errorfile 408 /etc/haproxy/errors/408.http
	errorfile 500 /etc/haproxy/errors/500.http
	errorfile 502 /etc/haproxy/errors/502.http
	errorfile 503 /etc/haproxy/errors/503.http
	errorfile 504 /etc/haproxy/errors/504.http

	frontend ${BASE_DOMAIN_NAME}-http
	bind *:80
	reqadd X-Forwarded-Proto:\ http
	mode http
	default_backend www-backend

	frontend ${BASE_DOMAIN_NAME}-https
	bind *:443 ssl crt /etc/haproxy/certs/${BASE_DOMAIN_NAME}.com.pem
	reqadd X-Forwarded-Proto:\ https
	mode http
	acl host_${SUBDOMAIN1} hdr(host) -i ${SUBDOMAIN1}.${BASE_DOMAIN_NAME}.com
	acl host_${SUBDOMAIN2} hdr(host) -i ${SUBDOMAIN2}.${BASE_DOMAIN_NAME}.com
	acl letsencrypt-acl path_beg /.well-known/acme-challenge/
	use_backend ${SUBDOMAIN1}_node if host_${SUBDOMAIN1}
	use_backend ${SUBDOMAIN2}_node if host_${SUBDOMAIN2}
	use_backend letsencrypt-backend if letsencrypt-acl
	default_backend www-backend

	backend www-backend
	# Redirect if HTTPS is not used
	redirect scheme https code 301 if !{ ssl_fc }
	server www-1 127.0.0.1:${REMOTE_REDIRECT_PORT1}

	backend ${SUBDOMAIN1}_node
	mode http
	server node1 127.0.0.1:${REMOTE_REDIRECT_PORT1}

	backend ${SUBDOMAIN2}_node
	mode http
	server node1 127.0.0.1:${REMOTE_REDIRECT_PORT2}

	backend letsencrypt-backend
	server letsencrypt 127.0.0.1:54321
	ENDHAPROXYCFG

	sudo cp /tmp/haproxy.cfg /etc/haproxy/haproxy.cfg

	echo "### HAProxy configured:"
	sudo cat /etc/haproxy/haproxy.cfg
	echo

	echo "### starting HAProxy"
	sudo service haproxy start
	sudo service haproxy status