Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
setup an ec2 server as a ssh tunner - see: https://www.pcarion.com/ssh-tunnel
BASE_DOMAIN_NAME=yourdomain
LETE_EMAIL=you@mail.com
REMOTE_REDIRECT_PORT1=8080
SUBDOMAIN1=auth
REMOTE_REDIRECT_PORT2=8090
SUBDOMAIN2=api
echo "### refresh server setup..."
sudo apt-get update
sudo add-apt-repository -y ppa:certbot/certbot
sudo apt-get update
sudo apt-get install -y certbot
sudo apt-get install -y haproxy
echo
echo "### configuring reverse proxy setup"
sudo sed -i "s/^.*AllowAgentForwarding.*$/AllowAgentForwarding yes/" /etc/ssh/sshd_config
sudo sed -i "s/^.*GatewayPorts.*$/GatewayPorts yes/" /etc/ssh/sshd_config
sudo service sshd restart
echo
echo "### stopping HAProxy"
sudo service haproxy stop
sudo service haproxy status
echo
echo "### getting ssl certificate for: ${BASE_DOMAIN_NAME}.com -- www.${BASE_DOMAIN_NAME}.com -- ${SUBDOMAIN1}.${BASE_DOMAIN_NAME}.com -- ${SUBDOMAIN2}.${BASE_DOMAIN_NAME}.com"
if [ -s "/etc/letsencrypt/live/${BASE_DOMAIN_NAME}.com/fullchain.pem" ]
then
echo "### we already have the certificates.. skipping"
else
echo "### Getting certificates..."
sudo certbot certonly --standalone -d ${BASE_DOMAIN_NAME}.com -d www.${BASE_DOMAIN_NAME}.com -d ${SUBDOMAIN1}.${BASE_DOMAIN_NAME}.com -d ${SUBDOMAIN2}.${BASE_DOMAIN_NAME}.com --non-interactive --agree-tos --email ${LETE_EMAIL}
fi
echo
echo "### copying certificates to HAProxy"
sudo mkdir -p /etc/haproxy/certs
sudo cat /etc/letsencrypt/live/${BASE_DOMAIN_NAME}.com/fullchain.pem /etc/letsencrypt/live/${BASE_DOMAIN_NAME}.com/privkey.pem > /tmp/${BASE_DOMAIN_NAME}.com.pem
sudo cp /tmp/${BASE_DOMAIN_NAME}.com.pem /etc/haproxy/certs/${BASE_DOMAIN_NAME}.com.pem
echo
echo "### Configuring HAProxy..."
sudo cat > /tmp/haproxy.cfg <<ENDHAPROXYCFG
global
log /dev/log local0
log /dev/log local1 notice
chroot /var/lib/haproxy
stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
stats timeout 30s
user haproxy
group haproxy
daemon
# Default SSL material locations
ca-base /etc/ssl/certs
crt-base /etc/ssl/private
# Default ciphers to use on SSL-enabled listening sockets.
# For more information, see ciphers(1SSL). This list is from:
# https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
# An alternative list with additional directives can be obtained from
# https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
ssl-default-bind-options no-sslv3
defaults
log global
mode http
option httplog
option dontlognull
timeout connect 5000
timeout client 50000
timeout server 50000
errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http
frontend ${BASE_DOMAIN_NAME}-http
bind *:80
reqadd X-Forwarded-Proto:\ http
mode http
default_backend www-backend
frontend ${BASE_DOMAIN_NAME}-https
bind *:443 ssl crt /etc/haproxy/certs/${BASE_DOMAIN_NAME}.com.pem
reqadd X-Forwarded-Proto:\ https
mode http
acl host_${SUBDOMAIN1} hdr(host) -i ${SUBDOMAIN1}.${BASE_DOMAIN_NAME}.com
acl host_${SUBDOMAIN2} hdr(host) -i ${SUBDOMAIN2}.${BASE_DOMAIN_NAME}.com
acl letsencrypt-acl path_beg /.well-known/acme-challenge/
use_backend ${SUBDOMAIN1}_node if host_${SUBDOMAIN1}
use_backend ${SUBDOMAIN2}_node if host_${SUBDOMAIN2}
use_backend letsencrypt-backend if letsencrypt-acl
default_backend www-backend
backend www-backend
# Redirect if HTTPS is *not* used
redirect scheme https code 301 if !{ ssl_fc }
server www-1 127.0.0.1:${REMOTE_REDIRECT_PORT1}
backend ${SUBDOMAIN1}_node
mode http
server node1 127.0.0.1:${REMOTE_REDIRECT_PORT1}
backend ${SUBDOMAIN2}_node
mode http
server node1 127.0.0.1:${REMOTE_REDIRECT_PORT2}
backend letsencrypt-backend
server letsencrypt 127.0.0.1:54321
ENDHAPROXYCFG
sudo cp /tmp/haproxy.cfg /etc/haproxy/haproxy.cfg
echo "### HAProxy configured:"
sudo cat /etc/haproxy/haproxy.cfg
echo
echo "### starting HAProxy"
sudo service haproxy start
sudo service haproxy status
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment