set up an ec2 server as an ssh tunnel endpoint - see: https://www.pcarion.com/ssh-tunnel
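#!/usr/bin/env bash
# Set up an Ubuntu EC2 host as the public end of an SSH reverse tunnel:
# HAProxy terminates TLS (Let's Encrypt certificate) on 443 and forwards
# per-subdomain traffic to local ports that remote `ssh -R` tunnels land on.
# See https://www.pcarion.com/ssh-tunnel
#
# Usage: edit the settings block, then run as a user with sudo on the host.
# Every step is idempotent enough to re-run after a failure.
set -euo pipefail

# --- settings ---------------------------------------------------------------
BASE_DOMAIN_NAME=yourdomain   # ".com" is appended wherever the domain is used
LETE_EMAIL=you@mail.com       # Let's Encrypt account / expiry-notice address
REMOTE_REDIRECT_PORT1=8080    # loopback port the first tunnel binds on this host
SUBDOMAIN1=auth               # public name routed to REMOTE_REDIRECT_PORT1
REMOTE_REDIRECT_PORT2=8090    # loopback port the second tunnel binds on this host
SUBDOMAIN2=api                # public name routed to REMOTE_REDIRECT_PORT2

readonly DOMAIN="${BASE_DOMAIN_NAME}.com"
readonly LE_LIVE="/etc/letsencrypt/live/${DOMAIN}"
readonly CERT_DIR=/etc/haproxy/certs
readonly HAPROXY_CFG=/etc/haproxy/haproxy.cfg

die() { printf '%s\n' "$*" >&2; exit 1; }

#######################################
# Install certbot and HAProxy from apt.
# Globals:   none
# Outputs:   apt progress to stdout
#######################################
install_packages() {
  echo "### refresh server setup..."
  sudo apt-get update
  # NOTE(review): this PPA is what the script was written against; confirm it
  # is still the right certbot source for your Ubuntu release.
  sudo add-apt-repository -y ppa:certbot/certbot
  sudo apt-get update
  sudo apt-get install -y certbot haproxy
}

#######################################
# Enable agent forwarding and gateway ports in sshd_config, then restart sshd.
# Globals:   none
# Returns:   exits via die if the resulting sshd_config does not validate
#######################################
configure_sshd() {
  echo
  echo "### configuring reverse proxy setup"
  # The patterns match the whole line, so a commented-out default such as
  # "#GatewayPorts no" is replaced as well, not only an active directive.
  sudo sed -i 's/^.*AllowAgentForwarding.*$/AllowAgentForwarding yes/' /etc/ssh/sshd_config
  # "GatewayPorts yes" binds remote-forwarded (-R) ports on all interfaces, so
  # the tunnelled ports are reachable from the network directly, bypassing
  # HAProxy/TLS.  The HAProxy backends below only talk to 127.0.0.1, so keep
  # the EC2 security group limited to 22/80/443 unless direct access is wanted.
  sudo sed -i 's/^.*GatewayPorts.*$/GatewayPorts yes/' /etc/ssh/sshd_config
  # Validate before restarting: a bad config would leave the host with no
  # working sshd for new connections.
  sudo sshd -t || die "sshd_config failed validation; not restarting sshd"
  sudo service sshd restart
}

#######################################
# Stop HAProxy so certbot's standalone responder can take port 80.
#######################################
stop_haproxy() {
  echo
  echo "### stopping HAProxy"
  sudo service haproxy stop
  # 'status' exits non-zero while the service is stopped; that is expected
  # here and must not trip set -e.
  sudo service haproxy status || true
}

#######################################
# Obtain the Let's Encrypt certificate for the base, www and both subdomains,
# unless one is already present under LE_LIVE.
# Globals:   DOMAIN, SUBDOMAIN1, SUBDOMAIN2, LETE_EMAIL, LE_LIVE (read)
#######################################
obtain_certificate() {
  local -a names=("$DOMAIN" "www.${DOMAIN}" "${SUBDOMAIN1}.${DOMAIN}" "${SUBDOMAIN2}.${DOMAIN}")
  local -a domain_args=()
  local name

  echo
  printf '### getting ssl certificate for: %s -- %s -- %s -- %s\n' "${names[@]}"
  if [[ -s "${LE_LIVE}/fullchain.pem" ]]; then
    echo "### we already have the certificates.. skipping"
    return 0
  fi

  echo "### Getting certificates..."
  for name in "${names[@]}"; do
    domain_args+=(-d "$name")
  done
  # --standalone makes certbot bind port 80 itself, hence HAProxy is stopped
  # before this step and started again afterwards.
  sudo certbot certonly --standalone "${domain_args[@]}" \
    --non-interactive --agree-tos --email "$LETE_EMAIL"
}

#######################################
# Build the combined chain+key PEM that HAProxy expects, directly in CERT_DIR.
# Globals:   LE_LIVE, CERT_DIR, DOMAIN (read)
#######################################
install_haproxy_cert() {
  echo
  echo "### copying certificates to HAProxy"
  sudo mkdir -p -m 0700 "$CERT_DIR"
  # Write the PEM in place under a restrictive umask.  Staging it through /tmp
  # (as the original did) leaves a world-readable copy of the private key
  # behind, and a plain "sudo cat > file" redirect runs as the calling user.
  sudo sh -c 'umask 077; cat "$1" "$2" > "$3"' sh \
    "${LE_LIVE}/fullchain.pem" "${LE_LIVE}/privkey.pem" "${CERT_DIR}/${DOMAIN}.pem"
}

#######################################
# Render haproxy.cfg from the settings, validate it and print it.
# Globals:   BASE_DOMAIN_NAME, DOMAIN, SUBDOMAIN1/2, REMOTE_REDIRECT_PORT1/2,
#            CERT_DIR, HAPROXY_CFG (read)
# Returns:   exits via die if HAProxy rejects the generated configuration
#######################################
write_haproxy_config() {
  echo
  echo "### Configuring HAProxy..."
  # Unquoted delimiter on purpose: the ${...} references below are expanded.
  sudo tee "$HAPROXY_CFG" >/dev/null <<ENDHAPROXYCFG
global
    log /dev/log local0
    log /dev/log local1 notice
    chroot /var/lib/haproxy
    stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
    stats timeout 30s
    user haproxy
    group haproxy
    daemon

    # Default SSL material locations
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private

    # Default ciphers to use on SSL-enabled listening sockets.
    # For more information, see ciphers(1SSL). This list is from:
    # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
    # An alternative list with additional directives can be obtained from
    # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
    ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
    # NOTE(review): no-sslv3 still permits TLS 1.0/1.1; add "no-tlsv10 no-tlsv11"
    # once no legacy clients need them.
    ssl-default-bind-options no-sslv3

defaults
    log global
    mode http
    option httplog
    option dontlognull
    timeout connect 5000
    timeout client 50000
    timeout server 50000
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http

# Plain HTTP: everything falls through to www-backend, which redirects to HTTPS.
frontend ${BASE_DOMAIN_NAME}-http
    bind *:80
    mode http
    # http-request add-header replaces the pre-2.1 "reqadd" directive.
    http-request add-header X-Forwarded-Proto http
    default_backend www-backend

frontend ${BASE_DOMAIN_NAME}-https
    bind *:443 ssl crt ${CERT_DIR}/${DOMAIN}.pem
    mode http
    http-request add-header X-Forwarded-Proto https
    acl host_${SUBDOMAIN1} hdr(host) -i ${SUBDOMAIN1}.${DOMAIN}
    acl host_${SUBDOMAIN2} hdr(host) -i ${SUBDOMAIN2}.${DOMAIN}
    acl letsencrypt-acl path_beg /.well-known/acme-challenge/
    use_backend ${SUBDOMAIN1}_node if host_${SUBDOMAIN1}
    use_backend ${SUBDOMAIN2}_node if host_${SUBDOMAIN2}
    use_backend letsencrypt-backend if letsencrypt-acl
    default_backend www-backend

backend www-backend
    # Redirect if HTTPS is *not* used
    redirect scheme https code 301 if !{ ssl_fc }
    server www-1 127.0.0.1:${REMOTE_REDIRECT_PORT1}

backend ${SUBDOMAIN1}_node
    mode http
    server node1 127.0.0.1:${REMOTE_REDIRECT_PORT1}

backend ${SUBDOMAIN2}_node
    mode http
    server node1 127.0.0.1:${REMOTE_REDIRECT_PORT2}

# ACME HTTP-01 challenges are handed to a responder on loopback port 54321
# (e.g. certbot --standalone --http-01-port 54321).  This script does not
# configure renewal; nothing listens on 54321 until you set that up.
backend letsencrypt-backend
    server letsencrypt 127.0.0.1:54321
ENDHAPROXYCFG

  # Fail here rather than at service start, where the error is harder to see.
  sudo haproxy -c -f "$HAPROXY_CFG" || die "generated ${HAPROXY_CFG} failed validation"
  echo "### HAProxy configured:"
  sudo cat "$HAPROXY_CFG"
}

#######################################
# Start HAProxy; under set -e a failing 'status' aborts the script, which is
# the desired outcome at this point.
#######################################
start_haproxy() {
  echo
  echo "### starting HAProxy"
  sudo service haproxy start
  sudo service haproxy status
}

main() {
  install_packages
  configure_sshd
  stop_haproxy
  obtain_certificate
  install_haproxy_cert
  write_haproxy_config
  start_haproxy
}

main "$@"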