Set up an EC2 server as an SSH tunnel endpoint (HAProxy terminates TLS and routes to ports published via SSH remote forwards) - see: https://www.pcarion.com/ssh-tunnel
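#!/usr/bin/env bash
# Provision an Ubuntu EC2 host as a TLS-terminating reverse proxy in front of
# services that are published to it over SSH remote port forwards
# (ssh -R <port>:localhost:<local-port>). Let's Encrypt issues the certificate,
# HAProxy terminates TLS on :443 and routes by Host header to the forwarded
# loopback ports.
#
# Edit the variables below before running. Must be run by a user with sudo.
#   BASE_DOMAIN_NAME       apex label WITHOUT the ".com" suffix (appended below)
#   LETE_EMAIL             contact address registered with Let's Encrypt
#   SUBDOMAIN1/2           hostnames routed to REMOTE_REDIRECT_PORT1/2 on 127.0.0.1
#
# Changes vs. the original gist, all security/correctness:
#   - the private key is no longer staged world-readable in /tmp; the HAProxy
#     bundle is written root-only (0600) directly into /etc/haproxy/certs
#   - the "cert already present" check runs under sudo (live/ is root-only, so
#     an unprivileged test always failed and re-issued on every run)
#   - sshd and HAProxy configs are validated before the services are restarted
#     (a broken sshd_config on a cloud host means being locked out)
#   - ACME challenge routing moved to the :80 frontend where HTTP-01 actually
#     arrives, plus a certbot deploy hook so renewed certs reach HAProxy
#   - reqadd replaced by http-request set-header (reqadd was removed in HAProxy 2.1)
#   - TLS 1.0/1.1 disabled on the bind
set -euo pipefail

BASE_DOMAIN_NAME=yourdomain
LETE_EMAIL=you@mail.com
REMOTE_REDIRECT_PORT1=8080
SUBDOMAIN1=auth
REMOTE_REDIRECT_PORT2=8090
SUBDOMAIN2=api

readonly FQDN="${BASE_DOMAIN_NAME}.com"
readonly LE_LIVE="/etc/letsencrypt/live/${FQDN}"
readonly HAPROXY_CERT_DIR="/etc/haproxy/certs"
readonly HAPROXY_PEM="${HAPROXY_CERT_DIR}/${FQDN}.pem"
readonly ACME_PORT=54321
readonly SSHD_CONFIG="/etc/ssh/sshd_config"

#######################################
# Set (or replace) one sshd_config directive.
# Arguments: $1 - directive name, $2 - value
# Like the original sed, any line containing the directive (commented or not)
# is rewritten; if no such line exists the directive is appended.
#######################################
set_sshd_option() {
  local key=$1 value=$2
  if sudo grep -q -- "${key}" "${SSHD_CONFIG}"; then
    sudo sed -i "s/^.*${key}.*$/${key} ${value}/" "${SSHD_CONFIG}"
  else
    printf '%s %s\n' "${key}" "${value}" | sudo tee -a "${SSHD_CONFIG}" >/dev/null
  fi
}

#######################################
# Concatenate fullchain + privkey into the single PEM HAProxy expects.
# Written as root with umask 077 so the private key is never readable by
# other local users (HAProxy loads certificates before dropping privileges).
#######################################
bundle_certificate() {
  sudo mkdir -p -- "${HAPROXY_CERT_DIR}"
  sudo chmod 700 -- "${HAPROXY_CERT_DIR}"
  sudo sh -c 'umask 077; cat -- "$1" "$2" > "$3"' _ \
    "${LE_LIVE}/fullchain.pem" "${LE_LIVE}/privkey.pem" "${HAPROXY_PEM}"
}

echo "### refresh server setup..."
sudo apt-get update
sudo add-apt-repository -y ppa:certbot/certbot
sudo apt-get update
sudo apt-get install -y certbot haproxy
echo

echo "### configuring sshd for remote port forwarding"
# NOTE(security): agent forwarding lets anyone with root on this host use the
# connecting user's SSH agent. Keep it only if the tunnel client needs it.
set_sshd_option AllowAgentForwarding yes
# NOTE(security): GatewayPorts yes makes every -R forward bind on ALL
# interfaces, i.e. the plaintext backend ports (${REMOTE_REDIRECT_PORT1},
# ${REMOTE_REDIRECT_PORT2}) become reachable directly, bypassing HAProxy/TLS.
# HAProxy below only needs them on 127.0.0.1; either block those ports in the
# EC2 security group or use "GatewayPorts clientspecified".
set_sshd_option GatewayPorts yes
# Never restart sshd with an unvalidated config on a remote host.
sudo sshd -t
sudo service sshd restart
echo

echo "### stopping HAProxy (certbot --standalone needs :80 for first issuance)"
sudo service haproxy stop
sudo service haproxy status || true
echo

echo "### getting ssl certificate for: ${FQDN} -- www.${FQDN} -- ${SUBDOMAIN1}.${FQDN} -- ${SUBDOMAIN2}.${FQDN}"
# live/ is root-only: the test must run under sudo, otherwise it is always
# false and every run re-issues (and burns Let's Encrypt rate limits).
if sudo test -s "${LE_LIVE}/fullchain.pem"; then
  echo "### we already have the certificates.. skipping"
else
  echo "### Getting certificates..."
  sudo certbot certonly --standalone \
    -d "${FQDN}" -d "www.${FQDN}" \
    -d "${SUBDOMAIN1}.${FQDN}" -d "${SUBDOMAIN2}.${FQDN}" \
    --non-interactive --agree-tos --email "${LETE_EMAIL}"
fi
echo

echo "### copying certificates to HAProxy"
bundle_certificate
echo

echo "### installing certbot deploy hook (re-bundle + reload on renewal)"
# Renewals run while HAProxy holds :80. The :80 frontend below forwards
# /.well-known/acme-challenge/ to 127.0.0.1:${ACME_PORT}, so renew with
# "certbot renew --http-01-port ${ACME_PORT}" (or set http01_port in the
# renewal conf) to avoid stopping the proxy. Deploy hooks need certbot >= 0.17.
sudo mkdir -p /etc/letsencrypt/renewal-hooks/deploy
sudo tee /etc/letsencrypt/renewal-hooks/deploy/haproxy-bundle.sh >/dev/null <<ENDHOOK
#!/bin/sh
# Installed by the EC2 tunnel setup script: rebuild the HAProxy PEM bundle
# from the renewed lineage (RENEWED_LINEAGE is exported by certbot) and reload.
set -eu
umask 077
cat -- "\${RENEWED_LINEAGE}/fullchain.pem" "\${RENEWED_LINEAGE}/privkey.pem" > "${HAPROXY_PEM}"
service haproxy reload
ENDHOOK
sudo chmod 755 /etc/letsencrypt/renewal-hooks/deploy/haproxy-bundle.sh
echo

echo "### Configuring HAProxy..."
# Written straight to its destination via tee; no predictable /tmp staging file.
sudo tee /etc/haproxy/haproxy.cfg >/dev/null <<ENDHAPROXYCFG
global
    log /dev/log local0
    log /dev/log local1 notice
    chroot /var/lib/haproxy
    stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
    stats timeout 30s
    user haproxy
    group haproxy
    daemon
    # Default SSL material locations
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private
    # Cipher list from https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
    # An alternative with more directives:
    # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
    ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
    # TLS 1.0/1.1 are disabled in addition to SSLv3.
    ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11

defaults
    log global
    mode http
    option httplog
    option dontlognull
    timeout connect 5000
    timeout client 50000
    timeout server 50000
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http

# Plain HTTP: serve ACME HTTP-01 challenges, redirect everything else to HTTPS.
frontend ${BASE_DOMAIN_NAME}-http
    bind *:80
    mode http
    http-request set-header X-Forwarded-Proto http
    acl letsencrypt-acl path_beg /.well-known/acme-challenge/
    use_backend letsencrypt-backend if letsencrypt-acl
    default_backend www-backend

frontend ${BASE_DOMAIN_NAME}-https
    bind *:443 ssl crt ${HAPROXY_PEM}
    mode http
    http-request set-header X-Forwarded-Proto https
    acl host_${SUBDOMAIN1} hdr(host) -i ${SUBDOMAIN1}.${FQDN}
    acl host_${SUBDOMAIN2} hdr(host) -i ${SUBDOMAIN2}.${FQDN}
    use_backend ${SUBDOMAIN1}_node if host_${SUBDOMAIN1}
    use_backend ${SUBDOMAIN2}_node if host_${SUBDOMAIN2}
    default_backend www-backend

backend www-backend
    # Redirect if HTTPS is *not* used
    redirect scheme https code 301 if !{ ssl_fc }
    server www-1 127.0.0.1:${REMOTE_REDIRECT_PORT1}

backend ${SUBDOMAIN1}_node
    mode http
    server node1 127.0.0.1:${REMOTE_REDIRECT_PORT1}

backend ${SUBDOMAIN2}_node
    mode http
    server node1 127.0.0.1:${REMOTE_REDIRECT_PORT2}

# Target for "certbot renew --http-01-port ${ACME_PORT}".
backend letsencrypt-backend
    server letsencrypt 127.0.0.1:${ACME_PORT}
ENDHAPROXYCFG
echo "### HAProxy configured:"
sudo cat /etc/haproxy/haproxy.cfg
echo

echo "### validating and starting HAProxy"
sudo haproxy -c -f /etc/haproxy/haproxy.cfg
sudo service haproxy start
sudo service haproxy status || true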