Created
January 26, 2020 18:30
-
-
Save pcarion/5b20af09c323a8214f6356d97d24d1ea to your computer and use it in GitHub Desktop.
setup an ec2 server as a ssh tunner - see: https://www.pcarion.com/ssh-tunnel
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
BASE_DOMAIN_NAME=yourdomain | |
LETE_EMAIL=you@mail.com | |
REMOTE_REDIRECT_PORT1=8080 | |
SUBDOMAIN1=auth | |
REMOTE_REDIRECT_PORT2=8090 | |
SUBDOMAIN2=api | |
echo "### refresh server setup..." | |
sudo apt-get update | |
sudo add-apt-repository -y ppa:certbot/certbot | |
sudo apt-get update | |
sudo apt-get install -y certbot | |
sudo apt-get install -y haproxy | |
echo | |
echo "### configuring reverse proxy setup" | |
sudo sed -i "s/^.*AllowAgentForwarding.*$/AllowAgentForwarding yes/" /etc/ssh/sshd_config | |
sudo sed -i "s/^.*GatewayPorts.*$/GatewayPorts yes/" /etc/ssh/sshd_config | |
sudo service sshd restart | |
echo | |
echo "### stopping HAProxy" | |
sudo service haproxy stop | |
sudo service haproxy status | |
echo | |
echo "### getting ssl certificate for: ${BASE_DOMAIN_NAME}.com -- www.${BASE_DOMAIN_NAME}.com -- ${SUBDOMAIN1}.${BASE_DOMAIN_NAME}.com -- ${SUBDOMAIN2}.${BASE_DOMAIN_NAME}.com" | |
if [ -s "/etc/letsencrypt/live/${BASE_DOMAIN_NAME}.com/fullchain.pem" ] | |
then | |
echo "### we already have the certificates.. skipping" | |
else | |
echo "### Getting certificates..." | |
sudo certbot certonly --standalone -d ${BASE_DOMAIN_NAME}.com -d www.${BASE_DOMAIN_NAME}.com -d ${SUBDOMAIN1}.${BASE_DOMAIN_NAME}.com -d ${SUBDOMAIN2}.${BASE_DOMAIN_NAME}.com --non-interactive --agree-tos --email ${LETE_EMAIL} | |
fi | |
echo | |
echo "### copying certificates to HAProxy" | |
sudo mkdir -p /etc/haproxy/certs | |
sudo cat /etc/letsencrypt/live/${BASE_DOMAIN_NAME}.com/fullchain.pem /etc/letsencrypt/live/${BASE_DOMAIN_NAME}.com/privkey.pem > /tmp/${BASE_DOMAIN_NAME}.com.pem | |
sudo cp /tmp/${BASE_DOMAIN_NAME}.com.pem /etc/haproxy/certs/${BASE_DOMAIN_NAME}.com.pem | |
echo | |
echo "### Configuring HAProxy..." | |
sudo cat > /tmp/haproxy.cfg <<ENDHAPROXYCFG | |
global | |
log /dev/log local0 | |
log /dev/log local1 notice | |
chroot /var/lib/haproxy | |
stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners | |
stats timeout 30s | |
user haproxy | |
group haproxy | |
daemon | |
# Default SSL material locations | |
ca-base /etc/ssl/certs | |
crt-base /etc/ssl/private | |
# Default ciphers to use on SSL-enabled listening sockets. | |
# For more information, see ciphers(1SSL). This list is from: | |
# https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/ | |
# An alternative list with additional directives can be obtained from | |
# https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy | |
ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS | |
ssl-default-bind-options no-sslv3 | |
defaults | |
log global | |
mode http | |
option httplog | |
option dontlognull | |
timeout connect 5000 | |
timeout client 50000 | |
timeout server 50000 | |
errorfile 400 /etc/haproxy/errors/400.http | |
errorfile 403 /etc/haproxy/errors/403.http | |
errorfile 408 /etc/haproxy/errors/408.http | |
errorfile 500 /etc/haproxy/errors/500.http | |
errorfile 502 /etc/haproxy/errors/502.http | |
errorfile 503 /etc/haproxy/errors/503.http | |
errorfile 504 /etc/haproxy/errors/504.http | |
frontend ${BASE_DOMAIN_NAME}-http | |
bind *:80 | |
reqadd X-Forwarded-Proto:\ http | |
mode http | |
default_backend www-backend | |
frontend ${BASE_DOMAIN_NAME}-https | |
bind *:443 ssl crt /etc/haproxy/certs/${BASE_DOMAIN_NAME}.com.pem | |
reqadd X-Forwarded-Proto:\ https | |
mode http | |
acl host_${SUBDOMAIN1} hdr(host) -i ${SUBDOMAIN1}.${BASE_DOMAIN_NAME}.com | |
acl host_${SUBDOMAIN2} hdr(host) -i ${SUBDOMAIN2}.${BASE_DOMAIN_NAME}.com | |
acl letsencrypt-acl path_beg /.well-known/acme-challenge/ | |
use_backend ${SUBDOMAIN1}_node if host_${SUBDOMAIN1} | |
use_backend ${SUBDOMAIN2}_node if host_${SUBDOMAIN2} | |
use_backend letsencrypt-backend if letsencrypt-acl | |
default_backend www-backend | |
backend www-backend | |
# Redirect if HTTPS is *not* used | |
redirect scheme https code 301 if !{ ssl_fc } | |
server www-1 127.0.0.1:${REMOTE_REDIRECT_PORT1} | |
backend ${SUBDOMAIN1}_node | |
mode http | |
server node1 127.0.0.1:${REMOTE_REDIRECT_PORT1} | |
backend ${SUBDOMAIN2}_node | |
mode http | |
server node1 127.0.0.1:${REMOTE_REDIRECT_PORT2} | |
backend letsencrypt-backend | |
server letsencrypt 127.0.0.1:54321 | |
ENDHAPROXYCFG | |
sudo cp /tmp/haproxy.cfg /etc/haproxy/haproxy.cfg | |
echo "### HAProxy configured:" | |
sudo cat /etc/haproxy/haproxy.cfg | |
echo | |
echo "### starting HAProxy" | |
sudo service haproxy start | |
sudo service haproxy status |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment