ExampleAcme.md


Basic Example with ACME (HTTP-01 challenges answered through the proxy, certificates managed by dehydrated)

Config (Ansible role variables)

# Role variables for one HTTPS frontend whose certificate is obtained via ACME.
# The role renders these into /etc/haproxy/haproxy.cfg, /etc/haproxy/conf.d/*.cfg
# and /etc/dehydrated/domains.txt (see "Result" below for the generated files).
haproxy:
  acme:
    # Global switch for the ACME client (dehydrated) and its systemd units.
    enable: true
    # Contact address for the ACME account — presumably written into
    # /etc/dehydrated/config, which is not shown on this page.
    email: 'guy@test.ansibleguy.net'

  frontends:
    fe_web:
      # Port 80 must stay open: the HTTP-01 challenge path is served over plain
      # HTTP and is exempted from the HTTPS redirect in the generated config.
      # 'v4v6' lets the [::] socket accept IPv4 as well as IPv6 connections.
      bind: ['[::]:80 v4v6', '[::]:443 v4v6 ssl']
      acme:
        # Enabling ACME on the frontend makes the role:
        #  - exempt /.well-known/acme-challenge/ from the 301-to-HTTPS redirect,
        #  - route that path to the local responder backend on 127.0.0.1:8405,
        #  - point the ssl bind at the directory /etc/ssl/haproxy_acme/certs.
        # NOTE(review): the issued pem ends up 0600 haproxy-acme:haproxy-acme
        # while the workers run as user/group 'haproxy'; this relies on HAProxy
        # loading certificates before dropping privileges — confirm that
        # reloads keep working if the master-worker setup is changed.
        enable: true

      routes:
        be_test:
          # Host header values routed to backend be_test. The entry is also
          # written to /etc/dehydrated/domains.txt under the alias
          # fe_web-be_test, and the issued certificate is named after it.
          # The generated ACL is an exact, case-insensitive string match on
          # the Host header, so a Host value carrying an explicit port
          # (e.g. app.test.ansibleguy.net:443) would not match this route.
          domains: ['app.test.ansibleguy.net']

      # Requests that are not ACME challenges and match no route land here.
      default_backend: 'be_fallback'

  backends:
    be_test:
      # TLS terminates at HAProxy; these upstreams are reached over plain HTTP
      # (port 80, no 'ssl' keyword in the generated 'server' lines). Only
      # acceptable if the network path to 192.168.10.0/24 is trusted.
      servers:
        - 'srv-1 192.168.10.11:80'
        - 'srv-2 192.168.10.12:80'

    be_fallback:
      # Raw HAProxy directive passed through verbatim: unknown hosts get a 302.
      lines: 'http-request redirect code 302 location https://github.com/ansibleguy'

Result (files and services generated on the target host)

root@test-ag-haproxy-acme:/# ls -l /etc/dehydrated/
> -rw-r----- 1 root haproxy-acme 478 May  3 15:44 config
> -rw-r----- 1 root haproxy-acme 898 May  4 13:29 domains.txt

root@test-ag-haproxy-acme:/# cat /etc/dehydrated/domains.txt 
> # Ansible managed: Do NOT edit this file manually!
> # ansibleguy.infra_haproxy
>
> # FRONTEND: fe_web
> ## BACKEND: be_test
> app.test.ansibleguy.net > fe_web-be_test

root@test-ag-haproxy-acme:/# ls -l /etc/ssl/haproxy_acme/certs
> -rw------- 1 haproxy-acme haproxy-acme 3673 May  3 18:31 fe_web-be_test.pem
> -rw-r----- 1 haproxy-acme haproxy      2872 May  3 15:05 placeholder.pem

root@test-ag-haproxy-acme:/# cat /etc/haproxy/haproxy.cfg 
> # Ansible managed: Do NOT edit this file manually!
> # ansibleguy.infra_haproxy
> 
> global
>     daemon
>     user haproxy
>     group haproxy
> 
> 
>     log /dev/log    local0
>     log /dev/log    local1 notice
>     chroot /var/lib/haproxy
>     stats socket /run/haproxy/admin.sock mode 660 level admin
>     stats timeout 30s
>     ca-base /etc/ssl/certs
>     crt-base /etc/ssl/private
>     ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
>     ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
>     ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
>
> defaults
>     log global
>     mode http
>     option httplog
>     option dontlognull
>     timeout connect 5000
>     timeout client 50000
>     timeout server 50000
>     errorfile 400 /etc/haproxy/errors/400.http
>     errorfile 403 /etc/haproxy/errors/403.http
>     errorfile 408 /etc/haproxy/errors/408.http
>     errorfile 500 /etc/haproxy/errors/500.http
>     errorfile 502 /etc/haproxy/errors/502.http
>     errorfile 503 /etc/haproxy/errors/503.http
>     errorfile 504 /etc/haproxy/errors/504.http

root@test-ag-haproxy-acme:/# cat /etc/haproxy/conf.d/frontend.cfg 
> # Ansible managed: Do NOT edit this file manually!
> # ansibleguy.infra_haproxy
>
> frontend fe_web
>     mode http
>     bind [::]:80 v4v6
>     bind [::]:443 v4v6 ssl crt /etc/ssl/haproxy_acme/certs alpn h2,http/1.1
>
>     http-request redirect scheme https code 301 if !{ ssl_fc } !{ path_beg -i /.well-known/acme-challenge/ }
>
>     http-request deny status 405 default-errorfiles if { method TRACE CONNECT }
>
>     # Security headers
>     http-response add-header Strict-Transport-Security "max-age=16000000; includeSubDomains; preload;" if !{ res.hdr(Strict-Transport-Security) -m found }
>     http-response add-header X-Frame-Options "SAMEORIGIN" if !{ res.hdr(X-Frame-Options) -m found }
>     http-response add-header X-Content-Type-Options "nosniff" if !{ res.hdr(X-Content-Type-Options) -m found }
>     http-response add-header X-Permitted-Cross-Domain-Policies "none" if !{ res.hdr(X-Permitted-Cross-Domain-Policies) -m found }
>     http-response add-header X-XSS-Protection "1; mode=block" if !{ res.hdr(X-XSS-Protection) -m found }
>
>     http-request capture req.fhdr(User-Agent) len 200
>
>
>     use_backend be_haproxy_acme if { path_beg -i /.well-known/acme-challenge/ }
>
>     # BACKEND be_test
>     acl be_test_domains req.hdr(host) -m str -i app.test.ansibleguy.net
>     use_backend be_test if be_test_domains
> 
>     default_backend be_fallback

root@test-ag-haproxy-acme:/# cat /etc/haproxy/conf.d/backend.cfg  
> # Ansible managed: Do NOT edit this file manually!
> # ansibleguy.infra_haproxy
> 
> 
> backend be_test
>     mode http
> 
>
>     server srv-1 192.168.10.11:80 check
>     server srv-2 192.168.10.12:80 check
> 
> backend be_fallback
>     mode http
> 
>     http-request redirect code 302 location https://github.com/ansibleguy
> 
> backend be_haproxy_acme
>     server haproxy_acme 127.0.0.1:8405 check

root@test-ag-haproxy-acme:/# systemctl status haproxy.service
> * haproxy.service - HAProxy Load Balancer
>      Loaded: loaded (/lib/systemd/system/haproxy.service; enabled; preset: enabled)
>     Drop-In: /etc/systemd/system/haproxy.service.d
>              `-override.conf
>      Active: active (running) since Sat 2024-05-04 16:24:54 UTC; 4min 11s ago
>        Docs: man:haproxy(1)
>              file:/usr/share/doc/haproxy/configuration.txt.gz
>              https://www.haproxy.com/documentation/haproxy-configuration-manual/latest/
>              https://github.com/ansibleguy/infra_haproxy
>     Process: 4574 ExecStartPre=/usr/sbin/haproxy -c -f $CONFIG -f /etc/haproxy/conf.d/ (code=exited, status=0/SUCCESS)
>     Process: 4635 ExecReload=/usr/sbin/haproxy -c -f $CONFIG -f /etc/haproxy/conf.d/ (code=exited, status=0/SUCCESS)
>     Process: 4637 ExecReload=/bin/kill -USR2 $MAINPID (code=exited, status=0/SUCCESS)
>    Main PID: 4576 (haproxy)
>      Status: "Ready."
>       Tasks: 7 (limit: 1783)
>      Memory: 132.2M
>         CPU: 297ms
>      CGroup: /system.slice/haproxy.service
>              |-4576 /usr/sbin/haproxy -Ws -f /etc/haproxy/haproxy.cfg -f /etc/haproxy/conf.d/ -p /run/haproxy.pid -S /run/haproxy-master.sock
>              `-4639 /usr/sbin/haproxy -sf 4578 -x sockpair@4 -Ws -f /etc/haproxy/haproxy.cfg -f /etc/haproxy/conf.d/ -p /run/haproxy.pid -S /run/haproxy-master.sock

# service/timer that runs dehydrated to issue/renew certificates; the service is disabled and only started by its daily timer (02:00 UTC)
root@test-ag-haproxy-acme:/# systemctl status haproxy-acme.service
> * haproxy-acme.service - HAProxy ACME Certificate Renewal Service
>      Loaded: loaded (/etc/systemd/system/haproxy-acme.service; disabled; preset: enabled)
>      Active: inactive (dead) since Sat 2024-05-04 16:24:21 UTC; 5min ago
> TriggeredBy: * haproxy-acme.timer
>        Docs: https://github.com/dehydrated-io/dehydrated/wiki
>              https://github.com/ansibleguy/infra_haproxy
>     Process: 3950 ExecStart=/usr/local/bin/dehydrated.sh -c (code=exited, status=0/SUCCESS)
>    Main PID: 3950 (code=exited, status=0/SUCCESS)

root@test-ag-haproxy-acme:/# systemctl status haproxy-acme.timer  
> * haproxy-acme.timer - Timer to start HAProxy ACME Certificate Renewal
>      Loaded: loaded (/etc/systemd/system/haproxy-acme.timer; enabled; preset: enabled)
>      Active: active (waiting) since Sat 2024-05-04 16:23:48 UTC; 6min ago
>     Trigger: Sun 2024-05-05 02:00:00 UTC; 9h left
>    Triggers: * haproxy-acme.service

# service/timer that reloads haproxy so renewed certificates are picked up; note it runs on its own schedule (03:00 UTC, one hour after the renewal timer) rather than being triggered by a successful renewal, so a renewed certificate is not served before that reload
root@test-ag-haproxy-acme:/# systemctl status haproxy-acme-reload.service
> * haproxy-acme-reload.service - HAProxy reload for certificate Renewal
>      Loaded: loaded (/etc/systemd/system/haproxy-acme-reload.service; disabled; preset: enabled)
>      Active: inactive (dead) since Sat 2024-05-04 16:30:41 UTC; 13s ago
> TriggeredBy: * haproxy-acme-reload.timer
>        Docs: https://github.com/ansibleguy/infra_haproxy
>     Process: 5215 ExecStart=/usr/bin/systemctl reload haproxy.service (code=exited, status=0/SUCCESS)
>    Main PID: 5215 (code=exited, status=0/SUCCESS)

root@test-ag-haproxy-acme:/# systemctl status haproxy-acme-reload.timer
> * haproxy-acme-reload.timer - Timer to perform HAProxy reload for certificate Renewal
>      Loaded: loaded (/etc/systemd/system/haproxy-acme-reload.timer; enabled; preset: enabled)
>      Active: active (waiting) since Sat 2024-05-04 16:23:51 UTC; 7min ago
>     Trigger: Sun 2024-05-05 03:00:00 UTC; 10h left
>    Triggers: * haproxy-acme-reload.service