Web
On the rootfs:
apt-get install nginx-light
systemctl disable nginx

Avoid version number disclosure and set up logging in /etc/nginx/nginx.conf:
http {
...
# avoid version number disclosure
server_tokens off;
# use syslog
error_log syslog:server=unix:/dev/log,nohostname;
access_log syslog:server=unix:/dev/log,nohostname;
...
}
Note that even if nginx is configured to use syslog, it still needs /var/log/nginx (for the error.log file).
Refer to the initial Let's Encrypt setup.
Add a special URL to nginx's server configuration in order to authenticate the request:
server {
listen 80 default_server;
location ~ ^/\.well-known/acme-challenge/([-_a-zA-Z0-9]+)$ {
default_type text/plain;
return 200 "$1.<ACCOUNT_THUMBPRINT>";
}
location / {
return 301 https://$host$request_uri;
}
}
According to a Certbot developer it's safe to leave this here.
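The `return 200 "$1.<ACCOUNT_THUMBPRINT>";` line works because a stateless HTTP-01 validation only needs the token the CA requests, joined with a dot to the RFC 7638 thumbprint of the ACME account key. As an added example (not part of this page or of acme.sh), the Python below computes that thumbprint from an account JWK and checks that a served challenge body is exactly the expected key authorization; the sample key and token are constructed, and the token regex mirrors the one in the location above.

```python
import base64
import hashlib
import json
import re

# Token charset accepted by the nginx location regex on this page.
TOKEN_RE = re.compile(r"^[-_a-zA-Z0-9]+$")

# RFC 7638: only these members, in lexicographic order, enter the thumbprint.
REQUIRED_MEMBERS = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}


def b64url(data: bytes) -> str:
    """Base64url without padding, as used throughout ACME/JOSE."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def canonical_jwk(jwk: dict) -> str:
    """Canonical JSON of the public key: required members only, sorted, no whitespace."""
    members = {k: jwk[k] for k in REQUIRED_MEMBERS[jwk["kty"]]}
    return json.dumps(members, sort_keys=True, separators=(",", ":"))


def account_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: base64url(SHA-256(canonical JWK))."""
    return b64url(hashlib.sha256(canonical_jwk(jwk).encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """The body the CA expects at /.well-known/acme-challenge/<token>."""
    if not TOKEN_RE.match(token):
        raise ValueError("token contains characters outside [-_a-zA-Z0-9]")
    return f"{token}.{account_thumbprint(jwk)}"


def challenge_response_ok(body: str, token: str, jwk: dict) -> bool:
    """True only if the served body is exactly the key authorization (no extra whitespace)."""
    try:
        return body == key_authorization(token, jwk)
    except ValueError:
        return False


# Constructed sample RSA public JWK (tiny modulus, NOT a usable account key).
# Extra members such as "kid" are ignored by the thumbprint, as the RFC requires.
SAMPLE_JWK = {
    "kty": "RSA",
    "kid": "ignored-by-thumbprint",
    "e": "AQAB",
    "n": b64url((2**61 - 1).to_bytes(8, "big")),
}
```

Paste the value of `account_thumbprint(your_jwk)` in place of `<ACCOUNT_THUMBPRINT>`; it only changes if the account key is rotated.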
Issue the certificate (Let's Encrypt should support wildcard certificates in 2018):
acme.sh --stateless --issue --domain lorn.space --domain www.lorn.space --reloadcmd 'systemctl reload nginx'

Configure SSL as explained in Let's Encrypt and update the paths to the key, the certificate and the CA's certificate (they can be shared by all server blocks by putting them in the http block).
The configuration can be tested with:
nginx -t

Under Debian, nginx is compiled with ngx_http_stub_status_module, which exposes a few basic statistics. A possible configuration would be:
location ~ ^/nginx/stats/?$ {
stub_status;
}
The main advantages of HAProxy over nginx are its flexibility as a proxy and its easier monitoring. However, it is not well suited to serving even simple pages, so it should be put in front of a proper web server.
On the rootfs:
apt-get install haproxy
systemctl disable haproxy

You may edit /etc/rsyslog.d/49-haproxy.conf to remove the rule writing to /var/log/haproxy.log if you don't wish to store logs locally.
The configuration can be tested with:
haproxy -c -f /etc/haproxy/haproxy.cfg

Issue the certificate and concatenate the key to the certificate chain, as HAProxy expects a single file:
acme.sh --stateless --issue --domain lorn.space --domain www.lorn.space --reloadcmd 'cat "$CERT_KEY_PATH" "$CERT_FULLCHAIN_PATH" > /etc/ssl/private/lorn.space.pem && systemctl reload haproxy'

This simple configuration should be similar to the nginx one, but HAProxy will proxy every request to nginx over plain HTTP (so nginx won't have to do the SSL termination). There is a special rule allowing HTTP for the ACME challenge so that TLS can be set up.
backend default
mode http
option forwardfor
server www-02 www-02.service.lorn.space:80 check port 80
frontend http
mode http
option httplog
option http-server-close
http-response set-header Strict-Transport-Security max-age=15768000
bind 0.0.0.0:80
acl acme url_reg ^/\.well-known/acme-challenge/([-_a-zA-Z0-9]+)$
# redirect to https if it's not acme
redirect scheme https code 301 if !{ ssl_fc } !acme
# else allow http
default_backend default
frontend https
mode http
option httplog
option http-server-close
http-response set-header Strict-Transport-Security max-age=15768000
http-request set-header X-Forwarded-Proto https if { ssl_fc }
bind 0.0.0.0:443 ssl crt lorn.space.pem
default_backend default
You may want to configure the web server to properly log the forwarded IP (for example, use the set_real_ip_from and real_ip_header directives in nginx's configuration).