Install HAProxy, Certbot/Let's Encrypt for CouchDB
*-*-*-*-*-*-*-*-*-* Updated January 04, 2022 *-*-*-*-*-*-*-*-*-*
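### Update and install some utilities
sudo apt update && sudo apt-get upgrade
sudo apt install -y curl apt-transport-https gnupg nano
### Fetch the CouchDB repository signing key into its own keyring; the
### "signed-by=" in the sources entry below pins the repo to exactly this key.
## -f: fail on an HTTP error instead of piping an HTML error page into gpg
## -sS: no progress meter, but still print errors
## -L: follow redirects
## If curl reports an error, delete the (then empty) keyring file before retrying.
curl -fsSL https://couchdb.apache.org/repo/keys.asc \
  | gpg --dearmor \
  | sudo tee /usr/share/keyrings/couchdb-archive-keyring.gpg >/dev/null
### VERSION_CODENAME (e.g. "bullseye", "jammy") is read from /etc/os-release
source /etc/os-release
echo "deb [signed-by=/usr/share/keyrings/couchdb-archive-keyring.gpg] https://apache.jfrog.io/artifactory/couchdb-deb/ ${VERSION_CODENAME} main" \
  | sudo tee /etc/apt/sources.list.d/couchdb.list >/dev/null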
##### Install CouchDB via APT-GET, Bitnami, using one of the previous lessons
### Leave CouchDB's bind address at the default 127.0.0.1 during installation:
### HAProxy on this same host is the only client, so CouchDB never needs to
### listen on 0.0.0.0 (which would expose the unencrypted port to the network).
sudo apt-get update && sudo apt-get install -y couchdb
### Test CouchDB (prints CouchDB's welcome JSON when the service is up)
curl http://127.0.0.1:5984/
##### Install HAProxy and Certbot
sudo apt-get update -y && sudo apt-get install -y software-properties-common haproxy certbot
##### Edit HAProxy and add the enabled line
sudo nano /etc/default/haproxy
## Add the following line to /etc/default/haproxy
ENABLED=1
##### Edit HAProxy config file
sudo nano /etc/haproxy/haproxy.cfg
## Make it look like below
## replace the port number in the line "bind *:443" to whatever port you would like or you can leave as 443
## NOTE: 443 might not work if another service already claimed it like a webserver
## NOTE: the "crt" path in the frontend is the fixed file /etc/haproxy/cert-haproxy.pem (the combined cert+key bundle the cert-hook below writes); there is no MY_DOMAIN placeholder to change in this file
----------------------------------------
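global
    log /dev/log local0
    log /dev/log local1 notice
    chroot /var/lib/haproxy
    # Runtime admin socket. mode 660 and root ownership keep it usable only by
    # root (and the haproxy group); "level admin" allows changing server state.
    stats socket /run/haproxy/admin.sock mode 660 level admin
    stats timeout 30s
    maxconn 2048
    tune.ssl.default-dh-param 2048
    user haproxy
    group haproxy
    daemon

    # Default SSL material locations
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private

    # TLS policy for "bind ... ssl" sockets. Derived from
    # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/ with
    # the 3DES suites removed (64-bit block cipher) and TLS 1.0/1.1 disabled
    # alongside SSLv3, so only TLS 1.2+ with AES is negotiated.
    ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
    ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11

defaults
    log global
    mode http
    option forwardfor
    option http-server-close
    option httplog
    option dontlognull
    timeout connect 5000
    timeout client 50000
    timeout server 50000
    # Bound how long a client may take to send its request headers, so idle or
    # deliberately slow connections cannot hold a slot for the full client timeout.
    timeout http-request 10s
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http

frontend http-in
    # cert-haproxy.pem is the fullchain+privkey bundle written by /etc/haproxy/cert-hook.
    # The port may be changed; the rules below key on TLS (ssl_fc), not on port 443.
    bind *:443 ssl crt /etc/haproxy/cert-haproxy.pem
    default_backend couchdbs

    # The legacy reqadd/rsprep/rspadd keywords were removed in HAProxy 2.1 (the
    # versions shipped by current Debian/Ubuntu releases reject them), so the
    # equivalent http-request/http-response rules are used here.
    # Tell CouchDB the client connection was TLS-terminated at the proxy.
    http-request set-header X-Forwarded-Proto https if { ssl_fc }
    # Mark every cookie Secure and advertise HSTS for one year on TLS connections.
    http-response replace-header Set-Cookie (.*) \1;\ Secure if { ssl_fc }
    http-response set-header Strict-Transport-Security max-age=31536000 if { ssl_fc }

    # This redirect only fires on a plain-HTTP bind, and this frontend has none.
    # Port 80 is deliberately left free so "certbot --standalone" renewals can
    # answer HTTP-01 challenges there; add "bind *:80" only if certbot is moved
    # to another challenge method.
    redirect scheme https code 301 if !{ ssl_fc }

backend couchdbs
    option httpchk GET /_up
    http-check disable-on-404
    server couchdb1 127.0.0.1:5984 check inter 5s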
------------------------------------------------
##### Create the cert-hook
## Below, set DOMAIN to the domain name being used ("couch.mad.p" is the author's value). It must match the name passed to certbot, otherwise the hook never updates HAProxy's PEM.
sudo nano /etc/haproxy/cert-hook
## add the lines below:
-----------------------------------
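#!/bin/sh
# Certbot renewal hook for HAProxy.
#
# Certbot runs this after a successful renewal with RENEWED_DOMAINS (space-separated
# names on the renewed certificate) and RENEWED_LINEAGE (the /etc/letsencrypt/live/<name>
# directory) set in the environment. When the renewed certificate covers DOMAIN, the
# fullchain and private key are combined into the single PEM that HAProxy's
# "bind ... ssl crt" expects, and HAProxy is reloaded.
#
# Written in POSIX sh on purpose: /bin/sh is dash on Debian/Ubuntu, which has no
# <<< here-strings, so the original grep <<< "$RENEWED_DOMAINS" was a syntax error there.
set -eu

# Name served by the HAProxy frontend; replace with your own domain.
DOMAIN="couch.mad.p"
# Combined cert+key file referenced by "bind *:443 ssl crt ..." in haproxy.cfg.
FULL_PEM="/etc/haproxy/cert-haproxy.pem"
# Default to empty so a manual run without certbot's variables is a clean no-op.
RENEWED_DOMAINS="${RENEWED_DOMAINS:-}"
RENEWED_LINEAGE="${RENEWED_LINEAGE:-}"

# Diagnostics go to stderr so certbot records them in its log.
log() {
  printf '%s\n' "$*" >&2
}

# install_pem LINEAGE_DIR DEST
# Writes LINEAGE_DIR/fullchain.pem followed by LINEAGE_DIR/privkey.pem to DEST
# with mode 0600. The bundle is built in a temporary file next to DEST and
# renamed into place, so HAProxy never reads a half-written PEM and the private
# key is never created world-readable (a bare ">" redirect would use the umask).
# Returns non-zero, leaving DEST untouched, if either input cannot be read.
install_pem() {
  lineage=$1
  dest=$2
  tmp=$(mktemp "$dest.XXXXXX")
  chmod 600 "$tmp"
  if cat "$lineage/fullchain.pem" "$lineage/privkey.pem" > "$tmp"; then
    mv -f "$tmp" "$dest"
  else
    rm -f "$tmp"
    return 1
  fi
}

main() {
  # $USER is often unset under systemd/cron; id -un always works.
  log "Certbot renewal hook running as user: '$(id -un)'..."
  log "RENEWED_DOMAINS=$RENEWED_DOMAINS"
  log "RENEWED_LINEAGE=$RENEWED_LINEAGE"

  # Whole-word match on the space-separated list, so "couch.example.com" does
  # not match "couch.example.com.other" (the original grep treated DOMAIN as a regex).
  case " $RENEWED_DOMAINS " in
    *" $DOMAIN "*)
      install_pem "$RENEWED_LINEAGE" "$FULL_PEM"
      log "PEM updated $FULL_PEM"
      # reload, not restart: HAProxy validates the new config/cert first and
      # hands over the listeners without dropping established connections.
      systemctl reload haproxy
      log "Haproxy reloaded"
      ;;
    *)
      # A different lineage was renewed; nothing to do for HAProxy. Exit 0 so
      # certbot does not report a hook failure.
      log "Renewed domains do not include $DOMAIN; nothing to do"
      ;;
  esac
}

main "$@"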
-------------
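##### Make cert-hook executable. It runs as root from certbot, so it must be
##### root-owned and not writable by anyone else.
sudo chown root:root /etc/haproxy/cert-hook
sudo chmod 755 /etc/haproxy/cert-hook
##### "certbot --standalone" needs port 80 free for the HTTP-01 challenge. Stop any
##### web server listening there first; the command fails harmlessly if apache2 is
##### not installed, so an error here can be ignored.
sudo systemctl stop apache2
##### Generate SSL certificates
## change MY_DOMAIN to the domain name (the same value as DOMAIN in /etc/haproxy/cert-hook).
## --deploy-hook is the current name of the deprecated --renew-hook; certbot stores it
## in the renewal config and runs it after every successful renewal. It also runs on
## this first issuance, so a "reload" error before HAProxy is fully set up is harmless.
sudo certbot certonly --standalone -d MY_DOMAIN --deploy-hook "/etc/haproxy/cert-hook"
## Build the combined cert+key PEM HAProxy expects. Root is needed to read privkey.pem,
## and the umask makes the file 0600 from the moment it is created: a plain
## "cat ... > file" followed by chmod would leave the private key world-readable
## in between (and permanently if the chmod were skipped).
sudo sh -c 'umask 077; cat /etc/letsencrypt/live/MY_DOMAIN/fullchain.pem /etc/letsencrypt/live/MY_DOMAIN/privkey.pem > /etc/haproxy/cert-haproxy.pem'
sudo chmod 600 /etc/haproxy/cert-haproxy.pem
##### Validate the configuration, then restart HAProxy
sudo haproxy -c -f /etc/haproxy/haproxy.cfg
sudo systemctl restart haproxy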
##### Create auto renewal script
sudo nano /etc/systemd/system/certbot.service
## add lines below:
------------------------------------------
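[Unit]
Description=Lets Encrypt Automated Renewal
# Oneshot unit triggered by certbot.timer. Note: the Debian/Ubuntu certbot
# package already ships a certbot.service/certbot.timer pair; a unit with the
# same name under /etc/systemd/system overrides it, so check
# "systemctl list-timers" before adding your own.

[Service]
Type=oneshot
# --deploy-hook is the current name of the deprecated --renew-hook. The hook
# given at "certbot certonly" time is already stored in the renewal config;
# repeating it here is harmless and documents what runs after each renewal.
ExecStart=/usr/bin/certbot renew --quiet --agree-tos --deploy-hook "/etc/haproxy/cert-hook"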
------------------------------------------
sudo nano /etc/systemd/system/certbot.timer
------------------------------------------
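[Unit]
# Without this section header, systemd treats Description= as an assignment
# outside of any section and ignores it.
Description=Daily renewal of Let's Encrypt's certificates

[Timer]
# Once a day, at a random point within the day, so renewals from many hosts
# are spread out instead of all hitting the CA at midnight.
OnCalendar=daily
RandomizedDelaySec=1day
# Run a missed trigger at the next boot (e.g. the machine was off).
Persistent=true

[Install]
WantedBy=timers.target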
------------------------------------------
systemctl daemon-reload
avtarnanrey commented Apr 28, 2023

Thank you for updating the document.
I got the error unknown keyword 'EOT' in 'backend' section. After removing the EOT from the config file. It worked.
