Install HAProxy, Certbot/Let's Encrypt for CouchDB

gistfile1.txt

*-*-*-*-*-*-*-*-*-* Updated January 04, 2022 *-*-*-*-*-*-*-*-*-*

### Update and install some utilities
sudo apt update && sudo apt-get upgrade
sudo apt install -y curl apt-transport-https gnupg nano

curl https://couchdb.apache.org/repo/keys.asc | gpg --dearmor | sudo tee /usr/share/keyrings/couchdb-archive-keyring.gpg >/dev/null 2>&1

source /etc/os-release

echo "deb [signed-by=/usr/share/keyrings/couchdb-archive-keyring.gpg] https://apache.jfrog.io/artifactory/couchdb-deb/ ${VERSION_CODENAME} main" \
    | sudo tee /etc/apt/sources.list.d/couchdb.list >/dev/null

##### Install CouchDB via APT-GET, Bitnami, using one of the previous lessons
### It is not necessary to set the bind address to 0.0.0.0 during the installation

sudo apt update && sudo apt install -y couchdb

### Test CouchDB
curl http://127.0.0.1:5984

##### Install HAProxy and Certbot
sudo apt-get update -y && sudo apt-get install software-properties-common haproxy certbot -y

##### Edit HAProxy and add the enabled line
sudo nano /etc/default/haproxy
## Add the following line to /etc/default/haproxy
ENABLED=1

##### Edit HAProxy config file
sudo nano /etc/haproxy/haproxy.cfg
## Make it look like below
## replace the port number in the line "bind *:443" to whatever port you would like or you can leave as 443
## NOTE: 443 might not work if another service already claimed it like a webserver
## change "MY_DOMAIN" to your domain name in the ssl file name
----------------------------------------
global
	log /dev/log	local0
	log /dev/log	local1 notice
	chroot /var/lib/haproxy
	stats socket /run/haproxy/admin.sock mode 660 level admin
	stats timeout 30s
	maxconn 2048
	tune.ssl.default-dh-param 2048
	user haproxy
	group haproxy
	daemon

	# Default SSL material locations
  ca-base /etc/ssl/certs
  crt-base /etc/ssl/private

	# Default ciphers to use on SSL-enabled listening sockets.
	# For more information, see ciphers(1SSL). This list is from:
	#  https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
	ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
	ssl-default-bind-options no-sslv3

defaults
	log	global
	mode	http
	option forwardfor
  option http-server-close
	option	httplog
	option	dontlognull
		timeout connect 5000
		timeout client  50000
		timeout server  50000
	errorfile 400 /etc/haproxy/errors/400.http
	errorfile 403 /etc/haproxy/errors/403.http
	errorfile 408 /etc/haproxy/errors/408.http
	errorfile 500 /etc/haproxy/errors/500.http
	errorfile 502 /etc/haproxy/errors/502.http
	errorfile 503 /etc/haproxy/errors/503.http
	errorfile 504 /etc/haproxy/errors/504.http

frontend http-in
		 bind *:443 ssl crt /etc/haproxy/cert-haproxy.pem
		 default_backend couchdbs
		 reqadd X-Forwarded-Proto:\ https
		 acl secure dst_port eq 443
		 rsprep ^Set-Cookie:\ (.*) Set-Cookie:\ \1;\ Secure if secure
		 rspadd Strict-Transport-Security:\ max-age=31536000 if secure
		 redirect scheme https code 301 if !{ ssl_fc }

backend couchdbs
		option httpchk GET /_up
		http-check disable-on-404
		server couchdb1 127.0.0.1:5984 check inter 5s
EOT
------------------------------------------------

##### Create the cert-hook
## Below, replace "MY_DOMAIN" with the domain name being used
sudo nano /etc/haproxy/cert-hook
## add the lines below:
-----------------------------------
#!/bin/sh
DOMAIN="couch.mad.p"
FULL_PEM="/etc/haproxy/cert-haproxy.pem"
echo "Certbot renewal hook running as user: '$USER'..." >&2
echo "RENEWED_DOMAINS=$RENEWED_DOMAINS" >&2
echo "RENEWED_LINEAGE=$RENEWED_LINEAGE" >&2

if grep --quiet "$DOMAIN" <<< "$RENEWED_DOMAINS"; then
		cat $RENEWED_LINEAGE/fullchain.pem $RENEWED_LINEAGE/privkey.pem > $FULL_PEM
		echo "PEM updated $FULL_PEM" >&2
		systemctl restart haproxy
		echo "Haproxy restarted" >&2
fi
-------------

##### Make cert-hook executable:
chmod +x /etc/haproxy/cert-hook

##### The following step may or may not needed. Go ahead and run it anyway. If you get an error, ignore it.
sudo systemctl stop apache2

##### Generate SSL certificates
## change MY_DOMAIN to the domain name

certbot certonly --standalone -d MY_DOMAIN --renew-hook "/etc/haproxy/cert-hook"
cat /etc/letsencrypt/live/MY_DOMAIN/fullchain.pem /etc/letsencrypt/live/MY_DOMAIN/privkey.pem > /etc/haproxy/cert-haproxy.pem
chmod 600  /etc/haproxy/cert-haproxy.pem

##### Restart HAProxy
sudo service haproxy restart

##### Create auto renewal script
sudo nano /etc/systemd/system/certbot.service 
## add lines below:
------------------------------------------
[Unit]
Description=Lets Encrypt Automated Renewal

[Service]
Type=oneshot
ExecStart=/usr/bin/certbot renew --quiet --agree-tos --renew-hook "/etc/haproxy/cert-hook"
------------------------------------------


sudo nano /etc/systemd/system/certbot.timer
------------------------------------------
Description=Daily renewal of Let's Encrypt's certificates

[Timer]
OnCalendar=daily
RandomizedDelaySec=1day
Persistent=true

[Install]
WantedBy=timers.target
------------------------------------------

systemctl daemon-reload

Thank you for updating the document.
I got the error unknown keyword 'EOT' in 'backend' section. After removing the EOT from the config file. It worked.