
@mb00g
Last active October 7, 2020 04:04
Config HAProxy dengan SSL & vhost support

Generate new cert menggunakan certbot https://certbot.eff.org/all-instructions

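Gabungkan fullchain.pem dan privkey.pem menjadi satu file .pem, karena HAProxy membaca sertifikat dan private key dari satu file. Ulangi langkah ini setiap kali sertifikat diperbarui oleh certbot, lalu reload HAProxy.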

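# Combine the certificate chain and the private key into the single PEM file HAProxy loads.
# A plain redirect replaces `tee` so the private key is not echoed to the terminal
# (or captured by session logging); umask 077 plus chmod 600 keep the file owner-only,
# whether it is newly created or already existed with wider permissions.
(umask 077; cat /etc/letsencrypt/live/student.domain.id/fullchain.pem /etc/letsencrypt/live/student.domain.id/privkey.pem > /etc/ssl/private/student.domain.id.pem) && chmod 600 /etc/ssl/private/student.domain.id.pem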

Buat file /etc/ssl/private/crt-list.txt dengan isi path ke file .pem hasil gabungan

$ cat /etc/ssl/private/crt-list.txt

/etc/ssl/private/admin.domain.id.pem
/etc/ssl/private/student.domain.id.pem
/etc/ssl/private/domain.id.pem

Selanjutnya ubah file konfigurasi /etc/haproxy/haproxy.cfg

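# Global: process-wide settings (logging, connection ceiling, privilege drop, TLS defaults).
global
    log-send-hostname localhost
    # NOTE(review): both log lines target the same address and facility, so
    # messages at level notice and above appear to be sent twice; presumably the
    # second line was meant for a different facility -- confirm against syslog.
    log 127.0.0.1 local0
    log 127.0.0.1 local0 notice
    maxconn 10240
    # Drop root privileges after the listening sockets are bound.
    user haproxy
    group haproxy
    daemon
    # "nbproc 1" removed: a single process is already the default, and the
    # keyword is no longer accepted by HAProxy 2.5 and later.
    # Refuse SSLv3 / TLS 1.0 / TLS 1.1 on every "bind ... ssl" line
    # (ssl-min-ver needs HAProxy 1.8 or newer).
    ssl-default-bind-options ssl-min-ver TLSv1.2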

# defaults: values inherited by every listen/frontend/backend section that follows.
defaults
    log     global

    # Logging and request-handling options.
    option  httplog
    option  dontlognull
    option  redispatch
    option  http-server-close
    # Adds the client address as X-Forwarded-For. A header already sent by the
    # client is kept, so backends should trust only the value HAProxy added.
    option  forwardfor

    retries 3
    maxconn 10240

    # Timeouts. "http-request" bounds how long a client may take to send a
    # complete request, which limits slow-request connection exhaustion.
    timeout http-request 10s
    timeout queue        1m
    timeout connect      30s
    timeout client       60s
    timeout server       60s



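# Statistics page
listen stats
    # Loopback only: this listener is plain HTTP, so the Basic-auth credentials
    # below would cross the network in cleartext if it listened on every
    # interface. Reach it through an SSH tunnel, or bind it to a management
    # address with "ssl crt-list ..." if remote access is required.
    bind 127.0.0.1:8080
    mode http
    stats enable
    stats hide-version
    stats realm Haproxy\ Statistics
    stats uri /
    # Sample credentials from the tutorial -- replace before deploying. The
    # password is stored in cleartext, so keep haproxy.cfg readable by root only.
    stats auth iki_user:iki_pass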

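#---------------------------------------------------------------------
# FrontEnd Configuration
#---------------------------------------------------------------------
frontend nginx_frontend
    mode http
    bind *:80
    # TLS is terminated here; certificates are loaded from the crt-list file.
    bind *:443 ssl crt-list /etc/ssl/private/crt-list.txt
    # Anything that arrived without TLS is sent to the HTTPS URL.
    redirect scheme https if !{ ssl_fc }
    # Backends are reached over plain HTTP, so tell them the original scheme.
    # set-header overwrites any X-Forwarded-Proto value supplied by the client.
    http-request set-header X-Forwarded-Proto https if { ssl_fc }

    # Define hosts (exact, case-insensitive match on the Host header)
    acl host_admin hdr(host) -i admin.domain.id
    acl host_student hdr(host) -i student.domain.id
    acl host_web hdr(host) -i domain.id

    ## figure out which one to use
    # NOTE(review): no default_backend is defined in this section, so a request
    # whose Host matches none of the ACLs has no backend to be routed to.
    use_backend admin_cluster if host_admin
    use_backend student_cluster if host_student
    use_backend web_cluster if host_web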

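#---------------------------------------------------------------------
# BackEnd roundrobin as balance algorithm
#---------------------------------------------------------------------
backend admin_cluster
        mode http
        fullconn 10240
        balance roundrobin
        option httpclose
        option forwardfor
        # Stickiness: HAProxy prefixes the application's JSESSIONID with the
        # server's cookie value, so each server needs its own value. The
        # original gave both servers "A", which makes them indistinguishable.
        cookie JSESSIONID prefix
        # Traffic to the nginx nodes is plain HTTP on port 80.
        server nginx-web-133 nginx-web-133:80  cookie A check
        server nginx-web-134 nginx-web-134:80  cookie B check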
        
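backend student_cluster
        mode http
        fullconn 10240
        balance roundrobin
        option httpclose
        option forwardfor
        # Stickiness: HAProxy prefixes the application's JSESSIONID with the
        # server's cookie value, so each server needs its own value. The
        # original gave both servers "A", which makes them indistinguishable.
        cookie JSESSIONID prefix
        # Traffic to the nginx nodes is plain HTTP on port 80.
        server nginx-web-133 nginx-web-133:80  cookie A check
        server nginx-web-134 nginx-web-134:80  cookie B check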
        
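backend web_cluster
        mode http
        fullconn 10240
        balance roundrobin
        option httpclose
        option forwardfor
        # Stickiness: HAProxy prefixes the application's JSESSIONID with the
        # server's cookie value, so each server needs its own value. The
        # original gave both servers "A", which makes them indistinguishable.
        cookie JSESSIONID prefix
        # Traffic to the nginx nodes is plain HTTP on port 80.
        server nginx-web-133 nginx-web-133:80  cookie A check
        server nginx-web-134 nginx-web-134:80  cookie B check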