diff options
Diffstat (limited to 'terminaldweller.com/haproxy')
| -rw-r--r-- | terminaldweller.com/haproxy/certbot/Dockerfile | 2 | ||||
| -rwxr-xr-x | terminaldweller.com/haproxy/certbot/certbot-entrypoint.sh | 30 | ||||
| -rw-r--r-- | terminaldweller.com/haproxy/docker-compose.yaml | 35 | ||||
| -rw-r--r-- | terminaldweller.com/haproxy/haproxy.cfg | 103 |
4 files changed, 125 insertions, 45 deletions
diff --git a/terminaldweller.com/haproxy/certbot/Dockerfile b/terminaldweller.com/haproxy/certbot/Dockerfile new file mode 100644 index 0000000..b6fb68a --- /dev/null +++ b/terminaldweller.com/haproxy/certbot/Dockerfile @@ -0,0 +1,2 @@ +FROM certbot/certbot +COPY ./certbot-entrypoint.sh /certbot-entrypoint.sh diff --git a/terminaldweller.com/haproxy/certbot/certbot-entrypoint.sh b/terminaldweller.com/haproxy/certbot/certbot-entrypoint.sh new file mode 100755 index 0000000..2be858f --- /dev/null +++ b/terminaldweller.com/haproxy/certbot/certbot-entrypoint.sh @@ -0,0 +1,30 @@ +#!/bin/sh +set -ex + +cat_cert() { + dir="/etc/letsencrypt/live/$1" + cat "$dir/privkey.pem" "$dir/fullchain.pem" > "/certs/$1.pem" +} + +while :;do + echo starting... + if [ -e /certs/$DOMAIN.pem ]; then + certbot \ + certonly \ + --test-cert \ + --webroot -w /webroot \ + -d $DOMAIN \ + --email $EMAIL \ + --non-interactive \ + --agree-tos + + cat_cert $DOMAIN + else + certbot renew -w /webroot + + for dir in /etc/letsencrypt/live/*/; do + cat_cert $(basename "$dir") + done + fi + sleep 12h +done diff --git a/terminaldweller.com/haproxy/docker-compose.yaml b/terminaldweller.com/haproxy/docker-compose.yaml index 95752c8..571fa7c 100644 --- a/terminaldweller.com/haproxy/docker-compose.yaml +++ b/terminaldweller.com/haproxy/docker-compose.yaml @@ -1,12 +1,43 @@ -version: "3.4" +version: "3.4" services: haproxy: image: haproxy ports: - "80:80" + - "443:443" volumes: - ./haproxy.cfg:/usr/local/etc/haproxy/haproxy.cfg:ro + - ./certs:/usr/local/etc/certs:ro networks: - haproxynet + restart: unless-stopped + certbot: + image: certbot + build: + context: ./certbot + ports: + - "127.0.0.1:9080:80" + - "127.0.0.1:9443:443" + networks: + - haproxynet + # restart: unless-stopped + volumes: + - ./letsencrypt:/etc/letsencrypt + - ./webroot:/webroot + - ./certs:/certs + # command: ["certonly","--test-cert","--webroot","-w","/webroot","-d","chat.terminaldweller.com","--email","thabogre@gmail.com","--non-interactive","--agree-tos"] + entrypoint: ["/certbot-entrypoint.sh"] + environment: + - DOMAIN=chat.terminaldweller.com + - EMAIL=thabogre@gmail.com + nginx: + image: nginx + ports: + - "127.0.0.1:8080:80" + networks: + - haproxynet + restart: unless-stopped + volumes: + - ./webroot:/usr/share/nginx/html networks: - - haproxynet + haproxynet: diff --git a/terminaldweller.com/haproxy/haproxy.cfg b/terminaldweller.com/haproxy/haproxy.cfg index 19e7bac..f1c288e 100644 --- a/terminaldweller.com/haproxy/haproxy.cfg +++ b/terminaldweller.com/haproxy/haproxy.cfg @@ -1,60 +1,77 @@ global -log 127.0.0.1 local0 + log 127.0.0.1 local0 + ssl-default-bind-ciphers kEECDH+aRSA+AES:kRSA+AES:+AES256:RC4-SHA:!kEDH:!LOW:!EXP:!MD5:!aNULL:!eNULL defaults -timeout connect 5000ms -timeout client 50000ms -timeout server 50000ms -mode tcp -option tcplog -option dontlognull + timeout connect 5000ms + timeout client 50000ms + timeout server 50000ms + mode tcp + option tcplog + option dontlognull + +resolvers docker_resolver + nameserver dns 127.0.0.11:53 #Frontends frontend front -bind *:80 -bind: *.443 -mode tcp -timeout client 60s - -#ACLs -acl blog-host hdr_sub(host) -i blog.terminaldweller.com -acl mail-host hdr_sub(host) -i mail.terminaldweller.com -acl api-host hdr_sub(host) -i api.terminaldweller.com -acl chat-host hdr_sub(host) -i chat.terminaldweller.com -acl chat-host-s req.ssl_sni -i chat.terminaldweller.com - -#Consitions -use_backend blog-backend if blog-host -use_backend mail-backend if mail-host -use_backend api-backend if api-host -use_backend chat-backend-s if chat-host-s -default_backend blog-backend + bind *:80 + bind *:443 + mode tcp + timeout client 60s + #ACLs + acl letsencrypt-acl path_beg /.well-known/acme-challenge/ + acl blog-host hdr_sub(host) -i blog.terminaldweller.com + acl mail-host hdr_sub(host) -i mail.terminaldweller.com + acl mail-host-s req.ssl_sni -i mail.terminaldweller.com + acl api-host hdr_sub(host) -i api.terminaldweller.com + acl chat-host hdr_sub(host) -i chat.terminaldweller.com + acl chat-host-s req.ssl_sni -i chat.terminaldweller.com + #Consitions + use_backend certbot-backend if letsencrypt-acl + use_backend blog-backend if blog-host + use_backend mail-backend if mail-host + use_backend mail-backend-s if mail-host-s + use_backend api-backend if api-host + use_backend chat-backend-s if chat-host-s + default_backend blog-backend #Backends +backend certbot-backend + server nginx nginx:80 resolvers docker_resolver check init-addr none + backend blog-backend -mode http -option forwardfor -server blog-host 192.99.102.52:9000 check + mode http + option forwardfor + server blog-host 192.99.102.52:9000 check backend mail-backend -mode http -option forwardfor -server mail-host 185.126.202.69:80 check + mode http + option forwardfor + server mail-host 185.126.202.69:80 check + +backend mail-backend-s + timeout server 60s + timeout client 60s + mode tcp + option forwardfor + option ssl-hello-chk + server mail-host-s 185.126.202.69:443 check backend api-backend -mode http -option forwardfor -server api-host 192.99.102.52:8008 check + mode http + option forwardfor + server api-host 192.99.102.52:8008 check backend chat-backend -mode http -option forwardfor -server chat-host 87.236.209.206:5280 check + mode http + option forwardfor + server chat-host 87.236.209.206:5280 check backend chat-backend-s -timeout server 60s -timeout client 60s -mode tcp -option forwardfor -option ssl-hello-chk -server chat-host 87.236.209.206:5281 check + timeout server 60s + timeout client 60s + mode tcp + option forwardfor + option ssl-hello-chk + server chat-host-s 87.236.209.206:5280 check |