HAProxy Rocky encrypted

From Xinux Wiki

HAProxy reverse proxy with HTTPS (privkey.pem + fullchain.pem)

Prerequisites

  • Rocky Linux
  • HAProxy installed
  • Certificate files:
    • /etc/haproxy/certs/privkey.pem
    • /etc/haproxy/certs/fullchain.pem
  • Reverse proxy target: 192.168.178.7 port 80

Merge the certificate and key into one file

  • mkdir -p /etc/haproxy/certs
  • cat fullchain.pem privkey.pem > /etc/haproxy/certs/haproxy.pem
  • chmod 600 /etc/haproxy/certs/haproxy.pem
  • chown haproxy:haproxy /etc/haproxy/certs/haproxy.pem

Open the firewall

  • firewall-cmd --add-service=https --permanent
  • firewall-cmd --reload

HAProxy configuration

global
    # syslog via the Unix socket; with chroot the socket must exist below
    # /var/lib/haproxy (rsyslog AddUnixListenSocket), or log to 127.0.0.1 over UDP
    log /dev/log local0
    log /dev/log local1 notice
    chroot /var/lib/haproxy
    stats timeout 30s
    user haproxy
    group haproxy
    daemon

defaults
    log     global
    mode    http
    option  httplog
    option  dontlognull
    timeout connect 5s
    timeout client  50s
    timeout server  50s

frontend fe_https
    bind 192.168.178.6:443 ssl crt /etc/haproxy/certs/haproxy.pem
    # Enable HSTS: uncomment once every (sub)domain is served over HTTPS.
    # Browsers only honour this header on HTTPS responses, so it belongs here, not in fe_http.
    #http-response set-header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
    default_backend be_target

frontend fe_http
    bind 192.168.178.6:80
    # plain HTTP is only redirected to HTTPS
    redirect scheme https code 301 if !{ ssl_fc }

backend be_target
    server srv1 192.168.178.7:80 check
# or encrypted to the backend ("verify none" skips certificate validation;
# prefer "verify required ca-file <ca.pem>" when the backend certificate can be checked)
#backend be_target
#    server srv1 192.168.178.7:443 ssl verify none

Restart the service

  • systemctl restart haproxy
  • systemctl enable haproxy
  • systemctl status haproxy

Function test
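The function test section is empty on the page; the script below is an added example (not from the Xinux wiki) that checks what the configuration above should produce: plain HTTP answered with a 301 to https, the HSTS header on the HTTPS response once it is enabled in fe_https, and the certificate chain as a client sees it. It assumes the proxy address 192.168.178.6 from the page and takes the DNS name the certificate was issued for from HAPROXY_NAME, a placeholder the page does not state.

```shell
#!/usr/bin/env bash
# Added example, not from the wiki page. Checks the behaviour the configuration
# above should produce: HTTP -> 301 to https, HSTS on HTTPS, and a valid chain.
# Assumed: HAPROXY_HOST is the proxy (192.168.178.6 from the page); HAPROXY_NAME is
# the DNS name on the certificate (placeholder, the page does not state it).
set -u
HOST="${HAPROXY_HOST:-192.168.178.6}"

# header_value HEADERS NAME: value of header NAME (case-insensitive), CR stripped
header_value() {
  printf '%s\n' "$1" | awk -v n="$2" 'BEGIN { n = tolower(n) }
    { i = index($0, ":"); if (i && tolower(substr($0, 1, i - 1)) == n) {
        v = substr($0, i + 1); sub(/^ */, "", v); sub(/\r$/, "", v); print v; exit } }'
}

# status_code HEADERS: status of the first response line, e.g. 301
status_code() {
  printf '%s\n' "$1" | head -n1 | tr -d '\r' | awk '{ print $2 }'
}

# check_redirect HEADERS: a plain-HTTP request must get a 301 to an https:// URL
check_redirect() {
  [ "$(status_code "$1")" = "301" ] || return 1
  case "$(header_value "$1" Location)" in https://*) return 0 ;; esac
  return 1
}

# check_hsts HEADERS: the HTTPS response must carry HSTS with max-age >= one year
check_hsts() {
  local age
  age=$(header_value "$1" Strict-Transport-Security | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p')
  [ -n "$age" ] && [ "$age" -ge 31536000 ]
}

# Live checks run only when HAPROXY_NAME is set, so the functions can be sourced offline.
if [ -n "${HAPROXY_NAME:-}" ]; then
  check_redirect "$(curl -sSI --max-time 5 "http://$HOST/")" \
    && echo "redirect to https: ok" || echo "redirect to https: FAIL"
  # --resolve sends the request to HOST while curl verifies the certificate for HAPROXY_NAME
  check_hsts "$(curl -sSI --max-time 5 --resolve "$HAPROXY_NAME:443:$HOST" "https://$HAPROXY_NAME/")" \
    && echo "hsts: ok" || echo "hsts: FAIL (header not enabled in fe_https, or max-age too short)"
  # chain and expiry as a client sees them
  openssl s_client -connect "$HOST:443" -servername "$HAPROXY_NAME" </dev/null 2>/dev/null \
    | openssl x509 -noout -subject -issuer -dates
fi
```

Run it as HAPROXY_NAME=<certificate hostname> ./haproxy-check.sh from a machine that can reach the proxy; curl and openssl must be installed there.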