HAProxy Rocky encrypted: Difference between revisions
(One intermediate revision by the same user is not shown)
| Zeile 41: | Zeile 41: | ||
frontend fe_https | frontend fe_https | ||
bind 192.168.178.6:443 ssl crt /etc/haproxy/certs/haproxy.pem | bind 192.168.178.6:443 ssl crt /etc/haproxy/certs/haproxy.pem | ||
| + | #Aktivieren von HSTS | ||
| + | #http-response set-header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" | ||
default_backend be_target | default_backend be_target | ||
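Review bot: the HSTS line added to fe_https in this hunk is commented out, so the change has no runtime effect, even though fe_https is the correct place for it (a Strict-Transport-Security header is only honoured by browsers when it arrives over TLS). Either enable it here or add a note on when it is meant to be switched on. Also, the value includes `preload`, which signals willingness to be hard-coded into browser preload lists and is not easily undone; drop it unless a preload submission is actually planned.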
| Zeile 46: | Zeile 48: | ||
bind 192.168.178.6:80 | bind 192.168.178.6:80 | ||
redirect scheme https code 301 if !{ ssl_fc } | redirect scheme https code 301 if !{ ssl_fc } | ||
| + | |||
| + | http-response set-header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" | ||
| + | |||
backend be_target | backend be_target | ||
server srv1 192.168.178.7:80 check | server srv1 192.168.178.7:80 check | ||
| + | #oder an das Backend verschlüsselt | ||
| + | #backend be_target | ||
| + | # server srv1 192.168.178.7:443 ssl verify none | ||
| + | |||
</pre> | </pre> | ||
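Review bot: the active `http-response set-header Strict-Transport-Security ...` line in this hunk is placed in fe_http, the plain-HTTP frontend, where it cannot work: RFC 6797 requires user agents to ignore the header on non-TLS connections, and in HAProxy `http-response` rules are not evaluated on the 301 that `redirect scheme https` generates internally (`http-after-response` is the hook for internally generated responses). Move the line into fe_https, where the same header was added commented out. Separately, the commented alternative `server srv1 192.168.178.7:443 ssl verify none` encrypts the hop to the backend but skips certificate verification, so HAProxy never authenticates the backend; if that variant is enabled, use `verify required ca-file <ca.pem>` (with the CA that issued the backend certificate) instead of `verify none`.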
Current revision as of 2 December 2025, 21:25
HAProxy reverse proxy with HTTPS (privkey.pem + fullchain.pem)
Prerequisites
- Rocky Linux
- HAProxy installed
- Certificate files:
  - /etc/haproxy/certs/privkey.pem
  - /etc/haproxy/certs/fullchain.pem
- Reverse proxy target: 192.168.178.7 port 80
Merge the certificate
HAProxy loads the certificate chain and the private key from a single PEM file, chain first. Because the merged file contains the private key, it gets restrictive permissions.
- mkdir -p /etc/haproxy/certs
- cat fullchain.pem privkey.pem > /etc/haproxy/certs/haproxy.pem
- chmod 600 /etc/haproxy/certs/haproxy.pem
- chown haproxy:haproxy /etc/haproxy/certs/haproxy.pem
Open the firewall
- firewall-cmd --add-service=https --permanent
- firewall-cmd --reload
HAProxy configuration
<pre>
global
    log /dev/log local0
    log /dev/log local1 notice
    chroot /var/lib/haproxy
    stats timeout 30s
    user haproxy
    group haproxy
    daemon

defaults
    log global
    mode http
    option httplog
    option dontlognull
    timeout connect 5s
    timeout client 50s
    timeout server 50s

frontend fe_https
    bind 192.168.178.6:443 ssl crt /etc/haproxy/certs/haproxy.pem
    # Enable HSTS. The header belongs on the HTTPS frontend: browsers ignore
    # Strict-Transport-Security received over plain HTTP. "preload" is only
    # appropriate if the domain is going to be submitted to browser preload lists.
    http-response set-header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
    default_backend be_target

frontend fe_http
    bind 192.168.178.6:80
    # Plain HTTP is only used to send clients to HTTPS
    redirect scheme https code 301 if !{ ssl_fc }

backend be_target
    server srv1 192.168.178.7:80 check
    # or encrypted to the backend ("verify none" skips checking the backend
    # certificate; use "verify required ca-file <ca.pem>" to validate it)
    #backend be_target
    #    server srv1 192.168.178.7:443 ssl verify none
</pre>
Restart the service
- systemctl restart haproxy
- systemctl enable haproxy
- systemctl status haproxy
Functional test
- curl -vk https://192.168.178.6/
- curl -vk https://haproxy1.it213.int/
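As an added example that is not part of the wiki page, the following POSIX shell script wraps the certificate step and the functional test above in checkable functions: it builds haproxy.pem with the chain before the key and mode 0600 from the moment the file is created, verifies that order and mode before HAProxy ever loads the file, runs HAProxy's own syntax check (`haproxy -c -f`) before a restart, and checks saved response headers for the HSTS header. The file names, the demo's placeholder PEM blocks and the headers file are constructed for the example; `stat -c` assumes GNU coreutils as on Rocky Linux.

```shell
#!/bin/sh
# Added example, not part of the wiki page: helper functions for the
# certificate step and the functional test. All PEM contents and paths used
# in the demo are constructed placeholders, not real key material.
set -eu

# merge_cert CHAIN KEY OUT
# Concatenates fullchain.pem and privkey.pem into the single PEM file HAProxy
# loads with "crt". The chain goes first and the key last; the file is created
# under umask 077 so the private key is never readable by others, not even
# briefly before the chmod.
merge_cert() {
  chain="$1"; key="$2"; out="$3"
  ( umask 077; cat "$chain" "$key" > "$out" )
  chmod 600 "$out"
}

# check_pem FILE
# Returns 0 when FILE has at least one CERTIFICATE block, exactly one PRIVATE
# KEY block, the key block comes last, and the mode is 0600 (GNU stat).
check_pem() {
  f="$1"
  certs=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$f" || true)
  keys=$(grep -c -- '-----BEGIN .*PRIVATE KEY-----' "$f" || true)
  last=$(grep -- '-----BEGIN ' "$f" | tail -n 1 || true)
  mode=$(stat -c '%a' "$f" 2>/dev/null || echo none)
  [ "$certs" -ge 1 ] || return 1
  [ "$keys" -eq 1 ] || return 1
  case "$last" in *'PRIVATE KEY-----') ;; *) return 1 ;; esac
  [ "$mode" = "600" ] || return 1
}

# validate_config CFG
# Runs HAProxy's syntax check so a typo cannot take the proxy down on restart.
# Returns 2 when no haproxy binary is installed on this host.
validate_config() {
  command -v haproxy >/dev/null 2>&1 || return 2
  haproxy -c -f "$1" >/dev/null
}

# has_hsts HEADERS_FILE
# Returns 0 when saved response headers (e.g. from "curl -skD headers.txt")
# contain a Strict-Transport-Security header with a max-age value.
has_hsts() {
  grep -iq '^strict-transport-security:[[:space:]]*max-age=[0-9]' "$1"
}

# Demo with constructed placeholder files (no real certificates or keys).
demo() {
  tmp=$(mktemp -d)
  printf '%s\n' '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER-LEAF' '-----END CERTIFICATE-----' \
    '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER-INTERMEDIATE' '-----END CERTIFICATE-----' \
    > "$tmp/fullchain.pem"
  printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'PLACEHOLDER-KEY' '-----END PRIVATE KEY-----' \
    > "$tmp/privkey.pem"
  merge_cert "$tmp/fullchain.pem" "$tmp/privkey.pem" "$tmp/haproxy.pem"
  if check_pem "$tmp/haproxy.pem"; then
    echo "haproxy.pem: chain before key, single key, mode 0600"
  fi
  # A constructed HTTPS response header dump as curl -D would save it.
  printf '%s\n' 'HTTP/1.1 200 OK' \
    'Strict-Transport-Security: max-age=31536000; includeSubDomains; preload' \
    > "$tmp/headers.txt"
  if has_hsts "$tmp/headers.txt"; then echo "HSTS header present"; fi
  rm -rf "$tmp"
}

demo
```

For the real functional test, save the headers with `curl -skD headers.txt -o /dev/null https://haproxy1.it213.int/` and pass the file to `has_hsts`; the header should be present on the HTTPS response, and it is expected to be absent on the plain-HTTP 301 from port 80. Call `validate_config /etc/haproxy/haproxy.cfg` before `systemctl restart haproxy`.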