HAProxy环境下使用letsencrypt申请https证书
操作系统:centos7
先下载certbot-auto工具,此工具是用来申请证书并续期的脚本。
# NOTE(review): the download URL did not survive extraction from the page.
# Fetch certbot-auto from the official Certbot distribution point over HTTPS
# and verify the publisher's signature before marking it executable: the
# script is later run as root. certbot-auto has since been retired by the
# Certbot project in favour of packaged installs — confirm before relying on it.
wget
# Make the downloaded script executable for the current user (and everyone else).
chmod a+x certbot-auto
先申请证书:
使用certbot-auto不需要修改haproxy.cfg配置文件就可以申请到证书。
停止HAProxy服务
# The standalone authenticator below opens its own listener on the challenge
# port (80 and/or 443), which HAProxy is currently holding, so HAProxy has to
# be stopped for the duration of the request. This is a brief outage for all
# four sites.
systemctl stop haproxy
获取证书(分两次获取两张证书,每个证书对应两个域名)
# Two separate certificates, each covering two hostnames (SANs). certonly only
# obtains the certificate; it does not touch haproxy.cfg. Every -d name must
# resolve to this machine, because validation is an inbound HTTP(S) connection
# from the CA to the standalone listener.
./certbot-auto certonly --standalone -d a.yourdomain.com -d c.yourdomain.com
./certbot-auto certonly --standalone -d b.yourdomain.com -d d.yourdomain.com
获取到的证书文件保存在
/etc/letsencrypt/live/a.yourdomain.com里面
启动haproxy服务。
合并证书以便haproxy使用
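#######################################
# Build the combined PEM file HAProxy's `crt` option expects: the full
# certificate chain followed by the private key.
#
# Fixes relative to the original `cat ... >> ...` commands:
#  - truncate with `>` instead of appending with `>>`: appending on every
#    renewal stacks stale chains and keys into one file, which HAProxy
#    cannot load;
#  - write into /etc/letsencrypt, the directory the haproxy.cfg `crt` lines
#    reference, rather than into the live/ directory the original cd'd into;
#  - create the file with mode 0600, since it carries the private key
#    (HAProxy reads it at startup before dropping privileges).
#
# Arguments: $1 - certbot live directory of the certificate
#            $2 - output PEM path
# Returns:   non-zero if either input file is unreadable or the output
#            cannot be written
#######################################
merge_haproxy_pem() {
  local live_dir=$1
  local out_pem=$2
  # Run in a subshell so the restrictive umask does not leak to the caller.
  (
    umask 077
    cat -- "${live_dir}/fullchain.pem" "${live_dir}/privkey.pem" > "${out_pem}" \
      && chmod 0600 -- "${out_pem}"
  )
}

merge_haproxy_pem /etc/letsencrypt/live/a.yourdomain.com /etc/letsencrypt/haproxyyoursitea.pem
merge_haproxy_pem /etc/letsencrypt/live/b.yourdomain.com /etc/letsencrypt/haproxyyoursiteb.pem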
自动续期(续期没有测试是否可以正常使用)
将下列命令加入 cron 即可:
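# Cron entry (a single line; wrapped here for readability). Points fixed
# versus the bare `certbot-auto renew --quiet`:
#  - cron runs with a minimal PATH, so use the absolute path of certbot-auto
#    (replace the /PATH/TO placeholder);
#  - the standalone authenticator must bind the challenge port, which HAProxy
#    holds while running, so HAProxy is stopped in --pre-hook and started
#    again in --post-hook (certbot runs both only when a renewal is actually
#    attempted, so there is no outage on the daily runs that renew nothing);
#  - a renewed certificate is not picked up until the combined PEM files
#    HAProxy loads are rebuilt, so the post-hook regenerates them (chain first,
#    then key, truncating rather than appending, mode 0600) before restarting.
# Downtime-free alternative: keep HAProxy running and use the webroot
# authenticator, or forward /.well-known/acme-challenge/ from HAProxy to
# certbot's --http-01-port listener.
/PATH/TO/certbot-auto renew --quiet \
  --pre-hook 'systemctl stop haproxy' \
  --post-hook 'umask 077; for s in a b; do cat /etc/letsencrypt/live/$s.yourdomain.com/fullchain.pem /etc/letsencrypt/live/$s.yourdomain.com/privkey.pem > /etc/letsencrypt/haproxyyoursite$s.pem; done; systemctl start haproxy' # CentOS/RHEL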
具体文档在:
配置haproxy.cfg文件以使用证书
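#---------------------------------------------------------------------
# HAProxy configuration terminating TLS with the Let's Encrypt
# certificates obtained above. Each `crt` file is one certificate's
# fullchain.pem followed by its privkey.pem; it holds a private key, so
# it should be owned by root with mode 0600 (HAProxy reads it at startup,
# before chroot and before switching to user haproxy).
#
# Changes against the original file are marked with "NOTE(review)".
#---------------------------------------------------------------------
#---------------------------------------------------------------------
# Global settings
#---------------------------------------------------------------------
global
    # to have these messages end up in /var/log/haproxy.log you will
    # need to:
    #
    # 1) configure syslog to accept network log events. This is done
    #    by adding the '-r' option to the SYSLOGD_OPTIONS in
    #    /etc/sysconfig/syslog
    #
    # 2) route the facilities used below (local3 for errors, local7 for
    #    debug) to the /var/log/haproxy.log file. A line like the
    #    following can be added to /etc/sysconfig/syslog
    #
    #    local3.*;local7.* /var/log/haproxy.log
    #
    log 127.0.0.1 local3 err
    log 127.0.0.1 local7 debug
    #log 127.0.0.1 local0 info
    chroot /var/lib/haproxy
    pidfile /var/run/haproxy.pid
    maxconn 4000
    user haproxy
    group haproxy
    #stats bind-process
    daemon
    nbproc 4
    # Required for the DHE cipher suites: without it HAProxy falls back to a
    # 1024-bit DH group (and warns at startup), which is below current
    # recommendations.
    tune.ssl.default-dh-param 2048
    # Base directory for relative `crt` arguments; the bind below uses
    # absolute paths, so this is informational.
    crt-base /etc/letsencrypt
    # NOTE(review): refuse SSLv3 on every TLS listener (POODLE).
    ssl-default-bind-options no-sslv3
    #turn on stats unix socket
    #stats socket /var/lib/haproxy/stats
#---------------------------------------------------------------------
# common defaults that all the 'listen' and 'backend' sections will
# use if not designated in their block
#---------------------------------------------------------------------
defaults
    mode http
    log global
    option httplog
    option dontlognull
    option http-server-close
    option forwardfor # except 127.0.0.0/8
    option redispatch
    retries 3
    timeout http-request 10s
    timeout queue 1m
    timeout connect 10s
    timeout client 1m
    timeout server 1m
    timeout http-keep-alive 10s
    timeout check 10s
    maxconn 3000
#---------------------------------------------------------------------
# Plain-HTTP listener: serves sites b, c and d over HTTP and redirects
# site a to HTTPS.
#---------------------------------------------------------------------
frontend http-in
    bind *:80
    # NOTE(review): this relaxes HAProxy's HTTP parser on an internet-facing
    # listener, which weakens its protection against malformed requests and
    # parser-differential (request smuggling) issues. Keep it only if a
    # backend genuinely needs non-conforming requests, and prefer scoping it
    # to that backend.
    option accept-invalid-http-request
    # NOTE(review): a client can send its own X-Forwarded-Proto; drop it so
    # backends never see a forged "https" on a plaintext connection.
    # (HAProxy >= 2.1: `http-request del-header X-Forwarded-Proto`.)
    reqidel ^X-Forwarded-Proto:
    # Host-header routing. hdr_end is a suffix match, so any name ending in
    # these strings is accepted; use hdr(host) for an exact match.
    acl is_www_yoursitec hdr_end(host) -i yoursitec.yourdomain.com
    acl is_www_yoursited hdr_end(host) -i yoursited.yourdomain.com
    acl is_www_yoursitea hdr_end(host) -i yoursitea.yourdomain.com
    acl is_www_yoursiteb hdr_end(host) -i yoursiteb.yourdomain.com
    # NOTE(review): force HTTPS for site a. The original `redirect prefix`
    # line had lost its target URL; a scheme redirect keeps host and path.
    redirect scheme https code 301 if is_www_yoursitea
    use_backend www_yoursitec if is_www_yoursitec
    use_backend www_yoursited if is_www_yoursited
    use_backend www_yoursitea if is_www_yoursitea
    use_backend www_yoursiteb if is_www_yoursiteb
    # NOTE(review): the original pointed at `www_xianjxx`, which is not
    # defined in this file; HAProxy refuses to start on an unknown backend.
    # Fall back to the same default the HTTPS frontend uses.
    default_backend www_yoursitea
#---------------------------------------------------------------------
# TLS listener. HAProxy selects the certificate by SNI from the `crt`
# files listed; names c and d only work over HTTPS because they are SANs
# on the a and b certificates respectively (see the certonly commands).
#---------------------------------------------------------------------
frontend https
    bind *:443 ssl crt /etc/letsencrypt/haproxyyoursitea.pem crt /etc/letsencrypt/haproxyyoursiteb.pem
    mode http
    # NOTE(review): replace, not merely add to, any client-supplied
    # X-Forwarded-Proto, so backends can trust the value.
    # (HAProxy >= 2.1: `http-request set-header X-Forwarded-Proto https`.)
    reqidel ^X-Forwarded-Proto:
    reqadd X-Forwarded-Proto:\ https
    # Route on the SNI the client presented during the handshake.
    use_backend www_yoursitea if { ssl_fc_sni yoursitea.yourdomain.com }
    use_backend www_yoursitec if { ssl_fc_sni yoursitec.yourdomain.com }
    use_backend www_yoursiteb if { ssl_fc_sni yoursiteb.yourdomain.com }
    use_backend www_yoursited if { ssl_fc_sni yoursited.yourdomain.com }
    default_backend www_yoursitea
#---------------------------------------------------------------------
# Backends. All four sites currently go to the same origin with a single
# server each, so the SERVERID stickiness cookie does nothing until a
# second server is added; `httponly` keeps it out of page scripts
# (NOTE(review)). Health check is a HEAD of /check.txt on the origin.
#---------------------------------------------------------------------
backend www_yoursitec
    cookie SERVERID insert nocache indirect httponly
    option httpchk HEAD /check.txt HTTP/1.0
    option httpclose
    option forwardfor
    server yoursitec 192.168.100.10:80 cookie yoursitec
backend www_yoursited
    cookie SERVERID insert nocache indirect httponly
    option httpchk HEAD /check.txt HTTP/1.0
    option httpclose
    option forwardfor
    server yoursited 192.168.100.10:80 cookie yoursited
backend www_yoursitea
    cookie SERVERID insert nocache indirect httponly
    option httpchk HEAD /check.txt HTTP/1.0
    option httpclose
    option forwardfor
    server yoursitea 192.168.100.10:80 cookie yoursitea
backend www_yoursiteb
    cookie SERVERID insert nocache indirect httponly
    option httpchk HEAD /check.txt HTTP/1.0
    option httpclose
    option forwardfor
    server yoursiteb 192.168.100.10:80 cookie yoursiteb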