Hébergement de multiple conteneur sur un seul serveur avec HAProxy

Hébergement de multiple conteneur sur un seul serveur avec HAProxy.

Liens.

https://blog.ssdnodes.com/blog/linux-containers-lxc-haproxy/
https://gist.github.com/theprojectsomething/83f7a0ab151a2483934fb675a42cc13d#1-updating-the-vps

<3>I/ Serveur Gandi IaaS : hacklab03.

Distribution : Ubuntu 18.04 LTS
CPU : 4
RAM : 50 Go
Nom du disque système : sysdiskhl03
Taille : 50 Go
Nom (Hostname) : serverhl03
Adresse ipv4 : serveurip
Identifiant administrateur : admin

II/ Configuration du serveur.

1/ Connexion sur le serveur.

util01@station02:~$ ssh admin@serveurip
admin@217.70.190.39's password: 
Welcome to Ubuntu 18.04 LTS (GNU/Linux 4.15.0-22-generic x86_64)
...
admin@serverhl03:~$ 

2/ Passage sous l’utilisateur d’administration.

admin@serverhl01:~$ su
Password: 
root@serverhl01:/home/admin# 

3/ Activer le sudoers pour l’utilisateur admin.

admin@serverhl03:~$ su - 
Password: 
root@serverhl03:~# 
root@serverhl03:~# visudo

Chercher :

%admin ALL=(ALL) ALL

# Allow members of group sudo to execute any command
%sudo    ALL=(ALL:ALL) ALL

Remplacer par :

admin ALL=(ALL) ALL

# Allow members of group sudo to execute any command
sudo    ALL=(ALL:ALL) ALL
root@serverhl03:/home/admin# exit
admin@serverhl03:~$ 

4/ Mise-à-jour du système.

admin@serverhl03:~$ sudo apt-get update && sudo apt-get upgrade

5/ Installation des paquets de base.

admin@serverhl03:~$ sudo apt-get install mc vim htop screen iptables ufw

III/ Installation et configuration de ‘lxd’.

1/ Installation des utilitaires ‘zfutils’.

admin@serverhl03:~$ sudo apt install zfsutils-linux

2/ Installation de ‘snapd’.

admin@serverhl03:~$ sudo apt install snapd

3/ Installation de ‘lxd’.

admin@serverhl03:~$ sudo snap install lxd

4/ Mise-à-jour des chemins.

admin@serverhl03:~$ . /etc/profile.d/apps-bin-path.sh

5/ Initialisation de ‘lxd’.

admin@serverhl03:~$ sudo lxd init
Would you like to use LXD clustering? (yes/no) [default=no]: 
Do you want to configure a new storage pool? (yes/no) [default=yes]: 
Name of the new storage pool [default=default]: lxc_pool
Name of the storage backend to use (btrfs, ceph, dir, lvm, zfs) [default=zfs]: 
Create a new ZFS pool? (yes/no) [default=yes]: 
Would you like to use an existing block device? (yes/no) [default=no]: 
Size in GB of the new loop device (1GB minimum) [default=15GB]: 
Would you like to connect to a MAAS server? (yes/no) [default=no]: 
Would you like to create a new local network bridge? (yes/no) [default=yes]: 
What should the new bridge be called? [default=lxdbr0]: 
What IPv4 address should be used? (CIDR subnet notation, “auto” or “none”) [default=auto]: 
What IPv6 address should be used? (CIDR subnet notation, “auto” or “none”) [default=auto]: none
Would you like LXD to be available over the network? (yes/no) [default=no]: 
Would you like stale cached images to be updated automatically? (yes/no) [default=yes] 
Would you like a YAML "lxd init" preseed to be printed? (yes/no) [default=no]: 
admin@serverhl03:~$ 

6/ Ajout de l’utilisateur ‘admin’ au groupe ‘lxd’.

admin@serverhl03:~$ sudo usermod -aG lxd admin

IV/ Création des conteneurs.

1/ Création du conteur pour ‘HAProxy’.

admin@serverhl03:~$ sudo lxc launch ubuntu:18.04 HAProxy
Creating HAProxy
Starting HAProxy                             
admin@serverhl03:~$ 

2/ Création des autres conteneurs.

admin@serverhl03:~$ sudo lxc launch ubuntu:18.04 Discus
Creating Discus
Starting Discus
admin@serverhl03:~$ 
admin@serverhl03:~$ sudo lxc launch ubuntu:18.04 Imagin
Creating Imagin
Starting Imagin
admin@serverhl03:~$ 
admin@serverhl03:~$ sudo lxc launch ubuntu:18.04 Nekrofage
Creating Nekrofage
Starting Nekrofage
admin@serverhl03:~$  
admin@serverhl03:~$ sudo lxc launch ubuntu:18.04 Forum
Creating Forum
Starting Forum
admin@serverhl03:~$ 

3/ Liste des conteneurs.

admin@serverhl03:~$ sudo lxc list
+-----------+---------+-----------------------+------+------------+-----------+
|   NAME    |  STATE  |         IPV4          | IPV6 |    TYPE    | SNAPSHOTS |
+-----------+---------+-----------------------+------+------------+-----------+
| Discus    | RUNNING | 10.156.249.17 (eth0)  |      | PERSISTENT | 0         |
+-----------+---------+-----------------------+------+------------+-----------+
| Forum     | RUNNING | 10.156.249.150 (eth0) |      | PERSISTENT | 0         |
+-----------+---------+-----------------------+------+------------+-----------+
| HAProxy   | RUNNING | 10.156.249.147 (eth0) |      | PERSISTENT | 0         |
+-----------+---------+-----------------------+------+------------+-----------+
| Imagin    | RUNNING | 10.156.249.127 (eth0) |      | PERSISTENT | 0         |
+-----------+---------+-----------------------+------+------------+-----------+
| Nekrofage | RUNNING | 10.156.249.198 (eth0) |      | PERSISTENT | 0         |
+-----------+---------+-----------------------+------+------------+-----------+
admin@serverhl03:~$ 

4/ Récupération du nom de l’interface réseau et de l’adresse ipv4 du serveur.

admin@serverhl03:~$ ifconfig
eth0: flags=4163  mtu 1500
        inet serveurip netmask 255.255.252.0  broadcast 217.70.191.255
        inet6 2001:4b98:dc0:41:216:3eff:fe26:5780  prefixlen 64  scopeid 0x0
        inet6 fe80::216:3eff:fe26:5780  prefixlen 64  scopeid 0x20
        ether 00:16:3e:26:57:80  txqueuelen 1000  (Ethernet)
        RX packets 257809  bytes 511007466 (511.0 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 26799  bytes 2603604 (2.6 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
...

5/ Création des régle iptables.

admin@serverhl03:~$ sudo iptables -t nat -I PREROUTING -i eth0 -p TCP -d 217.70.190.39/32 --dport 80 -j DNAT --to-destination 10.156.249.147:80
admin@serverhl03:~$ sudo iptables -t nat -I PREROUTING -i eth0 -p TCP -d 217.70.190.39/32 --dport 443 -j DNAT --to-destination 10.156.249.147:443

6/ Activiation de la persistance des régles.

admin@serverhl03:~$ sudo apt install iptables-persistent

7/ Réglage du pare-feu.

admin@serverhl03:~$ sudo ufw allow http
Rules updated
Rules updated (v6)
admin@serverhl03:~$ 
admin@serverhl03:~$ sudo ufw allow https
Rules updated
Rules updated (v6)
admin@serverhl03:~$ 
admin@serverhl03:~$ sudo ufw allow ssh
Rules updated
Rules updated (v6)
admin@serverhl03:~$ 
admin@serverhl03:~$ sudo ufw enable
Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
Firewall is active and enabled on system startup
admin@serverhl03:~$ 

V/ Configuration de HAProxy.

1/ Connexion au conteneur ‘HAProxy’.

admin@serverhl03:~$ sudo lxc exec HAProxy -- bash
root@HAProxy:~# 

2/ Mise-à-jour de la distribution.

root@HAProxy:~# apt-get update && apt-get upgrade

3/ Installation des paquets de base.

root@HAProxy:~# apt install vim screen mc 

4/ Installation de ‘haproxy’.

root@HAProxy:~# apt install haproxy

5/ Configuration.

Ouvrir :

/etc/haproxy/haproxy.cfg

Chercher :
# Dans la section ‘global’

       daemon

Ajouter après :

       maxconn 2048
       tune.ssl.default-dh-param 2048

Chercher :
# Dans la section ‘defaults’

        option  dontlognull

Ajouter après :

        option  forwardfor
        option  http-server-close

6/ Configuration des conteneurs.

Ouvrir :

/etc/haproxy/haproxy.cfg

Ajouter à la fin :

frontend http_frontend
    bind *:80
    
    acl web_host1 hdr(host) -i discus.hacklab.fr
    acl web_host2 hdr(host) -i imagin.hacklab.fr
    acl web_host3 hdr(host) -i nekrofage.hacklab.fr
    acl web_host4 hdr(host) -i forum.hacklab.fr
 
    use_backend Discus if web_host1
    use_backend Imagin if web_host2
    use_backend Nekrofage if web_host3
    use_backend Forum if web_host4
    
backend Discus
    balance leastconn
    http-request set-header X-Client-IP %[src]
    server Discus Discus.lxd:80 check

backend Imagin
    balance leastconn
    http-request set-header X-Client-IP %[src]
    server Imagin Imagin.lxd:80 check

backend Nekrofage
    balance leastconn
    http-request set-header X-Client-IP %[src]
    server Nekrofage Nekrofage.lxd:80 check

backend Forum
    balance leastconn
    http-request set-header X-Client-IP %[src]
    server Forum Forum.lxd:80 check

7/ Vérification du fichier de configuration.

root@HAProxy:~# /usr/sbin/haproxy -f /etc/haproxy/haproxy.cfg -c
Configuration file is valid

8/ Rechargement.

root@HAProxy:~# service haproxy reload
root@HAProxy:~# exit
exit
admin@serverhl03:~$ 

VI/ Configuration des autres conteneurs.

1/ Installation de ‘Discus’.

admin@serverhl03:~$ lxc exec Discus -- bash
root@Discus:~# apt update && apt upgrade && apt install mc screen vim htop
root@Discus:~# exit
exit
admin@serverhl03:~$ 

2/ Installation de ‘Imagin’.

admin@serverhl03:~$ lxc exec Imagin -- bash
root@Imagin:~# apt update && apt upgrade && apt install mc screen vim htop
root@Imagin:~# exit
exit
admin@serverhl03:~$ 

3/ Installation de ‘Nekrofage’.

admin@serverhl03:~$ lxc exec Nekrofage -- bash
root@Nekrofage:~# apt update && apt upgrade && apt install mc screen vim htop

– Installation de Apache 2.

root@Nekrofage:~# apt install apache2

– Activation de ‘apache2’.

root@Nekrofage:~# systemctl stop apache2.service 
root@Nekrofage:~# systemctl start apache2.service 
root@Nekrofage:~# systemctl enable apache2.service

– Modification de la page d’index.

Ouvrir :

/var/www/html/index.html

Chercher :

Apache2 Ubuntu Default Page

Remplacer par :

Nekrofage
root@Nekrofage:~# exit
exit
admin@serverhl03:~$ 

4/ Installation de ‘Forum’.

admin@serverhl03:~$ lxc exec Forum -- bash
root@Forum:~# apt update && apt upgrade && apt install mc screen vim htop

– Installation de Apache 2.

root@Forum:~# apt install apache2

– Activation de ‘apache2’.

root@Forum:~# systemctl stop apache2.service 
root@Forum:~# systemctl start apache2.service 
root@Forum:~# systemctl enable apache2.service

– Modification de la page d’index.

Ouvrir :

/var/www/html/index.html

Chercher :

Apache2 Ubuntu Default Page

Remplacer par :

Forum
root@Forum:~# exit
exit
admin@serverhl03:~$ 

5/ Test

http://nekrofage.hacklab.fr/
http://forum.hacklab.fr/

VII/ Création de snapshot.

1/ Liste des conteneurs.

admin@serverhl03:~$ sudo lxc list
[sudo] password for admin: 
+-----------+---------+-----------------------+------+------------+-----------+
|   NAME    |  STATE  |         IPV4          | IPV6 |    TYPE    | SNAPSHOTS |
+-----------+---------+-----------------------+------+------------+-----------+
| Discus    | RUNNING | 10.156.249.17 (eth0)  |      | PERSISTENT | 0         |
+-----------+---------+-----------------------+------+------------+-----------+
| Forum     | RUNNING | 10.156.249.150 (eth0) |      | PERSISTENT | 0         |
+-----------+---------+-----------------------+------+------------+-----------+
| HAProxy   | RUNNING | 10.156.249.147 (eth0) |      | PERSISTENT | 0         |
+-----------+---------+-----------------------+------+------------+-----------+
| Imagin    | RUNNING | 10.156.249.127 (eth0) |      | PERSISTENT | 0         |
+-----------+---------+-----------------------+------+------------+-----------+
| Nekrofage | RUNNING | 10.156.249.198 (eth0) |      | PERSISTENT | 0         |
+-----------+---------+-----------------------+------+------------+-----------+
admin@serverhl03:~$

2/ Créatin des snapshots des conteneurs.

admin@serverhl03:~$ lxc snapshot Discus Discus_snap0
admin@serverhl03:~$ lxc snapshot Forum Forum_snap0
admin@serverhl03:~$ lxc snapshot HAProxy HAProxy_snap0
admin@serverhl03:~$ lxc snapshot Imagin Imagin_snap0
admin@serverhl03:~$ lxc snapshot Nekrofage Nekrofage_snap0

3/ Liste des conteneurs avec les snapshots.

admin@serverhl03:~$ sudo lxc list
+-----------+---------+-----------------------+------+------------+-----------+
|   NAME    |  STATE  |         IPV4          | IPV6 |    TYPE    | SNAPSHOTS |
+-----------+---------+-----------------------+------+------------+-----------+
| Discus    | RUNNING | 10.156.249.17 (eth0)  |      | PERSISTENT | 1         |
+-----------+---------+-----------------------+------+------------+-----------+
| Forum     | RUNNING | 10.156.249.150 (eth0) |      | PERSISTENT | 1         |
+-----------+---------+-----------------------+------+------------+-----------+
| HAProxy   | RUNNING | 10.156.249.147 (eth0) |      | PERSISTENT | 1         |
+-----------+---------+-----------------------+------+------------+-----------+
| Imagin    | RUNNING | 10.156.249.127 (eth0) |      | PERSISTENT | 1         |
+-----------+---------+-----------------------+------+------------+-----------+
| Nekrofage | RUNNING | 10.156.249.198 (eth0) |      | PERSISTENT | 1         |
+-----------+---------+-----------------------+------+------------+-----------+
admin@serverhl03:~$ 

VIII/ Configuration de l’accès ‘ssh’.

1/ Ports ‘ssh’.

Discus : 9017
Forum :9150
HAProxy : 9147
Imagin : 9127
Nekrofage : 9198

2/ Modification du port ‘ssh’.

– Pour le conteneur ‘Discus’.

admin@serverhl03:~$ lxc exec Discus -- bash
root@Discus:~# 

Ouvrir :

/etc/ssh/sshd_config

Chercher :

#   Port 22

Remplacer par :

Port 9017

Action :

service sshd restart

– Pour le conteneur ‘Forum’.

admin@serverhl03:~$ lxc exec Forum -- bash
root@Forum:~#

Ouvrir :

/etc/ssh/sshd_config

Chercher :

#Port 22

Remplacer par :

Port 9150

Action :

service sshd restart

– Pour le conteneur ‘HAProxy’.

admin@serverhl03:~$ lxc exec HAProxy -- bash
root@HAProxy:~# 

Ouvrir :

/etc/ssh/sshd_config

Chercher :

#Port 22

Remplacer par :

Port 9150

Action :

service sshd restart

– Pour le conteneur ‘Nekrofage’.

admin@serverhl03:~$ lxc exec Nekrofage -- bash

Ouvrir :

/etc/ssh/sshd_config

Chercher :

#Port 22

Remplacer par :

Port 9198

Action :

service sshd restart

– Pour le conteneur ‘Imagein’.

admin@serverhl03:~$ lxc exec Imagin -- bash

Ouvrir :

/etc/ssh/sshd_config

Chercher :

#Port 22

Remplacer par :

Port 9150

Action :

service sshd restart

IX/ Pour chaque conteneur, configuration de l’utilisateur non-root ‘administrator’.

1/ Pour le conteneur ‘Nekrofage’.

– Création de l’utilisateur ‘administrator’.

admin@serverhl03:~$ lxc exec Nekrofage -- bash
root@Nekrofage:~# 
root@Nekrofage:~# adduser administrator
root@Nekrofage:~# usermod -aG sudo administrator
root@Nekrofage:~# su administrator
administrator@Nekrofage:/root$ cd
administrator@Nekrofage:~$ 

2/ Ajout d’une clé ‘ssh’ publique.

administrator@Nekrofage:~$ mkdir -p ~/.ssh

Ouvrir :

 ~/.ssh/authorized_keys

Ajouter :

administrator@Nekrofage:~$ chmod -R go= ~/.ssh
administrator@Nekrofage:~$ chown -R administrator:administrator ~/.ssh
administrator@Nekrofage:~$ exit
exit
root@Nekrofage:~# 
root@Nekrofage:~# exit
administrator@Nekrofage:/root$
root@Nekrofage:~# exit
exit
admin@serverhl03:~$ 

3/ Création de la régle iptable pour ‘ssh’.

Modèle de régle :

iptables -t nat -A PREROUTING -i {interface} -p tcp --dport {container_ssh_port} -j DNAT --to {container_ip}:{container_ssh_port}
admin@serverhl03:~$ sudo iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 9017 -j DNAT --to 10.156.249.17:9017
admin@serverhl03:~$ sudo iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 9150 -j DNAT --to 10.156.249.150:9150
admin@serverhl03:~$ sudo iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 9147 -j DNAT --to 10.156.249.147:9147
admin@serverhl03:~$ sudo iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 9127 -j DNAT --to 10.156.249.127:9127 
admin@serverhl03:~$ sudo iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 9198 -j DNAT --to 10.156.249.198:9198

4/ Test.

util01@station02:~$ ssh -p 9198 administrator@217.70.190.39
Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-22-generic x86_64)
...
administrator@Nekrofage:~$ 
util01@station02:~$ ssh -p 9017 administrator@217.70.190.39
...
administrator@Discus:~$ 
util01@station02:~$ ssh -p 9150 administrator@217.70.190.39
...
administrator@Forum:~$ 
util01@station02:~$ ssh -p 9147 administrator@217.70.190.39
...
administrator@HAProxy:~$
util01@station02:~$ ssh -p 9127 administrator@217.70.190.39
...
administrator@Imagin:~$ 

5/ Liste des réges ‘iptables’.

admin@serverhl03:~$ sudo iptables -t nat --line-numbers -L
[sudo] password for admin: 
Chain PREROUTING (policy ACCEPT)
num  target     prot opt source               destination         
1    DNAT       tcp  --  anywhere             serverhl03           tcp dpt:https to:10.156.249.147:443
2    DNAT       tcp  --  anywhere             serverhl03           tcp dpt:http to:10.156.249.147:80
3    DNAT       tcp  --  anywhere             anywhere             tcp dpt:9198 to:10.156.249.198:9198
4    DNAT       tcp  --  anywhere             anywhere             tcp dpt:9198 to:10.156.249.198:9198
5    DNAT       tcp  --  anywhere             anywhere             tcp dpt:9017 to:10.156.249.17:9017
6    DNAT       tcp  --  anywhere             anywhere             tcp dpt:9150 to:10.156.249.150:9150
7    DNAT       tcp  --  anywhere             anywhere             tcp dpt:9147 to:10.156.249.147:9147
8    DNAT       tcp  --  anywhere             anywhere             tcp dpt:9127 to:10.156.249.127:9127

Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
num  target     prot opt source               destination         
1    MASQUERADE  all  --  10.156.249.0/24     !10.156.249.0/24      /* generated for LXD network lxdbr0 */
admin@serverhl03:~$ 

6/ Sauvegarde des régles ‘iptables’.

admin@serverhl03:~$ sudo su
root@serverhl03:/home/admin# iptables-save > /etc/iptables/rules.v4
root@serverhl03:/home/admin# exit
exit
admin@serverhl03:~$ 

X/ Installation de ‘Let’s Encrypt’.

1/ Arrêt du serveur ‘haproxy’.

admin@serverhl03:~$ lxc exec HAProxy -- bash
root@HAProxy:~# 
root@HAProxy:~# service haproxy stop

2/ Installation du dépôt ‘Let’s Encrypt’.

root@HAProxy:~# add-apt-repository ppa:certbot/certbot

3/ Mise-à-jour.

root@HAProxy:~# apt update

4/ Installation de ‘Let’s Encrypt’.

root@HAProxy:~# apt install certbot

5/ Génération du certificat.

root@HAProxy:~# certbot certonly
Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate with the ACME CA?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Spin up a temporary webserver (standalone)
2: Place files in webroot directory (webroot)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
Plugins selected: Authenticator standalone, Installer None
Enter email address (used for urgent renewal and security notices) (Enter 'c' to cancel): lesanglierdesardennes@gmail.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: A

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: N
Please enter in your domain name(s) (comma and/or space separated)  (Enter 'c'
to cancel): nekrofage.hacklab.fr, discus.hacklab.fr, imagin.hacklab.fr, forum.hacklab.fr
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for discus.hacklab.fr
http-01 challenge for forum.hacklab.fr
http-01 challenge for imagin.hacklab.fr
http-01 challenge for nekrofage.hacklab.fr
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/discus.hacklab.fr/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/discus.hacklab.fr/privkey.pem
   Your cert will expire on 2020-01-25. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

root@HAProxy:~# 

6/ Vérification.

root@HAProxy:~# ls -l /etc/letsencrypt/live
total 3
-rw-r--r-- 1 root root 740 Oct 27 10:49 README
drwxr-xr-x 2 root root   7 Oct 27 10:56 nekrofage.hacklab.fr
root@HAProxy:~# 

7/ Génération du certificat ‘Let’s Encryp’.

root@HAProxy:~# mkdir -p /etc/haproxy/certs
root@HAProxy:~# cat /etc/letsencrypt/live/nekrofage.hacklab.fr/fullchain.pem /etc/letsencrypt/live/nekrofage.hacklab.fr/privkey.pem > /etc/haproxy/certs/nekrofage.hacklab.fr.pem

8/ Configuration de ‘haproxy’.

Ouvrir :

/etc/haproxy/haproxy.cfg

Ajouter à la fin de ‘frontend http_frontend’ :

frontend www-https
    bind *:443 ssl crt /etc/haproxy/certs/nekrofage.hacklab.fr.pem
    reqadd X-Forwarded-Proto:\ https

    acl web_host3 hdr(host) -i nekrofage.hacklab.fr
    acl web_host4 hdr(host) -i forum.hacklab.fr

    use_backend Nekrofage if web_host3
    use_backend Forum if web_host4

Chercher :

backend Nekrofage
    balance leastconn
    http-request set-header X-Client-IP %[src]
    server Nekrofage Nekrofage.lxd:80 check

Remplacer par :

backend Nekrofage
    balance leastconn
    http-request set-header X-Client-IP %[src]
    redirect scheme https if !{ ssl_fc }
    server Nekrofage Nekrofage.lxd:80 check

Chercher :

backend Forum
    balance leastconn
    http-request set-header X-Client-IP %[src]
    server Forum Forum.lxd:80 check

Remplacer par :

backend Forum
    balance leastconn
    http-request set-header X-Client-IP %[src]
    redirect scheme https if !{ ssl_fc }
    server Forum Forum.lxd:80 check

9/ Vérification de la configuration.

root@HAProxy:~# /usr/sbin/haproxy -f /etc/haproxy/haproxy.cfg -c
Configuration file is valid
root@HAProxy:~# 

10/ Démarrer ‘haproxy’.

root@HAProxy:~# service haproxy start

11/ Test

https://nekrofage.hacklab.fr/
https://forum.hacklab.fr/

12/ Renouvellement du certificat.

root@HAProxy:~# service haproxy stop
root@HAProxy:~# certbot renew
root@HAProxy:~# rm /etc/haproxy/certs/nekrofage.hacklab.fr.pem
root@HAProxy:~# cat /etc/letsencrypt/live/nekrofage.hacklab.fr/fullchain.pem /etc/letsencrypt/live/nekrofage.hacklab.fr/privkey.pem > /etc/haproxy/certs/nekrofage.hacklab.fr.pem
root@HAProxy:~# service haproxy start
octobre 27, 2019