Set up HAProxy and use Let's Encrypt
We're going to use HAProxy to perform SSL termination and "reverse proxy" the decrypted traffic to our web server, using a (free) SSL certificate from Let's Encrypt.
Installation
CentOS/RHEL
Installing HAProxy + certbot:
$ sudo yum install -y epel-release
$ sudo yum install -y haproxy certbot
Opening the firewall:
$ sudo firewall-cmd --permanent --add-port=80/tcp
$ sudo firewall-cmd --permanent --add-port=443/tcp
$ sudo firewall-cmd --reload
Debian/Ubuntu
Installing HAProxy + certbot:
$ sudo add-apt-repository ppa:certbot/certbot
$ sudo apt-get update
$ sudo apt-get install -y haproxy certbot
Opening the firewall:
$ sudo ufw allow http
$ sudo ufw allow https
Generating an SSL certificate using certbot
We'll use the certbot command line tool to generate our SSL certificate. certbot is a command line interface to the Let's Encrypt API service.
Generate the certificate (certbot needs root to write under /etc/letsencrypt):
$ sudo certbot certonly -d mydomain.com -d www.mydomain.com
Once our certificate has been generated it will live under:
$ sudo ls -la /etc/letsencrypt/live/mydomain.com
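Configuring HAProxy
/etc/haproxy/haproxy.cfg
# a frontend section must have a name; "www-in" is an arbitrary label
frontend www-in
    bind *:80
    # same domain directory that certbot created above
    bind *:443 ssl crt /etc/letsencrypt/live/mydomain.com/all.pem
    use_backend www

backend www
    server node1 127.0.0.1:81 check # we will set nginx to listen on port 81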
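
The bind line above loads an all.pem file, which certbot does not create: certbot writes fullchain.pem and privkey.pem separately, while HAProxy's crt option expects the certificate chain and the private key in one file. The script below is an added example, not part of the original page; it builds that file with owner-only permissions and can also be run as a certbot --deploy-hook. The function name build_haproxy_pem is an assumption made for this example.

```shell
#!/bin/sh
# Added example: build the combined PEM that HAProxy's "crt" option loads
# from the two files certbot keeps in /etc/letsencrypt/live/<domain>/.

# build_haproxy_pem LIVE_DIR [OUT_FILE]
# OUT_FILE defaults to LIVE_DIR/all.pem, the path used in haproxy.cfg.
build_haproxy_pem() {
    live_dir=$1
    out=${2:-$live_dir/all.pem}
    chain=$live_dir/fullchain.pem
    key=$live_dir/privkey.pem

    # Refuse to build from missing or obviously wrong inputs.
    grep -q -e '-----BEGIN CERTIFICATE-----' "$chain" 2>/dev/null || {
        echo "no certificate in $chain" >&2; return 1; }
    grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$key" 2>/dev/null || {
        echo "no private key in $key" >&2; return 1; }

    # mktemp creates the file with mode 0600. Writing there and renaming
    # means the key is never world-readable and never half-written.
    tmp=$(mktemp "$out.XXXXXX") || return 1
    if cat "$chain" "$key" > "$tmp" && chmod 600 "$tmp" && mv -f "$tmp" "$out"
    then
        return 0
    fi
    rm -f "$tmp"
    return 1
}

# certbot sets RENEWED_LINEAGE to the live directory of the renewed
# certificate when it runs a deploy hook. Rebuild the PEM, let HAProxy
# check the configuration (including the certificate), then reload.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    build_haproxy_pem "$RENEWED_LINEAGE" &&
        haproxy -c -f /etc/haproxy/haproxy.cfg &&
        systemctl reload haproxy
fi
```

Run it once by hand as root after sourcing the file (build_haproxy_pem /etc/letsencrypt/live/mydomain.com) before starting HAProxy, then register the file as the deploy hook so each renewal refreshes all.pem.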