Deploy Free SSL with HAProxy and Let's Encrypt
Set up HAProxy and use Let's Encrypt
We're going to use HAProxy to perform SSL termination and "reverse proxy" to our web server, using a free SSL certificate from Let's Encrypt.
Installation
CentOS/RHEL
Installing HAProxy + certbot:
$ sudo yum install -y epel-release
$ sudo yum install -y haproxy certbot
Opening the firewall:
$ sudo firewall-cmd --permanent --add-port=80/tcp
$ sudo firewall-cmd --permanent --add-port=443/tcp
$ sudo firewall-cmd --reload
Debian/Ubuntu
Installing HAProxy + certbot:
$ sudo add-apt-repository ppa:certbot/certbot
$ sudo apt-get update
$ sudo apt-get install -y haproxy certbot
Opening the firewall:
$ sudo ufw allow http
$ sudo ufw allow https
Generating SSL Certificate using certbot
We'll use the certbot command-line tool to generate our SSL certificate. certbot is a command-line interface to Let's Encrypt's API service.
Generate the certificate:
$ sudo certbot certonly -d mydomain.com -d www.mydomain.com
Once our certificate has been generated it will live under:
$ sudo ls -la /etc/letsencrypt/live/mydomain.com
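Configuring HAProxy
/etc/haproxy/haproxy.cfg
# HAProxy requires a name after "frontend"; "www-in" is an arbitrary choice
frontend www-in
    bind *:80
    # all.pem must hold fullchain.pem followed by privkey.pem; certbot does not create it
    bind *:443 ssl crt /etc/letsencrypt/live/mydomain.com/all.pem
    use_backend www
backend www
    server node1 127.0.0.1:81 check # we will set nginx to listen on port 81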
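The bind line above points at all.pem, but certbot only writes fullchain.pem and privkey.pem, while HAProxy's crt option wants the chain and the private key in one file. The script below is an added example, not part of the original article, that builds that file with owner-only permissions. The function name build_haproxy_pem, running it as a certbot deploy hook, and the systemd reload are assumptions.

```sh
#!/bin/sh
# Added example (not from the original article): build the single PEM file
# that the "crt" option on HAProxy's bind line expects. certbot writes
# fullchain.pem and privkey.pem separately and never creates all.pem.

# build_haproxy_pem LIVE_DIR [OUT_FILE]   (hypothetical helper name)
# Returns 0 on success, 1 if an input is missing or empty, 2 if an input
# does not look like the expected PEM type, 3 if writing the bundle fails.
# The body runs in a subshell "( )" so its variables and umask stay local.
build_haproxy_pem() (
    live_dir=$1
    out=${2:-$live_dir/all.pem}
    chain=$live_dir/fullchain.pem
    key=$live_dir/privkey.pem

    if [ ! -s "$chain" ] || [ ! -s "$key" ]; then
        echo "missing fullchain.pem or privkey.pem in $live_dir" >&2
        return 1
    fi
    # Catch swapped or truncated inputs here rather than at HAProxy reload.
    grep -q -e '-----BEGIN CERTIFICATE-----' "$chain" || return 2
    grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$key" || return 2

    # The bundle contains the private key: create it owner-only (0600) next
    # to the target, then rename so a reload never sees a half-written file.
    umask 077
    tmp=$(mktemp "$out.XXXXXX") || return 3
    if cat "$chain" "$key" > "$tmp" && mv -f "$tmp" "$out"; then
        return 0
    fi
    rm -f "$tmp"
    return 3
)

# certbot exports RENEWED_LINEAGE to --deploy-hook scripts; outside certbot
# it is unset and nothing below runs. "systemctl reload haproxy" assumes a
# systemd host.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    build_haproxy_pem "$RENEWED_LINEAGE" && systemctl reload haproxy
fi
```

Passed to certbot renew with --deploy-hook, the script rebuilds all.pem after each successful renewal, so HAProxy does not keep serving the expired certificate. For the first issuance, run it once by hand with RENEWED_LINEAGE set to /etc/letsencrypt/live/mydomain.com.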