Grav CMS System(4)Multiple Domain Sites in HAProxy and HTTPS

sillycat

浏览: 2539279 次
性别:
来自: 成都

最近访客更多访客>>

huageng520

learnmore

u012363178

ymgjava

博主相关

博客

微博

相册

留言

关于我

文章分类

社区版块

存档分类

博客分类：

Scripts
PHP

Grav CMS System(4)Multiple Domain Sites in HAProxy and HTTPS

Follow
https://www.jianshu.com/p/907eec663cf1

Free SSL Org https://letsencrypt.org/
Tool to generate key https://certbot.eff.org/

Install Certbot on CentOS
> sudo yum install certbot

Install Certbot on Ubuntu
> sudo apt-get update
> sudo apt-get install software-properties-common
> sudo add-apt-repository ppa:certbot/certbot
> sudo apt-get update
> sudo apt-get install certbot

Install that on RaspberryPi
> wget https://dl.eff.org/certbot-auto
> sudo chmod a+x certbot-auto
> sudo mv certbot-auto /usr/local/bin/

Verify the installation
> certbot -h

Or
> certbot-auto -h

Set Up HAProxy proxy to our 8081 NGINX PHP Grav Application
https://seanmcgary.com/posts/haproxy---route-by-domain-name/
These configuration in nginx will work haproxy.conf

global
    maxconn     400

defaults
    mode     http
    timeout connect         30000
    timeout client          50000
    timeout server          50000

    stats enable
    stats hide-version
    stats uri     /stats
    stats auth    admin:admin

frontend http-in
    bind :80
    default_backend grav-web

backend grav-web
    balance leastconn
    option httpclose
    cookie JSESSIONID prefix
    server grav-web1 192.168.1.108:8081 cookie A check

listen scrapyd
    bind     *:6800
    mode    tcp
    balance roundrobin
    server scrapyd1 192.168.1.108:6801 check
    server scrapyd2 192.168.1.108:6802 check

With Multiple domains and ACLs
First of all, I start a static web site at port 8082

Here is the multiple nodes binding configuration haproxy.conf
global
    maxconn     400

defaults
    mode     http
    timeout connect         30000
    timeout client          50000
    timeout server          50000

    stats enable
    stats hide-version
    stats uri     /stats
    stats auth    admin:admin

frontend http-in
    bind :80
    acl host_sillycathome hdr(host) -i sillycat.ddnshome.net
    acl host_sillycat hdr(host) -i sillycat.ddns.net
    acl host_kikokanghome hdr(host) -i kikokang.ddnshome.net
    acl host_kikokang hdr(host) -i kikokang.ddns.net

    use_backend grav-web if host_sillycathome
    use_backend grav-web if host_sillycat
    use_backend static-web if host_kikokanghome
    use_backend static-web if host_kikokang

backend grav-web
    balance leastconn
    option httpclose
    cookie JSESSIONID prefix
    server grav-web1 192.168.1.108:8081 cookie A check

backend static-web
    balance leastconn
    option httpclose
    cookie JSESSIONID prefix
    server static-web1 192.168.1.108:8082 cookie A check

listen scrapyd
    bind     *:6800
    mode    tcp
    balance roundrobin
    server scrapyd1 192.168.1.108:6801 check
    server scrapyd2 192.168.1.108:6802 check

Generate Keys
Webroot Mode
> sudo certbot-auto certonly --webroot -w /home/carl/work/html -d sillycat.ddns.net --agree-tos --email luohuazju@gmail.com

If everything goes well, it will generate the keys here
Your certificate and chain have been saved at:
   /etc/letsencrypt/live/kikokang.ddns.net/fullchain.pem
Your key file has been saved at:
   /etc/letsencrypt/live/kikokang.ddns.net/privkey.pem

Standalone Mode
> sudo certbot-auto certonly --standalone -d sillycat.ddns.net --agree-tos --email luohuazju@gmail.com

The similar thing, it saves
Your certificate and chain have been saved at:
   /etc/letsencrypt/live/sillycat.ddns.net/fullchain.pem
Your key file has been saved at:
   /etc/letsencrypt/live/sillycat.ddns.net/privkey.pem

In the docs, in nginx, it will be similar to
Listen 443;
ssl on;
ssl_certificate /etc/letsencrypt/live/sillycat.ddns.net/fullchain.pem
ssl_certificate_key /etc/letsencrypt/live/sillycat.ddns.net/privkey.pem

Configure HTTPS in HAProxy
https://www.ilanni.com/?p=10641

Merge the files and keys for 2 domain.
> cat kiko.pem kiko_key.pem | tee kikokangname.pem
> cat sillycat.pem sillycat_key.pem | tee sillycatname.pem

Exception in HAProxy
2018-11-14T06:06:46.233312600Z [ALERT] 317/060646 (8) : parsing [conf/haproxy.conf:24] : error detected in frontend 'webapp' while parsing redirect rule : error in condition: unknown fetch method 'ssl_fc' in ACL expression 'ssl_fc'.

Solution:
When compile, we need enable SSL
https://stackoverflow.com/questions/25520526/centos-6-5-haproxy-fatal-error
>make TARGET=linux2628 USE_PCRE=1 USE_OPENSSL=1 USE_ZLIB=1 USE_CRYPT_H=1 USE_LIBCRYPT=1

Here is the changes in Dockerfile
ADD        conf/kikokangname.pem /tool/haproxy-1.8.14/conf/
ADD        conf/sillycatname.pem /tool/haproxy-1.8.14/conf/

#start the application
EXPOSE 6800
EXPOSE 80
EXPOSE 443

Here is the changes in Makefile to expose more ports
run:
    docker run -d -p 80:80 -p 443:443 -p 6800:6800 --name $(NAME) $(IMAGE):$(TAG)

debug:
    docker run -ti -p 80:80 -p 443:443 -p 6800:6800 --name $(NAME) $(IMAGE):$(TAG) /bin/bash

Here is the HTTPS configuration in HAProxy in haproxy.conf
frontend webapp
    bind :80

    acl host_sillycat hdr(host) -i sillycat.ddns.net
    redirect scheme https if !{ ssl_fc }
    bind :443 ssl crt /tool/haproxy-1.8.14/conf/sillycatname.pem

    acl host_kikokang hdr(host) -i kikokang.ddns.net
    redirect scheme https if !{ ssl_fc }
    bind :443 ssl crt /tool/haproxy-1.8.14/conf/kikokangname.pem

Then we can visit the page
https://sillycat.ddns.net
https://kikokang.ddns.net

References:
https://seanmcgary.com/posts/haproxy---route-by-domain-name/
http://seanmcgary.com/posts/using-sslhttps-with-haproxy/
https://www.jianshu.com/p/907eec663cf1
http://blog.51cto.com/11538244/1912152

分享到：

Grav CMS System(5)Multiple Domains and C ... | Grav CMS System(3)Docker Nginx and PHP

2018-11-14 21:33
浏览 570
评论(0)
分类:企业架构
查看更多

发表评论

您还没有登录,请您登录后再发表评论

最近访客更多访客>>

博主相关

文章分类

社区版块

存档分类

最新评论