
Install HAProxy & CertBot (LetsEncrypt)

Install HAProxy

Install HAProxy v2.4 with the following commands:

sudo add-apt-repository -y ppa:vbernat/haproxy-2.4
sudo apt update
sudo apt install -y haproxy

Edit the HAProxy configuration with this command:

sudo nano /etc/haproxy/haproxy.cfg

Inside the configuration, leave the global and defaults sections as they are and add two frontends: one for the stats page and one for normal web access. Replace every <placeholder> with your own values. Two caveats before copying the template: the stats frontend listens on every interface over plain HTTP with basic auth and has stats admin enabled, so anyone who can reach port 8080 and sniff or guess the password can disable your backends; bind it to a trusted address or firewall the port. Also, bind *:443 ssl crt /etc/ssl/private loads every certificate file in that directory, and HAProxy needs at least one there to start the TLS listener, so put a self-signed certificate in place until Certbot has issued the real one.

frontend stats
        # Stats/admin page: restrict who can reach port 8080 (firewall or bind to a trusted address)
        bind *:8080
        stats enable
        stats uri /
        stats refresh 10s
        stats show-modules
        no log
        stats auth admin:<admin password>
        # "stats admin" lets the page enable/disable servers; remove it if read-only stats are enough
        stats admin if TRUE

frontend http_fe
        bind *:80
        # Each file in the directory must contain the certificate chain followed by the private key
        bind *:443 ssl crt /etc/ssl/private

        # Test URI to see if it's a LetsEncrypt request
        acl letsencrypt-acl path_beg /.well-known/acme-challenge/
        use_backend certbot_be if letsencrypt-acl

        # Redirect plain HTTP to HTTPS. "redirect" rules are evaluated before "use_backend",
        # so the ACME path is excluded to keep challenges answerable on port 80.
        # This redirect breaks if used with Cloudflare Flexible Encryption.
        redirect scheme https code 301 if !{ ssl_fc } !letsencrypt-acl

        # <Name of website or any comment - Create these lines for every domain/backend>
        acl <acl_name> hdr_beg(host) -i <domain_prefix>.
        use_backend <backend_name> if <acl_name>

        default_backend <default_backend_name>

# <Name of the website or any comment - Create this section for every domain/backend>
backend <backend_name>
        balance roundrobin

        # Health check: a server is marked down when HEAD / stops returning 2xx/3xx
        option httpchk HEAD /

        # Pass the client address and the original scheme/port to the application
        option forwardfor
        http-request set-header X-Forwarded-Port %[dst_port]
        http-request set-header X-Forwarded-Proto https if { ssl_fc }

        # Applies to every server line that follows
        default-server check maxconn 20
        server <server_name> <server_ip>:<server_port>

backend certbot_be
        # Certbot in standalone mode, listening locally on 8888
        server certbot 127.0.0.1:8888

Here is a complete example for an Ignition server at 192.168.120.10 (web port 8088) reached from the internet under a hostname beginning with scada., with a catch-all backend at 192.168.120.11 for every other hostname:

frontend stats
        # Stats/admin page: restrict who can reach port 8080 (firewall or bind to a trusted address)
        bind *:8080
        stats enable
        stats uri /
        stats refresh 10s
        stats show-modules
        no log
        stats auth admin:<admin password>
        stats admin if TRUE

frontend http_fe
        bind *:80
        bind *:443 ssl crt /etc/ssl/private

        # Test URI to see if it's a LetsEncrypt request
        acl letsencrypt-acl path_beg /.well-known/acme-challenge/
        use_backend certbot_be if letsencrypt-acl

        # Block phpMyAdmin access on both ports. url_dec catches %-encoded variants;
        # http-request rules run before the redirect and backend selection below.
        acl block-phpMyAdmin path_beg,url_dec -i /phpmyadmin
        http-request deny if block-phpMyAdmin

        # Redirect plain HTTP to HTTPS, leaving the ACME path on port 80.
        # This redirect breaks if used with Cloudflare Flexible Encryption.
        redirect scheme https code 301 if !{ ssl_fc } !letsencrypt-acl

        # Ignition
        acl scada hdr_beg(host) -i scada.
        use_backend ignition_be if scada

        # Anything else (unknown hostnames, raw IP access) goes here
        default_backend fake_be

# Ignition
backend ignition_be
        balance roundrobin

        option httpchk HEAD /

        option forwardfor
        http-request set-header X-Forwarded-Port %[dst_port]
        http-request set-header X-Forwarded-Proto https if { ssl_fc }

        default-server check maxconn 20
        server iguana 192.168.120.10:8088

backend fake_be
        balance roundrobin

        option httpchk HEAD /

        option forwardfor
        http-request set-header X-Forwarded-Port %[dst_port]
        http-request set-header X-Forwarded-Proto https if { ssl_fc }

        default-server check maxconn 20
        server iguana 192.168.120.11:80

backend certbot_be
        server certbot 127.0.0.1:8888

Upgrade HAProxy

If you ever need to move to a newer HAProxy version, check the following site to see whether a PPA for that version exists:

https://launchpad.net/~vbernat/+ppa-packages

If it does, repeat the install commands above with the new version number to add its repository and upgrade HAProxy. Confirm the upgrade with haproxy -v and check that the existing configuration still parses with haproxy -c -f /etc/haproxy/haproxy.cfg before relying on it. Once HAProxy is upgraded and verified working, remove the old repository with the following command (again substituting the old version number):

sudo add-apt-repository --remove ppa:vbernat/haproxy-2.3

Install CertBot (LetsEncrypt)

Install Certbot with the following commands:

sudo add-apt-repository -y ppa:certbot/certbot
sudo apt update
sudo apt install -y certbot

Note: the Certbot project has since retired this PPA in favour of its snap package. If the add-apt-repository step fails or apt only offers an outdated certbot, follow the snap-based instructions at https://certbot.eff.org instead.
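HAProxy's crt directive expects one file per certificate holding the full chain followed by the private key, whereas Certbot writes fullchain.pem and privkey.pem separately under /etc/letsencrypt/live/<domain>/. The script below is an added example, not code from the original page or from the HAProxy or Certbot projects: a Certbot deploy hook that assembles the combined PEM for the renewed lineage (or all of them), writes it atomically with mode 0600 into the directory the configuration above loads from, validates the configuration with haproxy -c and reloads only if the check passes. The RENEWED_LINEAGE variable is the one Certbot exports to deploy hooks; the LIVE_DIR/OUT_DIR/HAPROXY_CFG overrides, the haproxy-deploy.sh filename and the demo inputs are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original page): Certbot deploy hook for HAProxy.
set -eu

# Defaults match Certbot's layout and the haproxy.cfg above; override via env if needed (assumption).
LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live}"
OUT_DIR="${OUT_DIR:-/etc/ssl/private}"
HAPROXY_CFG="${HAPROXY_CFG:-/etc/haproxy/haproxy.cfg}"

# build_pem <lineage_dir> <out_dir>
# Writes <out_dir>/<lineage>.pem = fullchain.pem + privkey.pem with mode 0600.
# The file is built under a temp name and renamed, so HAProxy never loads a half-written PEM.
# Prints the path of the file it wrote; returns 1 if either input is missing.
build_pem() {
    lineage_dir="$1"; out_dir="$2"
    name="$(basename "$lineage_dir")"
    [ -s "$lineage_dir/fullchain.pem" ] || { echo "missing fullchain.pem in $lineage_dir" >&2; return 1; }
    [ -s "$lineage_dir/privkey.pem" ]   || { echo "missing privkey.pem in $lineage_dir" >&2; return 1; }
    out="$out_dir/$name.pem"
    tmp="$(mktemp "$out_dir/.$name.XXXXXX")"
    cat "$lineage_dir/fullchain.pem" "$lineage_dir/privkey.pem" > "$tmp"
    chmod 0600 "$tmp"            # the bundle contains the private key
    mv -f "$tmp" "$out"
    printf '%s\n' "$out"
}

# build_all <live_dir> <out_dir>
# Bundles every lineage directory under live_dir; skips broken ones; prints how many were written.
build_all() {
    live_dir="$1"; out_dir="$2"; n=0
    for d in "$live_dir"/*/; do
        [ -d "$d" ] || continue
        if build_pem "${d%/}" "$out_dir" >/dev/null; then n=$((n + 1)); fi
    done
    echo "$n"
}

# reload_haproxy
# A config that fails to parse must never take the running proxy down, so validate first.
reload_haproxy() {
    if ! command -v haproxy >/dev/null 2>&1; then
        echo "haproxy not installed; skipping reload" >&2
        return 0
    fi
    if ! haproxy -c -q -f "$HAPROXY_CFG"; then
        echo "haproxy config check failed; not reloading" >&2
        return 1
    fi
    systemctl reload haproxy
}

main() {
    if [ -n "${RENEWED_LINEAGE:-}" ]; then
        # Certbot sets RENEWED_LINEAGE for deploy hooks: only rebuild the certificate that changed.
        build_pem "$RENEWED_LINEAGE" "$OUT_DIR"
    else
        # Run by hand: rebuild everything Certbot currently has.
        build_all "$LIVE_DIR" "$OUT_DIR"
    fi
    reload_haproxy
}

# Only run main when installed under the assumed script name, so the functions can be sourced/tested.
case "$(basename "$0")" in
    haproxy-deploy.sh|haproxy-deploy) main "$@" ;;
esac
```

Install it as /usr/local/sbin/haproxy-deploy.sh (assumed name) and pass it to Certbot with --deploy-hook; since the certbot_be backend above forwards challenges to 127.0.0.1:8888, the matching Certbot invocation is standalone mode with --http-01-port 8888 and --preferred-challenges http (an assumption about the next step, not something this page shows). Running the script by hand with no arguments rebuilds every bundle, which is also how to seed /etc/ssl/private after the first issuance.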