Install HAProxy & CertBot (LetsEncrypt)
Install HAProxy
Install HAProxy v2.4 with the following commands:
sudo add-apt-repository -y ppa:vbernat/haproxy-2.4
sudo apt update
sudo apt install -y haproxy
Install WhoIs (which provides the mkpasswd tool) with the following command:
sudo apt install whois
Generate a salted password hash for accessing the statistics page with the following command:
echo <password> | mkpasswd --stdin --method=sha-256
Edit the HAProxy configuration with this command:
sudo nano /etc/haproxy/haproxy.cfg
Inside the configuration, leave the global and defaults sections as they are, and add a userlist for the stats page, a frontend for normal web access (which also serves the stats page), and the backends:
userlist StatsUsers
        user <username> password <salted_password>

frontend http_fe
        bind *:80
        bind *:443 ssl crt /etc/ssl/private
        # Capture additional/longer info for logs
        http-request capture req.hdr(Host) len 30
        capture request header User-Agent len 200
        capture request header Referer len 800
        capture request header X-Forwarded-For len 20
        # Test URI to see if it's a LetsEncrypt request
        acl letsencrypt_acl path_beg /.well-known/acme-challenge/
        use_backend certbot_be if letsencrypt_acl
        # The following redirect for non-https traffic breaks if used with Cloudflare Flexible Encryption
        redirect scheme https code 301 if !{ ssl_fc }
        # Local Stats
        acl stats_acl hdr_beg(host) -i hastats.
        acl stats_auth http_auth(StatsUsers)
        http-request auth realm Stats if stats_acl !stats_auth
        use_backend stats_be if stats_acl stats_auth
        # Common Redirects
        acl <redirect_acl_name> hdr_beg(host) -i <domain_prefix>
        http-request redirect location <url> if <redirect_acl_name>
        # <Name of website or any comment - Create these lines for every domain/backend>
        acl <acl_name> hdr_beg(host) -i <domain_prefix>.
        use_backend <backend_name> if <acl_name>
        default_backend <default_backend_name>

# <Name of the website or any comment - Create this section for every domain/backend>
backend <backend_name>
        balance roundrobin
        option httpchk HEAD /
        option forwardfor
        http-request set-header X-Forwarded-Port %[dst_port]
        http-request set-header X-Forwarded-Proto https if { ssl_fc }
        default-server check maxconn 20
        server <server_name> <server_ip>:<server_port>

# Local stats
backend stats_be
        stats enable
        stats uri /
        stats refresh 10s
        stats show-modules
        no log

# Certbot for LetsEncrypt
backend certbot_be
        server certbot 127.0.0.1:8888

Here's an example using an Ignition server running on 192.168.120.10 and a domain name beginning with scada. for internet access:
frontend stats
        bind *:8080
        stats enable
        stats uri /
        stats refresh 10s
        stats show-modules
        no log
        stats auth admin:<admin password>
        stats admin if TRUE

frontend http_fe
        bind *:80
        bind *:443 ssl crt /etc/ssl/private
        # Test URI to see if it's a LetsEncrypt request
        acl letsencrypt-acl path_beg /.well-known/acme-challenge/
        use_backend certbot_be if letsencrypt-acl
        # Block phpMyAdmin access
        acl block-phpMyAdmin path_beg,url_dec -i /phpmyadmin
        http-request deny if block-phpMyAdmin
        # Ignition Perspective Redirect to Project URL
        acl scada hdr_beg(host) -i scada.
        http-request redirect location https://ignition.icstexas.com/data/perspective/client/ProjectName if scada
        # The following redirect for non-https traffic breaks if used with Cloudflare Flexible Encryption
        redirect scheme https code 301 if !{ ssl_fc }
        # Ignition
        acl ignition hdr_beg(host) -i ignition.
        use_backend ignition_be if ignition
        default_backend fake_be

# Ignition
backend ignition_be
        balance roundrobin
        option httpchk HEAD /
        acl ignition_ping path_beg -i /main/StatusPing
        http-request set-path /StatusPing if ignition_ping
        option forwardfor
        http-request set-header Connection "Upgrade"
        http-request set-header X-Forwarded-Port %[dst_port]
        http-request set-header X-Forwarded-Proto https if { ssl_fc }
        default-server check maxconn 1000
        server iguana 192.168.120.10:8088 check inter 10s

backend fake_be
        balance roundrobin
        option httpchk HEAD /
        option forwardfor
        http-request set-header X-Forwarded-Port %[dst_port]
        http-request set-header X-Forwarded-Proto https if { ssl_fc }
        default-server check maxconn 20
        server iguana 192.168.120.11:80

backend certbot_be
        server certbot 127.0.0.1:8888

Upgrade HAProxy
If you ever need to upgrade the version to a newer version, check the following site to see if the newer version exists:
https://launchpad.net/~vbernat/+ppa-packages
If it does, use the commands above, substituting the new version number, to add the newer version's repository and upgrade HAProxy. Once HAProxy is upgraded and verified working, use the following command to remove the old version's repository (again substituting the old version number):
sudo add-apt-repository --remove ppa:vbernat/haproxy-2.3

Install CertBot (LetsEncrypt)
Install Certbot with the following commands:
sudo add-apt-repository -y ppa:certbot/certbot
sudo apt update
sudo apt install -y certbot
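The page stops after installing Certbot, so here is the issuance and deployment step that the certbot_be backend above is built for, as an added example that is not part of the original page or of the HAProxy or Certbot projects. HAProxy forwards /.well-known/acme-challenge/ to 127.0.0.1:8888, so certbot runs in standalone mode on that port and nothing else on the host has to stop; afterwards the certificate chain and private key are concatenated into one PEM under /etc/ssl/private, the directory the frontend's bind *:443 line loads. The script path /usr/local/bin/haproxy-certbot.sh, the CERT_DIR and SELF variables, the helper names, and the systemd reload command are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page: issue a Let's Encrypt certificate
# through HAProxy's certbot_be backend (127.0.0.1:8888) and install it for HAProxy.
# Assumptions: the script is installed at /usr/local/bin/haproxy-certbot.sh,
# HAProxy loads certificates from /etc/ssl/private, and HAProxy runs under systemd.
set -eu

SELF=${SELF:-/usr/local/bin/haproxy-certbot.sh}   # assumed install path (used by the deploy hook)
CERT_DIR=${CERT_DIR:-/etc/ssl/private}            # directory bound by "bind *:443 ssl crt"

# HAProxy's "crt" directive expects the chain and the key in a single file.
# $1 = certbot live directory for the domain, $2 = output PEM path.
build_haproxy_pem() {
    live_dir=$1
    out=$2
    # Write under a restrictive umask (in a subshell so the caller's umask is untouched)
    # so the private key is never world-readable, then rename atomically so HAProxy
    # can never load a half-written file.
    ( umask 077 && cat "$live_dir/fullchain.pem" "$live_dir/privkey.pem" > "$out.tmp" )
    chmod 0600 "$out.tmp"
    mv "$out.tmp" "$out"
}

# Sanity check before reloading: the combined file must carry both a certificate and a key.
pem_is_complete() {
    grep -q 'BEGIN CERTIFICATE' "$1" && grep -q 'PRIVATE KEY' "$1"
}

# Request the certificate. Only the ACME challenge reaches port 8888 (via HAProxy),
# so no other service on the host has to be stopped. --http-01-port and
# --deploy-hook are real certbot options.
issue_cert() {
    domain=$1
    sudo certbot certonly --standalone --preferred-challenges http \
        --http-01-port 8888 -d "$domain" \
        --deploy-hook "$SELF deploy $domain"
}

# Deploy hook: certbot runs this after every successful issuance or renewal.
deploy_cert() {
    domain=$1
    build_haproxy_pem "/etc/letsencrypt/live/$domain" "$CERT_DIR/$domain.pem"
    pem_is_complete "$CERT_DIR/$domain.pem"
    sudo haproxy -c -f /etc/haproxy/haproxy.cfg   # refuse to reload on a broken config
    sudo systemctl reload haproxy
}

case "${1:-}" in
    issue)  issue_cert "$2" ;;
    deploy) deploy_cert "$2" ;;
    "")     ;;   # no arguments: only define the functions (e.g. when sourced)
    *)      echo "usage: $0 issue <domain> | deploy <domain>" >&2; exit 2 ;;
esac
```

Make the script executable, run `sudo /usr/local/bin/haproxy-certbot.sh issue <domain>` once, and certbot stores the deploy hook in the domain's renewal configuration, so the scheduled renewals rebuild the PEM and reload HAProxy without further intervention. The build step never leaves a partial or world-readable key file behind, and the config check keeps a bad reload from taking the frontend down.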
