LetsEncrypt with HAProxy
Using LXC/LXD Containers with HAProxy
Hosting multiple websites with containers and HAProxy
How to set up multiple secure (SSL/TLS, Qualys SSL Labs A+) websites using LXD containers
Serving multiple sites with Nginx, HAProxy and LXD on Ubuntu 16.04
How to manage Let's Encrypt SSL/TLS certificates with certbot
Let's Encrypt: wildcard certificate with Certbot
Let's Encrypt wildcard certificate and the GoDaddy _acme-challenge record
For godaddy.com
$ lxc launch ubuntu:18.04 web1
$ lxc exec web1 -- sudo --user ubuntu --login
$ sudo apt update && sudo apt upgrade
$ sudo apt install apache2
$ sudo nano /var/www/html/index.html
Change line 224 to:
It works web1!
Save.
$ sudo systemctl enable apache2
$ sudo systemctl start apache2
$ exit
$ curl 10.91.211.18 | grep web1
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 10923 100 10923 0 0 2666k 0 --:--:-- --:--:-- --:--:-- 2666k
It works web1!
===============================================================
$ lxc launch ubuntu:18.04 web2
$ lxc exec web2 -- sudo --user ubuntu --login
$ sudo apt update && sudo apt upgrade
$ sudo apt install apache2
$ sudo nano /var/www/html/index.html
Change line 224 to:
It works web2!
Save.
$ sudo systemctl enable apache2
$ sudo systemctl start apache2
$ exit
$ curl 10.91.211.77 | grep web2
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 10923 100 10923 0 0 3555k 0 --:--:-- --:--:-- --:--:-- 3555k
It works web2!
===============================================================
$ lxc launch ubuntu:18.04 gitlab
$ lxc launch ubuntu:18.04 haproxy
$ lxc list
Using LXC/LXD Containers with HAProxy
$ lxc launch ubuntu:18.04 haproxy
$ lxc config device add haproxy myport80 proxy listen=tcp:0.0.0.0:80 connect=tcp:localhost:80
#$ lxc config device remove haproxy myport80
$ lxc config device add haproxy myport443 proxy listen=tcp:0.0.0.0:443 connect=tcp:localhost:443
#$ lxc config device remove haproxy myport443
$ lxc exec haproxy -- sudo --user ubuntu --login
$ sudo apt update && sudo apt upgrade
$ sudo apt install haproxy
$ sudo systemctl enable haproxy
$ sudo systemctl start haproxy
$ sudo nano /etc/hosts
Add:
10.91.211.18 web1.lxd
10.91.211.77 web2.lxd
10.91.211.176 gitlab.lxd
Save.
$ sudo nano /etc/haproxy/haproxy.cfg
Replace the contents with:
global
    log /dev/log local0
    log /dev/log local1 notice
    chroot /var/lib/haproxy
    stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
    stats timeout 30s
    user haproxy
    group haproxy
    daemon
    #ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
    #ssl-default-bind-ciphers EECDH+AESGCM:EDH+AESGCM
    #tune.ssl.default-dh-param 2048
defaults
    log global
    mode http
    option httplog
    option dontlognull
    option forwardfor
    option http-server-close
    timeout connect 5000
    timeout client 50000
    timeout server 50000
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http
#frontend www-https
#    bind *:443 ssl crt /etc/letsencrypt/live/example.com/example.com.pem
#    reqadd X-Forwarded-Proto:\ https
#    acl host_web1 hdr(host) -i web1.example.com
#    acl host_web2 hdr(host) -i web2.example.com
#    use_backend subdomain1 if host_web1
#    use_backend subdomain2 if host_web2
frontend http_frontend
    bind *:80
    acl web_host1 hdr(host) -i web1.example.com
    acl web_host2 hdr(host) -i web2.example.com
    use_backend subdomain1 if web_host1
    use_backend subdomain2 if web_host2
backend subdomain1
    balance leastconn
    http-request set-header X-Client-IP %[src]
    #redirect scheme https if !{ ssl_fc }
    server web1 web1.lxd:80 check
# The original listing ended with subdomain1, but both frontends reference
# subdomain2, and HAProxy refuses to start when use_backend points at an
# undefined backend. The block below mirrors subdomain1 for web2.lxd, the
# host added to /etc/hosts above.
backend subdomain2
    balance leastconn
    http-request set-header X-Client-IP %[src]
    #redirect scheme https if !{ ssl_fc }
    server web2 web2.lxd:80 check
Save.
$ sudo systemctl restart haproxy
Install a wildcard certificate manually:
$ sudo add-apt-repository -y ppa:certbot/certbot
$ sudo apt-get update
$ sudo apt-get install -y certbot
$ sudo systemctl stop haproxy
$ sudo certbot certonly --manual --preferred-challenges dns-01 -d *.example.com
It would also be possible to cover not only the subdomains but the bare domain as well:
#$ sudo certbot certonly --manual --preferred-challenges dns-01 -d *.example.com -d example.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.example.com
with the following value:
kkjwKk4CieIWeMUZLGwuoizp1TA7linPuQ8GNMqLLy4
Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
For godaddy.com
Press Enter to Continue
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/example.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/example.com/privkey.pem
Your cert will expire on 2020-03-08. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
$ sudo -i
root@haproxy:~# cd /etc/letsencrypt/live/example.com
root@haproxy:~# cat fullchain.pem privkey.pem > example.com.pem
$ sudo nano /etc/haproxy/haproxy.cfg
Uncomment the https-related lines.
Save.
$ exit
Disable http:
On the host:
$ lxc config device remove haproxy myport80
$ sudo reboot
$ sudo systemctl start haproxy
$ lxc file pull haproxy/etc/haproxy/haproxy.cfg .
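The cat step above produces a file that contains the private key and has to be rebuilt after every renewal (a certificate issued with --manual renews unattended only if certbot is also given a --manual-auth-hook that publishes the TXT record). The deploy hook below is an added example, not part of the original post: it rebuilds example.com.pem with owner-only permissions, checks the HAProxy configuration with haproxy -c, and reloads only if that check passes. The hook path /usr/local/sbin/haproxy-pem-hook.sh is assumed; certbot exporting RENEWED_LINEAGE to deploy hooks is its documented behaviour, and the /etc/letsencrypt/live/example.com layout is the post's own.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): certbot deploy hook that
# rebuilds the combined PEM HAProxy loads via "crt", then reloads HAProxy.
# Install as /usr/local/sbin/haproxy-pem-hook.sh (assumed path) and run
#   certbot renew --deploy-hook /usr/local/sbin/haproxy-pem-hook.sh
# certbot exports RENEWED_LINEAGE (the live/<name> directory) to deploy hooks.
set -eu

# Concatenate fullchain.pem + privkey.pem into one file.
# $1 = certbot live directory, $2 = output PEM path.
# Returns non-zero if either input is missing, so a half-built PEM never
# replaces a working one; the result is written atomically with mode 600
# because it contains the private key.
build_haproxy_pem() {
    local live_dir="$1" out="$2" tmp
    [ -r "$live_dir/fullchain.pem" ] && [ -r "$live_dir/privkey.pem" ] || return 1
    tmp="$(mktemp "${out}.XXXXXX")"
    cat "$live_dir/fullchain.pem" "$live_dir/privkey.pem" > "$tmp"
    chmod 600 "$tmp"
    mv -f "$tmp" "$out"
}

# Validate the HAProxy configuration (haproxy -c) and reload only if it passes.
# Skipped silently when haproxy is not installed, e.g. when testing the hook.
reload_haproxy_if_valid() {
    local cfg="${1:-/etc/haproxy/haproxy.cfg}"
    command -v haproxy >/dev/null 2>&1 || return 0
    haproxy -c -f "$cfg" >/dev/null || return 1
    systemctl reload haproxy
}

main() {
    local live="$RENEWED_LINEAGE"
    # The post's bind line points at live/example.com/example.com.pem,
    # i.e. <lineage dir>/<lineage name>.pem
    build_haproxy_pem "$live" "$live/$(basename "$live").pem"
    reload_haproxy_if_valid
}

# Only act when invoked by certbot (or by hand with RENEWED_LINEAGE set).
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    main
fi
```

To run it by hand after the initial manual issuance: RENEWED_LINEAGE=/etc/letsencrypt/live/example.com /usr/local/sbin/haproxy-pem-hook.sh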
=================================
Set up gitlab
$ lxc exec gitlab -- sudo --user ubuntu --login
$ sudo apt update
$ sudo apt upgrade
$ sudo apt install mc
$ sudo dpkg-reconfigure locales
$ sudo dpkg-reconfigure tzdata
$ sudo dpkg-reconfigure keyboard-configuration
$ sudo apt install -y postfix
$ curl https://packages.gitlab.com/install/repositories/gitlab/gitlab-ee/script.deb.sh | sudo bash
$ sudo EXTERNAL_URL="http://gitlab.lxd" apt-get install gitlab-ee
https://gitlab.example.com
Enter a password for root of at least 8 characters.
Log in.
Disable registration.
#$ sudo gitlab-ctl stop
Backup gitlab
$ mkdir /home/user/backup
$ nano backup_gitlab_lxd.sh
#!/usr/bin/env bash
set -ex
BACKUP_DIR=/home/user/backup
#HOSTS=$(lxc list -c n --format csv)
HOSTS=gitlab
# Stop the container so the snapshot is consistent. The trap restarts it
# even if a later step fails; with set -e alone a failed export would have
# left gitlab stopped.
lxc stop gitlab
trap 'lxc start gitlab' EXIT
for HOST in ${HOSTS}
do
    BACKUP_NAME=${HOST}-$(date +"%Y-%m-%d")
    lxc snapshot ${HOST} auto-backup
    lxc publish ${HOST}/auto-backup --alias ${BACKUP_NAME}
    #lxc image export ${BACKUP_NAME} ${BACKUP_DIR}/${BACKUP_NAME}.tar.gz
    # lxc image export appends the archive extension itself, which is why
    # the restore step below imports ${BACKUP_NAME}.tar.gz
    lxc image export ${BACKUP_NAME} ${BACKUP_DIR}/${BACKUP_NAME}
    lxc image delete ${BACKUP_NAME}
    lxc delete ${HOST}/auto-backup
done
Save.
$ crontab -e
# m h dom mon dow command
00 5 * * * sh /home/user/backup_gitlab_lxd.sh
Restore on another machine:
$ lxc image import gitlab-2019-12-16.tar.gz --alias gitlab-backup
$ lxc launch gitlab-backup gitlab
$ lxc image delete gitlab-backup