Sunday, December 8, 2019

Using LXC/LXD Containers with HAProxy

LetsEncrypt with HAProxy
Using LXC/LXD Containers with HAProxy
Hosting multiple websites with containers and HAProxy
How to set up multiple secure (SSL/TLS, Qualys SSL Labs A+) websites using LXD containers
Serving multiple sites with Nginx, HAProxy and LXD on Ubuntu 16.04
How to manage Let's Encrypt SSL/TLS certificates with certbot
Let's Encrypt: wildcard certificate with Certbot
Letsencrypt wildcard certificate and the GoDaddy _acme-challenge record

For godaddy.com

$ lxc launch ubuntu:18.04 web1
$ lxc exec web1 -- sudo --user ubuntu --login
$ sudo apt update && sudo apt upgrade
$ sudo apt install apache2
$ sudo nano /var/www/html/index.html
Change line 224 to read:
It works web1!
Save.
$ sudo systemctl enable apache2
$ sudo systemctl start apache2

$ exit
$ curl 10.91.211.18 | grep web1
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 10923  100 10923    0     0  2666k      0 --:--:-- --:--:-- --:--:-- 2666k
          It works web1!
===============================================================
$ lxc launch ubuntu:18.04 web2
$ lxc exec web2 -- sudo --user ubuntu --login
$ sudo apt update && sudo apt upgrade
$ sudo apt install apache2
$ sudo nano /var/www/html/index.html
Change line 224 to read:
It works web2!
Save.
$ sudo systemctl enable apache2
$ sudo systemctl start apache2
$ exit
$ curl 10.91.211.77 | grep web2
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 10923  100 10923    0     0  3555k      0 --:--:-- --:--:-- --:--:-- 3555k
          It works web2!
===============================================================
$ lxc launch ubuntu:18.04 gitlab
$ lxc launch ubuntu:18.04 haproxy

$ lxc list



Using LXC/LXD Containers with HAProxy
$ lxc launch ubuntu:18.04 haproxy
$ lxc config device add haproxy myport80 proxy listen=tcp:0.0.0.0:80 connect=tcp:localhost:80
#$ lxc config device remove haproxy myport80 
$ lxc config device add haproxy myport443 proxy listen=tcp:0.0.0.0:443 connect=tcp:localhost:443
#$ lxc config device remove haproxy myport443
$ lxc exec haproxy -- sudo --user ubuntu --login
$ sudo apt update && sudo apt upgrade
$ sudo apt install haproxy
$ sudo systemctl enable haproxy
$ sudo systemctl start haproxy
$ sudo nano /etc/hosts
Add:
10.91.211.18 web1.lxd
10.91.211.77 web2.lxd
10.91.211.176 gitlab.lxd 
Save.
$ sudo nano /etc/haproxy/haproxy.cfg

Replace the contents with:
global
    log /dev/log local0
    log /dev/log local1 notice
    chroot /var/lib/haproxy
    stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
    stats timeout 30s
    user haproxy
    group haproxy
    daemon

    # TLS defaults; uncommented together with the https frontend once the certificate is in place
    #ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
    #ssl-default-bind-ciphers EECDH+AESGCM:EDH+AESGCM
    #tune.ssl.default-dh-param 2048

defaults
    log global
    mode http
    option httplog
    option dontlognull
    option forwardfor
    option http-server-close
    timeout connect 5000
    timeout client 50000
    timeout server 50000
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http

# https frontend; stays commented until /etc/letsencrypt/live/example.com/example.com.pem exists
#frontend www-https
#    bind *:443 ssl crt /etc/letsencrypt/live/example.com/example.com.pem
#    reqadd X-Forwarded-Proto:\ https
#
#    acl host_web1 hdr(host) -i web1.example.com
#    acl host_web2 hdr(host) -i web2.example.com
#
#    use_backend subdomain1 if host_web1
#    use_backend subdomain2 if host_web2

frontend http_frontend
    bind *:80

    acl web_host1 hdr(host) -i web1.example.com
    acl web_host2 hdr(host) -i web2.example.com

    use_backend subdomain1 if web_host1
    use_backend subdomain2 if web_host2

backend subdomain1
    balance leastconn
    http-request set-header X-Client-IP %[src]
    #redirect scheme https if !{ ssl_fc }
    server web1 web1.lxd:80 check

# backend for web2, referenced by "use_backend subdomain2" above;
# HAProxy refuses to start if a referenced backend is not defined
backend subdomain2
    balance leastconn
    http-request set-header X-Client-IP %[src]
    #redirect scheme https if !{ ssl_fc }
    server web2 web2.lxd:80 check

Save.

$ sudo systemctl restart haproxy
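A hand-edited haproxy.cfg is easy to get wrong in a way that only shows up as a failed restart, the classic case being a use_backend rule that points at a backend section that was never written. The script below is an added example, not part of the original post: a small shell lint that lists every backend referenced by use_backend / default_backend and checks that a matching backend section exists. It runs against a constructed, cut-down config written to a temporary directory (the file names and the subdomain3 line are made up for the demo) and needs only awk, grep and sort.

```sh
#!/usr/bin/env sh
# Added example: lint a haproxy.cfg for routing rules that reference a backend
# section which is never defined. HAProxy refuses to start on such a file.

# check_backends CFG -> returns 0 if every referenced backend is defined,
#                       1 otherwise (missing names are printed to stderr)
check_backends() {
    cfg="$1"; rc=0
    # Comment lines start with '#', so their first field never equals the keyword.
    for name in $(awk '$1 == "use_backend" || $1 == "default_backend" { print $2 }' "$cfg" | sort -u); do
        if ! grep -Eq "^[[:space:]]*backend[[:space:]]+${name}([[:space:]]|$)" "$cfg"; then
            echo "haproxy.cfg: backend '${name}' is referenced but not defined" >&2
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample configs (minimal, not the post's full file).
LINT_DIR=$(mktemp -d)
BROKEN_CFG="$LINT_DIR/broken.cfg"
FIXED_CFG="$LINT_DIR/fixed.cfg"

cat > "$BROKEN_CFG" <<'EOF'
frontend http_frontend
    bind *:80
    acl web_host1 hdr(host) -i web1.example.com
    acl web_host2 hdr(host) -i web2.example.com
    use_backend subdomain1 if web_host1
    use_backend subdomain2 if web_host2
    #use_backend subdomain3 if web_host3

backend subdomain1
    server web1 web1.lxd:80 check
EOF

# The same file with the missing second backend appended.
{ cat "$BROKEN_CFG"; printf '\nbackend subdomain2\n    server web2 web2.lxd:80 check\n'; } > "$FIXED_CFG"

if check_backends "$BROKEN_CFG"; then echo "broken.cfg: ok"; else echo "broken.cfg: problems found"; fi
if check_backends "$FIXED_CFG";  then echo "fixed.cfg: ok";  else echo "fixed.cfg: problems found";  fi
```

On the haproxy container, run `check_backends /etc/haproxy/haproxy.cfg` before the restart, and follow it with HAProxy's own full validation, `sudo haproxy -c -f /etc/haproxy/haproxy.cfg`, which also catches syntax errors this lint does not look for. One more thing worth knowing about the setup above: because traffic enters through an LXD proxy device, HAProxy sees connections arriving from the proxy process rather than from the visitor, so `X-Client-IP %[src]` and the access log will not carry the real client address; LXD's `proxy_protocol=true` option on the proxy device together with `accept-proxy` on the bind line is the usual way to preserve it.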

Install the wildcard certificate manually:

$ sudo add-apt-repository -y ppa:certbot/certbot
$ sudo apt-get update
$ sudo apt-get install -y certbot
$ sudo systemctl stop haproxy

$ sudo certbot certonly --manual --preferred-challenges dns-01 -d '*.example.com'
The apex domain itself could have been included alongside the subdomains:
#$ sudo certbot certonly --manual --preferred-challenges dns-01 -d '*.example.com' -d example.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.example.com
with the following value:

kkjwKk4CieIWeMUZLGwuoizp1TA7linPuQ8GNMqLLy4

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue


For godaddy.com

Press Enter to Continue
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/example.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/example.com/privkey.pem
   Your cert will expire on 2020-03-08. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le


$ sudo -i

root@haproxy:~# cd /etc/letsencrypt/live/example.com
root@haproxy:~# cat fullchain.pem privkey.pem > example.com.pem
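The combined example.com.pem now contains the private key, so it deserves the same care as privkey.pem: it must not be readable by anyone but root, and it is worth confirming that the key and certificate in the bundle actually belong together before HAProxy is pointed at it. The script below is an added example, not part of the original post: it builds the bundle under a restrictive umask and checks the key against the certificate by comparing their public keys. For the demo it generates a self-signed certificate for example.com in a temporary directory (a stand-in for the certbot live directory, constructed here); if openssl is not installed it falls back to placeholder files so the assembly step can still be shown.

```sh
#!/usr/bin/env sh
# Added example: assemble the HAProxy PEM (chain + private key in one file)
# without ever leaving the private key world-readable, then confirm that the
# key in the bundle matches the certificate.

# build_haproxy_pem LIVE_DIR OUT_FILE
#   LIVE_DIR is a certbot "live" directory holding fullchain.pem and privkey.pem.
build_haproxy_pem() {
    live="$1"; out="$2"
    [ -r "$live/fullchain.pem" ] && [ -r "$live/privkey.pem" ] || {
        echo "build_haproxy_pem: fullchain.pem or privkey.pem missing in $live" >&2
        return 1
    }
    # umask 077 makes the file 0600 from the moment it is created, so there is
    # no window in which another user could read the key.
    ( umask 077 && cat "$live/fullchain.pem" "$live/privkey.pem" > "$out" )
}

# verify_haproxy_pem PEM_FILE
#   0 when the certificate and the private key in the bundle share the same
#   public key, non-zero otherwise. Needs openssl.
verify_haproxy_pem() {
    pem="$1"
    cert_pub=$(openssl x509 -in "$pem" -noout -pubkey 2>/dev/null)
    key_pub=$(awk '/-----BEGIN .*PRIVATE KEY-----/,/-----END .*PRIVATE KEY-----/' "$pem" \
              | openssl pkey -pubout 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# pem_mode FILE -> permission string as shown by ls, e.g. -rw-------
pem_mode() { ls -l "$1" | cut -c1-10; }

# Constructed demo "live" directory standing in for /etc/letsencrypt/live/example.com
DEMO_LIVE=$(mktemp -d)
DEMO_PEM="$DEMO_LIVE/example.com.pem"
if command -v openssl >/dev/null 2>&1; then
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example.com" \
        -keyout "$DEMO_LIVE/privkey.pem" -out "$DEMO_LIVE/fullchain.pem" 2>/dev/null
else
    echo "PLACEHOLDER-CERT" > "$DEMO_LIVE/fullchain.pem"   # no openssl: assembly only
    echo "PLACEHOLDER-KEY"  > "$DEMO_LIVE/privkey.pem"
fi

build_haproxy_pem "$DEMO_LIVE" "$DEMO_PEM"
echo "bundle written: $DEMO_PEM ($(pem_mode "$DEMO_PEM"))"
if command -v openssl >/dev/null 2>&1; then
    if verify_haproxy_pem "$DEMO_PEM"; then echo "key matches certificate"; else echo "KEY/CERT MISMATCH"; fi
fi
```

On the haproxy container this would be run as root with the real live directory, for example from a certbot `--deploy-hook` followed by `systemctl reload haproxy`, so the bundle is rebuilt on every renewal (a certificate obtained with --manual still needs the DNS challenge answered again at renewal time). If HAProxy later fails to load the file with a key/certificate mismatch, the verify function localises the problem before the service is restarted.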

$ sudo nano /etc/haproxy/haproxy.cfg

Uncomment the https-related lines.
Save.

$ exit

Disable http.
On the host:

$ lxc config device remove haproxy myport80

$ sudo reboot

$ sudo systemctl start haproxy

$ lxc file pull haproxy/etc/haproxy/haproxy.cfg .

=================================
Set up gitlab

$ lxc exec gitlab -- sudo --user ubuntu --login
$ sudo apt update
$ sudo apt upgrade
$ sudo apt install mc
$ sudo dpkg-reconfigure locales
$ sudo dpkg-reconfigure tzdata
$ sudo dpkg-reconfigure keyboard-configuration
$ sudo apt install -y postfix
$ curl https://packages.gitlab.com/install/repositories/gitlab/gitlab-ee/script.deb.sh | sudo bash
$ sudo EXTERNAL_URL="http://gitlab.lxd" apt-get install gitlab-ee

https://gitlab.example.com
Enter a password for root of at least 8 characters.
Log in.
Disable sign-ups.

#$ sudo gitlab-ctl stop

Backup gitlab

$ mkdir /home/user/backup

$ nano backup_gitlab_lxd.sh

#!/usr/bin/env bash
# Snapshot the gitlab container, publish the snapshot as an image, export the
# image as a tarball into BACKUP_DIR, then remove the temporary image and
# snapshot. The container is stopped while the snapshot is taken so the
# GitLab data on disk is consistent.
set -ex
BACKUP_DIR=/home/user/backup
#HOSTS=$(lxc list -c n --format csv)
HOSTS=gitlab

lxc stop gitlab
# Start gitlab again on exit even if a later step fails (set -e aborts the script).
trap 'lxc start gitlab' EXIT

for HOST in ${HOSTS}
do
    BACKUP_NAME=${HOST}-$(date +"%Y-%m-%d")

    lxc snapshot "${HOST}" auto-backup
    lxc publish "${HOST}/auto-backup" --alias "${BACKUP_NAME}"
    # lxc image export appends .tar.gz to the target name itself
    #lxc image export ${BACKUP_NAME} ${BACKUP_DIR}/${BACKUP_NAME}.tar.gz
    lxc image export "${BACKUP_NAME}" "${BACKUP_DIR}/${BACKUP_NAME}"
    lxc image delete "${BACKUP_NAME}"
    lxc delete "${HOST}/auto-backup"
done

Save.

$ crontab -e

# m h  dom mon dow   command
00 5 * * * sh /home/user/backup_gitlab_lxd.sh

Restoring on another machine:

$ lxc image import gitlab-2019-12-16.tar.gz --alias gitlab-backup
$ lxc launch gitlab-backup gitlab
$ lxc image delete gitlab-backup
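A nightly export is only useful if the tarballs are intact when a restore is needed and the backup directory does not fill up. The script below is an added example, not part of the original post: a companion to the cron job that checks each exported image is a valid gzip archive, records a SHA-256 checksum next to it for the restore step, and prunes exports older than a given number of days. It runs on a constructed demo directory with one fresh, one stale and one corrupt file (all made up here) and needs only gzip, find and sha256sum (or shasum where sha256sum is absent).

```sh
#!/usr/bin/env sh
# Added example: sanity-check exported LXD images and prune old ones.

# verify_backup FILE -> 0 if FILE is a non-empty, intact gzip archive;
#                       also writes FILE.sha256 so a restore can be checked.
verify_backup() {
    f="$1"
    [ -s "$f" ] || { echo "verify_backup: $f missing or empty" >&2; return 1; }
    gzip -t "$f" 2>/dev/null || { echo "verify_backup: $f is corrupt" >&2; return 1; }
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$f" > "$f.sha256"
    else
        shasum -a 256 "$f" > "$f.sha256"
    fi
}

# prune_backups DIR DAYS -> remove gitlab-*.tar.gz older than DAYS days, with their .sha256
prune_backups() {
    dir="$1"; days="$2"
    find "$dir" -maxdepth 1 -type f -name 'gitlab-*.tar.gz' -mtime "+$days" | while read -r f; do
        echo "pruning $f"
        rm -f "$f" "$f.sha256"
    done
}

# count_backups DIR -> number of gitlab-*.tar.gz files present
count_backups() {
    find "$1" -maxdepth 1 -type f -name 'gitlab-*.tar.gz' | wc -l | tr -d ' '
}

# Constructed demo directory: one fresh export, one stale export, one corrupt file.
DEMO_DIR=$(mktemp -d)
printf 'fresh' | gzip > "$DEMO_DIR/gitlab-2019-12-16.tar.gz"
printf 'old'   | gzip > "$DEMO_DIR/gitlab-2019-01-01.tar.gz"
touch -t 201901010000 "$DEMO_DIR/gitlab-2019-01-01.tar.gz"     # backdate the stale one
printf 'not gzip data' > "$DEMO_DIR/gitlab-2019-12-15.tar.gz"  # truncated/corrupt export

for f in "$DEMO_DIR"/gitlab-*.tar.gz; do
    if verify_backup "$f"; then echo "ok:  $f"; else echo "BAD: $f"; fi
done
prune_backups "$DEMO_DIR" 14
echo "backups remaining: $(count_backups "$DEMO_DIR")"
```

In practice this would be appended to backup_gitlab_lxd.sh (or run as a second cron entry) against /home/user/backup, and the restore on the other machine would start with `sha256sum -c gitlab-2019-12-16.tar.gz.sha256` before `lxc image import`.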

