Haproxy: Difference between revisions
Latest revision as of 16:56, 10 January 2020
==== [https://www.digitalocean.com/community/tutorials/an-introduction-to-haproxy-and-load-balancing-concepts Intro] ====
==== [https://www.digitalocean.com/community/tutorials/how-to-implement-ssl-termination-with-haproxy-on-ubuntu-14-04 SSL] ====
==== Most important: continuously check ssllabs ====
Most important: continuously check to ensure [https://www.ssllabs.com/ssltest ssllabs] gives an A+ rating for all sites. The grading criteria get stricter over time, so a config that scored A+ once can silently slip to A or B with no change on the server; re-test after every haproxy.cfg or certificate change and on a schedule, not only once. An A+ rather than an A also needs an HSTS header with a long max-age, not just good TLS settings.
It's important to get a current [https://cipherli.st/ cipher configuration] right: copy a current list rather than hand-editing one, and keep the minimum TLS version and the cipher list in step, since either one left weak caps the grade on its own.
==== SSL cert format ====
Haproxy wants a single combined PEM file for the crt option: the site certificate, any intermediate chain the CA ships as a separate file, and the private key, conventionally in that order. Typical way (certificate first, then the key appended):
cat STAR_equityshift_io.crt > manual_combined.pem
cat equityshift_io.key >> manual_combined.pem
Because the combined file contains the private key, keep it root-owned with mode 600: anything that can read it can impersonate every site the certificate covers. If haproxy refuses to start after a renewal, the usual cause is a key that does not belong to the certificate it was concatenated with.
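An added example, not the page's own commands: a POSIX sh script that builds the combined PEM in the order above and checks it before haproxy.cfg is pointed at it. The file names (site.crt, ca-bundle.crt, site.key, manual_combined.pem) are assumptions; the certificate and key are throwaways generated on the spot with openssl, or constructed PEM placeholders when openssl is not installed, never the real equityshift.io material.

```shell
#!/bin/sh
# Added example, not the wiki's own commands. Builds the combined PEM that
# HAProxy's 'crt' option loads (site certificate, then the CA's intermediate
# chain if it was shipped separately, then the private key) and checks the
# result before haproxy.cfg points at it. File names are illustrative; the
# certificate and key are throwaways generated here, or constructed PEM
# placeholders when openssl is unavailable. Nothing here is real site material.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed inputs: a self-signed leaf, a second self-signed certificate
# standing in for the CA bundle, and the leaf's private key.
if command -v openssl >/dev/null 2>&1; then
    for name in site ca-bundle; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$name.example" \
            -keyout "$WORK/$name.key" -out "$WORK/$name.crt" 2>/dev/null
    done
else
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIB...leaf...' '-----END CERTIFICATE-----' > "$WORK/site.crt"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIB...chain...' '-----END CERTIFICATE-----' > "$WORK/ca-bundle.crt"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'MIIE...key...' '-----END PRIVATE KEY-----' > "$WORK/site.key"
fi

# build_combined_pem OUT CERT KEY [CHAIN]: concatenate in the documented order.
# The output holds the private key, so it is (re)created under umask 077 and is
# never world-readable, not even for the instant before a later chmod.
build_combined_pem() {
    out=$1 cert=$2 key=$3 chain=${4:-}
    (
        umask 077
        rm -f "$out"
        cat "$cert" > "$out"
        if [ -n "$chain" ]; then cat "$chain" >> "$out"; fi
        cat "$key" >> "$out"
    )
}

# check_combined_pem FILE: return 0 when FILE has at least one certificate
# block, exactly one unencrypted private key, the certificate ahead of the key,
# and no group/other permission bits. Otherwise report each problem, return 1.
check_combined_pem() {
    f=$1 bad=0
    certs=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$f" || true)
    keys=$(grep -c -- '-----BEGIN .*PRIVATE KEY-----' "$f" || true)
    [ "$certs" -ge 1 ] || { echo "$f: no certificate block"; bad=1; }
    [ "$keys" -eq 1 ] || { echo "$f: expected one private key, found $keys"; bad=1; }
    if grep -q -- '-----BEGIN ENCRYPTED PRIVATE KEY-----' "$f"; then
        echo "$f: key is passphrase-protected; haproxy cannot load it unattended"; bad=1
    fi
    cert_line=$(grep -n -- '-----BEGIN CERTIFICATE-----' "$f" | head -n 1 | cut -d: -f1)
    key_line=$(grep -n -- '-----BEGIN .*PRIVATE KEY-----' "$f" | head -n 1 | cut -d: -f1)
    if [ -n "$cert_line" ] && [ -n "$key_line" ] && [ "$cert_line" -gt "$key_line" ]; then
        echo "$f: private key precedes the certificate; put the certificate first"; bad=1
    fi
    # Columns 5-10 of 'ls -l' are the group and other permission bits.
    perms=$(ls -l "$f" | cut -c5-10)
    [ "$perms" = '------' ] || { echo "$f: readable by group/other (fix: chmod 600)"; bad=1; }
    return $bad
}

# keys_match FILE: with openssl available, confirm the private key in FILE
# belongs to the first certificate in FILE by comparing their public keys.
# The key block is cut out with sed so only that block reaches openssl.
keys_match() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
    key_pub=$(sed -n '/-----BEGIN .*PRIVATE KEY-----/,/-----END .*PRIVATE KEY-----/p' "$1" | openssl pkey -pubout)
    [ "$cert_pub" = "$key_pub" ]
}

build_combined_pem "$WORK/manual_combined.pem" "$WORK/site.crt" "$WORK/site.key" "$WORK/ca-bundle.crt"
check_combined_pem "$WORK/manual_combined.pem" && echo "manual_combined.pem: structure and permissions OK"
if command -v openssl >/dev/null 2>&1; then
    keys_match "$WORK/manual_combined.pem" && echo "manual_combined.pem: key matches certificate"
fi
```

For certbot-issued certificates the same script applies with fullchain.pem as the certificate (it already contains the intermediate, so no separate chain argument) and privkey.pem as the key.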
==== Config ====
For working code to get an A+, work on the config, here:
🌵 m@bitpost [~/development/scripts/gentoo/bitpost/root] emacs haproxy.cfg
It contains a list of all my sites that are currently live.
After changing it, restart it. A config that haproxy cannot parse keeps the daemon from coming back up and takes every live site down at once, so run haproxy's check mode (haproxy -c -f on the edited file) before the restart, and re-run the ssllabs test afterwards. If the init script offers reload, prefer it over restart: it hands existing connections to the new process instead of dropping them.
sudo /etc/init.d/haproxy restart
2019-12-08 The config was updated to HAProxy's newer minimum-TLS-version syntax so that nothing below TLS 1.2 is negotiated. It was also updated with an attempt to redirect www.* to the bare domain, but that cannot work until the certificates carry both names: a browser opening https://www.<site> fails the TLS handshake on a certificate that lacks the www name before any HTTP redirect is ever sent, so the cert needs both names (as subject alternative names) first. The certbot script was updated to request them, but it has not recreated the certs yet. Check back in February at the latest!
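An added example for the Config section and the 2019-12-08 note above, not the author's haproxy.cfg (which is not reproduced on this page): a POSIX sh script that writes a weak and a hardened HAProxy TLS front end side by side, audits each for the settings the ssllabs grade depends on (TLS 1.2 floor, explicit cipher list, HTTP to HTTPS redirect, www to apex redirect, HSTS), and shows where haproxy's check mode fits before a restart. The site name example.com, the cert directory /etc/haproxy/certs/, the backend address and the cipher string are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not the wiki author's haproxy.cfg. Writes a weak and a
# hardened HAProxy TLS front end, then audits each for the settings the
# SSL Labs grade and the 2019-12-08 note depend on. Site names, paths and the
# cipher string are assumptions for illustration.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Weak: only SSLv3 is disabled, so TLS 1.0 and 1.1 stay negotiable, the cipher
# list is whatever the linked OpenSSL defaults to, and there is no HSTS.
cat > "$WORK/weak.cfg" <<'EOF'
global
    ssl-default-bind-options no-sslv3
frontend https-in
    bind *:443 ssl crt /etc/haproxy/certs/
    default_backend web
backend web
    server app1 127.0.0.1:8080
EOF

# Hardened: ssl-min-ver (HAProxy 1.8+) replaces the older no-tlsv10/no-tlsv11
# list; 'crt' pointed at a directory loads every combined PEM in it and picks
# by SNI. The www redirect only takes effect once the certificate also carries
# the www name, because the TLS handshake happens before any redirect is sent.
cat > "$WORK/hardened.cfg" <<'EOF'
global
    tune.ssl.default-dh-param 2048
    ssl-default-bind-options ssl-min-ver TLSv1.2
    ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305
frontend http-in
    bind *:80
    http-request redirect scheme https code 301
frontend https-in
    bind *:443 ssl crt /etc/haproxy/certs/
    http-request redirect prefix https://example.com code 301 if { hdr(host) -i www.example.com }
    http-response set-header Strict-Transport-Security "max-age=31536000; includeSubDomains"
    default_backend web
backend web
    server app1 127.0.0.1:8080
EOF

# audit_tls_cfg FILE: return 0 when FILE carries every setting listed above,
# otherwise report each missing one and return 1. These are plain text checks
# on the global defaults (a per-bind ssl-min-ver would not be seen); they catch
# regressions at edit time, while the SSL Labs scan remains the final word.
audit_tls_cfg() {
    cfg=$1 bad=0
    grep -Eq '^[[:space:]]*ssl-default-bind-options[[:space:]].*ssl-min-ver[[:space:]]+TLSv1\.[23]' "$cfg" ||
        { echo "$cfg: no ssl-min-ver TLSv1.2 or higher (TLS 1.0/1.1 still accepted)"; bad=1; }
    grep -Eq '^[[:space:]]*ssl-default-bind-ciphers[[:space:]]+[A-Z0-9:!+-]+' "$cfg" ||
        { echo "$cfg: no explicit cipher list"; bad=1; }
    grep -Eq 'redirect[[:space:]]+scheme[[:space:]]+https' "$cfg" ||
        { echo "$cfg: no HTTP to HTTPS redirect"; bad=1; }
    grep -Eq 'Strict-Transport-Security.*max-age=[0-9]+' "$cfg" ||
        { echo "$cfg: no HSTS header (SSL Labs caps the grade at A without it)"; bad=1; }
    return $bad
}

# validate_cfg FILE: HAProxy's own syntax and semantic check. Run it before
# 'sudo /etc/init.d/haproxy restart': a config that fails to parse means the
# daemon does not come back and every site behind it is down until fixed.
validate_cfg() {
    if command -v haproxy >/dev/null 2>&1; then
        haproxy -c -f "$1"
    else
        echo "haproxy not installed; skipping 'haproxy -c -f $1'"
    fi
}

audit_tls_cfg "$WORK/weak.cfg" || echo "weak.cfg: would not reach A+"
audit_tls_cfg "$WORK/hardened.cfg" && echo "hardened.cfg: passes the static checks"
validate_cfg "$WORK/hardened.cfg" || echo "(expected on this host: the sample cfg references a cert directory that does not exist here)"
```

Against the real haproxy.cfg the sequence is audit_tls_cfg, then validate_cfg, then the restart; the SSL Labs re-test afterwards is what actually confirms the grade.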