Haproxy: Difference between revisions

From Bitpost wiki
No edit summary
No edit summary
Line 1: Line 1:
[https://www.digitalocean.com/community/tutorials/an-introduction-to-haproxy-and-load-balancing-concepts Intro]
==== Most important: check to ensure [https://www.ssllabs.com/ssltest ssllabs] continuously gives A+ rating ====


[https://www.digitalocean.com/community/tutorials/how-to-implement-ssl-termination-with-haproxy-on-ubuntu-14-04 SSL]
It's important to get a current [https://cipherli.st/ cipher configuration] right.
 
[https://cipherli.st/ Cipher configuration] for [https://www.ssllabs.com/ssltest ssl labs] A rating
 
For working code to get an A+, see bitpost.com:/etc/haproxy/haproxy.cfg


==== Config ====
==== Config ====
Config is here:
For working code to get an A+, work on the config, here:
   🌵 m@bitpost  [~/development/scripts/gentoo/bitpost/root] emacs haproxy.cfg  
   🌵 m@bitpost  [~/development/scripts/gentoo/bitpost/root] emacs haproxy.cfg  
After changing it, restart it:
After changing it, restart it:
  sudo /etc/init.d/haproxy restart
  sudo /etc/init.d/haproxy restart
2019-12-08 It was updated to use a new config format to prevent ssl less than TLS1.2.  It was also updated with an attempt to redirect www.* to *, but we need updated certificates with multiple names.  certbot script was updated to add them, but it has not recreated certs yet.  Check back in February at the latest!
2019-12-08 It was updated to use a new config format to prevent ssl less than TLS1.2.  It was also updated with an attempt to redirect www.* to *, but we need updated certificates with multiple names.  certbot script was updated to add them, but it has not recreated certs yet.  Check back in February at the latest!
==== [https://www.digitalocean.com/community/tutorials/an-introduction-to-haproxy-and-load-balancing-concepts Intro] ====
==== [https://www.digitalocean.com/community/tutorials/how-to-implement-ssl-termination-with-haproxy-on-ubuntu-14-04 SSL] ====
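Review bot: the "After changing it, restart it:" step goes straight to "sudo /etc/init.d/haproxy restart" with no configuration check in between, so a syntax error in the edited haproxy.cfg would only show up when the proxy fails to come back. Suggest adding a check line such as "haproxy -c -f" on the edited file before the restart. The revision also drops the pointer to bitpost.com:/etc/haproxy/haproxy.cfg in favour of the copy under ~/development/scripts/gentoo/bitpost/root without saying how that copy reaches the running server; one line on that would make the Config section self-contained.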

Revision as of 02:02, 9 December 2019

Most important: check to ensure ssllabs continuously gives A+ rating

It's important to get a current cipher configuration right.

Config

For working code to get an A+, work on the config, here:

 🌵 m@bitpost  [~/development/scripts/gentoo/bitpost/root] emacs haproxy.cfg 

After changing it, restart it:

sudo /etc/init.d/haproxy restart

2019-12-08: The config was updated to use a new config format that prevents SSL/TLS versions below TLS1.2. It was also updated with an attempt to redirect www.* to *, but that needs updated certificates with multiple names. The certbot script was updated to add them, but it has not recreated the certs yet. Check back in February at the latest!
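One way to check, before restarting, that every TLS bind in haproxy.cfg is pinned to TLS 1.2 or higher, as the note above intends. This is an added example, not the bitpost config or script. The sample config, its certificate paths and the function names are constructed, and it assumes that an explicit ssl-min-ver outranks the older no-sslv3 / no-tlsv1x flags.

```python
VERSIONS = ["SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
# Legacy per-version switches, the style that predates ssl-min-ver.
LEGACY_OFF = {"no-sslv3": "SSLv3", "no-tlsv10": "TLSv1.0",
              "no-tlsv11": "TLSv1.1", "no-tlsv12": "TLSv1.2"}

def explicit_floor(opts):
    """Lowest protocol the option tokens still allow; None if nothing pins it."""
    if "ssl-min-ver" in opts[:-1]:
        # Assumption (simplification): ssl-min-ver outranks legacy no-* flags.
        return opts[opts.index("ssl-min-ver") + 1]
    disabled = {LEGACY_OFF[o] for o in opts if o in LEGACY_OFF}
    if not disabled:
        return None  # floor is whatever the HAProxy/OpenSSL build defaults to
    return next(v for v in VERSIONS if v not in disabled)

def audit(cfg_text, required="TLSv1.2"):
    """Return (line_no, bind_address, problem) for each TLS bind below `required`."""
    lines = [l.split("#", 1)[0].split() for l in cfg_text.splitlines()]
    # Options from every ssl-default-bind-options line apply to all binds.
    default = [t for l in lines if l[:1] == ["ssl-default-bind-options"]
               for t in l[1:]]
    findings = []
    for n, tok in enumerate(lines, 1):
        if tok[:1] != ["bind"] or "ssl" not in tok[2:]:
            continue  # not a bind line, or a plain-HTTP bind
        floor = explicit_floor(tok[2:] + default)  # bind-line options come first
        if floor not in VERSIONS:
            findings.append((n, tok[1], "no explicit minimum version"))
        elif VERSIONS.index(floor) < VERSIONS.index(required):
            findings.append((n, tok[1], f"allows {floor}"))
    return findings

# Constructed sample: old-style global options that still leave TLS 1.0 enabled.
SAMPLE = """\
global
    ssl-default-bind-options no-sslv3
frontend legacy
    bind :443 ssl crt /etc/ssl/example.pem
frontend pinned
    bind :8443 ssl crt /etc/ssl/example.pem ssl-min-ver TLSv1.2
frontend plain
    bind :80
"""

if __name__ == "__main__":
    for line_no, addr, problem in audit(SAMPLE):
        print(f"line {line_no}: bind {addr}: {problem}")
```

An empty result means every TLS bind carries an explicit floor of TLS 1.2 or above; it does not check ciphers or headers, so the ssllabs test is still the final word on the A+ rating.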

Intro

SSL