Haproxy

From Bitpost wiki

Most important: continuously check ssllabs

Most important: continuously check to ensure ssllabs gives A+ rating for all sites.

It's important to get a current cipher configuration right.

SSL cert format

Haproxy wants a combined PEM format, with crt and keys included. Typical way: 

cat STAR_equityshift_io.crt > manual_combined.pem 
cat equityshift_io.key >> manual_combined.pem

Config

For working code to get an A+, work on the config, here: 

 đŸŒ” m@bitpost  [~/development/scripts/gentoo/bitpost/root] emacs haproxy.cfg

It contains a list of all my sites that are currently live.

After changing it, restart it: 

sudo /etc/init.d/haproxy restart

2019-12-08 It was updated to use a new config format to prevent ssl less than TLS1.2. It was also updated with an attempt to redirect www.* to *, but we need updated certificates with multiple names. certbot script was updated to add them, but it has not recreated certs yet. Check back in February at the latest!

Intro

SSL

Retrieved from "https://bitpost.com/w/index.php?title=Haproxy&oldid=5652"