Hébergement de multiple conteneur sur un seul serveur avec HAProxy.
Liens.
https://blog.ssdnodes.com/blog/linux-containers-lxc-haproxy/
https://gist.github.com/theprojectsomething/83f7a0ab151a2483934fb675a42cc13d#1-updating-the-vps
I/ Serveur Gandi IaaS : hacklab03.
Distribution : Ubuntu 18.04 LTS CPU : 4 RAM : 50 Go
Nom du disque système : sysdiskhl03 Taille : 50 Go Nom (Hostname) : serverhl03 Adresse ipv4 : serveurip Identifiant administrateur : admin
II/ Configuration du serveur.
1/ Connexion sur le serveur.
util01@station02:~$ ssh admin@serveurip admin@217.70.190.39's password: Welcome to Ubuntu 18.04 LTS (GNU/Linux 4.15.0-22-generic x86_64) ... admin@serverhl03:~$
2/ Passage sous l’utilisateur d’administration.
admin@serverhl01:~$ su Password: root@serverhl01:/home/admin#
3/ Activer le sudoers pour l’utilisateur admin.
admin@serverhl03:~$ su - Password: root@serverhl03:~#
root@serverhl03:~# visudo
Chercher :
%admin ALL=(ALL) ALL # Allow members of group sudo to execute any command %sudo ALL=(ALL:ALL) ALL
Remplacer par :
admin ALL=(ALL) ALL # Allow members of group sudo to execute any command sudo ALL=(ALL:ALL) ALL
root@serverhl03:/home/admin# exit admin@serverhl03:~$
4/ Mise-à-jour du système.
admin@serverhl03:~$ sudo apt-get update && sudo apt-get upgrade
5/ Installation des paquets de base.
admin@serverhl03:~$ sudo apt-get install mc vim htop screen iptables ufw
III/ Installation et configuration de ‘lxd’.
1/ Installation des utilitaires ‘zfutils’.
admin@serverhl03:~$ sudo apt install zfsutils-linux
2/ Installation de ‘snapd’.
admin@serverhl03:~$ sudo apt install snapd
3/ Installation de ‘lxd’.
admin@serverhl03:~$ sudo snap install lxd
4/ Mise-à-jour des chemins.
admin@serverhl03:~$ . /etc/profile.d/apps-bin-path.sh
5/ Initialisation de ‘lxd’.
admin@serverhl03:~$ sudo lxd init Would you like to use LXD clustering? (yes/no) [default=no]: Do you want to configure a new storage pool? (yes/no) [default=yes]: Name of the new storage pool [default=default]: lxc_pool Name of the storage backend to use (btrfs, ceph, dir, lvm, zfs) [default=zfs]: Create a new ZFS pool? (yes/no) [default=yes]: Would you like to use an existing block device? (yes/no) [default=no]: Size in GB of the new loop device (1GB minimum) [default=15GB]: Would you like to connect to a MAAS server? (yes/no) [default=no]: Would you like to create a new local network bridge? (yes/no) [default=yes]: What should the new bridge be called? [default=lxdbr0]: What IPv4 address should be used? (CIDR subnet notation, “auto” or “none”) [default=auto]: What IPv6 address should be used? (CIDR subnet notation, “auto” or “none”) [default=auto]: none Would you like LXD to be available over the network? (yes/no) [default=no]: Would you like stale cached images to be updated automatically? (yes/no) [default=yes] Would you like a YAML "lxd init" preseed to be printed? (yes/no) [default=no]: admin@serverhl03:~$
6/ Ajout de l’utilisateur ‘admin’ au groupe ‘lxd’.
admin@serverhl03:~$ sudo usermod -aG lxd admin
IV/ Création des conteneurs.
1/ Création du conteur pour ‘HAProxy’.
admin@serverhl03:~$ sudo lxc launch ubuntu:18.04 HAProxy Creating HAProxy Starting HAProxy admin@serverhl03:~$
2/ Création des autres conteneurs.
admin@serverhl03:~$ sudo lxc launch ubuntu:18.04 Discus Creating Discus Starting Discus admin@serverhl03:~$
admin@serverhl03:~$ sudo lxc launch ubuntu:18.04 Imagin Creating Imagin Starting Imagin admin@serverhl03:~$
admin@serverhl03:~$ sudo lxc launch ubuntu:18.04 Nekrofage Creating Nekrofage Starting Nekrofage admin@serverhl03:~$
admin@serverhl03:~$ sudo lxc launch ubuntu:18.04 Forum Creating Forum Starting Forum admin@serverhl03:~$
3/ Liste des conteneurs.
admin@serverhl03:~$ sudo lxc list +-----------+---------+-----------------------+------+------------+-----------+ | NAME | STATE | IPV4 | IPV6 | TYPE | SNAPSHOTS | +-----------+---------+-----------------------+------+------------+-----------+ | Discus | RUNNING | 10.156.249.17 (eth0) | | PERSISTENT | 0 | +-----------+---------+-----------------------+------+------------+-----------+ | Forum | RUNNING | 10.156.249.150 (eth0) | | PERSISTENT | 0 | +-----------+---------+-----------------------+------+------------+-----------+ | HAProxy | RUNNING | 10.156.249.147 (eth0) | | PERSISTENT | 0 | +-----------+---------+-----------------------+------+------------+-----------+ | Imagin | RUNNING | 10.156.249.127 (eth0) | | PERSISTENT | 0 | +-----------+---------+-----------------------+------+------------+-----------+ | Nekrofage | RUNNING | 10.156.249.198 (eth0) | | PERSISTENT | 0 | +-----------+---------+-----------------------+------+------------+-----------+ admin@serverhl03:~$
4/ Récupération du nom de l’interface réseau et de l’adresse ipv4 du serveur.
admin@serverhl03:~$ ifconfig eth0: flags=4163mtu 1500 inet serveurip netmask 255.255.252.0 broadcast 217.70.191.255 inet6 2001:4b98:dc0:41:216:3eff:fe26:5780 prefixlen 64 scopeid 0x0 inet6 fe80::216:3eff:fe26:5780 prefixlen 64 scopeid 0x20 ether 00:16:3e:26:57:80 txqueuelen 1000 (Ethernet) RX packets 257809 bytes 511007466 (511.0 MB) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 26799 bytes 2603604 (2.6 MB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 ...
5/ Création des régle iptables.
admin@serverhl03:~$ sudo iptables -t nat -I PREROUTING -i eth0 -p TCP -d 217.70.190.39/32 --dport 80 -j DNAT --to-destination 10.156.249.147:80
admin@serverhl03:~$ sudo iptables -t nat -I PREROUTING -i eth0 -p TCP -d 217.70.190.39/32 --dport 443 -j DNAT --to-destination 10.156.249.147:443
6/ Activiation de la persistance des régles.
admin@serverhl03:~$ sudo apt install iptables-persistent
7/ Réglage du pare-feu.
admin@serverhl03:~$ sudo ufw allow http Rules updated Rules updated (v6) admin@serverhl03:~$
admin@serverhl03:~$ sudo ufw allow https Rules updated Rules updated (v6) admin@serverhl03:~$
admin@serverhl03:~$ sudo ufw allow ssh Rules updated Rules updated (v6) admin@serverhl03:~$
admin@serverhl03:~$ sudo ufw enable Command may disrupt existing ssh connections. Proceed with operation (y|n)? y Firewall is active and enabled on system startup admin@serverhl03:~$
V/ Configuration de HAProxy.
1/ Connexion au conteneur ‘HAProxy’.
admin@serverhl03:~$ sudo lxc exec HAProxy -- bash root@HAProxy:~#
2/ Mise-à-jour de la distribution.
root@HAProxy:~# apt-get update && apt-get upgrade
3/ Installation des paquets de base.
root@HAProxy:~# apt install vim screen mc
4/ Installation de ‘haproxy’.
root@HAProxy:~# apt install haproxy
5/ Configuration.
Ouvrir :
/etc/haproxy/haproxy.cfg
Chercher :
# Dans la section ‘global’
daemon
Ajouter après :
maxconn 2048 tune.ssl.default-dh-param 2048
Chercher :
# Dans la section ‘defaults’
option dontlognull
Ajouter après :
option forwardfor option http-server-close
6/ Configuration des conteneurs.
Ouvrir :
/etc/haproxy/haproxy.cfg
Ajouter à la fin :
frontend http_frontend bind *:80 acl web_host1 hdr(host) -i discus.hacklab.fr acl web_host2 hdr(host) -i imagin.hacklab.fr acl web_host3 hdr(host) -i nekrofage.hacklab.fr acl web_host4 hdr(host) -i forum.hacklab.fr use_backend Discus if web_host1 use_backend Imagin if web_host2 use_backend Nekrofage if web_host3 use_backend Forum if web_host4 backend Discus balance leastconn http-request set-header X-Client-IP %[src] server Discus Discus.lxd:80 check backend Imagin balance leastconn http-request set-header X-Client-IP %[src] server Imagin Imagin.lxd:80 check backend Nekrofage balance leastconn http-request set-header X-Client-IP %[src] server Nekrofage Nekrofage.lxd:80 check backend Forum balance leastconn http-request set-header X-Client-IP %[src] server Forum Forum.lxd:80 check
7/ Vérification du fichier de configuration.
root@HAProxy:~# /usr/sbin/haproxy -f /etc/haproxy/haproxy.cfg -c Configuration file is valid
8/ Rechargement.
root@HAProxy:~# service haproxy reload
root@HAProxy:~# exit exit admin@serverhl03:~$
VI/ Configuration des autres conteneurs.
1/ Installation de ‘Discus’.
admin@serverhl03:~$ lxc exec Discus -- bash root@Discus:~# apt update && apt upgrade && apt install mc screen vim htop root@Discus:~# exit exit admin@serverhl03:~$
2/ Installation de ‘Imagin’.
admin@serverhl03:~$ lxc exec Imagin -- bash root@Imagin:~# apt update && apt upgrade && apt install mc screen vim htop root@Imagin:~# exit exit admin@serverhl03:~$
3/ Installation de ‘Nekrofage’.
admin@serverhl03:~$ lxc exec Nekrofage -- bash root@Nekrofage:~# apt update && apt upgrade && apt install mc screen vim htop
– Installation de Apache 2.
root@Nekrofage:~# apt install apache2
– Activation de ‘apache2’.
root@Nekrofage:~# systemctl stop apache2.service root@Nekrofage:~# systemctl start apache2.service root@Nekrofage:~# systemctl enable apache2.service
– Modification de la page d’index.
Ouvrir :
/var/www/html/index.html
Chercher :
Apache2 Ubuntu Default Page
Remplacer par :
Nekrofage
root@Nekrofage:~# exit exit admin@serverhl03:~$
4/ Installation de ‘Forum’.
admin@serverhl03:~$ lxc exec Forum -- bash
root@Forum:~# apt update && apt upgrade && apt install mc screen vim htop
– Installation de Apache 2.
root@Forum:~# apt install apache2
– Activation de ‘apache2’.
root@Forum:~# systemctl stop apache2.service root@Forum:~# systemctl start apache2.service root@Forum:~# systemctl enable apache2.service
– Modification de la page d’index.
Ouvrir :
/var/www/html/index.html
Chercher :
Apache2 Ubuntu Default Page
Remplacer par :
Forum
root@Forum:~# exit exit admin@serverhl03:~$
5/ Test
http://nekrofage.hacklab.fr/
http://forum.hacklab.fr/
VII/ Création de snapshot.
1/ Liste des conteneurs.
admin@serverhl03:~$ sudo lxc list [sudo] password for admin: +-----------+---------+-----------------------+------+------------+-----------+ | NAME | STATE | IPV4 | IPV6 | TYPE | SNAPSHOTS | +-----------+---------+-----------------------+------+------------+-----------+ | Discus | RUNNING | 10.156.249.17 (eth0) | | PERSISTENT | 0 | +-----------+---------+-----------------------+------+------------+-----------+ | Forum | RUNNING | 10.156.249.150 (eth0) | | PERSISTENT | 0 | +-----------+---------+-----------------------+------+------------+-----------+ | HAProxy | RUNNING | 10.156.249.147 (eth0) | | PERSISTENT | 0 | +-----------+---------+-----------------------+------+------------+-----------+ | Imagin | RUNNING | 10.156.249.127 (eth0) | | PERSISTENT | 0 | +-----------+---------+-----------------------+------+------------+-----------+ | Nekrofage | RUNNING | 10.156.249.198 (eth0) | | PERSISTENT | 0 | +-----------+---------+-----------------------+------+------------+-----------+ admin@serverhl03:~$
2/ Créatin des snapshots des conteneurs.
admin@serverhl03:~$ lxc snapshot Discus Discus_snap0 admin@serverhl03:~$ lxc snapshot Forum Forum_snap0 admin@serverhl03:~$ lxc snapshot HAProxy HAProxy_snap0 admin@serverhl03:~$ lxc snapshot Imagin Imagin_snap0 admin@serverhl03:~$ lxc snapshot Nekrofage Nekrofage_snap0
3/ Liste des conteneurs avec les snapshots.
admin@serverhl03:~$ sudo lxc list +-----------+---------+-----------------------+------+------------+-----------+ | NAME | STATE | IPV4 | IPV6 | TYPE | SNAPSHOTS | +-----------+---------+-----------------------+------+------------+-----------+ | Discus | RUNNING | 10.156.249.17 (eth0) | | PERSISTENT | 1 | +-----------+---------+-----------------------+------+------------+-----------+ | Forum | RUNNING | 10.156.249.150 (eth0) | | PERSISTENT | 1 | +-----------+---------+-----------------------+------+------------+-----------+ | HAProxy | RUNNING | 10.156.249.147 (eth0) | | PERSISTENT | 1 | +-----------+---------+-----------------------+------+------------+-----------+ | Imagin | RUNNING | 10.156.249.127 (eth0) | | PERSISTENT | 1 | +-----------+---------+-----------------------+------+------------+-----------+ | Nekrofage | RUNNING | 10.156.249.198 (eth0) | | PERSISTENT | 1 | +-----------+---------+-----------------------+------+------------+-----------+ admin@serverhl03:~$
VIII/ Configuration de l’accès ‘ssh’.
1/ Ports ‘ssh’.
Discus : 9017 Forum :9150 HAProxy : 9147 Imagin : 9127 Nekrofage : 9198
2/ Modification du port ‘ssh’.
– Pour le conteneur ‘Discus’.
admin@serverhl03:~$ lxc exec Discus -- bash root@Discus:~#
Ouvrir :
/etc/ssh/sshd_config
Chercher :
# Port 22
Remplacer par :
Port 9017
Action :
service sshd restart
– Pour le conteneur ‘Forum’.
admin@serverhl03:~$ lxc exec Forum -- bash root@Forum:~#
Ouvrir :
/etc/ssh/sshd_config
Chercher :
#Port 22
Remplacer par :
Port 9150
Action :
service sshd restart
– Pour le conteneur ‘HAProxy’.
admin@serverhl03:~$ lxc exec HAProxy -- bash root@HAProxy:~#
Ouvrir :
/etc/ssh/sshd_config
Chercher :
#Port 22
Remplacer par :
Port 9150
Action :
service sshd restart
– Pour le conteneur ‘Nekrofage’.
admin@serverhl03:~$ lxc exec Nekrofage -- bash
Ouvrir :
/etc/ssh/sshd_config
Chercher :
#Port 22
Remplacer par :
Port 9198
Action :
service sshd restart
– Pour le conteneur ‘Imagein’.
admin@serverhl03:~$ lxc exec Imagin -- bash
Ouvrir :
/etc/ssh/sshd_config
Chercher :
#Port 22
Remplacer par :
Port 9150
Action :
service sshd restart
IX/ Pour chaque conteneur, configuration de l’utilisateur non-root ‘administrator’.
1/ Pour le conteneur ‘Nekrofage’.
– Création de l’utilisateur ‘administrator’.
admin@serverhl03:~$ lxc exec Nekrofage -- bash root@Nekrofage:~#
root@Nekrofage:~# adduser administrator root@Nekrofage:~# usermod -aG sudo administrator
root@Nekrofage:~# su administrator
administrator@Nekrofage:/root$ cd administrator@Nekrofage:~$
2/ Ajout d’une clé ‘ssh’ publique.
administrator@Nekrofage:~$ mkdir -p ~/.ssh
Ouvrir :
~/.ssh/authorized_keys
Ajouter :
administrator@Nekrofage:~$ chmod -R go= ~/.ssh administrator@Nekrofage:~$ chown -R administrator:administrator ~/.ssh
administrator@Nekrofage:~$ exit exit root@Nekrofage:~#
root@Nekrofage:~# exit administrator@Nekrofage:/root$
root@Nekrofage:~# exit exit admin@serverhl03:~$
3/ Création de la régle iptable pour ‘ssh’.
Modèle de régle :
iptables -t nat -A PREROUTING -i {interface} -p tcp --dport {container_ssh_port} -j DNAT --to {container_ip}:{container_ssh_port}
admin@serverhl03:~$ sudo iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 9017 -j DNAT --to 10.156.249.17:9017 admin@serverhl03:~$ sudo iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 9150 -j DNAT --to 10.156.249.150:9150 admin@serverhl03:~$ sudo iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 9147 -j DNAT --to 10.156.249.147:9147 admin@serverhl03:~$ sudo iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 9127 -j DNAT --to 10.156.249.127:9127 admin@serverhl03:~$ sudo iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 9198 -j DNAT --to 10.156.249.198:9198
4/ Test.
util01@station02:~$ ssh -p 9198 administrator@217.70.190.39 Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-22-generic x86_64) ... administrator@Nekrofage:~$
util01@station02:~$ ssh -p 9017 administrator@217.70.190.39 ... administrator@Discus:~$
util01@station02:~$ ssh -p 9150 administrator@217.70.190.39 ... administrator@Forum:~$
util01@station02:~$ ssh -p 9147 administrator@217.70.190.39 ... administrator@HAProxy:~$
util01@station02:~$ ssh -p 9127 administrator@217.70.190.39 ... administrator@Imagin:~$
5/ Liste des réges ‘iptables’.
admin@serverhl03:~$ sudo iptables -t nat --line-numbers -L [sudo] password for admin: Chain PREROUTING (policy ACCEPT) num target prot opt source destination 1 DNAT tcp -- anywhere serverhl03 tcp dpt:https to:10.156.249.147:443 2 DNAT tcp -- anywhere serverhl03 tcp dpt:http to:10.156.249.147:80 3 DNAT tcp -- anywhere anywhere tcp dpt:9198 to:10.156.249.198:9198 4 DNAT tcp -- anywhere anywhere tcp dpt:9198 to:10.156.249.198:9198 5 DNAT tcp -- anywhere anywhere tcp dpt:9017 to:10.156.249.17:9017 6 DNAT tcp -- anywhere anywhere tcp dpt:9150 to:10.156.249.150:9150 7 DNAT tcp -- anywhere anywhere tcp dpt:9147 to:10.156.249.147:9147 8 DNAT tcp -- anywhere anywhere tcp dpt:9127 to:10.156.249.127:9127 Chain INPUT (policy ACCEPT) num target prot opt source destination Chain OUTPUT (policy ACCEPT) num target prot opt source destination Chain POSTROUTING (policy ACCEPT) num target prot opt source destination 1 MASQUERADE all -- 10.156.249.0/24 !10.156.249.0/24 /* generated for LXD network lxdbr0 */ admin@serverhl03:~$
6/ Sauvegarde des régles ‘iptables’.
admin@serverhl03:~$ sudo su root@serverhl03:/home/admin# iptables-save > /etc/iptables/rules.v4 root@serverhl03:/home/admin# exit exit admin@serverhl03:~$
X/ Installation de ‘Let’s Encrypt’.
1/ Arrêt du serveur ‘haproxy’.
admin@serverhl03:~$ lxc exec HAProxy -- bash root@HAProxy:~#
root@HAProxy:~# service haproxy stop
2/ Installation du dépôt ‘Let’s Encrypt’.
root@HAProxy:~# add-apt-repository ppa:certbot/certbot
3/ Mise-à-jour.
root@HAProxy:~# apt update
4/ Installation de ‘Let’s Encrypt’.
root@HAProxy:~# apt install certbot
5/ Génération du certificat.
root@HAProxy:~# certbot certonly Saving debug log to /var/log/letsencrypt/letsencrypt.log How would you like to authenticate with the ACME CA? - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1: Spin up a temporary webserver (standalone) 2: Place files in webroot directory (webroot) - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1 Plugins selected: Authenticator standalone, Installer None Enter email address (used for urgent renewal and security notices) (Enter 'c' to cancel): lesanglierdesardennes@gmail.com - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Please read the Terms of Service at https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must agree in order to register with the ACME server at https://acme-v02.api.letsencrypt.org/directory - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - (A)gree/(C)ancel: A - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Would you be willing to share your email address with the Electronic Frontier Foundation, a founding partner of the Let's Encrypt project and the non-profit organization that develops Certbot? We'd like to send you email about our work encrypting the web, EFF news, campaigns, and ways to support digital freedom. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - (Y)es/(N)o: N Please enter in your domain name(s) (comma and/or space separated) (Enter 'c' to cancel): nekrofage.hacklab.fr, discus.hacklab.fr, imagin.hacklab.fr, forum.hacklab.fr Obtaining a new certificate Performing the following challenges: http-01 challenge for discus.hacklab.fr http-01 challenge for forum.hacklab.fr http-01 challenge for imagin.hacklab.fr http-01 challenge for nekrofage.hacklab.fr Waiting for verification... Cleaning up challenges IMPORTANT NOTES: - Congratulations! Your certificate and chain have been saved at: /etc/letsencrypt/live/discus.hacklab.fr/fullchain.pem Your key file has been saved at: /etc/letsencrypt/live/discus.hacklab.fr/privkey.pem Your cert will expire on 2020-01-25. To obtain a new or tweaked version of this certificate in the future, simply run certbot again. To non-interactively renew *all* of your certificates, run "certbot renew" - Your account credentials have been saved in your Certbot configuration directory at /etc/letsencrypt. You should make a secure backup of this folder now. This configuration directory will also contain certificates and private keys obtained by Certbot so making regular backups of this folder is ideal. - If you like Certbot, please consider supporting our work by: Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate Donating to EFF: https://eff.org/donate-le root@HAProxy:~#
6/ Vérification.
root@HAProxy:~# ls -l /etc/letsencrypt/live total 3 -rw-r--r-- 1 root root 740 Oct 27 10:49 README drwxr-xr-x 2 root root 7 Oct 27 10:56 nekrofage.hacklab.fr root@HAProxy:~#
7/ Génération du certificat ‘Let’s Encryp’.
root@HAProxy:~# mkdir -p /etc/haproxy/certs root@HAProxy:~# cat /etc/letsencrypt/live/nekrofage.hacklab.fr/fullchain.pem /etc/letsencrypt/live/nekrofage.hacklab.fr/privkey.pem > /etc/haproxy/certs/nekrofage.hacklab.fr.pem
8/ Configuration de ‘haproxy’.
Ouvrir :
/etc/haproxy/haproxy.cfg
Ajouter à la fin de ‘frontend http_frontend’ :
frontend www-https bind *:443 ssl crt /etc/haproxy/certs/nekrofage.hacklab.fr.pem reqadd X-Forwarded-Proto:\ https acl web_host3 hdr(host) -i nekrofage.hacklab.fr acl web_host4 hdr(host) -i forum.hacklab.fr use_backend Nekrofage if web_host3 use_backend Forum if web_host4
Chercher :
backend Nekrofage balance leastconn http-request set-header X-Client-IP %[src] server Nekrofage Nekrofage.lxd:80 check
Remplacer par :
backend Nekrofage balance leastconn http-request set-header X-Client-IP %[src] redirect scheme https if !{ ssl_fc } server Nekrofage Nekrofage.lxd:80 check
Chercher :
backend Forum balance leastconn http-request set-header X-Client-IP %[src] server Forum Forum.lxd:80 check
Remplacer par :
backend Forum balance leastconn http-request set-header X-Client-IP %[src] redirect scheme https if !{ ssl_fc } server Forum Forum.lxd:80 check
9/ Vérification de la configuration.
root@HAProxy:~# /usr/sbin/haproxy -f /etc/haproxy/haproxy.cfg -c Configuration file is valid root@HAProxy:~#
10/ Démarrer ‘haproxy’.
root@HAProxy:~# service haproxy start
11/ Test
https://nekrofage.hacklab.fr/
https://forum.hacklab.fr/
12/ Renouvellement du certificat.
root@HAProxy:~# service haproxy stop root@HAProxy:~# certbot renew root@HAProxy:~# rm /etc/haproxy/certs/nekrofage.hacklab.fr.pem root@HAProxy:~# cat /etc/letsencrypt/live/nekrofage.hacklab.fr/fullchain.pem /etc/letsencrypt/live/nekrofage.hacklab.fr/privkey.pem > /etc/haproxy/certs/nekrofage.hacklab.fr.pem root@HAProxy:~# service haproxy start
Comments are closed, but trackbacks and pingbacks are open.