Generating SSL certificates for HAProxy on Linux: requesting HTTPS certificates from Let's Encrypt in an HAProxy environment and configuring HAProxy to use them

Requesting HTTPS certificates from Let's Encrypt in an HAProxy environment

Operating system: CentOS 7

First download the certbot-auto tool; it is the script used to request certificates and renew them.

wget

chmod a+x certbot-auto

Request the certificates first:

With certbot-auto the certificates can be obtained without modifying the haproxy.cfg configuration file.

Stop the HAProxy service (in standalone mode certbot itself binds port 80, which HAProxy is holding):

systemctl stop haproxy

Obtain the certificates (two certificates are obtained in two separate runs, each covering two domains):

./certbot-auto certonly --standalone -d a.yourdomain.com -d c.yourdomain.com

./certbot-auto certonly --standalone -d b.yourdomain.com -d d.yourdomain.com

The certificate files are saved under

/etc/letsencrypt/live/a.yourdomain.com (certbot names the directory after the first -d domain of each run, so the second certificate is under /etc/letsencrypt/live/b.yourdomain.com)

Start the haproxy service again.

Concatenate each certificate chain and private key into one PEM file so HAProxy can use it

cd /etc/letsencrypt/live/a.yourdomain.com

# Use '>' rather than '>>': appending would leave a second copy of chain and key in the file on every re-run.
# Write the bundle to the path the 'crt' lines in haproxy.cfg below refer to, and restrict its mode because it contains the private key.
cat fullchain.pem privkey.pem > /etc/letsencrypt/haproxyyoursitea.pem && chmod 600 /etc/letsencrypt/haproxyyoursitea.pem

cd /etc/letsencrypt/live/b.yourdomain.com

cat fullchain.pem privkey.pem > /etc/letsencrypt/haproxyyoursiteb.pem && chmod 600 /etc/letsencrypt/haproxyyoursiteb.pem

Automatic renewal (renewal has not been tested to confirm it works properly)

Add the following command to cron:

certbot-auto renew --quiet # CentOS/RHEL
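The renewal line above leaves two things open that the rest of the page implies: with --standalone, certbot needs port 80, which HAProxy is holding, so the same stop/start done for the first request has to happen around every renewal; and after a renewal the combined PEM has to be rebuilt (the cat commands above) before HAProxy loads it, otherwise it keeps serving the expiring certificate. The following deploy-hook script and matching cron entry are an added example, not code from the original post. Assumed, and not on the page: the hook path /etc/letsencrypt/haproxy-deploy.sh, bundle file names of the form haproxy-<lineage>.pem under /etc/letsencrypt (the crt-base used in the config below), the certbot-auto location /path/to/certbot-auto, and certbot's hook environment variable RENEWED_LINEAGE, which certbot sets to the live/<name> directory when it runs a --deploy-hook.

```shell
#!/bin/sh
# Added example (not from the original post): certbot --deploy-hook that rebuilds
# the combined PEM HAProxy reads after each renewal.
# Assumptions (not on the page): bundles are named haproxy-<lineage>.pem and live
# in BUNDLE_DIR; certbot exports RENEWED_LINEAGE when it runs this hook.

BUNDLE_DIR="${BUNDLE_DIR:-/etc/letsencrypt}"

# build_bundle <lineage dir> <output file>
# Writes fullchain.pem followed by privkey.pem into one file. The write goes to a
# temp file that is moved into place, so re-running never appends a second copy
# (the '>>' pitfall), and umask 077 keeps the private key unreadable by others.
build_bundle() {
    src="$1"
    out="$2"
    [ -r "$src/fullchain.pem" ] && [ -r "$src/privkey.pem" ] || return 1
    tmp="$out.tmp.$$"
    ( umask 077; cat "$src/fullchain.pem" "$src/privkey.pem" > "$tmp" ) || { rm -f "$tmp"; return 1; }
    mv -f "$tmp" "$out"
}

# check_bundle <file>
# Sanity checks on the layout HAProxy expects: at least one certificate block,
# exactly one private key block, and the key placed after the certificates.
# Returns 1 if the file was built in the wrong order or appended to twice.
check_bundle() {
    f="$1"
    certs=$(grep -c '^-----BEGIN CERTIFICATE-----$' "$f" || true)
    keys=$(grep -c '^-----BEGIN .*PRIVATE KEY-----$' "$f" || true)
    [ "$certs" -ge 1 ] || return 1
    [ "$keys" -eq 1 ] || return 1
    last_cert=$(grep -n '^-----BEGIN CERTIFICATE-----$' "$f" | tail -n 1 | cut -d: -f1)
    key_line=$(grep -n '^-----BEGIN .*PRIVATE KEY-----$' "$f" | head -n 1 | cut -d: -f1)
    [ "$key_line" -gt "$last_cert" ]
}

# certbot runs --pre-hook, renews, runs --deploy-hook once per renewed lineage
# with RENEWED_LINEAGE set, then runs --post-hook. HAProxy is therefore still
# stopped while this hook runs, so the hook only rebuilds the bundle; the
# post-hook's start of HAProxy picks the new file up. Outside certbot, where
# RENEWED_LINEAGE is unset, this script only defines the two functions.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    name=$(basename "$RENEWED_LINEAGE")
    out="$BUNDLE_DIR/haproxy-$name.pem"
    build_bundle "$RENEWED_LINEAGE" "$out" && check_bundle "$out" || exit 1
fi

# Cron entry that goes with this hook (assumed paths; the page shows only
# 'certbot-auto renew --quiet'):
# 0 3 * * * /path/to/certbot-auto renew --quiet \
#     --pre-hook "systemctl stop haproxy" \
#     --deploy-hook /etc/letsencrypt/haproxy-deploy.sh \
#     --post-hook "systemctl start haproxy"
```

Install the script executable at the assumed hook path and use the cron line in the trailing comment; the --pre-hook frees port 80 for the standalone challenge and the --post-hook brings HAProxy back with the rebuilt bundles. check_bundle catches the two mistakes the plain cat commands permit: writing the key before the chain, and appending with >> so a second key ends up in the file.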

Full documentation is at:

Configure the haproxy.cfg file to use the certificates

#---------------------------------------------------------------------
# Example configuration for a possible web application.  See the
# full configuration options online.
#
#
#
#---------------------------------------------------------------------

#---------------------------------------------------------------------
# Global settings
#---------------------------------------------------------------------
global
    # to have these messages end up in /var/log/haproxy.log you will
    # need to:
    #
    # 1) configure syslog to accept network log events.  This is done
    #    by adding the '-r' option to the SYSLOGD_OPTIONS in
    #    /etc/sysconfig/syslog
    #
    # 2) configure local2 events to go to the /var/log/haproxy.log
    #   file. A line like the following can be added to
    #   /etc/sysconfig/syslog
    #
    #    local2.*                       /var/log/haproxy.log
    #
    log         127.0.0.1 local3 err
    log         127.0.0.1 local7 debug
    #log         127.0.0.1 local0 info

    chroot      /var/lib/haproxy
    pidfile     /var/run/haproxy.pid
    maxconn     4000
    user        haproxy
    group       haproxy
    #stats bind-process
    daemon
    nbproc 4
    tune.ssl.default-dh-param 2048             # this must be added
    crt-base /etc/letsencrypt

    # turn on stats unix socket
    #stats socket /var/lib/haproxy/stats

#---------------------------------------------------------------------
# common defaults that all the 'listen' and 'backend' sections will
# use if not designated in their block
#---------------------------------------------------------------------
defaults
    mode                    http
    log                     global
    option                  httplog
    option                  dontlognull
    option http-server-close
    option forwardfor      # except 127.0.0.0/8
    option                  redispatch
    retries                 3
    timeout http-request    10s
    timeout queue           1m
    timeout connect         10s
    timeout client          1m
    timeout server          1m
    timeout http-keep-alive 10s
    timeout check           10s
    maxconn                 3000

frontend http-in
    bind *:80
    option accept-invalid-http-request
    acl is_www_yoursitec hdr_end(host) -i yoursitec.yourdomain.com
    acl is_www_yoursited hdr_end(host) -i yoursited.yourdomain.com
    acl is_www_yoursitea hdr_end(host) -i yoursitea.yourdomain.com
    acl is_www_yoursiteb hdr_end(host) -i yoursiteb.yourdomain.com
    redirect prefix if is_www_yoursitea    # automatic redirect to https
    use_backend www_yoursitec if is_www_yoursitec
    use_backend www_yoursited if is_www_yoursited
    use_backend www_yoursitea if is_www_yoursitea
    use_backend www_yoursiteb if is_www_yoursiteb
    default_backend www_yoursitea    # must name a backend defined below; the original pointed at a backend that is not defined, which stops HAProxy from starting

frontend https
    # both bundles on one bind; HAProxy picks the certificate by the SNI the client sends
    bind *:443 ssl crt /etc/letsencrypt/haproxyyoursitea.pem crt /etc/letsencrypt/haproxyyoursiteb.pem
    mode http
    reqadd X-Forwarded-Proto:\ https
    use_backend www_yoursitea if { ssl_fc_sni yoursitea.yourdomain.com }
    use_backend www_yoursitec if { ssl_fc_sni yoursitec.yourdomain.com }
    use_backend www_yoursiteb if { ssl_fc_sni yoursiteb.yourdomain.com }
    use_backend www_yoursited if { ssl_fc_sni yoursited.yourdomain.com }
    default_backend www_yoursitea

backend www_yoursitec
    cookie SERVERID insert nocache indirect
    option httpchk HEAD /check.txt HTTP/1.0
    option httpclose
    option forwardfor
    server yoursitec 192.168.100.10:80 cookie yoursitec

backend www_yoursited
    cookie SERVERID insert nocache indirect
    option httpchk HEAD /check.txt HTTP/1.0
    option httpclose
    option forwardfor
    server yoursited 192.168.100.10:80 cookie yoursited

backend www_yoursitea
    cookie SERVERID insert nocache indirect
    option httpchk HEAD /check.txt HTTP/1.0
    option httpclose
    option forwardfor
    server yoursitea 192.168.100.10:80 cookie yoursitea

backend www_yoursiteb
    cookie SERVERID insert nocache indirect
    option httpchk HEAD /check.txt HTTP/1.0
    option httpclose
    option forwardfor
    server yoursiteb 192.168.100.10:80 cookie yoursiteb
