Script to install containerized haproxy with letsencrypt cert
- TLSv1.3 only
- ocsp
- hsts
- caa policy
- ip blocking
- geo blocking
- rate limiting
- cache
- letsencrypt
https://www.ssllabs.com/ssltest/
- Debian 12
- git
- docker
- A domain name configured with a DNS record of type A pointing to your WAN IP. For example:

  | Domain | WAN IP |
  | --- | --- |
  | example.dev | 142.250.203.110 |
  | sub1.example.dev | 142.250.203.110 |
  | sub2.example.dev | 142.250.203.110 |

- (optional) CAA DNS record pointing to letsencrypt.org. For example:

  | Domain | letsencrypt domain |
  | --- | --- |
  | example.dev | letsencrypt.org |
  | sub1.example.dev | letsencrypt.org |
  | sub2.example.dev | letsencrypt.org |

- On your router: port forwarding for HTTP port 80, HTTPS port 443 and letsencrypt port 8443 to your Debian server.
```sh
cp usr/local/etc/certbot/conf/example-conf.yml usr/local/etc/certbot/conf/conf.yml
```
- Edit usr/local/etc/certbot/conf/conf.yml

```sh
cp usr/local/etc/haproxy/example-haproxy.cfg usr/local/etc/haproxy/haproxy.cfg
```
- Edit usr/local/etc/haproxy/haproxy.cfg
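As an added illustration (not the example-haproxy.cfg shipped with this script), the following haproxy.cfg shows how the features listed at the top map to HAProxy directives. It assumes the application listens on 127.0.0.1:7777, that certbot answers HTTP-01 challenges on 127.0.0.1:8443, and the file names blocklist.txt and geo.map.

```haproxy
global
    # Runtime socket used by the "show info" / "show cache" commands below
    stats socket /usr/local/run/haproxy/admin.sock mode 660 level admin
    # TLSv1.3 only: refuse every older protocol version on all bind lines
    ssl-default-bind-options ssl-min-ver TLSv1.3
    ssl-default-bind-ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
    ssl-dh-param-file /usr/local/etc/haproxy/dhparams.pem

defaults
    mode http
    timeout connect 5s
    timeout client 30s
    timeout server 30s

cache static_cache
    total-max-size 64
    max-object-size 1048576
    max-age 300

frontend http_in
    bind *:80
    # letsencrypt: HTTP-01 challenges go to certbot (assumed on 8443), everything else is redirected
    acl acme path_beg /.well-known/acme-challenge/
    use_backend certbot if acme
    http-request redirect scheme https code 301 unless acme

frontend https_in
    bind *:443 ssl crt /usr/local/etc/haproxy/certs/ alpn h2,http/1.1
    # ip blocking: one address or CIDR per line (blocklist.txt is an assumed file name)
    acl blocked_ip src -f /usr/local/etc/haproxy/blocklist.txt
    http-request deny if blocked_ip
    # geo blocking: geo.map (assumed) maps CIDR -> ISO country code; XX and YY are placeholders
    acl blocked_country src,map_ip(/usr/local/etc/haproxy/geo.map) -m str XX YY
    http-request deny if blocked_country
    # rate limiting: more than 20 requests per 10 s from one source IP gets a 429
    stick-table type ip size 100k expire 60s store http_req_rate(10s)
    http-request track-sc0 src
    http-request deny deny_status 429 if { sc_http_req_rate(0) gt 20 }
    http-request cache-use static_cache
    http-response cache-store static_cache
    # hsts: only set on the TLS frontend, never on port 80
    http-response set-header Strict-Transport-Security "max-age=31536000; includeSubDomains"
    default_backend app

backend certbot
    server certbot 127.0.0.1:8443

backend app
    server app1 127.0.0.1:7777
```

Validate the file before starting the container with `haproxy -c -f haproxy.cfg`; the TLS settings can then be confirmed externally with the SSL Labs test linked above.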
```sh
docker build -t haproxy-img -f Dockerfile . && \
docker run --rm --name haproxy \
  -it \
  -p 7777:7777 \
  -p 80:80 \
  -p 443:443 \
  -p 8443:8443 \
  haproxy-img
```
Copy the certificates and the DH parameter file from the container to the local checkout:
```sh
docker cp haproxy:/usr/local/etc/haproxy/dhparams.pem /home/$USER/git/haproxy-script/usr/local/etc/haproxy
docker cp haproxy:/usr/local/etc/haproxy/certs/. /home/$USER/git/haproxy-script/usr/local/etc/haproxy/certs
```
Open a shell in the haproxy container like this:
```sh
docker exec -it haproxy /bin/bash
```
Run a command in the container like this:
```sh
docker exec -it haproxy cat /usr/local/etc/haproxy/haproxy.cfg
```
Check the OCSP stapling response like this (the output should contain "OCSP Response Status: successful"):
```sh
echo quit | openssl s_client -connect <your.domain>:443 -status
```
Show haproxy info:
```sh
echo "show info" | socat stdio /usr/local/run/haproxy/admin.sock
```
Show haproxy cache:
```sh
echo "show cache" | socat stdio /usr/local/run/haproxy/admin.sock
```
Reload: #TODO: why is this not working?
```sh
echo "reload" | socat stdio /usr/local/run/haproxy/admin.sock
```
Note: the stats socket does not implement `reload`; that command only exists on the master CLI socket, which haproxy exposes when started in master-worker mode with the `-S` option. The official image reloads its configuration when the container's haproxy process receives SIGHUP.