Document TLS-ALPN for haproxy

alexzorin 2019-01-17 09:22:52 +11:00
parent 1c349b8eba
commit 588c79eb21
1 changed files with 52 additions and 1 deletions

@ -12,7 +12,7 @@ This article outlines some ways it is possible to configure webservers to work t
|-----------|--------|---------|
| Apache httpd | Not yet possible | - |
| nginx | Supported | Requires [ngx_stream_ssl_preread_module](http://nginx.org/en/docs/stream/ngx_stream_ssl_preread_module.html) to be compiled. e.g. on Ubuntu 18.04, included in the `nginx-full` package. |
| haproxy | Not yet possible | -
| haproxy | haproxy>=1.9.1 | -
## Instructions
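Review bot: the new haproxy row puts a version string (`haproxy>=1.9.1`) in the status column, where the other rows use "Supported" / "Not yet possible", and the notes column is left as `-`. Suggest following the nginx row's convention: status `Supported`, notes `Requires haproxy >= 1.9.1 (first release with the req.ssl_alpn fetch used below)`, so readers scanning the status column get a consistent answer and the version requirement sits where the table keeps prerequisites. The row is also missing the trailing `|` that the nginx row has; some markdown renderers drop the last cell when it is omitted.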
@ -80,3 +80,54 @@ stream {
5\. Try to issue a certificate (substituting `example.org` for the domain you want on your certificate).
$ sudo acme.sh --issue --alpn --tlsport 10443 -d example.org
### haproxy
With haproxy, what we have to do is run an ALPN load balancer frontend in TCP mode on port 443, and re-assign all HTTPS frontends to an alternate port.
When a TLS-ALPN connection for ACME comes in, it will be routed to acme.sh, otherwise, the connection is forwarded to the normal HTTPS frontend.
1\. Verify that haproxy is at least version 1.9.1:
$ haproxy -v
HA-Proxy version 1.9.2 2019/01/16 - https://haproxy.org/
2\. In the haproxy configuration, as well as re-assigning your existing HTTPS frontend to port 8443, you will need to add:
1. `fe_alpn` - a TCP frontend on 443 to load balance ALPN
2. `bk_acmesh` - A backend to send requests to acme.sh
3. `bk_https` - A backend to send requests to your regular HTTPS frontend
```haproxy
# New
frontend fe_alpn
mode tcp
bind :443
tcp-request inspect-delay 5s
tcp-request content accept if { req_ssl_hello_type 1 }
use_backend bk_acmesh if { req.ssl_alpn acme-tls/1 }
default_backend bk_https
# New
backend bk_acmesh
server acmesh 127.0.0.1:10443
# New
backend bk_https
server https 127.0.0.1:8443
# Existing, changed from 80 -> 8443
frontend fe_https
mode http
bind :8443 ssl crt /etc/ssl/haproxy.pem
# ...
```
3\. Make sure the configuration works and reload:
$ sudo haproxy -c -f /etc/haproxy.cfg
$ sudo systemctl reload haproxy
4\. Try to issue a certificate (substituting `example.org` for the domain you want on your certificate).
$ sudo acme.sh --issue --alpn --tlsport 10443 -d example.org
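Review bot: the comment `# Existing, changed from 80 -> 8443` on the `fe_https` block contradicts the prose above it, which says the existing HTTPS frontend is moved off 443 so that `fe_alpn` can take it; it should read `changed from 443 -> 8443`. Two further points on the same hunk: `bind :8443` in `fe_https` listens on all interfaces, so the HTTPS frontend stays reachable directly on port 8443 and bypasses `fe_alpn` entirely, while the only intended client is `bk_https` at `127.0.0.1:8443`; suggest `bind 127.0.0.1:8443 ssl crt /etc/ssl/haproxy.pem` (and, if the host firewall is the only thing keeping 8443 private, say so in the text). Because `fe_https` now sees every connection arriving from `127.0.0.1`, its logs and any source-IP based ACLs or `X-Forwarded-For` handling lose the real client address; worth a sentence noting that `send-proxy` on the `server https` line together with `accept-proxy` on the `fe_https` bind (or an equivalent) is needed to preserve it, or at least that the loss is expected.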