Hi Community,
I am doing this in a home-server setup, so even though I use these platforms every day they have at most 3–4 users each. Every service is a single server; there is no need for load balancing, etc.
My goal was to route the ACME http-01 challenge for each server through HAProxy, then "set and forget" and let Let's Encrypt renew in the background with no intervention from me. The Apache2 Certbot auto-renewal was already automating the requests; I just needed them to reach the correct backend server.
After much trial and error, here is my working config. When I add another backend server I only need to extend the list of hostnames (one ACL plus one backend per frontend). This config passed `certbot renew --dry-run`, so now I will leave it for a few months and see whether anything breaks.
global
# hard cap on concurrent connections for the whole process; no per-frontend
# maxconn is set further down, so this is the only connection limit
maxconn 5000
# idle timeout for clients of the stats socket; only has an effect if a
# "stats socket" line is declared (none appears in this config)
stats timeout 30s
# syslog via the local unix socket. Both lines point at the same socket with
# different facilities, so messages at notice and above are emitted twice
log /dev/log local0
log /dev/log local1 notice
# drop privileges after startup. NOTE(review): with the chroot, the /dev/log
# socket must exist *inside* /var/lib/haproxy (distro packages usually ship an
# rsyslog snippet that creates it) or logging stops working -- TODO confirm
chroot /var/lib/haproxy
user haproxy
group haproxy
daemon
defaults
# inherit the log targets from the global section
log global
# raw TCP unless a section overrides it (the port-80 frontend switches to http)
mode tcp
option tcplog
# do not log connections that closed without sending any data
option dontlognull
# only used by http-mode proxies: time allowed to receive a complete request
timeout http-request 5s
# time allowed to establish the TCP connection to a backend server
timeout connect 5s
# client/server idle timeouts. 2000 s (33 min 20 s) is generous -- fine for
# long uploads on a home server, but any idle client holds a slot that long;
# consider lowering if the box is exposed to the internet
timeout client 2000s
timeout server 2000s
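# ---- port 80: ACME http-01 challenge routing; everything else -> HTTPS ----
frontend example80
bind *:80
mode http
# this is an http-mode frontend, so log in HTTP format (tcplog here would
# drop method, path and status from every log line)
option httplog
# ACME http-01 challenge path (the CA fetches /.well-known/acme-challenge/<token>)
acl test_acme path_beg /.well-known/acme-challenge/
# which backend server owns the requested name: exact, case-insensitive match on
# the Host header. Add one ACL and one use_backend line per additional server.
acl nc_host hdr(host) -i nc.example.com
acl wp_host hdr(host) -i wp.example.com
acl wiki_host hdr(host) -i wiki.example.com
# anything that is not a challenge is bounced to HTTPS. http-request rules are
# evaluated before use_backend, so this decision is made first.
http-request redirect scheme https code 301 if !test_acme
# challenges are forwarded in cleartext to port 80 of the owning server only.
# A challenge for a host that is not listed matches no backend (there is no
# default_backend), so HAProxy answers it with its own 503 instead of forwarding.
use_backend le_nc_backend if test_acme nc_host
use_backend le_wp_backend if test_acme wp_host
use_backend le_wiki_backend if test_acme wiki_host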
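# ---- port 443: TLS passthrough routed on SNI; each server terminates TLS itself ----
frontend example443
bind *:443
mode tcp
option tcplog
# hold the connection for up to 10 s while waiting for the TLS ClientHello
tcp-request inspect-delay 10s
# let a TLS ClientHello (handshake type 1) through ...
tcp-request content accept if { req.ssl_hello_type 1 }
# ... and drop anything else as soon as it is recognisable as non-TLS, instead
# of letting it sit for the whole inspect delay and then fall through to the
# default accept (which is what the original did before closing it anyway)
tcp-request content reject
# exact, case-insensitive SNI match. The original used "-m end", which is a
# suffix match, so a name such as "evilnc.example.com" would also have been
# routed to backend_nc.
use_backend backend_nc if { req.ssl_sni -i nc.example.com }
use_backend backend_wp if { req.ssl_sni -i wp.example.com }
use_backend backend_wiki if { req.ssl_sni -i wiki.example.com }
# no default_backend on purpose: an unknown or missing SNI matches nothing and
# the connection is closed rather than sent to an arbitrary server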
# Backend nextcloud server <<<<<<<<<
# Normal traffic: TLS passthrough to the Nextcloud host. HAProxy does not
# terminate TLS here (mode tcp), so the server presents its own certificate.
# "check" with no httpchk option is a bare TCP connect probe -- it only proves
# port 443 is open, not that the service or certificate is healthy.
backend backend_nc
mode tcp
server nextcloud-server 192.168.1.10:443 check
# Certificate renewal: cleartext HTTP to port 80 of the same host. Only
# requests that matched the ACME path *and* the nc.example.com Host ACL in
# frontend example80 ever reach this backend.
backend le_nc_backend
mode http
server letsencrypt_nc_server 192.168.1.10:80 check
# Backend wordpress server <<<<<<<<<
# Normal traffic: TLS passthrough to the WordPress host. HAProxy does not
# terminate TLS here (mode tcp), so the server presents its own certificate.
# "check" with no httpchk option is a bare TCP connect probe -- it only proves
# port 443 is open, not that the service or certificate is healthy.
backend backend_wp
mode tcp
server wordpress-server 192.168.1.20:443 check
# Certificate renewal: cleartext HTTP to port 80 of the same host. Only
# requests that matched the ACME path *and* the wp.example.com Host ACL in
# frontend example80 ever reach this backend.
backend le_wp_backend
mode http
server letsencrypt_wp_server 192.168.1.20:80 check
#Backend wiki server <<<<<<<<<<
# Normal traffic: TLS passthrough to the wiki host. HAProxy does not
# terminate TLS here (mode tcp), so the server presents its own certificate.
# "check" with no httpchk option is a bare TCP connect probe -- it only proves
# port 443 is open, not that the service or certificate is healthy.
backend backend_wiki
mode tcp
server wiki-server 192.168.1.30:443 check
# Certificate renewal: cleartext HTTP to port 80 of the same host. Only
# requests that matched the ACME path *and* the wiki.example.com Host ACL in
# frontend example80 ever reach this backend.
backend le_wiki_backend
mode http
server letsencrypt_wiki_server 192.168.1.30:80 check
Feedback welcome, I am always happy to improve my setup.