Using SSL with HAProxy for docker containers

Thanks Lukas!

Unfortunately the script requires 1.6

You need to be rolling HAProxy version 1.6.0 or later with Lua support enabled.

Mine is

Package haproxy-1.5.14-3.el7.x86_64 already installed and latest version

Should I try it anyway? Or look at this instead… How To Secure HAProxy with Let's Encrypt on CentOS 7 | DigitalOcean ?

Btw, do you know how I can get version info on Centos? haproxy -vv does not work. Is systemctl status haproxy the equivalent?

I don’t know about docker or centos, but haproxy -vv should always work. The acme validation plugin needs haproxy 1.6 with Lua, there is no point in trying with 1.5.

1 Like

Hey @lukastribus just coming back to report this has now all been set up - massive thanks for your help! :slight_smile: I have also edited the first post with a summary - hopefully it will help others without them having to read the whole thread.

Just one last question, what would be the best way to force https on some of my sites? (Some of those defined under ‘Define hosts’ and some that use the default_backend.)

Here is a reminder of what I have:

frontend http-in
    bind *:80
    default_backend main_apache_sites

    # Define hosts
    # redirect www.<host> to the bare host (301), then match the bare host for routing
    redirect prefix http://discourse-forum-1.com code 301 if { hdr(host) -i www.discourse-forum-1.com }
    acl host_discourse hdr(host) -i discourse-forum-1.com
    redirect prefix http://discourse-forum-2.com code 301 if { hdr(host) -i www.discourse-forum-2.com }
    acl host_discourse_2 hdr(host) -i discourse-forum-2.com
    redirect prefix http://discourse-forum-3.com code 301 if { hdr(host) -i www.discourse-forum-3.com }
    acl host_discourse_3 hdr(host) -i discourse-forum-3.com

    # which one to use (anything not matched falls through to default_backend)
    use_backend discourse_docker if host_discourse
    use_backend discourse_docker_2 if host_discourse_2
    use_backend discourse_docker_3 if host_discourse_3


backend main_apache_sites
    server server1 127.0.0.1:8080 cookie A check
    cookie JSESSIONID prefix nocache

backend discourse_docker
    server server2 127.0.0.1:8888 cookie A check
    cookie JSESSIONID prefix nocache

backend discourse_docker_2
    server server2 127.0.0.1:8889 cookie A check
    cookie JSESSIONID prefix nocache

backend discourse_docker_3
    server server2 127.0.0.1:8890 cookie A check
    cookie JSESSIONID prefix nocache

Do I just need lots of these?

redirect scheme https if { hdr(Host) -i www.mydomain.com } !{ ssl_fc }

(Where do they go? Under Define hosts?)

Yes, but in that case I would suggest using a dedicated (named) ACL to define the list of hosts that need the HTTPS redirect, otherwise the configuration gets messy.

Note that there is no indentation in haproxy really. “redirect” and “acl” can start at the same place as can server and cookie in the backend.

1 Like

Do you mean something like this?

# Define hosts
  redirect prefix http://myforum.com code 301 if { hdr(host) -i www.myforum.com }
  redirect scheme https if { hdr(Host) -i myforum.com } !{ ssl_fc }
  acl host_discourse_3 hdr(host) -i myforum.com

Or is there a better way?

Yes, but I would also use an ACL for this, so you only have to add a Host to the ssl_redirect_hosts ACL, not touch the actual redirect directive:

# Define hosts
redirect prefix http://myforum.com code 301 if { hdr(host) -i www.myforum.com }
acl host_discourse_3 hdr(host) -i myforum.com
acl ssl_redirect_hosts hdr(Host) -i myforum.com
acl ssl_redirect_hosts hdr(Host) -i myforum2.com
acl ssl_redirect_hosts hdr(Host) -i myforum3.com
redirect scheme https if ssl_redirect_hosts !{ ssl_fc }

1 Like

Awesome, thanks Lukas!

Is there any way to do the same for removing the www’s? Or better still combine it all into one statement? No probs if not.

I’m sure it is; you can find the specifics in the documentation:
http://cbonte.github.io/haproxy-dconv/configuration-1.6.html#4-redirect

1 Like

Hi Lukas, sorry to bother you again, but would you know how I can enable secure cookies for the hosts we defined previously?

Would I need to add this to the bottom?

rspirep ^(set-cookie:.*) \1;\ Secure if https !secured_cookie

Edit: Just an update to say I seem to have fixed my issue by simply adding the following to frontend http-in

reqadd X-Forwarded-Proto:\ https if { ssl_fc }

Does this look ok?

Yes, telling the application that the connection to the client is secured via X-Forwarded-Proto header is the proper thing to do in this case, instead of rewriting response headers at the proxy layer.

1 Like
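Pulling the thread's pieces together, here is an added example of a complete HAProxy 1.6 configuration. It is not AstJ's final config or the Discourse guide's: it uses the named ssl_redirect_hosts ACL from Lukas's post, answers the "remove the www in one statement" question, and writes the X-Forwarded-Proto header with the http-request form that is the 1.6 equivalent of reqadd. The certificate directory /etc/haproxy/certs/, the example.com hostnames and the backend ports are assumptions. The single-line www strip relies on the regsub converter; confirm your build's configuration manual lists it, otherwise fall back to one "redirect prefix" line per host as shown earlier in the thread.

```haproxy
# Added example, not the thread's final config. Assumes HAProxy >= 1.6,
# one PEM bundle (cert + chain + key) per site under /etc/haproxy/certs/,
# and the placeholder hostnames and ports below.
global
    log /dev/log local0
    # Applied to every "bind ... ssl" line: no SSLv3, no resumption tickets
    ssl-default-bind-options no-sslv3 no-tls-tickets
    ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384
    tune.ssl.default-dh-param 2048

defaults
    mode http
    log global
    option httplog
    option forwardfor
    timeout connect 5s
    timeout client 30s
    timeout server 30s

frontend http-in
    # One frontend for both ports so the same ACLs apply; ssl_fc tells them apart
    bind *:80
    bind *:443 ssl crt /etc/haproxy/certs/
    default_backend main_apache_sites

    # Hosts that must only be served over HTTPS: add one line per host here,
    # the redirect rule below never needs to change
    acl ssl_redirect_hosts hdr(host) -i forum1.example.com
    acl ssl_redirect_hosts hdr(host) -i forum2.example.com

    # Routing ACLs match the bare hostnames only; the www forms are redirected
    acl host_forum1 hdr(host) -i forum1.example.com
    acl host_forum2 hdr(host) -i forum2.example.com

    # Redirect rules are evaluated in order; the first match wins.
    # 1) www.<host> -> https://<host>, stripping www and upgrading to https in
    #    one hop (assumes the regsub converter is available in your build)
    http-request redirect prefix https://%[hdr(host),regsub(^www\.,,)] code 301 if { hdr_beg(host) -i www. }
    # 2) plain http on a listed host -> https, same path and query string
    http-request redirect scheme https code 301 if ssl_redirect_hosts !{ ssl_fc }

    # Tell the application whether the client connection was TLS, so it can set
    # Secure cookies and build https links itself. Drop any client-supplied copy
    # first so a client cannot claim to be on https when it is not.
    http-request del-header X-Forwarded-Proto
    http-request set-header X-Forwarded-Proto https if { ssl_fc }
    http-request set-header X-Forwarded-Proto http if !{ ssl_fc }

    # HSTS only on responses that actually went out over TLS
    http-response set-header Strict-Transport-Security max-age=15768000 if { ssl_fc }

    use_backend discourse_docker if host_forum1
    use_backend discourse_docker_2 if host_forum2

backend main_apache_sites
    server server1 127.0.0.1:8080 check

backend discourse_docker
    server server2 127.0.0.1:8888 check

backend discourse_docker_2
    server server3 127.0.0.1:8889 check
```

Run `haproxy -c -f /etc/haproxy/haproxy.cfg` after editing; it parses the file and reports unknown converters or directives without starting the proxy. Only the hosts named in ssl_redirect_hosts are forced to https, so sites that should stay reachable over plain http (for example anything still under the default backend) are left alone, and the www redirect goes straight to https so a www visitor is not bounced twice.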

Thanks Lukas - you’re a :star: :slight_smile:

Hi AstJ!

I’m working on a very similar project right now. I was wondering if you could share your final config? :smiley:

thanks,
Mike

Hey @Mike, have you seen my guide on Discourse? It should have configs and further instruction :smiley:

@AstJ
:slight_smile:

Thanks!

1 Like