SETUP


On the load balancer, configure Let's Encrypt and add the florist domain name.


BELOW NO LONGER NEEDED

HAProxy - add a redirect to SSL in the config - bind *:443 ssl crt /ssl/ no-tlsv10

http-request redirect scheme https unless { ssl_fc }

On the load balancer in the Layershift panel, turn off Let's Encrypt.


  1. Create an ssl folder in /opt/tomcat on the app server
  2. On the load balancer, create a mount from /ssl to the Tomcat /opt/tomcat/ssl directory
  3. Uninstall Let's Encrypt
  4. Add to the HAProxy config: bind *:443 ssl crt /ssl/ no-tlsv10




Per Domain

  1. Create the CSR file on the load balancer in the /ssl/ directory (the command below writes server.key unencrypted because of -nodes, so keep /ssl/ readable only by root and the haproxy user):

openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr

 

  1. Create a new SSL certificate from sslstore (RapidSSL Certificate)
  2. Authorise the SSL certificate
  3. Copy the .pem to /ssl/
  4. Move the CSR request into the ssl/csr/ folder
  5. Rename the key file to match the uploaded certificate's file name, with .key appended
  6. Restart the load balancer


IF USING .well-known FILE-BASED validation

1. Drop the auth file into ROOT/.well-known


2. Ensure the haproxy.cfg is as follows


#### MAKE CHANGES HERE ONLY IF YOU REALLY KNOW WHAT YOU ARE DOING #####

#---------------------------------------------------------------------

# Global settings

#---------------------------------------------------------------------

global

# Process-wide settings: log target, unprivileged runtime identity, and the
# TLS defaults inherited by every "bind" and "server" line below.

log 127.0.0.1   local0

# Run as the unprivileged haproxy account.
user haproxy

group haproxy


# Client-facing cipher list: ECDHE/DHE key exchange with AES-GCM or
# ChaCha20-Poly1305 only; no CBC suites and no RSA key transport.
ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384

# SSLv3 and TLS 1.0/1.1 are refused on every bind (TLS 1.2 is the floor);
# session tickets are disabled.
ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets


# Same policy for the server side (haproxy -> backend TLS, if any is configured).
ssl-default-server-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384

ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets


# DH parameters for the DHE-* suites above; the 2048-bit default further down
# is what haproxy falls back to when no parameter file is loaded.
ssl-dh-param-file /etc/haproxy/dhparam.pem


pidfile     /var/run/haproxy.pid


tune.ssl.default-dh-param 2048

# Process-wide connection ceiling; the "defaults" section repeats the same value.
maxconn     10000

daemon


#---------------------------------------------------------------------

# common defaults that all the 'listen' and 'backend' sections will

# use if not designated in their block

#---------------------------------------------------------------------


defaults

# Inherited by every frontend and backend below unless overridden there.

mode                    http

# Reuse the "global" log target (127.0.0.1 local0).
log                     global

# Do not log connections that carried no data.
option                  dontlognull

option  httplog

# Close the server-side connection after each response; client keep-alive is
# still honoured (see "timeout http-keep-alive" below).
option http-server-close

# If the connection to the chosen server fails, allow the request to be sent
# to another server instead of failing outright (works with "retries").
option                  redispatch

retries                 3

# Bounds how long the complete request headers may take to arrive.
timeout http-request    10s

timeout queue           1m

timeout connect         10s

timeout client          1m

timeout server          1m

timeout http-keep-alive 10s

timeout check           10s

maxconn                 10000


frontend ft_http

# Public entry point: plaintext on :80 and TLS on :443, both dual-stack.

bind :::80 v4v6

# TLS endpoint; ALPN offers HTTP/2 then HTTP/1.1. The certificate is the
# Jelastic-managed bundle, not the /ssl/ mount described in the notes above.
bind :::443 v4v6 ssl crt /var/lib/jelastic/SSL/jelastic.pem alpn h2,http/1.1

mode http

# NOTE(review): the stats page is served from this public frontend at
# /haproxy_adm_panel on both the :80 and :443 binds. Requests for the main
# domain over :80 are never redirected to https (see the "http !maindom"
# redirect further down), so the basic-auth credential below can travel in
# cleartext. A separate "listen" section bound to an internal address would
# keep it off the public edge.
stats enable

# NOTE(review): plaintext credential committed to this document — rotate it and
# keep the real value out of shared notes.
stats auth admin:HIRohn27117

stats refresh 30s

stats show-node

stats uri  /haproxy_adm_panel

# "if TRUE" unconditionally enables the admin actions on the stats page
# (enable/disable servers, change weights); only the basic auth above gates
# them. Gating this on a source-address ACL (src) would limit the blast radius.
stats admin if TRUE

# Pass the client IP to the backend as X-Forwarded-For.
option forwardfor


# These three headers are set only on TLS connections. On the :80 bind they are
# left exactly as the client sent them, so a backend that trusts them should
# have them stripped (http-request del-header) for plaintext requests —
# TODO confirm how the backend uses them.
http-request set-header X-Forwarded-Proto https if { ssl_fc }

http-request set-header HTTPS on if { ssl_fc }

http-request set-header Ssl-Offloaded 1 if { ssl_fc }

# redirect to www if not www or the main domain

# Suffix match: also true for every subdomain of floristpro-mini.co.uk, and for
# any Host value that merely ends in that string.
acl  maindom      hdr_end(host) -i floristpro-mini.co.uk

# Certificate file-validation path; exempted from every redirect below so the
# validation file is served from the host exactly as requested.
acl path_certbot path_beg /.well-known/pki-validation/fileauth.txt

# The Location is built from the client-supplied Host header: any non-www host
# other than the main domain is sent to http://www.<that host>; an allowlist of
# expected hosts would avoid redirecting to arbitrary Host values. A redirect is
# a terminal action, so the https variant on the next rule, which has the same
# condition, never fires; this rule would need to exclude ssl_fc connections for
# the second one to be reachable.
http-request redirect code 301 location  http://www.%[hdr(host)]%[capture.req.uri] unless maindom  || path_certbot || { hdr_beg(host) -i www }

http-request redirect code 301 location  https://www.%[hdr(host)]%[capture.req.uri] unless maindom  || path_certbot || { hdr_beg(host) -i www }

#http-request redirect prefix https://www.%[hdr(host)] code 301 unless { hdr_beg(host) -i www. }

# https if not in the main domain or fc

# True when the front connection is plaintext (no TLS).
acl http      ssl_fc,not 

# Plaintext requests are upgraded to https only for hosts outside the main
# domain; the main domain itself stays reachable over plain http.
http-request redirect scheme https if http !maindom !path_certbot


default_backend bk_http



backend default

# No "server" lines here, so anything routed to this backend gets the 503
# welcome page below. Nothing in the frontend above references it.
mode http

errorfile 503 /etc/haproxy/welcome.http

 

backend bk_http ###HOSTS ARE ADDED TO THIS BACKEND BY DEFAULT

# Single upstream; the port is expanded from the BACKEND_PORT environment
# variable at load time. "cookie S1" is the value written into the SRVNAME
# persistence cookie below.
server webserver1 10.10.117.96:${BACKEND_PORT} check cookie S1


#---------test additions for clustering TT

# Learn the JSESSIONID the application sets in its Set-Cookie response and route
# later requests carrying that value back to the same server (table of up to 5M
# entries, entries expire after 30m idle).
stick-table type string len 52 size 5M expire 30m

stick store-response set-cookie(JSESSIONID)

stick on cookie(JSESSIONID)


# NOTE(review): two "cookie" directives in one backend; only one is effective,
# and the later "cookie SRVNAME insert" appears to replace this one — confirm
# which persistence mode is intended and drop the other.
cookie JSESSIONID prefix nocache


# Redundant: "mode http" is already inherited from defaults.
mode http

cookie SRVNAME insert

balance roundrobin


###TCP SECTION###