
SSL HAproxy in front of Centminmod and Let's encrypt

Discussion in 'System Administration' started by pamamolf, Oct 23, 2017.

  1. pamamolf

    pamamolf Premium Member
    Hello :)


    I am wondering how HAproxy can play with Centminmod and Let's encrypt servers :)

    In the scenario where I have 3 Centminmod servers with the same domain for all, how can Let's Encrypt be installed, as the servers use different IPs...? Should I use the same hostname for all? Or does it just need the hidden folder in public to verify?

    And then, if all servers have Let's Encrypt working, how will HAproxy work with them?
    Do I also need to install a Let's Encrypt certificate on that server?

    Thank you
     
  2. wmtech

    wmtech Active Member

    You are right. That's tricky...

    You need to sync the .well-known directory on all 3 servers and make sure the certificate retrieval is started from 1 server only. After the cert has been created, you need to copy it over to the other 2 servers.

    If you don't want to sync the directory, you can also take 2 servers offline temporarily until the cert has been granted, copy it over to the other 2 servers and bring them online again.

    The first one seems easier to automate with a script.
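    A script for the "copy it over" step, as an added example that is not from the thread or from Centmin Mod: it concatenates the ACME client's fullchain.pem and privkey.pem into the single PEM bundle HAProxy's crt directive expects, checks that the bundle holds exactly one private key, and then pushes it to the other backends over SSH and reloads HAProxy there. CERT_DIR, BUNDLE, the peer hostnames and the use of root SSH key authentication are all assumptions; the deployment only runs when the script is invoked with the deploy argument, so the bundling function can be exercised on its own.

```shell
#!/bin/sh
# Added example (not from the thread): bundle a freshly issued Let's Encrypt
# certificate into the single PEM file HAProxy expects, push it to the other
# backends and reload HAProxy on each. Paths and hostnames are placeholders.
set -eu

# Hypothetical locations: where the ACME client on the issuing node writes the
# cert and key, and where the bundle must end up on every backend.
CERT_DIR="${CERT_DIR:-/etc/letsencrypt/live/example.com}"
BUNDLE="${BUNDLE:-/etc/haproxy/certs/example.com.pem}"
# Hypothetical space-separated list of the other backends.
PEERS="${PEERS:-backend2.example.internal backend3.example.internal}"

# HAProxy's crt directive wants leaf cert, chain and private key concatenated
# in one file, so build that from the ACME client's fullchain.pem + privkey.pem.
make_bundle() {
    fullchain="$1"; privkey="$2"; out="$3"
    # The bundle contains a private key, so create it owner-readable only.
    ( umask 077; cat "$fullchain" "$privkey" > "$out" )
    # Sanity check: exactly one private key block, or the bundle is wrong.
    keys=$(grep -c 'BEGIN .*PRIVATE KEY' "$out" || true)
    if [ "$keys" -ne 1 ]; then
        echo "bundle $out has $keys private key blocks, expected 1" >&2
        return 1
    fi
}

# Copy the bundle to one peer, verify the config parses there, then reload.
# Relies on SSH key authentication already being set up for the peer.
deploy_to_peer() {
    peer="$1"
    scp -q "$BUNDLE" "root@$peer:$BUNDLE.new"
    ssh "root@$peer" "mv '$BUNDLE.new' '$BUNDLE' \
        && haproxy -c -f /etc/haproxy/haproxy.cfg \
        && systemctl reload haproxy"
}

# Only touch remote hosts when explicitly asked, so the functions above can be
# sourced or tested without deploying anything.
if [ "${1:-}" = "deploy" ]; then
    make_bundle "$CERT_DIR/fullchain.pem" "$CERT_DIR/privkey.pem" "$BUNDLE"
    for peer in $PEERS; do
        deploy_to_peer "$peer"
    done
    systemctl reload haproxy
fi
```

    Run it as a post-renewal hook on the one node that performs the ACME validation (acme.sh and certbot both support a hook command after renewal), so every renewal is distributed automatically instead of by hand.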
     
  3. eva2000

    eva2000 Administrator Staff Member
    Centmin Mod 123.09beta01's addons/acmetool.sh isn't setup for load balancing unfortunately, so you'd have to do your own workarounds for haproxy load balanced setups. There's so many ways to do this so best to research your own. A hint would be you can set haproxy to redirect .well-known letsencrypt web root authentication requests (web root authentication is what addons/acmetool.sh uses) to a specific haproxy backend server for processing. It doesn't matter what IP the haproxy backend is on in this case, as the domain's DNS A record is pointing to haproxy's public IP anyway and the magic happens on the haproxy backend. This way only one haproxy backend processes letsencrypt web root authentication and domain verification requests, and you'd have to figure out how to populate the renewed letsencrypt ssl certificate to all the other haproxy backends. If you use cloudflare or one of acme.sh client's DNS API supported providers, you can also script letsencrypt DNS verification of domains instead of web root authentication as well.

    FYI, letsencrypt in Jan 2018 will start offering wildcard ssl certificates for *.domain.com, so slightly easier for cluster/load balanced setup configurations. That's what I do for centminmod.com etc.: use a paid wildcard ssl certificate, which makes cluster load balanced setups easier to manage :)
     
    Last edited: Oct 23, 2017
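    The routing hint above, written out as an added example HAProxy configuration; it is not from the thread, from Centmin Mod or from addons/acmetool.sh. Port 80 sends only requests under /.well-known/acme-challenge/ to a single backend (the one node that runs the ACME client and owns the web root the challenge file is written to) and redirects everything else to HTTPS, where HAProxy terminates TLS with the issued certificate and balances across all nodes. The hostnames, backend IPs, certificate path and cookie name are constructed placeholders.

```haproxy
# Added example, not the thread's or Centmin Mod's configuration.
# One backend answers Let's Encrypt HTTP-01 challenges; all backends serve
# ordinary traffic. IPs, paths and names below are placeholders.
global
    log /dev/log local0
    tune.ssl.default-dh-param 2048

defaults
    mode http
    log global
    option httplog
    option forwardfor
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend http_in
    bind *:80
    # Match only the ACME web-root challenge path.
    acl acme_challenge path_beg /.well-known/acme-challenge/
    # Challenge requests stay on plain HTTP and go to the issuing node;
    # every other request is redirected to HTTPS.
    use_backend acme_node if acme_challenge
    redirect scheme https code 301 if !acme_challenge

frontend https_in
    # crt points at one PEM file holding certificate chain and private key.
    bind *:443 ssl crt /etc/haproxy/certs/example.com.pem alpn h2,http/1.1
    http-request set-header X-Forwarded-Proto https
    default_backend web_nodes

# Only this node runs the ACME client, so only it sees validation requests.
backend acme_node
    server web1 10.0.0.11:80 check

backend web_nodes
    balance roundrobin
    # Pin a client to one node in case the application is not session-safe
    # across nodes.
    cookie SRV insert indirect nocache
    server web1 10.0.0.11:80 check cookie web1
    server web2 10.0.0.12:80 check cookie web2
    server web3 10.0.0.13:80 check cookie web3
```

    Because the DNS A record points at HAProxy, Let's Encrypt's validator always reaches the same issuing node regardless of which backend IP it sits on; the remaining job is copying the renewed PEM bundle to the other nodes (HAProxy itself only needs the copy referenced by crt, so if HAProxy is the sole TLS endpoint the backends can keep speaking plain HTTP to it).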
  4. pamamolf

    pamamolf Premium Member
    Is it better (for updating reasons most) to install it using a repo or to compile it from source?

    What do you recommend?

    Thank you
     
  5. eva2000

    eva2000 Administrator Staff Member
    Depends on what you want to use/enable/support in haproxy, as a source compile can enable additional features and options that may not be available in rpm yum installed packages. If you don't know the difference, then reading the haproxy install documentation might help.

    I usually source install haproxy https://community.centminmod.com/threads/addons-haproxy-sh-preview.12641/ so I can enable support for stuff like OpenSSL 1.1.x + Lua + newer zlib + Pcre/Pcre Jit + Transparent Proxy etc. I can also do similar stuff to what I do with Centmin Mod Nginx/PHP-FPM, that is enable compile/install support for Haproxy using newer compilers like GCC 5.3/6.3/7.2 or Clang 3.4/4/5 etc. for better performance.
     
  6. rdan

    rdan Well-Known Member
    Still curious, did you mean for better performance on compilation only or also using the service like Nginx?
     
  7. eva2000

    eva2000 Administrator Staff Member
    Can be both compile speed and/or the binary's (nginx/php-fpm) performance depending on the cpu / compiler combination; just look at the benchmarks linked at https://community.centminmod.com/th...lang-4-0-1-scl-yum-packages.12815/#post-54316

    Just look at Intel Clear Linux OS's GCC 7.x performance - they do more than just GCC but have enabled cpu optimisations (similar to what Centmin Mod Nginx/PHP-FPM does), but Intel Clear Linux does it for every package/software on their OS http://www.phoronix.com/scan.php?page=article&item=clear-linux-gcc71&num=1

    i.e. look at redis performance in Intel Clear Linux https://www.phoronix.com/vr.php?view=25553 though it all depends on the cpu model pairing with the GCC/Clang compiler too. A particular cpu + compiler GCC version or Clang version might allow a performance boost for a specific binary, or it may lower performance due to regressions. So newer GCC/Clang versions may not always give the best performance, depending on the cpu used too. So Centmin Mod 123.09beta01's Nginx binary might perform better with either CentOS 7 native GCC 4.8.5 or optionally supported GCC 5.3/6.3/7.2 or Clang 3.4/4/5, depending on the cpu used on the server.

    For my custom Redis installs, I also enable GCC 5/6/7 and Intel cpu optimisations too :)