Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Change haproxy.cfg to enable http->https redirect and optional certbot #2288

Closed
tornaria opened this issue Aug 12, 2017 · 5 comments
Closed

Change haproxy.cfg to enable http->https redirect and optional certbot #2288

tornaria opened this issue Aug 12, 2017 · 5 comments

Comments

@tornaria
Copy link

Admittedly I don't know all the implications of this, but here's my proposal:

--- haproxy.cfg.orig    2017-08-11 23:01:10.748000000 +0000
+++ haproxy.cfg 2017-08-11 23:59:26.444000000 +0000
@@ -36,9 +36,16 @@
     timeout server 20s
     server proxy localhost:5001 cookie server:localhost:5000 check inter 4000 maxco
 
+frontend http
+    bind *:80
+    acl is_acme path_beg /.well-known/acme-challenge
+    redirect scheme https code 301 if !is_acme
+    use_backend static if is_acme
+
 frontend https
     bind *:443 ssl crt /nopassphrase.pem no-sslv3
-    bind *:80
     reqadd X-Forwarded-Proto:\ https
     timeout client 120s

This has two consequences:

a. The haproxy in port 80 will not serve any content, redirecting everything to https.
(not only a security issue but also see e.g. #2000 (comment))

b. There will be an exception for /.well-known/acme-challenge which would be served using the static backend from /cocalc/src/static/.well-known/acme-challenge/ which can be used as webroot for certbot.

Note that this actually doesn't do anything to install or activate certbot, but with this configuration in place is easy to install a letsencrypt certificate.

Possible instructions to do it (assuming my proposed haproxy.cfg is installed):

  1. enter the docker container
$ docker exec -it cocalc bash
  1. install certbot
# apt-get update
# apt-get install certbot
  1. make a persistent directory for letsencrypt files
# mkdir /projects/conf/letsencrypt
# ln -sT /projects/conf/letsencrypt /etc/letsencrypt
  1. obtain a certificate (substitute <DOMAIN> and <EMAIL>)
# certbot certonly --config-dir /projects/conf/letsencrypt --webroot --agree-tos -w /cocalc/src/static/ -d <DOMAIN> -m <EMAIL>
  1. install the certificate where haproxy expects it:
# cat /etc/letsencrypt/live/<DOMAIN>/{fullchain.pem,privkey.pem} > /nopassphrase.pem
# service haproxy reload
  1. enjoy

This does not automate renewals. At renewal time (i.e. every month?) one has to do something like:

# certbot renew
# cat /etc/letsencrypt/live/<DOMAIN>/{fullchain.pem,privkey.pem} > /nopassphrase.pem
# service haproxy reload

I haven't tested renewals yet, as I understand it it is safe to run certbot renew once or twice a day since it won't do a thing if the certificate is not old. I don't know how to automate this inside the docker container, since cron is not running.

Any suggestion? A worthwhile goal would be to have a single script that when executed will do steps 2-5 above and make sure the certificate is periodically renewed.

NOTE: the patch above and the suggested steps are just configuration, I make no copyright claim, use it freely, keep the pieces if it breaks, etc.
@tornaria
Copy link
Author

tornaria commented Aug 12, 2017
edited

For the record: it seems service cron start will run cron, so that can be used to automate certificate renewal.

However I'm afraid this will run a lot of other stuff periodically from ubuntu cron configuration which I'm not sure it's desirable.

@tornaria
Copy link
Author

This is implemented in PR #2294, together with other improvements.

@haraldschilly
Copy link
Contributor

closing this ticket because the PR is closed

@billpage
Copy link
Contributor

I suggest that the recipe for letsencrypt in this proposal become part of the docker readme. I just tested it and it works for me. My reason for doing this is that apparently there is some kind of time restriction in firefox (and maybe other browsers) on continuing to access a site (even a local site) with an invalid certificate.

Or since this issue is closed does it mean that this approach has been replaced with something else?

@slel
Copy link
Contributor

slel commented Jun 7, 2018
edited

@billpage This issue is closed because the Docker image for CoCalc
now has its own repo at https://github.com/sagemathinc/cocalc-docker
with its issue tracker at https://github.com/sagemathinc/cocalc-docker/issues
and pull requests at https://github.com/sagemathinc/cocalc-docker/pulls

Further discussion of cocalc-docker happens there.

Regarding Letsencrypt and CoCalc-Docker, there is a discussion around
sagemathinc/cocalc-docker#3 if you can have a look.

@DrSAR DrSAR mentioned this issue Apr 10, 2019
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@haraldschilly @tornaria @slel @billpage