PHPENV's HAProxy environment is set up with free SSL certificate application

by Devin Yang
(This article was automatically translated.)

Published - 1 year ago ( Updated - 1 year ago )

PHPENV has added the support of haproxy.yml. If you have an external IP and domain name, you want to get HAProxy and certificate application
It should be quite simple through deviny/phpenv.
In this article, let us see how to use HAProxy in the HAProxy environment setting in PHPENV.

Practical operation, you can also check out my YouTube Note:

https://youtu.be/eI2oxakC6pA


In the phpenv directory, the content of the haproxy.yml file is as follows:

version: '3.6'
services:
 haproxy:
  build:
    context: ./dockerfiles
    dockerfile: Dockerfile-haproxy
  image: ${PROJECT}_haproxy
  ports:
    - ${HTTP_PORT-80}:80
    - ${HTTPS_PORT-443}:443
  volumes:
    - ./etc/haproxy:/etc/haproxy
    - ./etc/haproxy/proxy.pem:/etc/ssl/phpenv/proxy.pem
    - ./etc/ssl:/etc/letsencrypt
  #-f <configuration file|dir>
  #command: /usr/local/sbin/haproxy -f /etc/haproxy -d
  networks:
    - dlaravel_net

networks:
    dlaravel_net:

As you can see in this file, he will go to build, Dockerfile-haproxy under the dockerfiles directory, why use HAProxy, because its reload speed is super fast,
The user will hardly notice the change of the certificate, His function is really easy to use, different ACLs can lead to different hosts, and it is extremely stable.

In the HAProxy setting of phpenv, all .well-known/acme-challenge will hit the backend port 8080 of the local side.
Through this mechanism, we can allow all HAProxy backend hosts to apply for Let's encrypt certificates without creating folders.

The HAProxy environment configuration file in phpenv is very simple. We can customize the name and put it in the envs folder. The content is as follows, and the PROJECT name can be set according to our own preferences. 

DEFAULT=haproxy
PROJECT=ha
HTTP_PORT=80
HTTPS_PORT=443

In the above settings, DEFAULT= is specified, which means that when phpenv links to this configuration file, it will use haproxy.yml in the directory as its default YAML file.

So the first step, when we have created the PHPENV environment configuration file in envs, we can execute ./link once to link

In the second step, the image of the Build environment only needs to be executed once in the new environment.

Third Let’s start it and see it
We can start it through ./start and stop it through ./stop, and then check the startup status through ./console ps.

< p>If there is a problem with the startup, we can use the ./console up command to see if there is a problem

./console up

In the case that we have no certificate at all, we can enter the container and execute the following command to obtain a free SSL certificate

The following command can enter the HAProxy container

./console exec haproxy bash

After entering the container, you can use the following command to apply for a certificate

certbot certonly --standalone --http-01-port 8080 --email devin@ccc.tc \
--dry-run \
--agree-tos --preferred-challenges http \
-d <your domain>

The above --dry-run can be tested first. After confirming that there is no problem, remove --dry-run and run officially. If it fails too many times, it will be locked and will not be applied for.


We can copy the environment settings of the backend host through phpenv.cfg.example for adjustment and modification, and become phpenv.cfg.

in phpenv The backend must have a certificate file. If you use let's encrypt, you can combine fullchain.pem and privkey.pem into one file and save it as proxy.pem. 

  frontend phpenv
     mode http
     bind :443 ssl crt /etc/haproxy/proxy.pem alpn h2

     option forwardfor header X-Real-IP
     http-request add-header X-Real-IP %[src]
     http-request add-header X-Forwarded-For %[src]

     acl acme path_beg -i /.well-known/acme-challenge
     redirect scheme https code 301 if !{ ssl_fc } !acme

  acl SUBDOMAIN_url hdr_beg(host) -i SUBDOMAIN.duckdns.org

  use_backend SUBDOMAIN_server if SUBDOMAIN_url

  backend SUBDOMAIN_server
     mode http
     fullconn   10000
     cookie SITEID insert indirect nocache
     server SUBDOMAIN host.docker.internal:1050

In the above example, we can have many acls with use_backend and backend, leading to different backends.
If necessary, you can also have multiple certificate files at the same time. 

ind :443 ssl crt /etc/ssl/ccc.tc/ccc.tc.pem alpn h2,http/1.1 crt /etc/ssl/ccc.tc/demo.ccc.tc.pem alpn h2,http/1.1 crt /etc/ssl/ccc.tc/e-course.app.pem alpn h2,http/1.1


About the settings of multiple ACLs and backends, it looks like this:

frontend phpenv
   mode http
   bind :443 ssl crt /etc/haproxy/proxy.pem alpn h2

   option forwardfor header X-Real-IP
   http-request add-header X-Real-IP %[src]
   http-request add-header X-Forwarded-For %[src]

   acl acme path_beg -i /.well-known/acme-challenge
   redirect scheme https code 301 if !{ ssl_fc } !acme

acl a_url hdr_beg(host) -i aaa.ccc.tc
acl b_url hdr_beg(host) -i bbb.ccc.tc

use_backend a_server if a_url
use_backend b_server if b_url

#BACKEND A
backend a_server
   mode http
   fullconn   10000
   cookie SITEID insert indirect nocache
   server demo3tc-a host.docker.internal:1050

#BACKEND B
backend b_server
   mode http
   fullconn   10000
   cookie SITEID insert indirect nocache
   server demo3tc-a host.docker.internal:1051



By the way, phpenv can also perform tcp mapping, for example, as follows:

listen vscode
        bind *:8444
        option tcplog
        mode tcp
        acl network_allowed src 211.72.111.145 111.248.102.24
        tcp-request connection reject if !network_allowed
        server sagent 192.168.99.123:1443


The above are some environmental descriptions of phpenv's HAProxy, and I will add it when I have the opportunity. 😁

Tags: laravel letsencrypt haproxy

Devin Yang

Feel free to ask me, if you don't get it.:)

Follow

No Comment

Post your comment

Login is required to leave comments

Similar Stories


城堡
web-hosting,laravel

Zhibang installs Laravel 5.4 experience sharing

Install Laravel 5.4 on Zhibang's Linux 7.0 platform, and successfully execute the case sharing, Because it was originally an old version of PHP, it can be transferred to the new version for free for the first time, So please ask them to open a test php 7.0 environment for us to test, after small adjustments, Laravel's environment can indeed be executed on Accton's managed host. This article introduces how I successfully implemented Laravel's website process in Zhibang.

城堡
laravel,trait,php

My Browser Trait, webp image file support function detection and whether it is a mobile phone detection

I believe that many people are familiar with PHP trait, because Laravel can be seen everywhere, but I still write it and share it with those who are destined. PHP trait allows two different CLASS to use the same method. It not only reduces the complexity, but also allows the code to be reused. So it should be very convenient to put a Browser series function on Laravel's ViewServiceProvider 😝

城堡
laravel,sftp

Use Laravel's Storage SFTP Drvier for remote file upload

Why do I separate the front and back of the website? My idea is very simple, that is to rely on a set of background to control all the website data in the foreground. Assuming that the front-end website is a pure marketing website, it is nothing more than the subject content, just like the article above, without any particularly complicated logic. Therefore, it is enough to set up the backend database and connect different frontends. Then there is the last question, how can my backend HTML editor post pictures directly to the frontend? Laravel's Storage SFT Driver is a good antidote.