PHPENV's HAProxy environment is set up with free SSL certificate application

by Devin Yang
(This article was automatically translated.)

Published - 3 years ago ( Updated - 3 years ago )

PHPENV has added the support of haproxy.yml. If you have an external IP and domain name, you want to get HAProxy and certificate application
It should be quite simple through deviny/phpenv.
In this article, let us see how to use HAProxy in the HAProxy environment setting in PHPENV.

Practical operation, you can also check out my YouTube Note:

https://youtu.be/eI2oxakC6pA


In the phpenv directory, the content of the haproxy.yml file is as follows:

version: '3.6'
services:
 haproxy:
  build:
    context: ./dockerfiles
    dockerfile: Dockerfile-haproxy
  image: ${PROJECT}_haproxy
  ports:
    - ${HTTP_PORT-80}:80
    - ${HTTPS_PORT-443}:443
  volumes:
    - ./etc/haproxy:/etc/haproxy
    - ./etc/haproxy/proxy.pem:/etc/ssl/phpenv/proxy.pem
    - ./etc/ssl:/etc/letsencrypt
  #-f <configuration file|dir>
  #command: /usr/local/sbin/haproxy -f /etc/haproxy -d
  networks:
    - dlaravel_net

networks:
    dlaravel_net:

As you can see in this file, he will go to build, Dockerfile-haproxy under the dockerfiles directory, why use HAProxy, because its reload speed is super fast,
The user will hardly notice the change of the certificate, His function is really easy to use, different ACLs can lead to different hosts, and it is extremely stable.

In the HAProxy setting of phpenv, all .well-known/acme-challenge will hit the backend port 8080 of the local side.
Through this mechanism, we can allow all HAProxy backend hosts to apply for Let's encrypt certificates without creating folders.

The HAProxy environment configuration file in phpenv is very simple. We can customize the name and put it in the envs folder. The content is as follows, and the PROJECT name can be set according to our own preferences. 

DEFAULT=haproxy
PROJECT=ha
HTTP_PORT=80
HTTPS_PORT=443

In the above settings, DEFAULT= is specified, which means that when phpenv links to this configuration file, it will use haproxy.yml in the directory as its default YAML file.

So the first step, when we have created the PHPENV environment configuration file in envs, we can execute ./link once to link

In the second step, the image of the Build environment only needs to be executed once in the new environment.

Third Let’s start it and see it
We can start it through ./start and stop it through ./stop, and then check the startup status through ./console ps.

< p>If there is a problem with the startup, we can use the ./console up command to see if there is a problem

./console up

In the case that we have no certificate at all, we can enter the container and execute the following command to obtain a free SSL certificate

The following command can enter the HAProxy container

./console exec haproxy bash

After entering the container, you can use the following command to apply for a certificate

certbot certonly --standalone --http-01-port 8080 --email devin@ccc.tc \
--dry-run \
--agree-tos --preferred-challenges http \
-d <your domain>

The above --dry-run can be tested first. After confirming that there is no problem, remove --dry-run and run officially. If it fails too many times, it will be locked and will not be applied for.


We can copy the environment settings of the backend host through phpenv.cfg.example for adjustment and modification, and become phpenv.cfg.

in phpenv The backend must have a certificate file. If you use let's encrypt, you can combine fullchain.pem and privkey.pem into one file and save it as proxy.pem. 

  frontend phpenv
     mode http
     bind :443 ssl crt /etc/haproxy/proxy.pem alpn h2

     option forwardfor header X-Real-IP
     http-request add-header X-Real-IP %[src]
     http-request add-header X-Forwarded-For %[src]

     acl acme path_beg -i /.well-known/acme-challenge
     redirect scheme https code 301 if !{ ssl_fc } !acme

  acl SUBDOMAIN_url hdr_beg(host) -i SUBDOMAIN.duckdns.org

  use_backend SUBDOMAIN_server if SUBDOMAIN_url

  backend SUBDOMAIN_server
     mode http
     fullconn   10000
     cookie SITEID insert indirect nocache
     server SUBDOMAIN host.docker.internal:1050

In the above example, we can have many acls with use_backend and backend, leading to different backends.
If necessary, you can also have multiple certificate files at the same time. 

ind :443 ssl crt /etc/ssl/ccc.tc/ccc.tc.pem alpn h2,http/1.1 crt /etc/ssl/ccc.tc/demo.ccc.tc.pem alpn h2,http/1.1 crt /etc/ssl/ccc.tc/e-course.app.pem alpn h2,http/1.1


About the settings of multiple ACLs and backends, it looks like this:

frontend phpenv
   mode http
   bind :443 ssl crt /etc/haproxy/proxy.pem alpn h2

   option forwardfor header X-Real-IP
   http-request add-header X-Real-IP %[src]
   http-request add-header X-Forwarded-For %[src]

   acl acme path_beg -i /.well-known/acme-challenge
   redirect scheme https code 301 if !{ ssl_fc } !acme

acl a_url hdr_beg(host) -i aaa.ccc.tc
acl b_url hdr_beg(host) -i bbb.ccc.tc

use_backend a_server if a_url
use_backend b_server if b_url

#BACKEND A
backend a_server
   mode http
   fullconn   10000
   cookie SITEID insert indirect nocache
   server demo3tc-a host.docker.internal:1050

#BACKEND B
backend b_server
   mode http
   fullconn   10000
   cookie SITEID insert indirect nocache
   server demo3tc-a host.docker.internal:1051



By the way, phpenv can also perform tcp mapping, for example, as follows:

listen vscode
        bind *:8444
        option tcplog
        mode tcp
        acl network_allowed src 211.72.111.145 111.248.102.24
        tcp-request connection reject if !network_allowed
        server sagent 192.168.99.123:1443


The above are some environmental descriptions of phpenv's HAProxy, and I will add it when I have the opportunity. 😁

Tags: laravel letsencrypt haproxy

Devin Yang

Feel free to ask me, if you don't get it.:)

Follow

No Comment

Post your comment

Login is required to leave comments

Similar Stories


城堡
docker,laravel

It's super easy to build a Lravel development environment with Docker

Are you ready for the Laravel 5.5 system environment? laravel/framework 5.5.x-dev requires php >=7.0 -> your PHP version (5.6.30) does not satisfy that requirement. This article describes how to create a Laravel development environment using Docker. With the simple to explosive D-Laravel simple bash, Don't say that I can't set up a Laravel development environment.

城堡
dlaravel

How to start supervisor on D-Laravel

Since queue workers are a long-running program, we need a program manager supervisor to monitor whether the process on the Linux system is running continuously. For example, when the queue:work operation fails, the queue:work process can be automatically restarted. Fortunately, D-Laravel has a built-in supervisor, so you don't need to install it yourself to use it. This article briefly introduces how we start the supervisor in the container.

城堡
dlaravel

Use docker in docker to build a D-Laravel test environment.

D-Laravel is an extremely easy-to-use and extremely flexible Laravel development environment. As long as you are a Mac user, even if you don’t know Docker, you can use it to create Laravel projects and develop them. Due to the newly added .env function When it comes to functions, those who are in a hurry push, but there is no complete test, and a bunch of new bugs are created. Therefore, this time, a new dlaravel_test, a bash testing tool, is added to run the test through docker in docker. Make sure that every release of D-Laravel can be a stable version.