# HAProxy with Certbot

Repository: https://github.com/nmarus/docker-haproxy-certbot (owner nmarus; language: Shell; 47 stars, 47 forks, 5 open issues; default branch `master`; created 2016-09-05, last pushed 2021-07-09; no license file in the repository; listed at https://awesome.ecosyste.ms/projects/github.com%2Fnmarus%2Fdocker-haproxy-certbot).

Docker Container with haproxy and certbot. HAProxy is set up to use a zero-downtime
reload method that queues new inbound connections while the HAProxy service is bounced as new
certificates are added or existing certificates are refreshed.

#### Usage

First some terminology... HAProxy is a reverse proxy and load balancer, among other
things. Let's Encrypt is a service that issues and renews TLS (SSL)
certificates at no cost through an API, with automated domain validation.
Certbot is a Linux CLI tool for interfacing with the Let's Encrypt API.

Certbot contains its own HTTP/HTTPS server and handles the authorization process
with Let's Encrypt. This container is set up so that HAProxy
routes the Let's Encrypt validation callbacks to the certbot HTTP
server while all other requests are directed to the backend server(s).
This configuration of HAProxy also performs all the TLS termination, so that
your backend server(s) do not require a TLS configuration or certificates to be
installed.

In order to use this in your environment, you must point all your TLS-enabled
domains to the IP address of this container. This means updating the A records
for these domains with your DNS provider. This includes the website name and all
alternate names (i.e. example.com and www.example.com). After this is set up,
an inbound request for your website(s) is initially received by HAProxy. If the
request is part of the Let's Encrypt validation process (a path under
`/.well-known/acme-challenge/`), it is forwarded to the local instance of certbot,
which listens on internal container ports 8080 and 8443. Otherwise the request is
passed through to a backend server (or servers) as defined in the haproxy.cfg file.
The details of HAProxy setup are out of the scope of this README, but some examples
are included below to get you started.

## Setup and Create Container

This will create the haproxy-certbot container. Note that only the inbound ports
80 and 443 are published to the host; certbot's internal ports 8080 and 8443 stay
inside the container. `NET_ADMIN` is needed because the zero-downtime reload
manipulates the container's network queueing discipline with `tc` (see the refresh
section below).

```bash
docker run -d \
  --restart=always \
  --name haproxy-certbot \
  --cap-add=NET_ADMIN \
  -p 80:80 \
  -p 443:443 \
  -v /docker/haproxy/config:/config \
  -v /docker/haproxy/letsencrypt:/etc/letsencrypt \
  -v /docker/haproxy/certs.d:/usr/local/etc/haproxy/certs.d \
  nmarus/haproxy-certbot
```

It is important to note the mapping of the 3 volumes in the above command. This
ensures that all persistent state (configuration, certificates and private keys)
lives on the host rather than in the container's writable layer, so it survives a
container rebuild.

The description of the 3 mapped volumes is as follows:

* `/config` - The configuration file location for haproxy.cfg
* `/etc/letsencrypt` - The directory where Let's Encrypt (certbot) stores its
  configuration, certificates and private keys. **It is of significant
  importance that you maintain a backup of this folder in the event the data is
  lost or corrupted.** Because it contains private keys, restrict access to the
  directory and protect the backup as carefully as the live copy.
* `/usr/local/etc/haproxy/certs.d` - The directory in which this container
  stores the processed certs/keys from Let's Encrypt after they have been
  converted into the format that HAProxy can use (certificate chain and private
  key concatenated into one PEM file). This is done automatically at
  each refresh and can also be manually initiated. This volume is not as
  important as the previous one, as the certs used by HAProxy can be regenerated
  from the contents of the letsencrypt folder.

## Container Helper Scripts

There are a handful of helper scripts to reduce the number of configuration
parameters needed to administer this container.

#### Add a New Cert

This will add a new cert using a certbot config that is compatible with the
haproxy config template below. After creating the cert, you should run the
refresh script referenced below to make haproxy pick it up. After adding
the cert and running the refresh script, no further action is needed.

***This example assumes you named your haproxy-certbot container using the same
name as above when it was created. If not, adjust appropriately.***

```bash
# request certificate from let's encrypt
docker exec haproxy-certbot certbot-certonly \
  --domain example.com \
  --domain www.example.com \
  --email nmarus@gmail.com \
  --dry-run

# create/update haproxy formatted certs in certs.d and then restart haproxy
docker exec haproxy-certbot haproxy-refresh
```

*After testing the setup, remove `--dry-run` to generate a live certificate. With
`--dry-run`, certbot talks to the Let's Encrypt staging environment and saves no
certificate, so the refresh step has nothing new to install until the live run.*

#### Renew a Cert

Renewing happens automatically, but should you choose to renew manually, you can
do the following.

***This example assumes you named your haproxy-certbot container using the same
name as above when it was created. If not, adjust appropriately.***

```bash
docker exec haproxy-certbot certbot-renew \
  --dry-run
```

*After testing the setup, remove `--dry-run` to refresh a live certificate*

#### Create/Refresh Certs used by HAProxy from Let's Encrypt

This will parse and individually concatenate all the certs found in the
`/etc/letsencrypt/live` directory into the folder
`/usr/local/etc/haproxy/certs.d`, one combined PEM file (certificate chain
followed by private key) per certificate name. It additionally restarts the
HAProxy service so that the new certs are active.

When HAProxy is restarted, the container queues new inbound connections using tc
and libnl for the duration of the reload, so little or no interruption of the
HAProxy service is expected.

See [this blog entry](https://engineeringblog.yelp.com/2015/04/true-zero-downtime-haproxy-reloads.html) for more details.

**Note: This process happens automatically whenever the cron job runs to refresh
the certificates that have been registered.**

```bash
docker exec haproxy-certbot haproxy-refresh
```

### Example haproxy.cfg

##### Using Cluster Backend

This example intercepts the Let's Encrypt validation requests and forwards them to
certbot. Normal traffic is passed to the backend servers. If the request arrives as
an HTTP request, it is redirected to HTTPS. If there is no certificate installed
for the requested website, haproxy will present a self-signed default
certificate. This behavior can be modified by adapting the haproxy config file
if so desired.

This example also does not do any routing based on the URL. It assumes that all
domains pointed to this haproxy instance exist on the same backend server(s).
The backend setup in this example consists of 3 web servers that haproxy will
load balance across. If there is only a single server, or a different quantity,
this can be adjusted in the backend configuration block. This specific example
would be a configuration that could be used in front of a PaaS cluster such
as Flynn.io or Tsuru.io (both of which have their own HTTP router in order to
direct the traffic to the required application).

Three things to check before copying this file as-is: the `stats` lines in
`defaults` are inherited by both public frontends, so the `/stats` page with the
`admin:haproxy` credentials is reachable from the internet; the `https_in` bind
overrides the global cipher list with one that still allows RC4 and 3DES and
excludes AES-GCM; and `reqadd` appends a header without removing a
client-supplied one, and is a HAProxy 1.x directive that was removed in 2.1.

```
global
  maxconn 1028

  log 127.0.0.1 local0
  log 127.0.0.1 local1 notice

  ca-base /etc/ssl/certs
  crt-base /etc/ssl/private

  ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
  ssl-default-bind-options no-sslv3

defaults
  option forwardfor

  log global

  timeout connect 5000ms
  timeout client 50000ms
  timeout server 50000ms

  # inherited by every frontend and backend below, including the public ones
  stats enable
  stats uri /stats
  stats realm Haproxy\ Statistics
  stats auth admin:haproxy

frontend http-in
  bind *:80
  mode http

  reqadd X-Forwarded-Proto:\ http

  # ACME HTTP-01 challenges go to certbot; everything else is sent to https
  acl letsencrypt_http_acl path_beg /.well-known/acme-challenge/
  redirect scheme https if !letsencrypt_http_acl
  use_backend letsencrypt_http if letsencrypt_http_acl

  default_backend my_http_backend

frontend https_in
  # default.pem is the self-signed fallback; certs.d holds the Let's Encrypt certs.
  # The per-bind cipher list below overrides the global one.
  bind *:443 ssl crt /usr/local/etc/haproxy/default.pem crt /usr/local/etc/haproxy/certs.d ciphers ECDHE-RSA-AES256-SHA:RC4-SHA:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM
  mode http

  reqadd X-Forwarded-Proto:\ https

  default_backend my_http_backend

backend letsencrypt_http
  mode http
  server letsencrypt_http_srv 127.0.0.1:8080

backend my_http_backend
  mode http
  balance leastconn
  option tcp-check
  option log-health-checks
  server server1 1.1.1.1:80 check port 80
  server server2 2.2.2.2:80 check port 80
  server server3 3.3.3.3:80 check port 80
```
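The refresh step described above turns certbot's per-name `fullchain.pem` and `privkey.pem` into one combined PEM per certificate in the directory HAProxy loads with `crt`. The POSIX shell functions below are an added illustration of that conversion and are not the project's `haproxy-refresh` script: they write each combined file with a private umask (the file contains the private key), skip live directories that are missing either half, replace the target atomically so a concurrent reload never reads a half-written PEM, and prune combined files whose live directory has gone away. The directory paths are parameters supplied by the caller; the inputs used to exercise them are constructed fakes, not real certificates.

```shell
#!/bin/sh
# Added example, not the project's haproxy-refresh script.
# HAProxy's "crt" directive expects the certificate chain followed by the
# private key in a single PEM file, so for every <live>/<name>/ this writes
# <out>/<name>.pem = fullchain.pem + privkey.pem.
#
# Usage: build_haproxy_certs /etc/letsencrypt/live /usr/local/etc/haproxy/certs.d

# Subshell body so the restrictive umask does not leak into the caller's shell.
build_haproxy_certs() (
  live="$1"   # certbot live tree, e.g. /etc/letsencrypt/live
  out="$2"    # HAProxy cert directory, e.g. /usr/local/etc/haproxy/certs.d
  umask 077   # combined files carry private keys: owner read/write only
  mkdir -p "$out" || return 1
  count=0
  for dir in "$live"/*/; do
    [ -d "$dir" ] || continue            # glob matched nothing (empty tree)
    name=$(basename "$dir")
    if [ ! -f "$dir/fullchain.pem" ] || [ ! -f "$dir/privkey.pem" ]; then
      echo "skipping $name: fullchain.pem or privkey.pem missing" >&2
      continue
    fi
    tmp="$out/.$name.pem.tmp"
    # Write to a temp file, then rename: rename is atomic, so a reload that
    # happens meanwhile sees either the old or the new file, never a partial one.
    cat "$dir/fullchain.pem" "$dir/privkey.pem" > "$tmp" || { rm -f "$tmp"; return 1; }
    mv -f "$tmp" "$out/$name.pem" || return 1
    count=$((count + 1))
  done
  echo "$count"                          # number of certificates installed
)

# Remove combined PEMs whose live directory no longer exists; otherwise a
# certificate deleted or revoked with certbot would keep being served.
prune_stale_certs() {
  live="$1"
  out="$2"
  removed=0
  for pem in "$out"/*.pem; do
    [ -f "$pem" ] || continue
    name=$(basename "$pem" .pem)
    if [ ! -d "$live/$name" ]; then
      rm -f "$pem" && removed=$((removed + 1))
    fi
  done
  echo "$removed"                        # number of stale files removed
}
```

After the files are rebuilt, the container's own reload step still has to run; the functions above only prepare the directory and are safe to run repeatedly.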
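As an added example, not the project's own haproxy.cfg, here is the same topology with the weak spots of the example above corrected for HAProxy 2.x: ACME challenges still reach certbot on 127.0.0.1:8080 and everything else on port 80 is redirected to HTTPS, but `X-Forwarded-Proto` is set with `http-request set-header` (which overwrites a client-supplied value, where `reqadd` only appended to it), the per-bind cipher override is dropped in favour of a forward-secret global list with TLS 1.2 as the minimum, and the stats page moves to its own `listen` section bound to the loopback interface. The backend addresses are the ones from the example; the stats port 8404 and the `CHANGE_ME` password are placeholders.

```haproxy
# Added example (not the project's haproxy.cfg): same topology, hardened for HAProxy 2.x.
global
  maxconn 1028
  log 127.0.0.1 local0
  log 127.0.0.1 local1 notice
  ca-base /etc/ssl/certs
  crt-base /etc/ssl/private
  # Forward-secret AEAD suites only; TLS 1.2 minimum. No RC4, 3DES or static RSA.
  ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305
  ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
  ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets

defaults
  mode http
  log global
  option forwardfor
  timeout connect 5000ms
  timeout client 50000ms
  timeout server 50000ms
  # No "stats" directives here: in "defaults" they would be inherited by the public frontends.

frontend http-in
  bind *:80
  acl letsencrypt_http_acl path_beg /.well-known/acme-challenge/
  # http-request rules are evaluated before use_backend, so the ACME exception
  # must be on the redirect itself or challenges would be bounced to https.
  http-request redirect scheme https code 301 unless letsencrypt_http_acl
  use_backend letsencrypt_http if letsencrypt_http_acl

frontend https_in
  # No per-bind "ciphers": the global list applies. default.pem is the self-signed fallback.
  bind *:443 ssl crt /usr/local/etc/haproxy/default.pem crt /usr/local/etc/haproxy/certs.d alpn h2,http/1.1
  # set-header replaces any client-supplied X-Forwarded-Proto; reqadd only appended to it.
  http-request set-header X-Forwarded-Proto https
  http-response set-header Strict-Transport-Security "max-age=63072000"
  default_backend my_http_backend

# Stats page reachable only from inside the container (loopback); the port and the
# password are placeholders, change them before use.
listen stats
  bind 127.0.0.1:8404
  stats enable
  stats uri /stats
  stats realm Haproxy\ Statistics
  stats auth admin:CHANGE_ME

backend letsencrypt_http
  server letsencrypt_http_srv 127.0.0.1:8080

backend my_http_backend
  balance leastconn
  option tcp-check
  option log-health-checks
  server server1 1.1.1.1:80 check port 80
  server server2 2.2.2.2:80 check port 80
  server server3 3.3.3.3:80 check port 80
```

Before triggering a reload, validate the file with `haproxy -c -f /config/haproxy.cfg` (run via `docker exec` against the container's `/config` mount, assuming the `haproxy` binary is on the container's PATH); a syntax error caught there costs nothing, while one caught during the reload leaves the old process serving until it is fixed.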