Docker Container with haproxy and certbot.
This will create the haproxy-certbot container. Note that only inbound ports 80 and 443 are published to the host.
docker run -d \
--restart=always \
--name haproxy-certbot \
-p 80:80 \
-p 443:443 \
-v /docker/haproxy/haproxy.cfg:/etc/haproxy/haproxy.cfg \
-v /docker/haproxy/letsencrypt:/etc/letsencrypt \
-v /docker/haproxy/certs.d:/etc/haproxy/certs.d \
boro/haproxy-certbot
Note the three volume mappings in the command above. They keep all persistent state (configuration, Let's Encrypt account data, certificates and private keys) on the host rather than inside the container, so it survives container removal and image upgrades.
/etc/haproxy/haproxy.cfg
- The location of the haproxy.cfg configuration file.
/etc/letsencrypt
- The directory in which Let's Encrypt stores its configuration, account credentials, certificates and private keys. Keep a backup of this directory in case the data is lost or corrupted; because it holds private keys, store the backup with the same access restrictions as the directory itself.
/etc/haproxy/certs.d
- The directory in which this container stores the processed certificates and keys from Let's Encrypt after they have been converted into the format HAProxy uses (certificate chain and private key concatenated into one PEM file per certificate). This happens automatically on every refresh and can also be triggered manually. This volume matters less than the previous one because its contents can be regenerated from the letsencrypt directory.
There are a handful of helper scripts that reduce the number of parameters needed to administer this container.
This adds a new certificate using a certbot configuration that is compatible with the haproxy config template below. After creating the certificate, run the refresh script described below so that HAProxy starts using it. Once the certificate has been added and the refresh script has run, no further action is needed; renewal is handled automatically.
This example assumes you named your haproxy-certbot container using the same name as above when it was created. If not, adjust appropriately.
# request certificate from let's encrypt
docker exec haproxy-certbot certbot-certonly \
--domain example.com \
--domain www.example.com \
--email user@domain.com \
--dry-run
# create/update haproxy formatted certs in certs.d and then restart haproxy
docker exec haproxy-certbot haproxy-refresh
After testing the setup, remove --dry-run to generate a live certificate. The dry run exercises the full ACME flow against the Let's Encrypt staging environment without issuing a trusted certificate, so port 80 reachability and the challenge handling can be debugged without consuming production rate limits.
Renewing happens automatically but should you choose to renew manually, you can do the following.
This example assumes you named your haproxy-certbot container using the same name as above when it was created. If not, adjust appropriately.
docker exec haproxy-certbot certbot-renew \
--dry-run
After testing the setup, remove --dry-run to renew a live certificate.
This parses the certificates found in the /etc/letsencrypt/live directory, concatenates each one individually into a PEM file in /etc/haproxy/certs.d, and then restarts the HAProxy service so that the new certificates are active.
When HAProxy is restarted, incoming connections are briefly queued using tc and libnl, so minimal to no interruption of the HAProxy service is expected.
See this blog entry for more details.
Note: this process runs automatically whenever the cron job renews the registered certificates.
docker exec haproxy-certbot haproxy-refresh
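The concatenation that haproxy-refresh performs can be reproduced in a few lines of POSIX sh. The following is an added example written for this page, not the script shipped in the image; it assumes certbot's standard live/<name>/fullchain.pem and privkey.pem layout, takes the two volume paths as arguments, and does not restart HAProxy.

```shell
#!/bin/sh
# Added example, not the image's own haproxy-refresh script: rebuild the
# HAProxy-format bundles that certs.d holds from a certbot "live" tree.
# HAProxy's "crt" directive expects, per certificate, one PEM file containing
# the certificate chain followed by the private key, which is exactly what
# concatenating certbot's fullchain.pem and privkey.pem produces.

# rebuild_haproxy_certs LIVE_DIR CERTS_DIR
# Writes CERTS_DIR/<name>.pem for every LIVE_DIR/<name>/ that contains both
# fullchain.pem and privkey.pem. Prints the number of bundles written and
# returns non-zero if any certificate directory was skipped as incomplete.
rebuild_haproxy_certs() {
    live=$1
    out=$2
    written=0
    skipped=0
    saved_umask=$(umask)
    umask 077                            # bundles contain private keys
    mkdir -p "$out"
    for dir in "$live"/*/; do
        [ -d "$dir" ] || continue        # no subdirectories: glob stayed literal
        name=$(basename "$dir")          # e.g. example.com
        chain="$dir/fullchain.pem"
        key="$dir/privkey.pem"
        if [ ! -s "$chain" ] || [ ! -s "$key" ]; then
            echo "skipping $name: fullchain.pem or privkey.pem missing" >&2
            skipped=$((skipped + 1))
            continue
        fi
        # Build the bundle in a temporary file and rename it into place so a
        # concurrent HAProxy reload never reads a half-written PEM.
        tmp="$out/.$name.pem.tmp"
        cat "$chain" "$key" > "$tmp"
        chmod 600 "$tmp"
        mv -f "$tmp" "$out/$name.pem"
        written=$((written + 1))
    done
    umask "$saved_umask"
    echo "$written"
    [ "$skipped" -eq 0 ]
}

# Usage inside the container, mirroring what haproxy-refresh does before it
# restarts HAProxy (the two paths are the volumes mounted above):
#   rebuild_haproxy_certs /etc/letsencrypt/live /etc/haproxy/certs.d
```

The temp-file-and-rename step is the part worth keeping if you adapt this: HAProxy reads every file in certs.d at reload, and a partially written bundle fails the reload for all certificates, not just the one being updated.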
HAProxy can be configured by setting the following environment variables, either on the docker run command line or in a docker-compose.yml file.
CERTBOT_ENABLED
Enable or disable running certbot to generate and configure Let's Encrypt TLS certificates automatically - default false
CERTBOT_EMAIL
Email address used by Let's Encrypt for expiry and other notifications; required when certbot is enabled - default: empty
CERTBOT_HOSTNAME
Hostname(s) to request a certificate for. Multiple hostnames are separated by a single space, tab or newline - default: empty
STATS_PORT
The port to bind the statistics page to - default 1936
STATS_AUTH
The credentials for the statistics page, written as user:password - default admin:admin. Change this before publishing the statistics port: the default is identical in every deployment of this image. (The docker run command above does not publish the statistics port.)
FRONTEND_NAME
The label of the frontend - default http-frontend
FRONTEND_HTTP_PORT
The port the HTTP frontend binds to - default 80
FRONTEND_HTTPS_PORT
The port the HTTPS frontend binds to - default 443
REDIRECT_TO_HTTPS
Redirect HTTP traffic to HTTPS - default false
FRONTEND_MODE
Frontend mode - default http
DNS_HOLD_VALID
How long the last DNS resolution is cached before another lookup is made - default 10s
PROXY_PROTOCOL_ENABLED
Enable or disable accepting the PROXY protocol (true enables it; false or any other value disables it) - default false
COOKIES_ENABLED
Enable or disable cookie-based sticky sessions (true enables it; false or any other value disables it) - default false
BACKEND_NAME
The label of the backend - default http-backend
BACKENDS
The list of server_ip:server_listening_port entries to be load-balanced by HAProxy, separated by a single space - default: not set
BACKENDS_PORT
Port to use for BACKENDS entries specified without a port - default 80
BACKENDS_MODE
Backend mode - default http
BACKEND_HTTP_REUSE
Value of the backend's http-reuse directive - default safe
BACKEND_HTTP_NO_DELAY
Enable the backend's http-no-delay option - default false
FRONTEND_OPTIONS
Additional line(s) to be added to the frontend block - default: blank
BACKEND_OPTIONS
Additional line(s) to be added to the backend block - default: blank
BALANCE
The load-balancing algorithm - default roundrobin
SERVICE_NAMES
An optional space-separated list of name prefixes of services to include when discovering services - default: not set
LOGGING
Override the logging destination as ip_address:port - default is udp to 127.0.0.1:514 inside the container
LOG_LEVEL
The haproxy log level - default notice (only send important events). One of: emerg, alert, crit, err, warning, notice, info, debug
TIMEOUT_CONNECT
Maximum time to wait for a connection attempt to a server to succeed - default 5s
TIMEOUT_CLIENT
Maximum inactivity time on the client side - default 50s
TIMEOUT_SERVER
Maximum inactivity time on the server side - default 50s
TIMEOUT_HTTP_REQUEST
Maximum time to wait for a complete HTTP request - default 10s. Keeping this bounded limits how long a client can hold a connection open by sending headers slowly.
TIMEOUT_HTTP_KEEP_ALIVE
Maximum time to wait for a new HTTP request on a kept-alive connection - default 2s
TIMEOUT_QUEUE
Maximum time to wait in the queue for a connection slot to become free - default 5s
TIMEOUT_TUNNEL
Maximum inactivity time on the client and server side for tunnels - default 2m
TIMEOUT_CLIENT_FIN
Inactivity timeout on the client side for half-closed connections - default 1s
TIMEOUT_SERVER_FIN
Inactivity timeout on the server side for half-closed connections - default 1s
HTTPCHECK
The HTTP method and URI used to check server health - default meth HEAD uri / ver HTTP/1.1
HTTPCHECK_EXPECT
The expect rule for the HTTP health check - default status 200
INTER
Interval between two consecutive health checks - default 2s
FAST_INTER
Interval between two consecutive health checks while a server is in a transition state (UP but transitionally DOWN, or DOWN but transitionally UP) - default: the value of INTER
DOWN_INTER
Interval between two consecutive health checks while a server is in the DOWN state - default: the value of INTER
RISE
Number of consecutive successful health checks before a server is considered UP - default 2
FALL
Number of consecutive failed health checks before a server is considered DOWN - default 3
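Several of the variables above have formats or defaults that only bite after the container is running (a default STATS_AUTH, a backend with a non-numeric port, a misspelled LOG_LEVEL, certbot enabled without an email or hostname). The following POSIX sh lint is an added example for this page, not a script shipped with the image; it assumes the variables have been exported into the shell on the host (for instance from the .env file a docker-compose.yml reads) before docker run or docker-compose up.

```shell
#!/bin/sh
# Added example, not part of the haproxy-certbot image: lint the container's
# environment variables on the host before starting the container.

# check_haproxy_env: reads STATS_AUTH, BACKENDS, LOG_LEVEL and the CERTBOT_*
# variables from the environment, prints one line per problem to stderr and
# returns the number of problems found (0 means clean). The rules encode the
# variable table above: STATS_AUTH defaults to admin:admin, BACKENDS entries
# are host:port (or bare host, port then comes from BACKENDS_PORT), LOG_LEVEL
# is a syslog level, and certbot needs both an email and a hostname.
check_haproxy_env() {
    problems=0
    env_problem() { echo "env check: $1" >&2; problems=$((problems + 1)); }

    # The default statistics credentials are the same in every deployment of
    # this image, so treat them as no credentials at all.
    case "${STATS_AUTH:-admin:admin}" in
        admin:admin) env_problem "STATS_AUTH still uses the default admin:admin" ;;
        *:*) ;;
        *) env_problem "STATS_AUTH must be written as user:password" ;;
    esac

    if [ -z "${BACKENDS:-}" ]; then
        env_problem "BACKENDS is not set; HAProxy has nothing to load-balance"
    fi
    for b in ${BACKENDS:-}; do
        case "$b" in
            *:*) port=${b##*:}
                 case "$port" in
                     ''|*[!0-9]*) env_problem "BACKENDS entry '$b' has a non-numeric port" ;;
                 esac ;;
        esac
    done

    case "${LOG_LEVEL:-notice}" in
        emerg|alert|crit|err|warning|notice|info|debug) ;;
        *) env_problem "LOG_LEVEL '${LOG_LEVEL:-}' is not a syslog level" ;;
    esac

    if [ "${CERTBOT_ENABLED:-false}" = true ]; then
        [ -n "${CERTBOT_EMAIL:-}" ] || env_problem "CERTBOT_ENABLED=true requires CERTBOT_EMAIL"
        [ -n "${CERTBOT_HOSTNAME:-}" ] || env_problem "CERTBOT_ENABLED=true requires CERTBOT_HOSTNAME"
    fi

    return "$problems"
}

# Typical use on the host, assuming a .env file in the compose convention:
#   set -a; . ./.env; set +a
#   check_haproxy_env || { echo "fix the environment before starting"; exit 1; }
```

The return value doubles as the problem count, so a wrapper script can both gate on it and report it; for more than 255 problems the count would wrap, which is not a realistic concern for a dozen variables.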