# 3. Routing - HAProxy

We want to route web traffic to the different jails, so the absolute first jail I set up is the HAProxy jail.

This will not only contain the proxy server but also all the SSL certificates, meaning they are managed in one place (all the other web servers can simply listen on port 80).

Start by opening a shell in TrueNAS and modify the following commands to your distro, IP and needs:

root@truenas[~]# iocage create -n haproxy.yourdomain.com -b -r 13.1-RELEASE

root@truenas[~]# iocage set ip4_addr="em0|192.168.5.20/24" haproxy.yourdomain.com

root@truenas[~]# iocage set defaultrouter=192.168.5.1 haproxy.yourdomain.com

Then head over to your jails and you should have a haproxy.yourdomain.com that you can fire up and enter its shell. Install certbot, haproxy and your favourite text editor (I prefer vim-tiny)

# pkg install py38-certbot haproxy vim-tiny

then edit the following:

vim /etc/periodic.conf

enable weekly:

weekly_certbot_enable="YES"

then to edit the haproxy config

vim /usr/local/etc/haproxy.conf

and modify to your needs. Note that the backend `server` lines must point at the jails that host each site, not at the HAProxy jail itself: as written, the `cloud` backend uses 192.168.5.20, which is the address given to the HAProxy jail in the iocage command above, so HAProxy would be forwarding to its own port 80 (and its own HTTPS redirect). The `check-ssl verify none` options only matter for TLS health checks against a TLS backend; with the backends listening on plain HTTP port 80 they are likely unnecessary.

global
maxconn 4096
user haproxy
group haproxy
daemon

defaults
timeout client 5s
timeout server 5s
timeout connect 5s
mode http

#Frontend configuration for HTTP and HTTPS
#Listens on port 80 and 443 (IPv4 and IPv6); plain HTTP is redirected to HTTPS
frontend web
bind :80
bind :443 ssl crt /usr/local/etc/certs
http-request redirect scheme https unless { ssl_fc }
http-request set-header X-Forwarded-Proto https if { ssl_fc }
http-request set-header X-Forwarded-Proto http if !{ ssl_fc }
mode http

#ACL for detecting Let's Encrypt validation requests
acl is_certbot path_beg /.well-known/acme-challenge/
use backend backend-certbot if is_certbot
acl cloud_url hdr(host) -i cloud.yourdomain.com
acl somewebsite_url hdr(host) -i somewebsite.yourdomain.com www.somewebsite.yourdomain.com
#...etc...

use_backend cloud if cloud_url
use_backend somewebsite if somewebsite_url
#...etc...

backend cloud
mode http
server cloud 192.168.5.20:80 check-ssl verify none

backend somewebsite
mode http
server somewebsite 192.168.5.40:80 check-ssl verify none
#...etc...

# Certbot backend
# Contains certbot stand-alone webserver
backend backend-certbot
mode http

server certbot 127.0.0.1:8888

Add your certificates. The `backend-certbot` entry above forwards ACME validation requests to 127.0.0.1:8888, so add `--http-01-port 8888` to these commands: certbot's standalone server defaults to port 80, which HAProxy occupies once it is running, and without that option the weekly renewals will fail.

#certbot certonly --standalone -d cloud.yourdomain.com
#certbot certonly --standalone -d somewebsite.yourdomain.com
#certbot certonly --standalone -d www.somewebsite.yourdomain.com

Create your certs folder

mkdir /usr/local/etc/certs

Copy the certificates (we will automate this later). The combined file contains the private key, so restrict its permissions afterwards (e.g. `chmod 600`) rather than leaving it with the default, typically world-readable, mode.

cat /usr/local/etc/letsencrypt/live/cloud.yourdomain.com/fullchain.pem /usr/local/etc/letsencrypt/live/cloud.yourdomain.com/privkey.pem > /usr/local/etc/certs/cloud.yourdomain.com.pem

cat /usr/local/etc/letsencrypt/live/somewebsite.yourdomain.com/fullchain.pem /usr/local/etc/letsencrypt/live/somewebsite.yourdomain.com/privkey.pem > /usr/local/etc/certs/somewebsite.yourdomain.com.pem

cat /usr/local/etc/letsencrypt/live/www.somewebsite.yourdomain.com/fullchain.pem /usr/local/etc/letsencrypt/live/www.somewebsite.yourdomain.com/privkey.pem > /usr/local/etc/certs/www.somewebsite.yourdomain.com.pem

Don't forget to modify your /etc/rc.conf to enable haproxy:

haproxy_enable="YES"

Then finally:

#service haproxy restart