Create SSL certificates on the fly with HAProxy. With the help of Lua the certificate is generated dynamically and transparently on the first request.

- Internal domains (HTTPS-only)
  - No wildcard certs possible, because of the domain structure with multiple different (sub)levels
- Internal Root-CA which creates the certs and is imported in clients (browsers etc.)

Tested with (at least) the following HAProxy LTS releases: 2.4.0, 2.2.0

- HAProxy configs: Link
- LUA script(s): Link
- Install docker and docker-compose
- Build all container images from `dockerfiles/` (`make build`)
- Choose your certificate generation method: `export GET_CERT_METHOD=localca` or `export GET_CERT_METHOD=http`
  - "get_cert_method"
- `docker-compose up -d`
- `docker-compose logs -f haproxy`
- Direct your domain(s) to 127.0.0.1
- Certificates should now be generated on the fly; the client/browser should not display any warning
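Added example (not the project's own Lua or scripts): the issuance step an internal Root-CA performs for the `localca` method, one non-wildcard leaf per (sub)domain signed by the CA and bundled into the single PEM file HAProxy loads, plus the hostname check a client does after importing the Root-CA. The demo CA, the `$WORK` directory and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not the project's own script: the per-domain issuance step an
# internal Root-CA performs for the "localca" method. Assumptions: the CA key and
# cert live in $WORK, and HAProxy loads one PEM file holding key + leaf + chain.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Constructed demo Root-CA. In a real deployment this is the internal CA whose
# certificate is imported into the clients (browsers etc.).
make_demo_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Internal Demo Root CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
}

# issue_cert DOMAIN: issue one non-wildcard leaf cert for exactly this name
# and print the path of the HAProxy-ready PEM bundle.
issue_cert() {
    domain="$1"
    # The name comes from the client's SNI: reject anything that is not a
    # plain hostname before it reaches openssl or the filesystem.
    case "$domain" in
        ""|*[!a-zA-Z0-9.-]*|.*|*..*) echo "invalid domain: $domain" >&2; return 1 ;;
    esac
    ext="$WORK/$domain.ext"
    # SAN is what browsers validate; mark the leaf as non-CA and server-only.
    printf 'subjectAltName=DNS:%s\nbasicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' \
        "$domain" > "$ext"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$domain" \
        -keyout "$WORK/$domain.key" -out "$WORK/$domain.csr" >/dev/null 2>&1
    # Short validity keeps the damage of a leaked leaf key small.
    openssl x509 -req -in "$WORK/$domain.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 30 -extfile "$ext" -out "$WORK/$domain.crt" >/dev/null 2>&1
    # HAProxy's crt directive reads key, leaf and chain from one PEM file.
    cat "$WORK/$domain.key" "$WORK/$domain.crt" "$WORK/ca.crt" > "$WORK/$domain.pem"
    echo "$WORK/$domain.pem"
}

# verify_cert CERTFILE HOSTNAME: chain and hostname check against the demo CA,
# the same check a client performs after importing the Root-CA.
verify_cert() {
    openssl verify -CAfile "$WORK/ca.crt" -verify_hostname "$2" "$1" >/dev/null 2>&1
}
```

Point the `crt` directive of the HAProxy `bind` line at the directory holding the generated `.pem` files; HAProxy then selects the matching file by SNI.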
- Concurrency testing (Vegeta)
- DOC: Using an Intermediate CA with X.509 Name Constraints
- HAProxy multiple instances example for non-docker systems (maybe through systemd)

- Locking mechanism
  - since HAProxy 1.8:
    - Currently used: HAProxy maps + get/set via Lua
    - Future: Use HAProxy stick-tables + get/set via Lua (maybe possible with HAProxy 1.9 ('get' is possible with 1.9: https://www.arpalert.org/src/haproxy-lua-api/1.9dev/index.html#sticktable-class), or connect with a TCP socket to the local HAProxy socket to execute commands)
- Load an index of all existing certs in memory on HAProxy startup (Lua + HAProxy stick-tables or Lua + HAProxy maps). Would save the filesystem lookups (maybe not an improvement at all because of the already existing filesystem cache)
- Use `luaossl` directly instead of the openssl binary
- Do not start HAProxy as root (execute `supervisorctl` via sudo as the haproxy user)
- Docker-specific: Mount a (host-)volume for the certs. If the container is destroyed, the certs don't have to be generated again
- Auth-header (token or something) for the HTTP method
- Implement haproxy reload? (through supervisor?) - maybe faster than a restart
  - maybe try supervisor + `-W` from haproxy
- Docker-specific: Two separate containers for the HAProxys (then maybe mount a volume with the certs into both containers)
- Install bats: `sudo apt-get update && sudo apt-get -y install bats`
- `make test`
- Run a specific test: `bats tests/$FILE.bats`

- TimWolla/haproxy-auth-request: https://github.com/TimWolla/haproxy-auth-request/blob/master/auth-request.lua