b657776892
P1.1 - Enable HTTPS in HAProxy for production: - HTTP to HTTPS redirect (301) - HTTPS frontend on port 443 with veza.pem - config/ssl/ structure with README and generate-ssl-cert.sh - docker-compose.prod.yml volume for certs P1.3 - Restrict HAProxy stats to internal network: - ACL from_internal (127.0.0.1, 172.20.0.0/16) - stats admin if from_internal Also: remove errorfile directives (use HAProxy built-in defaults) |
||
|---|---|---|
| .. | ||
| haproxy.cfg | ||
| README.md | ||
HAProxy Configuration
Production (haproxy.cfg)
- HTTP (port 80): Redirects all traffic to HTTPS (301)
- HTTPS (port 443): Serves traffic with TLS. Certificates from
config/ssl/mounted at/etc/ssl/veza/ - Stats (port 8404): Restricted to localhost and Docker network (172.20.0.0/16)
SSL Certificates
Before starting production, add at least one certificate to config/ssl/. See config/ssl/README.md for instructions.
For quick local testing with self-signed cert:
cd config/ssl
openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
-keyout key.pem -out cert.pem -subj "/CN=veza.local"
cat cert.pem key.pem > veza.pem
Development Without HTTPS
For local development without SSL, use docker-compose.yml (not prod) or create a haproxy.dev.cfg that omits the HTTPS frontend and HTTP redirect.