b103a09a25
- CI: workflows updates (cd, ci), remove playwright.yml - E2E: global-setup, auth/playlists/profile specs - Remove playwright-report and test-results artifacts from tracking - Backend: auth, handlers, services, workers, migrations - Frontend: components, features, vite config - Add e2e-results.json to gitignore - Docs: REMEDIATION_PROGRESS, audit archive - Rust: chat-server, stream-server updates
42 lines
1.2 KiB
Markdown
42 lines
1.2 KiB
Markdown
# HAProxy SSL Certificates
|
|
|
|
**Never commit private keys (`.key`) or certificate files (`.pem`) to git.**
|
|
|
|
This directory holds SSL certificates for HAProxy HTTPS. The files are gitignored.
|
|
|
|
## Generating Certificates Locally
|
|
|
|
### Self-Signed (Development/Staging)
|
|
|
|
From the repository root:
|
|
|
|
```bash
|
|
cd docker/haproxy/certs
|
|
openssl req -x509 -nodes -days 365 -newkey rsa:4096 \
|
|
-keyout veza.key -out veza.crt -subj "/CN=veza.local"
|
|
cat veza.crt veza.key > veza.pem
|
|
```
|
|
|
|
Or use the project script (creates in `config/ssl/` — copy to this dir if needed):
|
|
|
|
```bash
|
|
./scripts/generate-ssl-cert.sh veza.local
|
|
# Then: cp config/ssl/veza.pem config/ssl/key.pem config/ssl/cert.pem docker/haproxy/certs/
|
|
```
|
|
|
|
### Production (Let's Encrypt)
|
|
|
|
```bash
|
|
certbot certonly --standalone -d yourdomain.com
|
|
cat /etc/letsencrypt/live/yourdomain.com/fullchain.pem \
|
|
/etc/letsencrypt/live/yourdomain.com/privkey.pem > docker/haproxy/certs/veza.pem
|
|
```
|
|
|
|
## Certificate Rotation
|
|
|
|
If a private key may have been exposed:
|
|
|
|
1. Generate new certificate and key (commands above).
|
|
2. Replace `veza.pem`, `veza.key`, `veza.crt` in this directory.
|
|
3. Restart HAProxy.
|
|
4. Document rotation in `veza-docs/` if applicable.
|