b657776892
P1.1 - Enable HTTPS in HAProxy for production: - HTTP to HTTPS redirect (301) - HTTPS frontend on port 443 with veza.pem - config/ssl/ structure with README and generate-ssl-cert.sh - docker-compose.prod.yml volume for certs P1.3 - Restrict HAProxy stats to internal network: - ACL from_internal (127.0.0.1, 172.20.0.0/16) - stats admin if from_internal Also: remove errorfile directives (use HAProxy built-in defaults)
24 lines
845 B
Markdown
24 lines
845 B
Markdown
# HAProxy Configuration
|
|
|
|
## Production (haproxy.cfg)
|
|
|
|
- **HTTP (port 80)**: Redirects all traffic to HTTPS (301)
|
|
- **HTTPS (port 443)**: Serves traffic with TLS. Certificates from `config/ssl/` mounted at `/etc/ssl/veza/`
|
|
- **Stats (port 8404)**: Restricted to localhost and Docker network (172.20.0.0/16)
|
|
|
|
## SSL Certificates
|
|
|
|
Before starting production, add at least one certificate to `config/ssl/`. See `config/ssl/README.md` for instructions.
|
|
|
|
For quick local testing with self-signed cert:
|
|
|
|
```bash
|
|
cd config/ssl
|
|
openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
|
|
-keyout key.pem -out cert.pem -subj "/CN=veza.local"
|
|
cat cert.pem key.pem > veza.pem
|
|
```
|
|
|
|
## Development Without HTTPS
|
|
|
|
For local development without SSL, use `docker-compose.yml` (not prod) or create a `haproxy.dev.cfg` that omits the HTTPS frontend and HTTP redirect.
|