HAProxy
Using HAProxy to proxy for Open Peer Power allows you to serve Open Peer Power securely over standard ports with HTTP to HTTPS redirection.
Install HAProxy on your server
This will vary depending on your OS. Check out Google for this.
Obtain an SSL certificate
There are multiple ways of obtaining an SSL certificate. Let’s Encrypt is one method. Use Google for this, but a good example of using Certbot can be found here.
HAProxy Configuration
The following configuration updates the HAProxy defaults with more secure SSL ciphers, logging, and connection timeouts.
Items to update for your deployment:
bind: Update the ports HAProxy listens on for forwarding.
subdomain.domain.com: Your domain to use.
ssl crt: The path to your SSL certificate.
server opp 127.0.0.1:8123: The IP and port location of your Open Peer Power instance.
```haproxy
global
    log /dev/log local0
    log /dev/log local1 notice
    chroot /var/lib/haproxy
    stats socket /run/haproxy/admin.sock mode 660 level admin
    stats timeout 30s
    user haproxy
    group haproxy
    daemon

    # Default SSL material locations
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private

    # Default ciphers to use on SSL-enabled listening sockets.
    # For more information, see ciphers(1SSL). This list is from:
    # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
    ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
    ssl-default-bind-options no-sslv3
    maxconn 2048
    tune.ssl.default-dh-param 2048

defaults
    log global
    mode http
    option httplog
    option dontlognull
    timeout connect 5000
    timeout client 50000
    timeout server 50000
    timeout tunnel 60000      # long enough for websocket pings every 55 seconds
    timeout http-request 5s   # protection from Slowloris attacks

frontend www-http
    bind *:80
    redirect scheme https

frontend www-https
    log /dev/log local0 debug
    bind *:443 ssl crt /etc/haproxy/certs/MYCERT.pem
    acl opp-acl hdr(host) -i SUBDOMAIN.DOMAIN.COM
    use_backend opp-backend if opp-acl

backend opp-backend
    server opp <OPEN_PEER_POWER_SERVER_IP>:8123
    mode http
    option forwardfor
    http-request add-header X-Forwarded-Proto https
    http-request add-header X-Forwarded-Port 443
```
Forward Ports
Forward ports 443 and (optionally) 80 to your server on your router.
Do not forward port 8123; HAProxy takes care of securing the connection with HTTPS on 443. If 8123 is forwarded, that traffic bypasses HAProxy and is not secured.
Replace 443 with whatever port you chose to bind to in the configuration, if different.
Configure Open Peer Power HTTP Component
In your configuration.yaml file, edit the HTTP component.
```yaml
http:
  # For extra security, set this so Open Peer Power only accepts connections on localhost
  # when HAProxy runs on the same machine.
  # server_host: 127.0.0.1
  # Update this line to be your domain
  base_url: https://example.com
  use_x_forwarded_for: true
  # You must set the trusted proxy IP address so that Open Peer Power will properly accept connections.
  # Set this to your HAProxy machine IP, or localhost if hosted on the same machine.
  trusted_proxies:
    - 127.0.0.1  # replace with the HAProxy machine IP if it is on a different host
```
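The reason `trusted_proxies` must be set alongside `use_x_forwarded_for` is that the `X-Forwarded-For` and `X-Forwarded-Proto` headers are plain request headers: any client that can reach port 8123 directly can send them, and a backend that believed them unconditionally would log and rate-limit the wrong address. The following is an added example, not Open Peer Power's or HAProxy's own code, showing the general rule a backend applies: forwarded headers are honoured only when the TCP peer is a trusted proxy, and the client address is taken by walking the `X-Forwarded-For` chain from the right (the entry HAProxy's `option forwardfor` appended) past any other trusted proxies. The function name `resolve_client` and the sample requests are constructed for this illustration.

```python
import ipaddress
from typing import Iterable, Mapping


def _in_any(ip: str, networks) -> bool:
    """True if ip (v4 or v6) falls inside any of the given networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def resolve_client(peer_ip: str, headers: Mapping[str, str],
                   trusted_proxies: Iterable[str], use_x_forwarded_for: bool) -> dict:
    """Decide which client address and scheme the backend should believe.

    peer_ip:           the TCP peer that connected to the backend (HAProxy, or a direct client)
    headers:           request headers; lookup here is case-insensitive
    trusted_proxies:   IPs or CIDRs (a bare IP is treated as a /32 or /128)
    use_x_forwarded_for: the backend setting of the same name
    """
    nets = [ipaddress.ip_network(p, strict=False) for p in trusted_proxies]
    hdr = {k.lower(): v for k, v in headers.items()}
    result = {"remote": peer_ip, "scheme": "http", "trusted_peer": False}

    # Direct connection, or forwarding disabled: the headers may be client-supplied, so ignore them.
    if not use_x_forwarded_for or not _in_any(peer_ip, nets):
        return result
    result["trusted_peer"] = True

    xff = hdr.get("x-forwarded-for")
    if xff:
        hops = [h.strip() for h in xff.split(",") if h.strip()]
        # Walk right to left: the rightmost entry was appended by our trusted proxy.
        # Entries that are themselves trusted proxies are skipped; the first untrusted
        # one is the real client. A malformed entry ends the walk and keeps peer_ip.
        for hop in reversed(hops):
            try:
                ipaddress.ip_address(hop)
            except ValueError:
                break
            if _in_any(hop, nets):
                continue
            result["remote"] = hop
            break

    proto = hdr.get("x-forwarded-proto")
    if proto:
        result["scheme"] = proto.split(",")[0].strip().lower()
    return result


if __name__ == "__main__":
    trusted = ["127.0.0.1"]
    # Constructed request 1: arrives through HAProxy on the same machine (client sent its own
    # bogus X-Forwarded-For; HAProxy appended the true address 203.0.113.5 on the right).
    via_proxy = resolve_client("127.0.0.1",
                               {"X-Forwarded-For": "10.0.0.1, 203.0.113.5",
                                "X-Forwarded-Proto": "https"}, trusted, True)
    # Constructed request 2: hit port 8123 directly with a spoofed header; headers are ignored.
    direct = resolve_client("203.0.113.7", {"X-Forwarded-For": "10.0.0.1"}, trusted, True)
    print(via_proxy)  # remote 203.0.113.5, scheme https
    print(direct)     # remote 203.0.113.7, scheme http
```

The two constructed requests in the `__main__` block illustrate both halves of the rule: with HAProxy as the peer the backend learns the real client address and that the original connection was HTTPS, while a direct connection to 8123 is attributed to the peer itself regardless of what headers it carries. This is also why the page says not to forward 8123 on the router: a client that reaches it directly does not pass through the trusted proxy at all.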
Restart or Reload HAProxy
Use your OS method of restarting or reloading HAProxy. Use Google for this.