§2024-06-04

Use HAProxy as load balancer.

MuneTakaNas_Allowed_Srv-01.png MuneTakaNas_Allowed_Srv-01.png

http://munetaka.me:80 ---> http://munetaka:8080 served by nginx

  1. Install nginx
$ sudo apt install -y nginx

1.01. back up /etc/nginx/nginx.conf; its (distro default) contents are:

alexlai@pi3HAProxy:~$ sudo cp -v /etc/nginx/nginx.conf /etc/nginx/nginx.conf.backup
'/etc/nginx/nginx.conf' -> '/etc/nginx/nginx.conf.backup'
# /etc/nginx/nginx.conf on the Ubuntu host (pi3HAProxy), unmodified distro
# default; a copy was saved as nginx.conf.backup before any change.
user www-data;
worker_processes auto;
pid /run/nginx.pid;
error_log /var/log/nginx/error.log;
include /etc/nginx/modules-enabled/*.conf;

events {
        worker_connections 768;
        # multi_accept on;
}

http {

        ##
        # Basic Settings
        ##

        sendfile on;
        tcp_nopush on;
        types_hash_max_size 2048;
        # server_tokens off;
        # NOTE(review): while the line above stays commented nginx keeps its
        # default and reports its version in the Server header and on error
        # pages; uncommenting it is the usual hardening step.

        # server_names_hash_bucket_size 64;
        # server_name_in_redirect off;

        include /etc/nginx/mime.types;
        default_type application/octet-stream;

        ##
        # SSL Settings
        ##

        ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
        # NOTE(review): TLSv1 and TLSv1.1 are deprecated (RFC 8996). This
        # only matters once a vhost terminates TLS itself (the 8080 vhost
        # does so from step 3.5 on); `ssl_protocols TLSv1.2 TLSv1.3;` is the
        # current baseline.
        ssl_prefer_server_ciphers on;

        ##
        # Logging Settings
        ##

        access_log /var/log/nginx/access.log;

        ##
        # Gzip Settings
        ##

        gzip on;

        # gzip_vary on;
        # gzip_proxied any;
        # gzip_comp_level 6;
        # gzip_buffers 16 8k;
        # gzip_http_version 1.1;
        # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

        ##
        # Virtual Host Configs
        ##

        include /etc/nginx/conf.d/*.conf;
        # sites-enabled/* is where the upstream-8088 symlink created in 1.02
        # is picked up; only files placed or linked there are active.
        include /etc/nginx/sites-enabled/*;
}


#mail {
#       # See sample authentication script at:
#       # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
#
#       # auth_http localhost/auth.php;
#       # pop3_capabilities "TOP" "USER";
#       # imap_capabilities "IMAP4rev1" "UIDPLUS";
#
#       server {
#               listen     localhost:110;
#               protocol   pop3;
#               proxy      on;
#       }
#
#       server {
#               listen     localhost:143;
#               protocol   imap;
#               proxy      on;
#       }
#}

1.01 create upstream-8088 in /etc/nginx/sites-available/ (the file symlinked in 1.02) with the server block below, followed by the index.html placed under its root:

# /etc/nginx/sites-available/upstream-8088 — the vhost HAProxy forwards to
# (backend http_back -> 127.0.0.1:8080).
server {
    # Plain HTTP on 8080 on every interface, not just loopback, so the port
    # is reachable directly if the host firewall allows it. Step 3.5 later
    # changes this to `listen 8080 ssl;`.
    # NOTE(review): HAProxy reaches it via 127.0.0.1 only, so
    # `listen 127.0.0.1:8080;` would keep it off the external interface.
    listen 8080;
    server_name localhost;

    location / {
        # Static test page only (the index.html that follows); no proxy_pass.
        root /usr/share/nginx/html/;
        index index.html;
    }
}
<!DOCTYPE html>
<html lang="en">
  <head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <meta http-equiv="X-UA-Compatible" content="ie=edge">
    <title>pi2Nginx.Munetaka.me</title>
    <!--
    <link rel="stylesheet" href="./style.css">
    <link rel="icon" href="./favicon.ico" type="image/x-icon">
    -->
    <style>
html { color-scheme: light dark; }
body { width: 85em; margin: 0 auto;
font-family: Tahoma, Verdana, Arial, sans-serif; }
table {
  width: 100%;
}
</style>
  </head>
  <body>
    <main>
        <h1>ようこそpi2Nginx.Munetaka.meへ Powered by Archlinux on a Raspberry Pi 3 Model B</h1>
    </main>
        <!-- <script src="index.js"></script> -->
      <h2>If you see this page, the nginx web server is successfully installed and working.</h2>
      <hr>
      <h3>Nginx Reverse Proxy Sites</h3>
           <table border = "1">
               <tr>
                    <th><a href="https://munetaka.me:43410" target="_blank">玉雪工作, h2nas03.yushei.com.tw:43410</a></th>
                    <th><a href="https://munetaka.me:43885" target="_blank">https://munetaka.me:43885 --> JupyterHub@chingyen.com.tw:42101</a></th>
                    <th><a href="https://munetaka.me:43883" target="_blank">https://munetaka.me:43883 --> JupyterHub@munetaka.me:42101</a></th>
               </tr>
               <tr>
                    <th><a href="https://munetaka.me:43888" target="_blank">Nginx Directory Listing, h2nas01.yushei.net:43888</a></th>
                    <th><a href="https://h2jammy.yushei.net:43889/" target="_blank">Caddy Directory Listing, Markdown, h2jammy.yushei.net:43889</a></th>
                    <th><a href="https://munetaka.me:47007" target="_blank">Marine Log,h2Jammy.yushei.net:47007</a></th>
               </tr>
               <tr>
                    <th><a href="https://munetaka.me:47015" target="_blank">Dragonfly28Raymarine,hc4nas02.yushei.net:47015</a></th>
                    <th><a href="https://munetaka.me:48001" target="_blank">pgAdmin4,h2Jammy.yushei.net:5050</a></th>
                    <th><a href="https://chatgpt.com/?oai-dm=1" target="_blank">ChatGPT</a></th>
               </tr>
               <tr>
                    <th><a href="https://munetaka.me:45103" target="_blank">Reverse Proxy NextCloud@hc4noble.yushei.net:45101</a></th>
                    <th><a href="https://munetaka.me:43103" target="_blank">Reverse Proxy NextCloud@hc4nas02.yushei.net:43101</a></th>
                    <th></th>
               </tr>

           </table>
      <hr>
      <h3>Local Area Network 192.168.0.0/26</h3>
           <table border = "1">
               <tr>
                    <th><a href="http://h2nas03.yushei.com.tw:43410" target="_blank">玉雪工作, h2nas03.yushei.com.tw:43410</a></th>
                    <th><a href="http://chingyen.com.tw:42101" target="_blank">JupyterHub@chingyen.com.tw:42101</a></th>
                    <th><a href="http://munetaka.me:42101" target="_blank">JupyterHub@munetaka.me:42101</a></th>
               </tr>
               <tr>
                    <th><a href="http://h2nas01.yushei.net:43888" target="_blank">Nginx Directory Listing, h2nas01.yushei.net:43888</a></th>
                    <th><a href="http://h2jammy.yushei.net:43889/" target="_blank">Caddy Directory Listing, Markdown, h2jammy.yushei.net:43889</a></th>
                    <th><a href="http://h2Jammy.yushei.net:47007" target="_blank">Marine Log,h2Jammy.yushei.net:47007</a></th>
               </tr>
               <tr>
                    <th><a href="http://hc4nas02.yushei.net:47015" target="_blank">Dragonfly28Raymarine,hc4nas02.yushei.net:47015</a></th>
                    <th><a href="http://h2Jammy.yushei.net:5050" target="_blank">pgAdmin4,h2Jammy.yushei.net:5050</a></th>
                    <th><a href="https://chatgpt.com/?oai-dm=1" target="_blank">ChatGPT</a></th>
               </tr>
               <tr>
                    <th><a href="http://hc4noble.yushei.net:45101" target="_blank">NextCloud@hc4noble.yushei.net:45101</a></th>
                    <th><a href="http://hc4nas02.yushei.net:43101" target="_blank">NextCloud@hc4nas02.yushei.net:43101</a></th>
                    <th></th>
               </tr>

           </table>
      <hr>
      <h3>日本語の勉強のために</h3>
          <table border = "1">
            <tr>
              <th><a href="https://www.asahi.com/rensai/list.html?id=61" target="_blank">天声人語一覧</a></th>
              <th><a href="https://sakura-paris.org/dict/" target="_blank">広辞苑無料検索</a></th>
              <th><a href="https://www.deepl.com/translator" target="_blank">Deepl 翻訳</a></th>
              <th><a href="https://translate.google.com/" target="_blank">Google 翻訳</a></th>
            </tr>
            <tr>
              <th><a href="http://nihongo.monash.edu/cgi-bin/wwwjdic?1C" target="_blank">Jim Breen</a></th>
              <th><a href="https://yomikatawa.com/" target="_blank">読み方は?</a></th>
              <th><a href="https://kids.gakken.co.jp/jiten/" target="_blank">キッズネット</a></th>
              <th><a href="https://globe.asahi.com/" target="_blank">Globe+TheAsahiShimbun</a></th>
            </tr>
            <tr>
              <th><a href="https://bunshun.jp/" target="_blank">週刊文春オンライン</a></th>
              <th><a href="https://www.navita.co.jp/" target="_blank">Navita,エリアから探す</a></th>
              <th><a href="https://www.navitime.co.jp/" target="_blank">Navitime,ナビタイムジャパン</a></th>
              <th><a href="https://dictionary.goo.ne.jp/word/%E3%81%92%E3%82%93%E3%81%AA%E3%82%8A/#jn-70590" target="_blank">goo 辞典</a></th>
            </tr>
            <tr>
              <th><a href="https://www.mapion.co.jp/m2/41.7773927,140.7404423,14" target="_blank">Mapion(マピオン)</a></th>
              <th><a href="https://dnschecker.org/" target="_blank">The DNS Checker</a></th>
              <th><a href="https://acnt.dual-d.net/cgi-bin/form.cgi?dict=daijrn" target="_blank">大辞林第三版</a></th>
              <th><a href="https://kotobank.jp/search?q=%E7%BD%B5%E8%A9%88%E9%9B%91%E8%A8%80&t=ja" target="_blank">コトバンク</a></th>
            </tr>
          </table>
      <hr>
      <h3>JavaScript ジャバスクリプトは人生を3倍に、人生謳歌しませんか</h3>
           <table border = "1">
               <tr>
                    <th>ドキュメント</th>
                    <th><a href="https://developer.mozilla.org/en-US/" target="_blank">mozilla.org</a></th>
                    <th><a href="https://tc39.es/ecma262/" target="_blank"> ECMA-262 / August 4, 2023</a></th>
                    <th><a href="https://eloquentjavascript.net/" target="_blank">Eloquent JavaScript/3rd edition (2018)</a></th>
               </tr>
           </table>
      <hr>
      <h3>ヨットは人生を3倍に、人生謳歌しませんか</h3>
           <table border = "1">
               <tr>
                    <th>Forecast</th>
                    <th><a href="https://windy.com/" target="_blank">Windy.com</a></th>
                    <th><a href="https://predictwind.com" target="_blank">Predictwind.com</a></th>
                    <th><a href="https://windguru.cz" target="_blank">windguru.cz</a></th>
               </tr>
               <tr>
                   <th>Chart</th>
                   <th><a href="https://map.openseamap.org/" target="_blank">OpenSeaMap, trip planner</a></th>
                   <th><a href="https://alpha.openseamap.org/" target="_blank">OpenSeaMap, Alpha </a></th>
                   <th><a href="https://www.openstreetmap.org/#map=8/23.611/120.768/" target="_blank">OpenStreetMap</a></th>
               </tr>
               <tr>
                   <th>Bali Catamaran</th>
                    <th><a href="https://www.bali-catamarans.com/en/bali-catamarans-compare/">Compare Bali Catamarans</a></th>
                   <th><a href="https://bali-catamarans.hr/en/models#" target="_blank">Bali Model Range </a></th>
                   <th><a href="https://bali-catamarans.hr/en/used-boats" target="_blank">Used Bali</a></th>
               </tr>
          </table>
      <hr>
          <p>For online documentation and support please refer to
            <a href="http://nginx.org/">nginx.org</a>
            Commercial support is available at
            <a href="http://nginx.com/">nginx.com</a>.<em>Thank you for using nginx.</em></p>
  </body>
</html>

1.02 create a symlink in /etc/nginx/sites-enabled/

root@pi3HAProxy:/etc/nginx/sites-enabled# ln -sf /etc/nginx/sites-available/upstream-8088 upstream-8088
root@pi3HAProxy:/etc/nginx/sites-enabled# ls -l
total 0
lrwxrwxrwx 1 root root 34 Jun  4 19:11 default -> /etc/nginx/sites-available/default
lrwxrwxrwx 1 root root 40 Jun  4 19:34 upstream-8088 -> /etc/nginx/sites-available/upstream-8088

1.03. restart nginx and check its status

root@pi3HAProxy:/etc/nginx/sites-enabled# systemctl restart nginx
root@pi3HAProxy:/etc/nginx/sites-enabled# systemctl status  nginx
● nginx.service - A high performance web server and a reverse proxy server
     Loaded: loaded (/usr/lib/systemd/system/nginx.service; enabled; preset: enabled)
     Active: active (running) since Tue 2024-06-04 19:35:48 CST; 5s ago
       Docs: man:nginx(8)
    Process: 1543 ExecStartPre=/usr/sbin/nginx -t -q -g daemon on; master_process on; (code=exited, status=0/SUCCESS)
    Process: 1545 ExecStart=/usr/sbin/nginx -g daemon on; master_process on; (code=exited, status=0/SUCCESS)
   Main PID: 1546 (nginx)
      Tasks: 5 (limit: 710)
     Memory: 3.5M (peak: 4.1M)
        CPU: 181ms
     CGroup: /system.slice/nginx.service
             ├─1546 "nginx: master process /usr/sbin/nginx -g daemon on; master_process on;"
             ├─1547 "nginx: worker process"
             ├─1548 "nginx: worker process"
             ├─1549 "nginx: worker process"
             └─1550 "nginx: worker process"

Jun 04 19:35:48 pi3HAProxy.munetaka.me systemd[1]: Starting nginx.service - A high performance web server and a reverse proxy server...
Jun 04 19:35:48 pi3HAProxy.munetaka.me systemd[1]: Started nginx.service - A high performance web server and a reverse proxy server.
 

1.04 test

munetaka.me_8080.png

  2. Set up HAProxy as the load balancer,

2.1. install HAProxy

 $ sudo apt install -y haproxy

2.2. backup

# sudo cp -v /etc/haproxy/haproxy.cfg /etc/haproxy/haproxy.cfg.backup
'/etc/haproxy/haproxy.cfg' -> '/etc/haproxy/haproxy.cfg.backup'

2.2. /etc/haproxy/haproxy.cfg as,

# /etc/haproxy/haproxy.cfg (Ubuntu host): plain-HTTP frontend on :80 handing
# everything to the local nginx vhost on 127.0.0.1:8080.
global
    log /dev/log    local0
    log /dev/log    local1 notice
    # Jail directory; it must exist or startup fails with
    # "Cannot chroot(/var/lib/haproxy)" (see the recovery note further down).
    chroot /var/lib/haproxy
    # Runtime API socket with full admin rights. mode 660 keeps other local
    # users out; ownership follows the creating process unless `user`/`group`
    # are given on this line — verify with `ls -l /run/haproxy/admin.sock`.
    stats socket /run/haproxy/admin.sock mode 660 level admin
    stats timeout 30s
    user haproxy
    group haproxy
    daemon

defaults
    log     global
    mode    http
    option  httplog
    option  dontlognull
    # Timeouts are in milliseconds when no unit is given.
    timeout connect 5000
    timeout client  50000
    timeout server  50000
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 404 /etc/haproxy/errors/404.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http

frontend http_front
    # All interfaces, plain HTTP; replaced by https_front in step 3.1.
    bind *:80
    default_backend http_back

backend http_back
    # `check` enables periodic health checks against nginx; with a single
    # backend server it mainly makes an outage visible in stats and logs.
    server nginx_server 127.0.0.1:8080 check

2.3. validate the config, then restart

root@pi3HAProxy:/etc/nginx/sites-enabled# haproxy -c -f /etc/haproxy/haproxy.cfg
Configuration file is valid
root@pi3HAProxy:/etc/nginx/sites-enabled# systemctl restart haproxy
root@pi3HAProxy:/etc/nginx/sites-enabled# systemctl status haproxy
● haproxy.service - HAProxy Load Balancer
     Loaded: loaded (/usr/lib/systemd/system/haproxy.service; enabled; preset: enabled)
     Active: active (running) since Tue 2024-06-04 19:49:58 CST; 6s ago
       Docs: man:haproxy(1)
             file:/usr/share/doc/haproxy/configuration.txt.gz
   Main PID: 1964 (haproxy)
     Status: "Ready."
      Tasks: 5 (limit: 710)
     Memory: 39.3M (peak: 40.0M)
        CPU: 770ms
     CGroup: /system.slice/haproxy.service
             ├─1964 /usr/sbin/haproxy -Ws -f /etc/haproxy/haproxy.cfg -p /run/haproxy.pid -S /run/haproxy-master.sock
             └─1966 /usr/sbin/haproxy -Ws -f /etc/haproxy/haproxy.cfg -p /run/haproxy.pid -S /run/haproxy-master.sock

Jun 04 19:49:58 pi3HAProxy.munetaka.me systemd[1]: Starting haproxy.service - HAProxy Load Balancer...
Jun 04 19:49:58 pi3HAProxy.munetaka.me haproxy[1964]: [NOTICE]   (1964) : New worker (1966) forked
Jun 04 19:49:58 pi3HAProxy.munetaka.me haproxy[1964]: [NOTICE]   (1964) : Loading success.
Jun 04 19:49:58 pi3HAProxy.munetaka.me systemd[1]: Started haproxy.service - HAProxy Load Balancer.

--

Below: kept for record

for Arch Linux operation (pi2NginxMuNeTaka)

$ sudo mkdir /run/haproxy
$ sudo chown -R haproxy:haproxy /run/haproxy
[root@pi2NginxMuNeTaka alexlai]# systemctl restart haproxy
[root@pi2NginxMuNeTaka alexlai]# systemctl status  haproxy
● haproxy.service - HAProxy Load Balancer
     Loaded: loaded (/usr/lib/systemd/system/haproxy.service; disabled; preset: disabled)
     Active: active (running) since Tue 2024-06-04 10:30:28 CST; 10s ago
   Main PID: 7853 (haproxy)
     Status: "Ready."
      Tasks: 5 (limit: 1569)
        CPU: 604ms
     CGroup: /system.slice/haproxy.service
             ├─7853 /usr/bin/haproxy -Ws -f /etc/haproxy/haproxy.cfg -p /run/haproxy.pid -S /run/haproxy-master.sock
             └─7855 /usr/bin/haproxy -Ws -f /etc/haproxy/haproxy.cfg -p /run/haproxy.pid -S /run/haproxy-master.sock

Jun 04 10:30:27 pi2NginxMuNeTaka systemd[1]: Starting HAProxy Load Balancer...
Jun 04 10:30:28 pi2NginxMuNeTaka haproxy[7853]: [NOTICE]   (7853) : New worker (7855) forked
Jun 04 10:30:28 pi2NginxMuNeTaka haproxy[7853]: [NOTICE]   (7853) : Loading success.
Jun 04 10:30:28 pi2NginxMuNeTaka systemd[1]: Started HAProxy Load Balancer.

if haproxy fails to start with `[/usr/bin/haproxy.main()] Cannot chroot(/var/lib/haproxy).`, then:

# Recovery for "Cannot chroot(/var/lib/haproxy)": the jail directory named by
# `chroot` in haproxy.cfg must exist before the service starts.
sudo mkdir -p /var/lib/haproxy
# NOTE(review): HAProxy's chroot guidance is that the jail be empty and not
# writable by anyone; handing it to haproxy:haproxy makes it writable by the
# worker, so root:root with 755 is the more conservative choice — confirm
# against the haproxy docs for the installed version.
sudo chown haproxy:haproxy /var/lib/haproxy
sudo chmod 755 /var/lib/haproxy
# Re-validate the config before restarting the service.
sudo haproxy -c -f /etc/haproxy/haproxy.cfg

2.4. test with http://munetaka.me:80

munetaka.me_8080.png

3.0. Let's Encrypt

Following certbot's guidance for the standalone case ("My web server is not currently running on this machine"): stop the web server, then run the command below to get a certificate; certbot temporarily spins up its own web server to answer the challenge. `sudo certbot certonly --standalone`

$ sudo pacman -Rns certbot certbot-nginx
# pacman -S certbot

on munetaka.me the existing certificate was issued for nginx (via the nginx plugin); delete it and re-issue

[root@pi2NginxMuNeTaka letsencrypt]# sudo certbot revoke --cert-name munetaka.me --reason keycompromise   <-- revokes the old munetaka.me certificate. Note: `keycompromise` is only accurate when the private key was actually exposed; a plain re-issue does not require revocation at all, and if one is done, `superseded` is the fitting reason.

[root@pi2NginxMuNeTaka letsencrypt]# certbot delete --cert-name munetaka.me
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
The following certificate(s) are selected for deletion:

  * munetaka.me

WARNING: Before continuing, ensure that the listed certificates are not being
used by any installed server software (e.g. Apache, nginx, mail servers).
Deleting a certificate that is still being used will cause the server software
to stop working. See https://certbot.org/deleting-certs for information on
deleting certificates safely.

Are you sure you want to delete the above certificate(s)?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y
Deleted all files relating to certificate munetaka.me.

[root@pi2NginxMuNeTaka letsencrypt]# rm -rf  /etc/letsencrypt/live/*

[root@pi2NginxMuNeTaka letsencrypt]# certbot certonly --standalone -d munetaka.me
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for munetaka.me

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/munetaka.me/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/munetaka.me/privkey.pem
This certificate expires on 2024-09-02.
These files will be updated when the certificate renews.

NEXT STEPS:
- The certificate will need to be renewed before it expires. Certbot can automatically renew the certificate in the background, but you may need to take steps to enable that functionality. See https://certbot.org/renewal-setup for instructions.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 * Donating to EFF:                    https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
[root@pi2NginxMuNeTaka letsencrypt]# ls -l /etc/letsencrypt/live/munetaka.me/
total 4
lrwxrwxrwx 1 root root  35 Jun  4 13:39 cert.pem -> ../../archive/munetaka.me/cert1.pem
lrwxrwxrwx 1 root root  36 Jun  4 13:39 chain.pem -> ../../archive/munetaka.me/chain1.pem
lrwxrwxrwx 1 root root  40 Jun  4 13:39 fullchain.pem -> ../../archive/munetaka.me/fullchain1.pem
lrwxrwxrwx 1 root root  38 Jun  4 13:39 privkey.pem -> ../../archive/munetaka.me/privkey1.pem
-rw-r--r-- 1 root root 692 Jun  4 13:39 README
[root@pi2NginxMuNeTaka letsencrypt]# ls -l /etc/letsencrypt/archive/munetaka.me
total 16
-rw-r--r-- 1 root root 1480 Jun  4 13:39 cert1.pem
-rw-r--r-- 1 root root 1826 Jun  4 13:39 chain1.pem
-rw-r--r-- 1 root root 3306 Jun  4 13:39 fullchain1.pem
-rw------- 1 root root  241 Jun  4 13:39 privkey1.pem

3.1. combine the full chain and the private key into one PEM for haproxy. This copy is not among the files certbot refreshes on renewal (see "These files will be updated when the certificate renews" above), so it has to be regenerated after each renewal.

[root@pi2NginxMuNeTaka letsencrypt]# sudo cat /etc/letsencrypt/live/munetaka.me/fullchain.pem /etc/letsencrypt/live/munetaka.me/privkey.pem > /etc/letsencrypt/live/munetaka.me/haproxy.pem
[root@pi2NginxMuNeTaka letsencrypt]# sudo chmod 600 /etc/letsencrypt/live/munetaka.me/haproxy.pem

And /etc/haproxy/haproxy.cfg as,

# /etc/haproxy/haproxy.cfg (Arch host): TLS terminated by HAProxy on :443,
# then re-encrypted to the nginx vhost on 127.0.0.1:8080.
global
    log /dev/log    local0
    log /dev/log    local1 notice
    # Jail directory; must exist or startup fails with "Cannot chroot(...)".
    chroot /var/lib/haproxy
    # Runtime API socket with full admin rights; mode 660 keeps other local
    # users out. Ownership follows the creating process unless `user`/`group`
    # are given here — verify with `ls -l /run/haproxy/admin.sock`.
    stats socket /run/haproxy/admin.sock mode 660 level admin
    stats timeout 30s
    user haproxy
    group haproxy
    daemon

defaults
    log     global
    mode    http
    option  httplog
    option  dontlognull
    # Timeouts are in milliseconds when no unit is given.
    timeout connect 5000
    timeout client  50000
    timeout server  50000
    # Debian/Ubuntu ship the error pages under /etc/haproxy/errors/ (see the
    # earlier config); the paths below are this host's package examples dir.
    errorfile 400 /usr/share/haproxy/examples/errorfiles/400.http
    errorfile 403 /usr/share/haproxy/examples/errorfiles/403.http
    # HAProxy does not inherently generate 404 errors but can relay them from backend servers to clients.
    # errorfile 404 /usr/share/haproxy/examples/errorfiles/404.http
    errorfile 408 /usr/share/haproxy/examples/errorfiles/408.http
    errorfile 500 /usr/share/haproxy/examples/errorfiles/500.http
    errorfile 502 /usr/share/haproxy/examples/errorfiles/502.http
    errorfile 503 /usr/share/haproxy/examples/errorfiles/503.http
    errorfile 504 /usr/share/haproxy/examples/errorfiles/504.http

frontend https_front
    # The commented form below failed `haproxy -c` with "No Private Key found
    # in '.../fullchain.pem.key'": `crt` wants the key inside the PEM (or in
    # <crt>.key next to it), so the `key ...` part did not take effect.
    # bind *:443 ssl crt /etc/letsencrypt/live/munetaka.me/fullchain.pem key /etc/letsencrypt/live/munetaka.me/privkey.pem
    # haproxy.pem = fullchain.pem + privkey.pem, concatenated by hand in
    # step 3.1. certbot does not refresh it on renewal, so without a renewal
    # deploy hook that re-concatenates and reloads haproxy, the served
    # certificate stops at the 2024-09-02 expiry.
    bind *:443 ssl crt /etc/letsencrypt/live/munetaka.me/haproxy.pem
    # No http frontend remains in this file (the :80 one was replaced), so
    # HAProxy no longer serves or redirects plain-HTTP clients.
    default_backend local_nginx


backend local_nginx
    # NOTE(review): ssl-hello-chk is the legacy SSL-hello health check;
    # `check` on the server line (reusing its ssl settings) is the current
    # form — confirm against the installed haproxy version.
    option ssl-hello-chk
    # `verify none` accepts any certificate from the backend. Tolerable only
    # because this hop stays on 127.0.0.1; anything off-host should use
    # `verify required` with a ca-file.
    server nginx_server 127.0.0.1:8080 ssl verify none

3.2. check haproxy.cfg

[root@pi2NginxMuNeTaka letsencrypt]# haproxy -c -V -f /etc/haproxy/haproxy.cfg
Configuration file is valid



[root@pi2NginxMuNeTaka alexlai]# cp -v /etc/haproxy/haproxy.cfg /etc/haproxy/haproxy.cfg.http
'/etc/haproxy/haproxy.cfg' -> '/etc/haproxy/haproxy.cfg.http'

[root@pi2NginxMuNeTaka alexlai]# nano /etc/haproxy/haproxy.cfg
[root@pi2NginxMuNeTaka alexlai]# diff /etc/haproxy/haproxy.cfg /etc/haproxy/haproxy.cfg.http
31,33c31,33
< frontend https_front
<     bind *:443 ssl crt /etc/letsencrypt/live/munetaka.me/fullchain.pem key /etc/letsencrypt/live/munetaka.me/privkey.pem
<     default_backend local_nginx
---
> frontend http_front
>     bind *:80
>     default_backend http_back
35,37c35,36
< backend local_nginx
<     option ssl-hello-chk
<     server nginx_server 127.0.0.1:8080 ssl verify none
---
> backend http_back
>     server nginx_server 127.0.0.1:8080 check


3.2. apply the config

$ sudo systemctl restart haproxy



3.5. make the nginx backend speak TLS as well: https://munetaka.me:443 ---> https://localhost:8080

update /etc/nginx/sites-avaliable/upstream-8088 as follows (diff against the backup):

[root@pi2NginxMuNeTaka alexlai]# cp -v /etc/nginx/sites-avaliable/upstream-8088 /etc/nginx/sites-avaliable/upstream-8088.backup
'/etc/nginx/sites-avaliable/upstream-8088' -> '/etc/nginx/sites-avaliable/upstream-8088.backup'
[root@pi2NginxMuNeTaka alexlai]# nano /etc/nginx/sites-avaliable/upstream-8088
[root@pi2NginxMuNeTaka alexlai]# diff /etc/nginx/sites-avaliable/upstream-8088 /etc/nginx/sites-avaliable/upstream-8088.backup
2c2
<     listen 8080 ssl;
---
>     listen 8080;
4,7d3
<
<     # generated by CertBolt, https://certbot.eff.org/
<     ssl_certificate /etc/letsencrypt/live/munetaka.me/fullchain.pem;
<     ssl_certificate_key /etc/letsencrypt/live/munetaka.me/privkey.pem;


verify with `haproxy -c -V -f /etc/haproxy/haproxy.cfg`:

[root@pi2NginxMuNeTaka alexlai]# haproxy -c -V -f /etc/haproxy/haproxy.cfg
[NOTICE]   (7920) : haproxy version is 2.9.7-5742051
[NOTICE]   (7920) : path to executable is /usr/bin/haproxy
[ALERT]    (7920) : config : parsing [/etc/haproxy/haproxy.cfg:32] : 'bind *:443' in section 'frontend' : No Private Key found in '/etc/letsencrypt/live/munetaka.me/fullchain.pem.key'.
[ALERT]    (7920) : config : Error(s) found in configuration file : /etc/haproxy/haproxy.cfg
[ALERT]    (7920) : config : Fatal errors found in configuration.

The check fails because `crt` expects the private key inside the PEM it is given (or in a `<crt>.key` file next to it); that is why 3.1 concatenates fullchain.pem and privkey.pem into haproxy.pem.

3.3. restart nginx


[root@pi2NginxMuNeTaka alexlai]# systemctl restart nginx
[root@pi2NginxMuNeTaka alexlai]# systemctl status nginx
● nginx.service - A high performance web server and a reverse proxy server
     Loaded: loaded (/usr/lib/systemd/system/nginx.service; enabled; preset: disabled)
     Active: active (running) since Tue 2024-06-04 10:47:43 CST; 6s ago
    Process: 7881 ExecStart=/usr/bin/nginx (code=exited, status=0/SUCCESS)
   Main PID: 7883 (nginx)
      Tasks: 5 (limit: 1569)
        CPU: 215ms
     CGroup: /system.slice/nginx.service
             ├─7883 "nginx: master process /usr/bin/nginx"
             ├─7884 "nginx: worker process"
             ├─7885 "nginx: worker process"
             ├─7886 "nginx: worker process"
             └─7887 "nginx: worker process"

Jun 04 10:47:43 pi2NginxMuNeTaka systemd[1]: Starting A high performance web server and a reverse proxy server...
Jun 04 10:47:43 pi2NginxMuNeTaka systemd[1]: Started A high performance web server and a reverse proxy server.


3.4. restart haproxy.service 

check https://munetaka.me:8080 and https://munetaka.me:443