PREREQUISITES
Godaddy sent me this Unique ID along with instructions how to verify https://www.godaddy.com/help/verify-domain-ownership-html-or-dns-7452
gotrk05351r51q72butu6oggcr
to verify through HTML Page create the directories godaddy requested from you
$ sudo mkdir /usr/share/nginx/html/.well-known
$ sudo mkdir /usr/share/nginx/html/.well-known/pki-validation
copy paste the unique id
$ sudo vi /usr/share/nginx/html/.well-known/pki-validation/godaddy.html
v2asb963nb732eaf8cf03lc0d4
then go to this link, you should be able to see it.
https://moodle.na.edu/.well-known/pki-validation/godaddy.html
v2asb963nb732eaf8cf03lc0d4
go back to the godaddy Certificate Request Verification page and click Check My Update, you should see a green validation response that says
We have verified your domain. Please allow 5-10 minutes for this to take affect.
SETUP SSL
create the key
$ sudo openssl genrsa -out moodle2017.key 2048
create the csr
$ sudo openssl req -new -key moodle2017.key -out moodle2017.csr
Country Name (2 letter code) [XX]:US State or Province Name (full name) []:TEXAS Locality Name (eg, city) [Default City]:HOUSTON Organization Name (eg, company) [Default Company Ltd]:NORTH AMERICAN UNIVERSITY Organizational Unit Name (eg, section) []:IT Common Name (eg, your name or your server's hostname) []:moodle.na.edu Email Address []:msen@na.edu Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []:
now verify the csr file, but that does only means that csr is OK, you don’t do anything with this
$ openssl req -text -noout -verify -in moodle2017.csr
verify OK
Certificate Request:
Data:
Version: 0 (0x0)
Subject: C=US, ST=TEXAS, L=HOUSTON, O=NORTH AMERICAN UNIVERSITY, OU=IT, CN=moodle.na.edu/emailAddress=msen@na.edu
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
01:9e:2c:83:4f:18:44:22:35:54:67:8e:12:34:b2:
7a:a9:b3:f2:88:7f:4f:61:66:22:b0:57:f5:f4:52:
25:5a:db:ab:25:e5:11:4f:98:72:52:b3:89:05:79:
93:5a:4f:74:e3:a0:e3:81:09:a4:61:8d:9f:6b:11:
0c:10:9c:ef:b9:53:98:51:69:71:06:36:3b:c7:f2:
d7:ab:0b:b6:f9:60:c5:cf:99:41:ce:7e:a5:a0:f9:
32:cd:0c:5e:38:7d:84:fc:97:f2:cb:2b:23:d9:33:
88:3e:97:25:ac:39:6e:fc:8e:31:1d:7b:0e:d8:07:
ef:42:4d:4d:a1:d6:67:40:a7:c2:70:47:6c:c2:55:
f8:81:bf:04:a7:3c:4d:62:eb:d2:96:29:e5:2f:c3:
90:dc:2a:6f:9b:b6:b7:f6:11:51:50:37:51:12:53:
db:71:4d:65:4d:bb:c2:67:1c:64:8d:21:32:af:03:
c3:82:8b:5f:e0:f5:16:e0:1b:92:96:33:7f:db:d7:
32:a8:7b:f5:b8:fc:51:80:04:a0:31:80:2f:4d:23:
03:ad:a9:16:8c:2c:94:78:d0:18:37:2d:f5:6b:b4:
38:b5:32:e3:69:01:71:cb:89:b4:4d:40:f9:08:08:
0e:01:86:27:92:e3:62:48:cb:c2:9f:2d:17:d9:d3:
76:b7
Exponent: 65537 (0x10001)
Attributes:
a0:00
Signature Algorithm: sha256WithRSAEncryption
0f:2c:0f:c5:ea:db:65:a9:0c:9e:07:4f:d7:91:e1:9e:fe:8c:
11:08:03:db:78:20:47:dc:fb:93:07:b7:34:7a:1b:4d:71:ec:
37:f1:76:f3:9f:35:6f:43:bf:6a:c1:52:97:04:b6:04:5f:e1:
24:b4:e4:5a:c2:6f:98:7e:47:dc:58:07:92:79:f2:31:e9:45:
4e:81:fc:5d:a6:ab:46:3b:c9:90:28:78:c9:41:1a:48:40:f5:
bf:d8:25:96:e6:b2:0c:1f:61:2f:0e:bb:57:af:9b:65:5d:79:
51:12:0e:90:fe:d4:da:5f:9b:fc:a3:e3:97:c1:f7:de:46:58:
4a:11:e7:84:b4:49:1f:4e:07:f1:44:35:d3:36:be:f4:67:63:
e9:01:55:f2:53:49:ac:3b:b2:69:51:ef:1c:a8:a6:4c:13:10:
90:47:34:96:42:3d:34:49:aa:44:65:41:15:4f:40:be:b1:b1:
30:9b:dc:ca:26:4b:8d:99:a3:bd:d4:20:f5:d6:a2:58:5f:da:
34:8c:e0:4b:4a:b9:c0:bc:2d:32:a3:5e:55:e9:46:d9:c4:ed:
8f:cb:8f:68:d7:cf:91:95:7b:78:55:a9:fd:5e:0d:49:43:7a:
65:1c:dc:15:bf:91:af:5d:2c:cc:bb:c5:68:3c:72:b9:79:44:
6b:aa:79:38
I gave the content of the new generated moodle2017.csr to Khudoyor
$ sudo vi moodle2017.csr
-----BEGIN CERTIFICATE REQUEST----- NIIC2jCCAcICAQAwgZQxCzAJBgNVBAYTAlVTMQ4wDAYDVQQIDAVURVhBUzEQMA4G A1UEBwwHSE9VU1RPTjEiMCAGA1UECgwZTk9SVEggQU1FUklDQU4gVU5JVkVSU0lU WTELMAkGA1UECwwCSVQxFjAUBgNVBAMMDW1vb2RsZS5uYS5lZHUxGjAYBgkqhkiG 9w0BCQEWC21zZW5AbmEuZWR1MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC AQEAniyTTxhEIjVUZ44SNLJ6qbPyiH9PYWYisFf19FIlWturJeURT5hyUrOJBXmT Wk9046DjgQmkYY2faxEMEJzvuVOYUWlxBjY7x/LXqwu2+WDFz5lBzn6loPkyzQxe OH2E/Jfyyysj2TOIPpclrDlu/I4xHXsO2AfvQk1NodZnQKfCcEdswlX4gb8EpzxN YuvSlinlL8OQ3Cpvm7a39hFRUDdRElPbcU1lTbvCZxxkjSEyrwPDgotf4PUW4BuS ljN/29cyqHv1uPxRgASgMYAvTSMDrakWjCyUeNAYNy31a7Q4tTLjaQFxy4m0TUD5 CAgOAYYnkuNhSMvCna0X2dN2twIDAQABoAAwDQYJKoZIhvcNAQELBQADggEBAA8s D8Xq22WpDJ4HT9eR4Z7+jBEIA9t4IEfc+5MHtzR6G01x7DfxdvOfNW9Dv2rBUpcE tgRf4SS05FrCb5h+R9xYB5J58jHpRU6B/F2mq0Y7yZAoeMlBGkhA9b/YJZbmsgwf cS8Ou1evm2VdeVESDpD+1Npfm/yj45fB995GWEoR54S0SR9OB/FENdM2vvRnY+kB VfJTSaw7smlR7xyopkwTEJBHNJZCPTRJqkRlQRVPQL6xsTCb3MomS42Zo73UIPXW olhf2jSM4EtKucC8LTKjXlXpRtnE7Y/Lj2jXz5GVe3hVqf1eDUlDemUc3BW/ka9d K8y7xWg8crl5RGuqeUg= -----END CERTIFICATE REQUEST-----
Khudoyor bought again the new crt and bundle file from godaddy which I renamed to moodle2017.crt and moodle2017_bundle.crt afterwards and moved only moodle2017.crt to haproxy3 /tmp/ folder using FileZilla. Then to /etc/pki/tls/certs/ folder. Actually we don’t do anything with moodle2017_bundle.crt but only with moodle2017.crt
let’s move the moodle2017 to certification folder
$ sudo mv /tmp/moodle2017.crt /etc/pki/tls/certs/
We generate and point moodle2017.pem file in haproxy config
$ sudo bash -c 'cat moodle2017.crt moodle2017.key > moodle2017.pem'
Finally, you only need to change the pem file name
$ sudo vi /etc/haproxy/haproxy.cfg
…………….
…………….
rontend main
bind *:80
mode http
# specify port and certs
bind *:443 ssl crt /etc/pki/tls/certs/moodle2017.pem
# adds the https header to the end of the incoming request
reqadd X-Forwarded-Proto:\ https
# a security policy to prevent against downgrade attacks
rspadd Strict-Transport-Security:\ max-age=31536000
option http-server-close
option forwardfor
default_backend webapp-main
……………
…………….
restart haproxy
$ sudo systemctl restart haproxy
see haproxy configs
$ haproxy -vv
Wait a little bit, then go to the browser and check it out!
the final haproxy config looks like this
$ sudo vi /etc/haproxy/haproxy.cfg
#---------------------------------------------------------------------
# Example configuration for a possible web application. See the
# full configuration options online.
#
# http://haproxy.1wt.eu/download/1.4/doc/configuration.txt
#
#---------------------------------------------------------------------
#---------------------------------------------------------------------
# Global settings
#---------------------------------------------------------------------
global
# to have these messages end up in /var/log/haproxy.log you will
# need to:
#
# 1) configure syslog to accept network log events. This is done
# by adding the '-r' option to the SYSLOGD_OPTIONS in
# /etc/sysconfig/syslog
#
# 2) configure local2 events to go to the /var/log/haproxy.log
# file. A line like the following can be added to
# /etc/sysconfig/syslog
#
# local2.* /var/log/haproxy.log
#
log 127.0.0.1 local2
# max per-process number of SSL connections
maxsslconn 2000
# set 2048 bits for Diffie-Hellman key
tune.ssl.default-dh-param 2048
#disable SSLv3 because it is not secure anymore
#ssl-default-bind-options no-sslv3
chroot /var/lib/haproxy
pidfile /var/run/haproxy.pid
maxconn 10000
user haproxy
group haproxy
daemon
# turn on stats unix socket
stats socket /var/lib/haproxy/stats
#---------------------------------------------------------------------
# common defaults that all the 'listen' and 'backend' sections will
#use if not designated in their block
#---------------------------------------------------------------------
defaults
mode http
log global
option httplog
option dontlognull
option http-server-close
option forwardfor except 127.0.0.0/8
option redispatch
retries 3
timeout http-request 10s
timeout queue 1m
timeout connect 10s
timeout client 1m
timeout server 1m
timeout http-keep-alive 10s
timeout check 10s
maxconn 2000
#---------------------------------------------------------------------
#HAProxy statistics backend
#---------------------------------------------------------------------
listen haproxy3-monitoring *:8080
mode http
option forwardfor
option httpclose
stats enable
stats show-legends
stats refresh 2s
stats uri /stats
stats realm Haproxy\ Statistics
stats auth username:password
stats admin if TRUE
#---------------------------------------------------------------------
# main frontend which proxys to the backends
#---------------------------------------------------------------------
frontend main
bind *:80
mode http
# specify port and certs
bind *:443 ssl crt /etc/pki/tls/certs/moodle2017.pem
# adds the https header to the end of the incoming request
reqadd X-Forwarded-Proto:\ https
# a security policy to prevent against downgrade attacks
rspadd Strict-Transport-Security:\ max-age=31536000
option http-server-close
option forwardfor
default_backend webapp-main
# round robin balancing between the various backends
#---------------------------------------------------------------------
backend webapp-main
mode http
# uncomment this later if you want to redirect only as https
#redirect scheme https if !{ ssl_fc }
balance roundrobin
server web1 10.10.4.21:80 maxconn 250 check
server web2 10.10.4.22:80 maxconn 250 check
