Let's Encrypt Automation Daemon
Latest commit ec71648702 "Tabfix" by maze.io apt signing key, 2 years ago

debian             Tabfix                 2 years ago
hook               Initial import         2 years ago
.gitignore         Initial commit         2 years ago
LICENSE            Initial commit         2 years ago
README.md          Typofix                2 years ago
build.sh           Make executable        2 years ago
changelog.sh       Added changelog.sh     2 years ago
checker.go         Initial import         2 years ago
config.go          Initial import         2 years ago
lead.conf.example  Added example config   2 years ago
lead.go            Debian stuffs          2 years ago
logger.go          Initial import         2 years ago
manager.go         Initial import         2 years ago
server.go          Initial import         2 years ago
util.go            Initial import         2 years ago

README.md

lead

LetsEncrypt Automation Daemon

About

LEAD automatically requests the certificates listed in its configuration and keeps them up to date by renewing them before they expire.

Requests received over plain HTTP are redirected to the corresponding HTTPS port.
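The renewal side of "keeps them up to date", as an added example that is not code from the LEAD project: it parses a bundle in the layout haproxy loads from /etc/lead/bundles/ (leaf certificate, optional chain and private key concatenated as PEM), checks that the leaf actually covers the configured hostname and matches the bundled key, and reports how much lifetime is left and whether that is inside the renewal window. The 30-day window, the hostname www.example.com and the self-signed sample bundle produced by makeBundle are assumptions made for this example; LEAD's own checker and file layout may differ.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// inspectBundle parses a haproxy-style bundle (leaf certificate first, then any
// chain certificates, then the private key, as PEM blocks in one file), checks
// that the leaf covers hostname and belongs to the bundled key, and returns the
// lifetime left at time now plus whether that is within renewBefore.
func inspectBundle(bundle []byte, hostname string, now time.Time, renewBefore time.Duration) (time.Duration, bool, error) {
	var leaf *x509.Certificate
	var key crypto.PrivateKey
	for block, rest := pem.Decode(bundle); block != nil; block, rest = pem.Decode(rest) {
		var err error
		switch block.Type {
		case "CERTIFICATE":
			var c *x509.Certificate
			if c, err = x509.ParseCertificate(block.Bytes); err == nil && leaf == nil {
				leaf = c // the first certificate is the one haproxy serves
			}
		case "EC PRIVATE KEY":
			key, err = x509.ParseECPrivateKey(block.Bytes)
		case "RSA PRIVATE KEY":
			key, err = x509.ParsePKCS1PrivateKey(block.Bytes)
		case "PRIVATE KEY":
			key, err = x509.ParsePKCS8PrivateKey(block.Bytes)
		}
		if err != nil {
			return 0, false, fmt.Errorf("bad %s block: %w", block.Type, err)
		}
	}
	if leaf == nil || key == nil {
		return 0, false, fmt.Errorf("bundle needs a certificate and a private key")
	}
	// A wrong name or a mismatched key would only show up at handshake time; catch it here.
	if err := leaf.VerifyHostname(hostname); err != nil {
		return 0, false, err
	}
	signer, ok := key.(crypto.Signer)
	pub, ok2 := leaf.PublicKey.(interface{ Equal(crypto.PublicKey) bool })
	if !ok || !ok2 || !pub.Equal(signer.Public()) {
		return 0, false, fmt.Errorf("private key does not match the leaf certificate")
	}
	remaining := leaf.NotAfter.Sub(now)
	return remaining, remaining <= renewBefore, nil // an expired bundle needs renewal too
}

// makeBundle builds a constructed sample: a self-signed P-256 certificate for
// hostname and its key, laid out the way haproxy expects a bundle file.
func makeBundle(hostname string, notBefore, notAfter time.Time) ([]byte, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: hostname},
		DNSNames:     []string{hostname},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		return nil, err
	}
	keyDER, err := x509.MarshalECPrivateKey(priv)
	if err != nil {
		return nil, err
	}
	var buf bytes.Buffer
	pem.Encode(&buf, &pem.Block{Type: "CERTIFICATE", Bytes: der})
	pem.Encode(&buf, &pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER})
	return buf.Bytes(), nil
}

func main() {
	// Constructed input: a 90-day certificate issued 70 days ago, so 20 days are left.
	now := time.Now()
	bundle, err := makeBundle("www.example.com", now.Add(-70*24*time.Hour), now.Add(20*24*time.Hour))
	if err != nil {
		panic(err)
	}
	left, renew, err := inspectBundle(bundle, "www.example.com", now, 30*24*time.Hour)
	fmt.Printf("%.0f days left, renew now: %v, err: %v\n", left.Hours()/24, renew, err)
}
```

Run it with go run; it prints the days left and the renewal decision for the sample bundle. Rejecting a bundle whose key does not belong to its certificate, or whose certificate does not cover the configured name, matters because haproxy loads such a file without complaint and only a failing client handshake reveals the problem.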

Example

An example configuration can be found in lead.conf.example.

Setup

A simple haproxy configuration may look as follows. It serves the certificate bundles LEAD drops into /etc/lead/bundles/ (haproxy reads that directory when it starts, so reload it after LEAD writes a new bundle; haproxy -c -f /etc/haproxy/haproxy.cfg validates the file before a reload), passes plain HTTP to LEAD so it can redirect, and hands TLS connections whose SNI ends in .acme.invalid to LEAD for validation. SNI names under .acme.invalid belong to the tls-sni-01 challenge, which Let's Encrypt stopped accepting in March 2019, so check which validation method your LEAD version implements before relying on that route:

global
    log         /dev/log local0
    chroot      /var/lib/haproxy
    # level admin can disable servers and change weights over this socket,
    # so it must not be world-writable (mode 666)
    stats       socket /var/run/haproxy.sock mode 660 level admin
    stats       timeout 30s
    user        haproxy
    group       haproxy
    daemon

    ca-base     /etc/ssl/certs
    crt-base    /etc/lead/bundles

    ssl-default-bind-ciphers AES:ALL:!aNULL:!eNULL:!DES:!RC4:!DHE:!EDH:!MD5:!PSK:!aECDH:@STRENGTH
    ssl-default-bind-options no-sslv3

defaults
    log         global
    mode        http
    option      dontlognull
    timeout     connect 5000
    timeout     client 50000
    timeout     server 50000
    errorfile   400 /etc/haproxy/errors/400.http
    errorfile   403 /etc/haproxy/errors/403.http
    errorfile   408 /etc/haproxy/errors/408.http
    errorfile   500 /etc/haproxy/errors/500.http
    errorfile   502 /etc/haproxy/errors/502.http
    errorfile   503 /etc/haproxy/errors/503.http
    errorfile   504 /etc/haproxy/errors/504.http

frontend http
    bind            :80
    # reqadd was removed in HAProxy 2.1; http-request add-header is the equivalent
    http-request    add-header X-Forwarded-Proto http
    default_backend lead-http

backend webserver
    mode            http
    balance         roundrobin
    option          forwardfor
    http-request    set-header X-Forwarded-Port %[dst_port]
    http-request    add-header X-Forwarded-Proto https if { ssl_fc }
    option          httpchk HEAD / HTTP/1.1\r\nHost:localhost
    # server names must be unique within a backend
    server          server-a 172.23.40.83:80 check
    server          server-b 172.23.40.84:80 check

frontend https-loop
    # terminates TLS with every bundle in /etc/lead/bundles/ and hands plain HTTP
    # to the webserver backend; advertising spdy/2 via npn would break clients
    # that negotiate it, since nothing behind this frontend speaks SPDY
    bind            127.4.4.3:8443 ssl crt /etc/lead/bundles/
    mode            http
    default_backend webserver

frontend https
    bind            :443
    mode            tcp
    option          tcplog

    acl             sni.lead req.ssl_sni -m end .acme.invalid
    acl             sni      req.ssl_sni -m found
    acl             tls      req.ssl_hello_type 1

    tcp-request     inspect-delay 5s
    tcp-request     content accept if tls

    use_backend     lead if sni.lead
    default_backend https-loop

backend https-loop
    mode            tcp
    option          tcplog
    # "server" takes a name before the address
    server          loop 127.4.4.3:8443

backend lead
    mode            tcp
    server          lead 127.0.0.1:7443 check

backend lead-http
    mode            http
    option          forwardfor
    server          lead 127.0.0.1:7080 check