Nginx and HAproxy?

Ok I have a server that is using REACT to serve up html pages. I am also using HAproxy to forward rtmp streams. And…I have installed nginx. Do I need separate certs for nginx and haproxy? Based on Let's Encrypt, they list nginx and haproxy as separate apps needing a cert?

Thanks,

Ray

I don’t have experience with HAproxy (nor nginx for that matter :stuck_out_tongue:), but the most important question here will be: with which software will the client connect? I.e., what software will be the TLS endpoint? Most of the time, it will be the software which is connected to the internet with the non-TLS-endpoint software somewhere ‘behind’ it in the network.

i.e are you using HAProxy for http too or just for rtmp?

If you're using HAProxy for both, you just need a certificate in HAProxy. If you're using only Nginx for http and not running it through HAProxy at all, you need a certificate for both.

The certificates do not need to be separate, but do need to list all relevant domain names. e.g. if you offer http at example.com and www.example.com and offer rtmp at rtmp.example.com and want to use one certificate it has to list all 3 names.

Right now, haproxy just forwards incoming rtmp to an LXD container. The http is handled by the REACT based application. The video player is on the same server. I also have nginx installed that accesses the player and is supposed to display an iFrame with the video. I’m sure none of this makes a lot of sense. I just happen to notice in the Firefox dev console that somewhere along the line when running the player, there is an https leg of the process and wonder if all legs must be https?

If your main site uses HTTPS, all the resources it loads need to be over HTTPS. If your main site uses insecure HTTP, it can still load HTTPS resources, however. (This restriction probably isn’t enforced for RTMP though. Since RTMP is not supported by HTML5 <video>, your player is probably Flash-based. The Adobe Flash Player makes its own HTTP/HTTPS connections and isn’t restricted by your browser’s rules.)

At any rate, from the information given you would need a certificate for both your HAProxy server and your nginx server. They can use the same certificate if they run on the same domain name.

For example, with certbot you could configure SSL with nginx first automatically:

certbot --nginx -d yourdomain.com,www.yourdomain.com --deploy-hook 'cat $RENEWED_LINEAGE/fullchain.pem $RENEWED_LINEAGE/privkey.pem > $RENEWED_LINEAGE/combined.pem'

And then manually configure HAProxy to use that certificate by adding an SSL binding to its configuration like:

bind *:443 ssl crt /etc/letsencrypt/live/yourdomain.com/combined.pem

The deploy hook is needed because certbot doesn’t create files in the format HAProxy uses by default. It’s important to use single quotes and not double quotes for that or your current shell will interpret the variables rather than the shell certbot runs the hook under and things won’t work properly.

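The one-line deploy hook above works, but two things a practitioner would want are missing from it: the combined file contains the private key, so it should not be created with the shell's default (often world-readable) permissions, and HAProxy keeps the old certificate in memory until it is reloaded. The script below is an added example, not part of the thread or of certbot's or HAProxy's own tooling. It is meant to be saved as a file and passed via `--deploy-hook /path/to/script`; it assumes certbot's documented `RENEWED_LINEAGE` variable and that HAProxy is managed by systemd (the `systemctl reload haproxy` line is an assumption about the host).

```shell
#!/bin/sh
# certbot deploy hook for HAProxy: build <lineage>/combined.pem (full chain
# followed by the private key) with restrictive permissions, sanity-check it,
# then reload HAProxy so the renewed certificate is actually served.
set -eu

# Write combined.pem for one certbot lineage directory. Runs the concatenation
# under umask 077 in a subshell so the file is never readable by other users,
# and writes to a temp file first so HAProxy never sees a half-written PEM.
# Prints the path of the resulting file.
build_combined_pem() {
    lineage="$1"
    out="$lineage/combined.pem"
    (
        umask 077
        cat "$lineage/fullchain.pem" "$lineage/privkey.pem" > "$out.tmp"
    )
    chmod 600 "$out.tmp"
    mv "$out.tmp" "$out"
    printf '%s\n' "$out"
}

# Returns success only if the file holds both a certificate and a private key
# (a common failure is the hook running before privkey.pem exists).
check_combined_pem() {
    f="$1"
    grep -q 'BEGIN CERTIFICATE' "$f" && grep -q 'PRIVATE KEY' "$f"
}

# certbot sets RENEWED_LINEAGE when it runs a deploy hook; when the script is
# run by hand without it, do nothing so it can be sourced or tested safely.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    pem=$(build_combined_pem "$RENEWED_LINEAGE")
    check_combined_pem "$pem"
    # Assumption: HAProxy runs under systemd on this host. Adjust to your
    # init system (or a socket-based reload) as needed.
    systemctl reload haproxy
fi
```

The `bind *:443 ssl crt /etc/letsencrypt/live/yourdomain.com/combined.pem` line in HAProxy stays exactly as in the reply above; only the way the file is produced changes.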

Awesome reply T.C. Appreciate it.

Ray
