mirror of
https://github.com/shankar0123/certctl.git
synced 2026-06-07 20:01:31 +00:00
Shankar
7d281a14c4
Pre-2.1.0 adoption polish delivering all four milestones: A) Demo Data Overhaul — seed_demo.sql rewritten with 35 certs across 5 issuers, 8 agents, 8 targets, 50+ jobs spanning 90 days, 55+ audit events, discovery scans, network scan targets, S/MIME cert. B) Examples Directory — 5 turnkey docker-compose configs: acme-nginx, acme-wildcard-dns01, private-ca-traefik, step-ca-haproxy, multi-issuer. C) Migration Guides — migrate-from-certbot.md, migrate-from-acmesh.md, certctl-for-cert-manager-users.md. D) Agent Install Script — install-agent.sh with cross-platform support (Linux systemd + macOS launchd), release.yml updated for 6-target cross-compilation. Triple-audited against codebase: 22 factual corrections applied across docs, examples, and config (env var names, CLI flags, ports, DNS hook interface, scheduler loop counts, license conversion date). Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
70 lines
1.9 KiB
INI
70 lines
1.9 KiB
INI
global
|
|
log stdout local0
|
|
log stdout local1 notice
|
|
chroot /var/lib/haproxy
|
|
stats socket /run/haproxy/admin.sock mode 660 level admin
|
|
stats timeout 30s
|
|
user haproxy
|
|
group haproxy
|
|
daemon
|
|
|
|
# Default SSL options for modern TLS
|
|
tune.ssl.default-dh-param 2048
|
|
ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384
|
|
ssl-default-bind-options ssl-min-ver TLSv1.2
|
|
|
|
defaults
|
|
mode http
|
|
log global
|
|
option httplog
|
|
option dontlognull
|
|
timeout connect 5000
|
|
timeout client 50000
|
|
timeout server 50000
|
|
errorfile 400 /etc/haproxy/errors/400.http
|
|
errorfile 403 /etc/haproxy/errors/403.http
|
|
errorfile 408 /etc/haproxy/errors/408.http
|
|
errorfile 500 /etc/haproxy/errors/500.http
|
|
errorfile 502 /etc/haproxy/errors/502.http
|
|
errorfile 503 /etc/haproxy/errors/503.http
|
|
errorfile 504 /etc/haproxy/errors/504.http
|
|
|
|
# Statistics endpoint (accessible on port 8080)
|
|
listen stats
|
|
bind *:8080
|
|
stats enable
|
|
stats uri /stats
|
|
stats refresh 30s
|
|
stats admin if TRUE
|
|
|
|
# Example HTTPS frontend with certificate from certctl
|
|
# This frontend will serve HTTPS on port 443 using a combined PEM file
|
|
# deployed by certctl to /etc/haproxy/ssl/cert.pem
|
|
frontend https_in
|
|
# HTTP redirect to HTTPS
|
|
bind *:80
|
|
mode http
|
|
acl is_http hdr(X-Forwarded-Proto) http
|
|
redirect scheme https code 301 if !is_https
|
|
|
|
# HTTPS with certificate
|
|
# In production, certctl will manage cert.pem and reload HAProxy after deployment
|
|
bind *:443 ssl crt /etc/haproxy/ssl/cert.pem strict-sni
|
|
mode http
|
|
option httplog
|
|
|
|
# Default backend
|
|
default_backend http_backend
|
|
|
|
# Example backend (simple web service placeholder)
|
|
backend http_backend
|
|
mode http
|
|
option httpchk GET /
|
|
server local_app 127.0.0.1:8000 check disabled
|
|
|
|
# Health endpoint (useful for certctl agent deployment verification)
|
|
frontend health
|
|
bind *:9999
|
|
mode http
|
|
monitor-uri /health
|