#A/ OpenSSL-Gen-CERT.sh
#LastUpdate: #14:49 2020.09.25, #14:30 2020.09.25
############################################
#REF: https://gist.github.com/yuezhu/47b15b4b8e944221861ccf7d7f5868f5
############################################
#__________GLOBAL_VAR:BEGIN
SSL_CERT_LOC="."
mkdir -p $SSL_CERT_LOC
cd $SSL_CERT_LOC
/bin/rm -rf {*.crt,*.csr,*.key,*.pem}
MyDomain="ha.stats.local"
#__________GLOBAL_VAR:END
#A__________GEN_PRIVATE_KEY:BEGIN
# Generate a unique private key (KEY)
# sudo openssl genrsa -out $MyDomain.key 2048
#__________GEN_PRIVATE_KEY:END
#B__________GEN_CSR:BEGIN
# Generating a Certificate Signing Request (CSR)
#sudo openssl req -new -key $MyDomain.key -out $MyDomain.csr -config openssl.cnf
#__________GEN_CSR:END
#C=A+B:
COUNTRY_NAME="US"
STATE_NAME="CA"
LOCATION_NAME="CA"
ORG_NAME="ORG NAME"
ORG_UNIT_NAME="UNIT-InformationTechnologyCenter"
sudo openssl req -nodes \
-newkey rsa:2048 \
-keyout $MyDomain.key \
-out $MyDomain.csr \
-subj "/C=$COUNTRY_NAME/ST=$STATE_NAME/L=$LOCATION_NAME/O=$ORG_NAME/OU=$ORG_UNIT_NAME/CN=$MyDomain"
#D__________GEN_SELF_SIGNED_CERT:BEGIN
# Creating a Self-Signed Certificate (CRT)
openssl x509 -req -days 3650 -in $MyDomain.csr -signkey $MyDomain.key -out $MyDomain.crt
#__________GEN_SELF_SIGNED_CERT:END
#E__________GEN_PEM:BEGIN
# Append KEY and CRT to $MyDomain.pem
cat $MyDomain.key $MyDomain.crt >> $MyDomain.pem
#__________GEN_PEM:END
#F__________CHECK_SSL_CERT:BEGIN
#https://www.sslshopper.com/article-most-common-openssl-commands.html
#F.1:
echo "------------------------------------------"
echo "Check a Certificate Signing Request (CSR): [$MyDomain.csr]"
openssl req -text -noout -verify -in $MyDomain.csr
sleep 10
#F.2:
echo "------------------------------------------"
echo "Check a private key: [$MyDomain.key]"
openssl rsa -check -in $MyDomain.key
sleep 10
#F.3:
echo "------------------------------------------"
echo "Check a certificate: [$MyDomain.crt]"
openssl x509 -text -noout -in $MyDomain.crt
sleep 10
# #F.4:
# echo "------------------------------------------"
# echo "Check a PKCS#12 file (.pfx or .p12):"
# openssl pkcs12 -info -in $MyDomain.p12
#F.5:
for var_temp in *.pem;
do
echo "------------------------------------------"
echo 'CREATED SSL CERT: ['$var_temp']':
openssl x509 -noout -dates -in $var_temp
done
echo "------------------------------------------"
#sleep 10
echo "CREATED SSL SELF CERT: DONE"
echo ""
#__________CHECK_SSL_CERT:END
#THE_END
#CHECK SSL CERT:
#https://support.acquia.com/hc/en-us/articles/360004119234-Verifying-the-validity-of-an-SSL-certificate
# openssl x509 -noout -modulus -in $MyDomain.pem | openssl md5
# openssl rsa -noout -modulus -in $MyDomain.key | openssl md5
# openssl x509 -noout -dates -in $MyDomain.pem
# openssl x509 -in $MyDomain.pem -noout -pubkey
# openssl rsa -in $MyDomain.key -pubout
#https://www.sslshopper.com/article-most-common-openssl-commands.html
# openssl req -text -noout -verify -in $MyDomain.csr
# openssl x509 -in $MyDomain.crt -text -noout
#RESULT:
#B/ Import SSL CERT TO HAPROXY:
#/etc/haproxy/crtlist.txt
#LastUpdate: #15:11 2020.09.25
###################################
# #HTTPS:
# frontend FRONTEND_443
# http-response set-header Strict-Transport-Security max-age=31536000;\ includeSubdomains;\ preload
# http-response set-header X-Frame-Options SAMEORIGIN
# http-response set-header X-Content-Type-Options nosniff
# bind *:443 ssl crt-list /etc/haproxy/crtlist.txt
# mode http
# option httpclose
# option forwardfor
# reqadd X-Forwarded-Proto:\ https
###################################
#___________SSL_CERT:BEGIN
#15:11 2020.09.25
/etc/haproxy/certs/ha.stats.local.pem
#___________SSL_CERT:END
#----------------------------------#END
#THE-END
#FILE_NAME="haproxy_99_HAProxyStats_9999.tcp"
#LastUpdate: #8:23 2020.09.25
#################################
#REF:
#Setup HAProxy stats over HTTPS
#https://evancarmi.com/writing/setup-haproxy-stats-over-https/
#################################
##__________FRONTEND_[HAProxyStats]:BEGIN
listen BACKEND_HAProxyStats_9999
mode http
bind *:9999 ssl crt-list /etc/haproxy/crtlist.txt alpn h2,http/1.1
#bind *:9999
stats enable
#stats http-request
#stats hide-version
stats realm Haproxy\ Statistics
stats refresh 30s
#stats uri /haproxy?stats
stats uri /
stats auth a:b
redirect scheme https code 301 if !{ ssl_fc }
##__________FRONTEND_[HAProxyStats]:END
#THE-END
#URL:
http://10.0.1.105:9999/haproxy?stats: Not OK
https://10.0.1.105:9999/haproxy?stats: OK
No comments:
Post a Comment