I switched jobs recently, and in my new position it's unlikely that I can use AWS. To avoid going cold turkey on the AWS environment, I moved my personal website and blog (with fewer than 2 visitors a month, myself included) to AWS. This lets me keep playing with boto3 and the tools AWS provides for somewhere around 20 euros a month. Hooray for the t2.nano instances. I am completely over-engineering the setup with Docker, HAProxy, nginx workers, Jekyll and Ansible. Getting it all to work smoothly is fun, and it ensures that I am not losing my AWS mojo.
Encrypt all the things!
As a long-time user and supporter of PGP, I strongly encourage everyone to use encryption by default. Thanks to the Let's Encrypt project, everyone now has the opportunity to (and, in my humble opinion, should) enable HTTPS on web servers without the additional cost of buying a valid certificate or the downsides of self-signed certificates.
Request the certificate
Using the Docker container provided by Let's Encrypt, and with port 443 available, this is literally a two-second job:
The certificates are stored in /etc/letsencrypt, so you have to mount this directory into your Docker container. But before HAProxy can use the certificate, you have to combine the private key and the certificate into a single .pem file.
The following script does this:
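The script below is an added example, not the one from the original post. It assumes the layout the Let's Encrypt client writes under /etc/letsencrypt/live/<domain>/ (fullchain.pem and privkey.pem) and an output directory of /etc/haproxy/certs; both paths and the domain are arguments, and the placeholder files it creates when run without arguments are constructed stand-ins so the script can be exercised without a live account. Because the combined file contains the private key, it is created with mode 0600, and the script refuses to produce a file that is missing either the certificate or the key.

```shell
#!/bin/sh
# Added example: build the single .pem HAProxy expects from the Let's Encrypt output.
# Paths and domain are assumptions; pass them as arguments for a real deployment:
#   ./combine_pem.sh www.example.org /etc/letsencrypt/live /etc/haproxy/certs
set -eu

# combine_pem DOMAIN LIVE_DIR OUT_DIR
# Writes OUT_DIR/DOMAIN.pem with the full chain first and the private key last,
# created with mode 0600 because the file now carries the key. Prints the output path.
combine_pem() {
    domain=$1; live_dir=$2; out_dir=$3
    chain="$live_dir/$domain/fullchain.pem"
    key="$live_dir/$domain/privkey.pem"
    out="$out_dir/$domain.pem"

    for f in "$chain" "$key"; do
        [ -s "$f" ] || { echo "missing or empty: $f" >&2; return 1; }
    done
    mkdir -p "$out_dir"
    # umask inside a subshell so the combined file is never world-readable, not even briefly.
    (umask 077 && cat "$chain" "$key" > "$out")
    # Sanity check: both a certificate block and a key block must be present.
    grep -q 'BEGIN CERTIFICATE' "$out" || { echo "no certificate in $out" >&2; return 1; }
    grep -q 'PRIVATE KEY' "$out" || { echo "no private key in $out" >&2; return 1; }
    printf '%s\n' "$out"
}

# make_fixture LIVE_DIR DOMAIN: constructed placeholder files standing in for the real
# Let's Encrypt output (not real key material), used only for the stand-alone demo.
make_fixture() {
    mkdir -p "$1/$2"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER-LEAF' '-----END CERTIFICATE-----' \
        '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER-INTERMEDIATE' '-----END CERTIFICATE-----' \
        > "$1/$2/fullchain.pem"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'PLACEHOLDER-KEY' '-----END PRIVATE KEY-----' \
        > "$1/$2/privkey.pem"
}

# With arguments: run against the real directories. Without: run the demo on the fixture.
if [ -n "${1-}" ]; then
    combine_pem "$1" "${2:-/etc/letsencrypt/live}" "${3:-/etc/haproxy/certs}"
else
    tmp=$(mktemp -d)
    make_fixture "$tmp/live" www.example.org
    combine_pem www.example.org "$tmp/live" "$tmp/certs"
    rm -rf "$tmp"
fi
```

Run it from the renewal hook (or the Ansible task that follows the renewal) so the combined file is refreshed whenever Let's Encrypt issues a new certificate; HAProxy only reads the .pem at start or reload.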
I use Ansible to start the Docker containers, so the corresponding docker container stanza looks like:
The HAProxy configuration looks like:
On port 80, all incoming requests that don't use HTTPS are redirected to port 443, and requests without the www. prefix are redirected to www.gargleblaster.org.
Finally, you also need to instruct HAProxy to use the correct ciphers (a fast-moving target, so treat any list as a snapshot) by setting the global options to:
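As an added example covering the redirects and the global TLS options together (this is not the post's own configuration), the script below renders a minimal haproxy.cfg and then checks the TLS settings before the container is (re)started. The domain, the certificate path, the backend names and the cipher list are assumptions; the `acme` backend is only a placeholder for whatever answers the ACME HTTP-01 challenges (the Lua plugin mentioned below, or a standalone client), included because a blanket HTTP-to-HTTPS redirect would otherwise break renewals. The check function fails on a constructed weak configuration that still allows SSLv3 or has a :443 bind without a certificate.

```shell
#!/bin/sh
# Added example: render a minimal haproxy.cfg with the HTTP->HTTPS and non-www->www
# redirects plus pinned TLS options, and verify the TLS settings before deployment.
# SITE, CERT and the backend names are assumptions.
set -eu

SITE=${SITE:-www.gargleblaster.org}
CERT=${CERT:-/etc/haproxy/certs/$SITE.pem}

# write_haproxy_cfg FILE: render the configuration. The cipher list is a snapshot
# and is the part to revisit as recommendations change.
write_haproxy_cfg() {
    cat > "$1" <<EOF
global
    tune.ssl.default-dh-param 2048
    ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305
    ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11

defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend http-in
    bind *:80
    # ACME HTTP-01 challenges must stay reachable over plain HTTP (assumed backend name).
    acl is_acme path_beg /.well-known/acme-challenge/
    use_backend acme if is_acme
    redirect scheme https code 301 if !is_acme

frontend https-in
    bind *:443 ssl crt $CERT
    acl is_www hdr(host) -i $SITE
    redirect prefix https://$SITE code 301 if !is_www
    http-response set-header Strict-Transport-Security max-age=31536000
    default_backend nginx

backend nginx
    server web1 nginx:80 check

backend acme
    server acme acme-responder:80
EOF
}

# check_tls_config FILE: return 1 if no cipher list is pinned, SSLv3 is still
# enabled, there is no :443 listener, a :443 bind lacks a certificate, or the
# HTTP->HTTPS redirect is missing.
check_tls_config() {
    cfg=$1
    grep -q '^ *ssl-default-bind-ciphers ' "$cfg" || { echo "no ssl-default-bind-ciphers" >&2; return 1; }
    grep '^ *ssl-default-bind-options ' "$cfg" | grep -q 'no-sslv3' || { echo "SSLv3 not disabled" >&2; return 1; }
    grep -q '^ *bind .*:443' "$cfg" || { echo "no :443 listener" >&2; return 1; }
    if grep '^ *bind .*:443' "$cfg" | grep -v -q ' ssl crt '; then
        echo "a :443 bind has no certificate" >&2; return 1
    fi
    grep -q 'redirect scheme https' "$cfg" || { echo "no HTTP->HTTPS redirect" >&2; return 1; }
    return 0
}

# Stand-alone run: render to the given path (default: a temp file) and check it.
cfg=${1:-$(mktemp)}
write_haproxy_cfg "$cfg"
if check_tls_config "$cfg"; then
    echo "TLS settings in $cfg look sane"
else
    echo "refusing to deploy $cfg" >&2
    exit 1
fi
```

Before trusting the rendered file, still run HAProxy's own syntax check (`haproxy -c -f haproxy.cfg`) inside the container image you actually deploy, since directive support depends on the HAProxy version.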
I use a custom-rolled HAProxy container in which I have included the Lua plugin, which gives an easy way to handle the incoming ACME requests needed for requesting and renewing certificates.