Setting up Rancher Proxy to enforce HTTPS without interrupting Let's encrypt cert renewals

Feb 9, 2018

devops, docker, rancher, haproxy

One of the things I love most about Rancher 1.6 is how easy it makes the use of Let's Encrypt certificates via the Let's Encrypt manager for Rancher.

My setup

This is an example of my balancer rules:

Priority  Protocol  Request Host  Port  Path
1         HTTP      bithavoc.io   80    /.well-known/acme-challenge
2         HTTP      bithavoc.io   80    /
3         HTTPS     bithavoc.io   443   /

It's mandatory to have /.well-known/acme-challenge at the highest priority for the domain so the cert renewals work properly: the balancer evaluates rules in priority order, so the challenge path must be matched before the catch-all / rule swallows it.

The problem

Of course I want to enforce HTTPS on my domain, so I copied and pasted the following HAProxy rule from Stack Overflow:

frontend 80
    # Redirect every plain-HTTP request for the domain to HTTPS,
    # including requests for /.well-known/acme-challenge.
    redirect scheme https if { hdr(Host) -i bithavoc.io } !{ ssl_fc }

It works well until the agent tries to renew a certificate after the existing certificate has already expired: the Let's Encrypt HTTP-01 validator follows the redirect to HTTPS, the TLS handshake against the expired certificate fails, and so does the renewal. In other words, the redirect makes renewal depend on the very endpoint that renewal is supposed to fix.

The solution

The solution is surprisingly easy with HAProxy, using a combination of ACLs and conditions so that the HTTPS redirect is not enforced for requests whose path begins with /.well-known.

frontend 80
    mode http

    # Match the ACME HTTP-01 challenge path. path_beg /.well-known also
    # exempts every other .well-known resource; use
    # path_beg /.well-known/acme-challenge/ if only the ACME path should stay on HTTP.
    acl u_is_lets_encrypt_challenge    path_beg   /.well-known

    # Redirect to HTTPS unless the request is a challenge. !{ ssl_fc } is
    # always true inside the port-80 frontend, so it is harmless but redundant here.
    redirect scheme https if { hdr(Host) -i bithavoc.io } !{ ssl_fc } !u_is_lets_encrypt_challenge
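After deploying the rule above it is worth checking that HAProxy really answers the two kinds of request differently. The following script is an added example and not code from the original post or from the Rancher project: it sends one request to the challenge path with a random token and one to /, neither of which follows redirects, and reports whether the challenge path escaped the redirect while everything else was sent to HTTPS. It assumes the host (bithavoc.io, taken from the post) is reachable on port 80 and that the request hits HAProxy directly; the classify function works on constructed responses, so the decision logic can be exercised without any network.

```python
"""Check that HTTPS enforcement leaves the ACME HTTP-01 challenge path alone.

Added example for the HAProxy rule discussed above (not the post's own code).
A 404 for a random token on the challenge path is fine: it proves the request
reached a backend instead of the redirect rule. A 3xx there is the bug.
"""
import http.client
import secrets
import sys
from dataclasses import dataclass
from typing import Dict, Optional

ACME_PREFIX = "/.well-known/acme-challenge/"
REDIRECT_CODES = (301, 302, 303, 307, 308)


@dataclass
class Probe:
    """What HAProxy answered for one plain-HTTP request."""
    path: str
    status: int
    location: Optional[str]


def classify(probe: Probe) -> str:
    """Return 'ok' or a one-line description of the misconfiguration."""
    is_redirect = probe.status in REDIRECT_CODES
    to_https = is_redirect and (probe.location or "").lower().startswith("https://")
    if probe.path.startswith(ACME_PREFIX):
        if is_redirect:
            return "challenge path is redirected; renewals will depend on the TLS endpoint"
        return "ok"
    if not to_https:
        return "plain-HTTP request was not redirected to https"
    return "ok"


def probe_path(host: str, path: str, timeout: float = 5.0) -> Probe:
    """Send one GET over plain HTTP without following redirects (network call)."""
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": host})
        resp = conn.getresponse()
        return Probe(path, resp.status, resp.getheader("Location"))
    finally:
        conn.close()


def check_host(host: str) -> Dict[str, str]:
    """Probe the challenge path (random token) and / and classify both answers."""
    token = secrets.token_urlsafe(32)  # unknown token: 404 is expected, 3xx is not
    return {path: classify(probe_path(host, path)) for path in (ACME_PREFIX + token, "/")}


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "bithavoc.io"  # host from the post
    for path, verdict in check_host(target).items():
        print(f"{path}: {verdict}")
```

Run it as `python check_acme_redirect.py bithavoc.io` (the file name is arbitrary); any verdict other than `ok` on the challenge line means the exemption is not in effect and the next renewal after expiry will fail exactly as described in the post.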