EBW serves the site through an HAProxy reverse proxy. This provides HAProxy metrics, lets other websites be served from the same server if desired, and allows various HTTP(S) best practices (timeouts, server and client connection limits, TLS termination) to be enforced at the proxy layer rather than coded into the Go server.
The default HAProxy setup is configured through the Ansible scripts, particularly the haproxy role. The installation is defined in tools/ansible/roles/haproxy/tasks/main.yml; it may help to read that task file alongside this discussion. Its tasks, in order, are:
- certbot: installs certbot from the Ubuntu repos and the Let's Encrypt repo.
- copy-haproxy-lua-script: installs the acme-validation plugin for HAProxy from https://github.com/janeczku/haproxy-acme-validation-plugin.git. This Lua plugin lets HAProxy itself answer the ACME HTTP-01 challenge requests that certbot's validation triggers, so certificates can be renewed without stopping HAProxy or freeing port 80.
- stop-haproxy-systemd: stops and disables HAProxy for the remainder of the initial setup.
- get-certificate: fetches a certificate for the server's fqdn using certbot's standalone server. Standalone mode binds port 80 itself, which is why HAProxy must be stopped first (at this point it is not yet fully configured to answer challenges).
- merge-certificate: concatenates the certbot-issued certificate chain and private key into the single PEM file that HAProxy's `crt` directive requires. Because that file now contains the private key, it must be readable only by HAProxy.
- configure-haproxy: writes the HAProxy configuration and notifies Ansible that HAProxy should be restarted (the restart handler runs at the end of the installation).
- cron-letsencrypt: configures Let's Encrypt certificate renewal, using the renewal script shipped with the Lua plugin repo.
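The merge-certificate and cron-letsencrypt steps both end with the same operation: turning certbot's fullchain.pem and privkey.pem into one PEM for HAProxy and then reloading the proxy. The script below is an added illustration of that operation, not the EBW role's own code; the live directory and output paths are hypothetical, and the reload helper validates the configuration before reloading so a broken config never takes the site down. It writes the merged file atomically with mode 600 so the private key is never world-readable, even briefly.

```shell
#!/bin/sh
# Added example (not the EBW project's merge-certificate task).
# Merge a Let's Encrypt fullchain + private key into the single PEM that
# HAProxy's `bind ... ssl crt <file>` expects: certificate chain first,
# private key appended.

merge_haproxy_pem() {
    live_dir="$1"   # hypothetical, e.g. /etc/letsencrypt/live/example.org
    out="$2"        # hypothetical, e.g. /etc/haproxy/certs/example.org.pem

    # Refuse to produce a half-built bundle if either input is missing.
    [ -s "$live_dir/fullchain.pem" ] || { echo "missing $live_dir/fullchain.pem" >&2; return 1; }
    [ -s "$live_dir/privkey.pem" ]   || { echo "missing $live_dir/privkey.pem" >&2; return 1; }

    # The merged file carries the private key: create it owner-only from the
    # start (umask) rather than chmod-ing after the fact.
    old_umask=$(umask)
    umask 077
    tmp="$out.tmp.$$"
    cat "$live_dir/fullchain.pem" "$live_dir/privkey.pem" > "$tmp" || { rm -f "$tmp"; umask "$old_umask"; return 1; }
    chmod 600 "$tmp"
    umask "$old_umask"

    # Atomic replace, so HAProxy never sees a partially written bundle.
    mv "$tmp" "$out"
}

reload_haproxy_if_valid() {
    cfg="${1:-/etc/haproxy/haproxy.cfg}"   # assumed default location
    command -v haproxy >/dev/null 2>&1 || { echo "haproxy not installed" >&2; return 1; }
    # Parse-check the config before asking systemd to reload; a reload with a
    # bad config would otherwise leave the proxy running stale certificates or down.
    haproxy -c -q -f "$cfg" || { echo "haproxy config check failed; not reloading" >&2; return 1; }
    systemctl reload haproxy
}
```

In a renewal hook the two functions run back to back: merge the freshly renewed files, then reload only if the configuration still parses. Old private-key material is overwritten by the atomic move, so no stale key lingers on disk.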
HAProxy is configured from the template tools/ansible/roles/haproxy/templates/haproxy.cfg.j2. The file is largely self-explanatory, and a few inline comments describe particular settings.
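To make the pieces above concrete, here is an added, minimal HAProxy configuration illustrating how the ACME plugin, the merged certificate and the proxy-layer limits fit together. It is an example written for this page, not the contents of the project's haproxy.cfg.j2 template; the plugin path, the service name `lua.acme-http01`, the certificate directory and the backend port are assumptions taken from the plugin's documented usage and from HAProxy's own directives, and should be checked against the template and the HAProxy version actually installed.

```haproxy
global
    # Load the acme-validation plugin so HAProxy can answer HTTP-01 challenges.
    lua-load /etc/haproxy/acme-http01-webroot.lua      # assumed install path
    # Modern TLS only; keys and certs live in the merged PEM files.
    ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11
    ssl-default-bind-ciphers ECDHE+AESGCM:ECDHE+CHACHA20

defaults
    mode http
    option httplog
    # Timeouts and limits enforced at the proxy rather than in the Go server.
    timeout connect 5s
    timeout client  30s
    timeout server  30s
    timeout http-request 10s
    maxconn 2000

frontend http-in
    bind *:80
    # Challenge requests are served by the Lua plugin; everything else goes to HTTPS.
    acl url_acme_http01 path_beg /.well-known/acme-challenge/
    http-request use-service lua.acme-http01 if METH_GET url_acme_http01
    http-request redirect scheme https code 301 unless url_acme_http01

frontend https-in
    # The crt directory holds the fullchain+privkey PEM produced by merge-certificate.
    bind *:443 ssl crt /etc/haproxy/certs/                # assumed directory
    http-response set-header Strict-Transport-Security "max-age=31536000"
    default_backend ebw

backend ebw
    server ebw1 127.0.0.1:8080 check                       # assumed EBW port
```

The important security detail is the ordering in frontend http-in: the challenge path is matched before the HTTPS redirect, so Let's Encrypt's validator reaches the plugin over plain HTTP while every other request is pushed to TLS. Run `haproxy -c -f` on the rendered file after any change to confirm it still parses.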