Configure Wildcard SSL to Google Compute Engine with Google Cloud DNS + HAProxy + Docker
Hi everyone! It's me again, here to share some experience, thoughts or opinions about technology in the software engineering field. In previous stories, we learned how to configure a domain and subdomain for Google Compute Engine with Google Cloud DNS. Both stories can be found here: https://medium.com/@bismobaruno/4832900e353b and https://medium.com/@bismobaruno/1cb956c6a542
We also successfully configured Wildcard SSL with Amazon EC2 + NGINX + Docker: https://medium.com/@bismobaruno/a33e657d8149
Today, we will produce the same result in the Google environment, using HAProxy as the load balancer and, of course, still using Docker!
What SSL is and why we use it was already explained in the Wildcard SSL story mentioned above, so in this part we can jump straight to the technical side.
1. Setup Docker Compose
Follow the installation instructions from the official Docker site: https://docs.docker.com/compose/install/#install-compose
Download the current stable release of Docker Compose:
sudo curl -L "https://github.com/docker/compose/releases/download/1.25.5/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
Apply executable permissions to the binary:
sudo chmod +x /usr/local/bin/docker-compose
2. Create SSL Certificate
We will use https://www.sslforfree.com/ to get the free SSL certificate. Visit the page and enter our domain, plus the wildcard for subdomains, into the form. Next, click the Create Free SSL Certificate button to continue.
Use Manually Verify Domain, since that is the only option available when we want a Wildcard SSL certificate.
We will receive TXT record information and need to add that record on our DNS server.
Go to the GCP console https://console.cloud.google.com/ and choose the Cloud DNS submenu from the Network services menu.
Choose the Zone to which we want to add the record.
Click the Add record set button.
Fill in the information from https://www.sslforfree.com/, for example:
- DNS Name: _acme-challenge
- Resource Record Type: TXT with TTL 1 second
- TXT data: the two values from sslforfree.com
Click the Create button to save the record.
Go back to https://www.sslforfree.com/, where we can verify the record before downloading the certificate.
Result of the verification (if there were no issues).
Result of the SSL certificate download. Click Download All SSL Certificate Files, because we need them to set up SSL on the server.
3. Configure SSL Certificate
Now it's time to configure the certificate in HAProxy. We will set it up so that incoming requests can be served over HTTPS on port 443.
Extract the certificates downloaded in the previous step. We will have 3 certificate files as follows:
Because HAProxy needs a single .pem file for the SSL configuration, we should first bundle all the certificates into one .pem file.
We can do it manually, making sure the certificate file is structured like this:
-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----
Or using these commands:
echo "$(cat certificate.crt)" >> practice-gcp.site.pem
echo "$(cat ca_bundle.crt)" >> practice-gcp.site.pem
echo "$(cat private.key)" >> practice-gcp.site.pem
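The same bundling as a reusable script, with the checks worth running before handing the file to HAProxy: the bundle is created owner-only because it contains the private key, each part is forced to end with a newline (the reason for the echo "$(cat ...)" trick above), and the result is checked for a leaf plus chain plus exactly one key whose public key matches the leaf. This is an added example, not code from the original post; it assumes the three file names from the post and that openssl is installed for the last check.

```shell
#!/bin/sh
# Added example, not from the original post: build the single PEM file that
# HAProxy expects from the three files sslforfree.com delivers, then check it.
# Assumed input names (as in the post): certificate.crt, ca_bundle.crt, private.key.

# Build the bundle in the order leaf certificate, CA chain, private key.
# A bare `cat a b` glues the END line of one file onto the BEGIN line of the
# next when the first file lacks a trailing newline, so each part is forced
# to end with a newline before the next one is appended.
build_haproxy_pem() {
    out=$1; shift
    (umask 077; : > "$out")   # the bundle holds the private key: create it owner-only
    chmod 600 "$out"          # and tighten an already existing file too
    for part in "$@"; do
        [ -f "$part" ] || { echo "missing $part" >&2; return 1; }
        cat "$part" >> "$out"
        [ -z "$(tail -c1 "$part")" ] || echo >> "$out"   # add newline if the file had none
    done
}

# Structural check: HAProxy needs the leaf plus at least one chain certificate
# and exactly one private key block in the file.
pem_structure_ok() {
    certs=$(grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true)
    keys=$(grep -c '^-----BEGIN .*PRIVATE KEY-----' "$1" || true)
    [ "${certs:-0}" -ge 2 ] && [ "${keys:-0}" -eq 1 ]
}

# Cryptographic check (needs openssl): the key must belong to the first
# certificate in the bundle, i.e. the leaf issued for the wildcard name.
pem_key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$1" -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ]
}
```

Usage on the post's files: build_haproxy_pem practice-gcp.site.pem certificate.crt ca_bundle.crt private.key && pem_structure_ok practice-gcp.site.pem && pem_key_matches_cert practice-gcp.site.pem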
Copy the certificate to the server. Let's say we will put it in the haproxy directory under /home/momo:
gcloud compute scp practice-gcp.site.pem instance-1:/home/momo/haproxy
Modify the HAProxy config file. We add some lines, and the final config will look like this:
Create a docker-compose.yml file, because we will switch to Docker Compose for running the service:
We need to stop the current HAProxy service and re-run it using Docker Compose. First, find the container id using docker ps:
Stop the container with the docker stop command:
docker stop [CONTAINER ID]
Run the service with the docker-compose command:
docker-compose up -d
4. Setup Firewall Rules
Go to the GCP console https://console.cloud.google.com/ and choose the Firewall rules submenu from the VPC network menu.
Create a new rule by clicking the CREATE FIREWALL RULE button.
Fill in the information for the rule; we only modify Name, Target tags, Source IP ranges and tcp ports, leaving the rest at their defaults. Next, click the CREATE button to save the rule.
After we are done with all the steps, we can test that our SSL is working. Just open our domain and subdomain in a web browser over HTTPS.
Yeeaaay!! It works!! We have a valid certificate for both!
I hope you enjoyed it, and I'm happy if this article is useful for you! Happy Pointing!