Warning

This tutorial is a community contribution and is not supported by the Open WebUI team. It only serves as a demonstration of how to customize Open WebUI for your specific use case. Want to contribute? Check out the contributing tutorial.

HAProxy Configuration for Open WebUI

HAProxy (High Availability Proxy) is a specialized load balancing and reverse proxy solution that is highly configurable and designed to handle a large number of connections with a relatively low resource footprint. For more information, see: https://www.haproxy.org/

Install HAProxy and Let's Encrypt

First, install HAProxy and Let's Encrypt's certbot:

Red Hat derivatives

sudo dnf install haproxy certbot openssl -y

Debian derivatives

sudo apt install haproxy certbot openssl -y

HAProxy base configuration

HAProxy's configuration is stored by default in /etc/haproxy/haproxy.cfg. This file contains all of the configuration directives that determine how HAProxy operates.

The base configuration for HAProxy to work with Open WebUI is fairly simple.

#---------------------------------------------------------------------
# Global settings
#---------------------------------------------------------------------
global
    # To have these messages end up in /var/log/haproxy.log you will need to:
    # 1) configure syslog to accept network log events.
    #    This is done by adding the -r option to SYSLOGD_OPTIONS in /etc/sysconfig/syslog.
    # 2) configure local2 events to go to the /var/log/haproxy.log file.
    #    A line like the following can be added to /etc/sysconfig/syslog:
    #    local2.* /var/log/haproxy.log
    log 127.0.0.1 local2

    chroot /var/lib/haproxy
    pidfile /var/run/haproxy.pid
    maxconn 4000
    user haproxy
    group haproxy
    daemon

    # adjust the dh-param value (if it is too low)
    tune.ssl.default-dh-param 2048
#---------------------------------------------------------------------
# common defaults that the listen and backend sections use unless overridden in their own block
#---------------------------------------------------------------------
defaults
    mode http
    log global
    option httplog
    option dontlognull
    option http-server-close
    option forwardfor #except 127.0.0.0/8
    option redispatch
    retries 3
    timeout http-request 300s
    timeout queue 2m
    timeout connect 120s
    timeout client 10m
    timeout server 10m
    timeout http-keep-alive 120s
    timeout check 10s
    maxconn 3000

# http
frontend web
    # non-SSL
    bind 0.0.0.0:80
    # SSL/TLS
    bind 0.0.0.0:443 ssl crt /path/to/ssl/folder/

    # Let's Encrypt SSL
    acl letsencrypt-acl path_beg /.well-known/acme-challenge/
    use_backend letsencrypt-backend if letsencrypt-acl

    # subdomain method
    acl chat-acl hdr(host) -i subdomain.domain.tld
    # path method
    acl chat-acl path_beg /owui/
    use_backend owui_chat if chat-acl

# pass ACME challenge requests to the Let's Encrypt standalone listener
backend letsencrypt-backend
    server letsencrypt 127.0.0.1:8688

# OWUI Chat
backend owui_chat
    # add X-FORWARDED-FOR
    option forwardfor
    # add X-CLIENT-IP
    http-request add-header X-CLIENT-IP %[src]
    http-request set-header X-Forwarded-Proto https if { ssl_fc }
    server chat <ip>:3000

We have set up ACL records (routers) for Open WebUI and Let's Encrypt. To use WebSockets with OWUI, SSL must be configured, and the easiest way to do that is to use Let's Encrypt.

You can use either the subdomain method or the path method to route traffic to Open WebUI. The subdomain method requires a dedicated subdomain (e.g., chat.yourdomain.com), while the path method lets you access Open WebUI through a specific path on your domain (e.g., yourdomain.com/owui/). Choose the method that suits your needs and update the configuration (the chat-acl lines in the frontend) accordingly.

Info

You will need to expose ports 80 and 443 to your HAProxy server. These ports are required for Let's Encrypt to validate your domain and for HTTPS traffic. You will also need to ensure your DNS records are correctly configured to point to your HAProxy server. If you are running HAProxy at home, you will need to forward ports 80 and 443 on your router to the HAProxy server.

Issuing SSL certificates with Let's Encrypt

Before starting HAProxy, you need to generate a self-signed certificate to use as a placeholder until Let's Encrypt issues a proper one. Here is how to generate a self-signed certificate:

openssl req -x509 -newkey rsa:2048 -keyout /tmp/haproxy.key -out /tmp/haproxy.crt -days 3650 -nodes -subj "/CN=localhost"

๊ทธ ๋‹ค์Œ, ํ‚ค์™€ ์ธ์ฆ์„œ๋ฅผ ๊ฒฐํ•ฉํ•˜์—ฌ HAProxy๊ฐ€ ์‚ฌ์šฉํ•  ์ˆ˜ ์žˆ๋Š” PEM ํŒŒ์ผ์„ ๋งŒ๋“œ์„ธ์š”:

cat /tmp/haproxy.crt /tmp/haproxy.key > /etc/haproxy/certs/haproxy.pem

Info

Remember to update the HAProxy configuration according to your needs and setup.

Once the HAProxy configuration is in place, you can use certbot to obtain and manage SSL certificates. Certbot handles the validation process with Let's Encrypt and, if you use the auto-renewal service, renews certificates automatically before they expire.

You can validate the HAProxy configuration by running haproxy -c -f /etc/haproxy/haproxy.cfg. If there are no errors, start HAProxy with systemctl start haproxy and check that it is running with systemctl status haproxy.

To have HAProxy start with the system, run systemctl enable haproxy.

With HAProxy configured, use Let's Encrypt to issue a valid SSL certificate. First, you need to register with Let's Encrypt. This only has to be done once:

certbot register --agree-tos --email [email protected] --non-interactive

๊ทธ๋‹ค์Œ, ์ธ์ฆ์„œ๋ฅผ ์š”์ฒญํ•  ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค:

certbot certonly -n --standalone --preferred-challenges http --http-01-port-8688 -d yourdomain.com

์ธ์ฆ์„œ๊ฐ€ ๋ฐœ๊ธ‰๋˜๋ฉด, ์ธ์ฆ์„œ์™€ ๊ฐœ์ธ ํ‚ค ํŒŒ์ผ์„ HAProxy๊ฐ€ ์‚ฌ์šฉํ•  ์ˆ˜ ์žˆ๋Š” ํ•˜๋‚˜์˜ PEM ํŒŒ์ผ๋กœ ๋ณ‘ํ•ฉํ•ด์•ผ ํ•ฉ๋‹ˆ๋‹ค.

cat /etc/letsencrypt/live/{domain}/fullchain.pem /etc/letsencrypt/live/{domain}/privkey.pem > /etc/haproxy/certs/{domain}.pem
chmod 600 /etc/haproxy/certs/{domain}.pem
chown haproxy:haproxy /etc/haproxy/certs/{domain}.pem

๊ทธ๋Ÿฐ ๋‹ค์Œ HAProxy๋ฅผ ์žฌ์‹œ์ž‘ํ•˜์—ฌ ์ƒˆ ์ธ์ฆ์„œ๋ฅผ ์ ์šฉํ•˜์„ธ์š”: systemctl restart haproxy

HAProxy Manager (simplified deployment option)

To manage your HAProxy configuration and Let's Encrypt SSL certificates automatically, you can use a simple Python script and Docker container that I wrote. It lets you create and manage the HAProxy configuration and manage the Let's Encrypt certificate lifecycle.

https://github.com/shadowdao/haproxy-manager

Warning

If you use the script or container, do not expose port 8000 publicly!