Configure HAproxy load balancing, implement basic health checks

[RequestForCoffee]

Relates to #35.

Summary of changes:

• Install imovies.ch and www.imovies.ch to every hosts file, pointing to the ldservers (internal network machines use the internal net IP range (10.0.0.*) while the clients use the public net (172.16.0.*). This should take care of DNS-level redundancy by adding multiple entries if multiple ldservers are present.
• Add imovies.ch and www.imovies.ch to the SAN fields of the TLS certificates
• Implement a CoreCA health check endpoint triggering checks on its ability to access the required DB(s)
• Implement a WebServer health check endpoint triggering checks on its DB access and CoreCA's health check response
• Configure HAproxy on ldservers to perform TCP-layer load balancing across webservers with sticky sessions and health checking

Remaining work:

1. Test (and troubleshoot as necessary) a two-chain setup with duplicate boxes
2. Configure a multi-peer HAproxy solution to synchronize session stick tables across aslld01 and aslld02+ so that in the event of a load balancer going down, the associated sessions are not interrupted

[RequestForCoffee]

https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/ explains that the ciphersuites is apparently already "hardened".

[Miro-H]

https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/ explains that the ciphersuites is apparently already "hardened".

Yeah, but he focuses quite much on backwards compatibility. Additionally, despite the authors promise to update his blog regularly, the last one was over a year ago. The ciphers on the very bottom, in the section "I only care about web browsers released in the past five years." is more what I'd imagined:

global
   ssl-default-bind-options force-tlsv12 prefer-client-ciphers
   ssl-default-bind-ciphers ECDH+AESGCM:ECDH+CHACHA20:ECDH+AES256:ECDH+AES128:!aNULL:!SHA1:!AESCCM

   ssl-default-server-options force-tlsv12
   ssl-default-server-ciphers ECDH+AESGCM:ECDH+CHACHA20:ECDH+AES256:ECDH+AES128:!aNULL:!SHA1:!AESCCM

[keyctl]

I merged this with the current master, but it gives me a PR_END_OF_FILE_ERROR. @RequestForCoffee Have you experienced this before?

[keyctl]

Okay, I think I made a mistake during merge. Somehow the CrlDistributionPoint was renamed somewhere. @RequestForCoffee Please confirm, that the current branch is semantically as it should be. a40712d resolved my issue described before.

[RequestForCoffee]

@keyctl Yes, a40712d is semantically correct - CrlDistributionPoint is now constant (under imovies.ch) and no longer a format string. Should be good to merge?

[RequestForCoffee]

@Miro-H do you want to take a look or should I merge this?