• HAProxy SSL configuration methods


    Implementing an HTTP-to-HTTPS jump with HAProxy's redirect directive

    To make HTTP jump to HTTPS with a redirect, you only need to add the following to the frontend:

    frontend http-in
        bind *:80
        bind *:443 ssl crt /etc/haproxy/aaa.bbb.pem
        redirect scheme https if !{ ssl_fc }

    redirect scheme https if !{ ssl_fc } means every HTTP site is redirected to HTTPS. To redirect only one site or one URL instead:

    redirect scheme https if { hdr_beg(host) -i aaa.bbb.com } !{ ssl_fc }

    redirect scheme https if { hdr_reg(host) -i ^[a-zA-Z0-9_]+.aaa.bbb.com } !{ ssl_fc }
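    As an added example (not code from the original post), the small evaluator below mimics the HAProxy fetches the three redirect rules rely on, ssl_fc, hdr_beg(host) -i and hdr_reg(host) -i, so you can see which requests each rule would redirect. The Request samples are constructed; the matching semantics follow the HAProxy documentation for these fetch methods. It also goes one step beyond the post with a tightened variant of the regex rule (escaped dots, end anchor), because as written the unescaped dots match any character and the pattern is open-ended.

```python
"""Added example, not code from the original post: evaluate the post's
redirect rules against constructed requests. ssl_fc, hdr_beg(host) -i and
hdr_reg(host) -i are emulated after the HAProxy documentation."""
import re
from dataclasses import dataclass


@dataclass
class Request:
    host: str       # value of the Host header as received by the frontend
    ssl_fc: bool    # ssl_fc: True when the client connection itself is TLS


def hdr_beg(value, prefix, ignore_case=True):
    """hdr_beg(host) -i <prefix>: prefix match, case-insensitive with -i."""
    if ignore_case:
        return value.lower().startswith(prefix.lower())
    return value.startswith(prefix)


def hdr_reg(value, pattern, ignore_case=True):
    """hdr_reg(host) -i <regex>: regex search; only anchored if the pattern
    anchors itself."""
    flags = re.IGNORECASE if ignore_case else 0
    return re.search(pattern, value, flags) is not None


def redirect_all(req):
    """redirect scheme https if !{ ssl_fc }"""
    return not req.ssl_fc


def redirect_one_site(req):
    """redirect scheme https if { hdr_beg(host) -i aaa.bbb.com } !{ ssl_fc }
    Two conditions written side by side are ANDed."""
    return hdr_beg(req.host, "aaa.bbb.com") and not req.ssl_fc


def redirect_subdomains(req):
    """redirect scheme https if { hdr_reg(host) -i ^[a-zA-Z0-9_]+.aaa.bbb.com } !{ ssl_fc }
    Exactly as written in the post: the dots are unescaped, so each matches
    any single character, and nothing anchors the end of the host."""
    return hdr_reg(req.host, r"^[a-zA-Z0-9_]+.aaa.bbb.com") and not req.ssl_fc


def redirect_subdomains_strict(req):
    """Tightened variant (my addition, not in the post): escaped dots and an
    end anchor, so only real sub-domains of aaa.bbb.com match."""
    return hdr_reg(req.host, r"^[a-zA-Z0-9_]+\.aaa\.bbb\.com$") and not req.ssl_fc


def evaluate(req):
    """Which of the four rules would redirect this request."""
    return {
        "all": redirect_all(req),
        "one_site": redirect_one_site(req),
        "subdomains": redirect_subdomains(req),
        "subdomains_strict": redirect_subdomains_strict(req),
    }


if __name__ == "__main__":
    samples = [  # constructed requests
        Request("aaa.bbb.com", ssl_fc=False),
        Request("AAA.BBB.COM", ssl_fc=False),            # -i makes this match too
        Request("www.aaa.bbb.com", ssl_fc=False),
        Request("www.aaa.bbb.com", ssl_fc=True),         # already TLS: never redirected
        Request("aaa.bbb.com.example.net", ssl_fc=False),  # prefix rule still matches
        Request("www-aaa-bbb-com", ssl_fc=False),        # unescaped dots match '-'
    ]
    for r in samples:
        print(f"{r.host:26} tls={str(r.ssl_fc):5} {evaluate(r)}")
```

    The last two samples are the ones worth keeping in mind when writing host ACLs: hdr_beg is a pure prefix test, and an unescaped dot in hdr_reg is a wildcard, so the rule matches more hosts than the author probably intended.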

    Of course, a redirect can also be applied on the backend side:

    frontend  main *:80
        default_backend  app
    backend app
        balance  roundrobin
        server node1 127.0.0.1:81 check weight 3 redir http://www.baidu.cn

    This redirects visitors of the site to www.baidu.com

    Reference links: http://blief.blog.51cto.com/6170059/1752669
                     http://www.cnblogs.com/ilanni/p/4941056.html

    ---------------------------------------------------------------------------------

    1. HAProxy itself provides the SSL certificate (terminates TLS); the web servers behind it use plain HTTP

    2. HAProxy only proxies the connection; the web servers behind it handle HTTPS themselves

    Method 1 (recommended)

    HAProxy must be compiled with SSL support; build commands:

    # yum install openssl-devel -y
    # wget http://haproxy.1wt.eu/download/1.5/src/devel/haproxy-1.5-dev19.tar.gz
    # tar -zxvf haproxy-1.5-dev19.tar.gz ; cd haproxy-1.5-dev19
    # make TARGET=linux26 USE_OPENSSL=1 ADDLIB=-lz
    # ldd haproxy | grep ssl
    libssl.so.10 => /usr/lib64/libssl.so.10 (0x00007fb0485e5000)
    # make install PREFIX=/usr/local/haproxy

    haproxy.cfg configuration:

    global
      maxconn 64000
      log 127.0.0.1 local0
      chroot /usr/share/haproxy
      uid 99
      gid 99
      daemon
      nbproc 4
      tune.ssl.default-dh-param 2048

    defaults
      log global
      mode http
      option dontlognull
      retries 3
      option redispatch
      option httpclose
      balance roundrobin
      option forwardfor if-none

      maxconn 64000
      timeout connect 5000
      timeout client 50000
      timeout server 50000

    frontend https_frontend
      bind *:443 ssl crt /etc/ssl/certs/servername.pem

      acl host_https_ihouse hdr_beg(host) -i ihouse.xxx.com
      use_backend yidongclient_server_https if host_https_ihouse

      default_backend web_server

    frontend http-in
      bind *:80
      log global
      option httplog
      option forwardfor

      acl host_manager_uhouse hdr_beg(host) -i manager.u.house.com
      use_backend manager_uhouse_server if host_manager_uhouse

    backend manager_uhouse_server
      balance source
      option httpchk HEAD /httpchk.jsp HTTP/1.1\r\nHost:\ manager.u.house.com
      server mannager_uhouse_48 10.0.10.48:8081 weight 1 check inter 5000 rise 2 fall 5
      server mannager_uhouse_49 10.0.10.49:8081 weight 1 check inter 5000 rise 2 fall 5

    backend yidongclient_server_https
      balance roundrobin
      cookie SERVERID insert indirect nocache
      server s1 192.168.250.47:80 check cookie s1
      server s2 192.168.250.49:80 check cookie s2

    Note: the pem file here is the two files below concatenated: # cat servername.crt servername.key | tee servername.pem

    Following the rules above, multiple sites can share the same bind line by listing several certificates: bind *:443 ssl crt $filepath crt $file2path crt $file3path
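    The concatenation step above is where SSL setups most often go wrong, so here is an added example (not code from the original post) that builds the combined PEM the way the post's cat command does and sanity-checks the result before haproxy.cfg is pointed at it. The PEM bodies are constructed placeholders standing in for servername.crt and servername.key, not real certificates or keys.

```python
"""Added example, not code from the original post: assemble and check the
combined PEM file that `bind *:443 ssl crt <file>` expects."""
import re

# One PEM block: BEGIN line, body, END line carrying the same label, with the
# END marker at the end of its line.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z ]+)-----\n(.*?)-----END \1-----(?:\n|$)", re.DOTALL)

# Constructed placeholders (not real key material).
SERVERNAME_CRT = (
    "-----BEGIN CERTIFICATE-----\n"
    "UExBQ0VIT0xERVIgQ0VSVElGSUNBVEUgQk9EWQ==\n"
    "-----END CERTIFICATE-----\n"
)
SERVERNAME_KEY = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "UExBQ0VIT0xERVIgUFJJVkFURSBLRVkgQk9EWQ==\n"
    "-----END RSA PRIVATE KEY-----\n"
)


def build_combined_pem(*parts):
    """Equivalent of `cat servername.crt servername.key`, except that every part
    is forced to end with a newline. A .crt saved without a trailing newline
    makes plain `cat` glue '-----END CERTIFICATE-----' onto the next BEGIN
    line, and loading the file then fails."""
    return "".join(p if p.endswith("\n") else p + "\n" for p in parts)


def pem_labels(pem_text):
    """Labels of the well-formed blocks, in file order."""
    return [m.group(1) for m in PEM_BLOCK.finditer(pem_text)]


def check_combined_pem(pem_text):
    """Return a list of problems; an empty list means the file looks usable
    as a crt: well-formed blocks only, at least one certificate, exactly one
    private key. Keep the server certificate as the first CERTIFICATE block:
    OpenSSL takes the first certificate in the file as the server certificate
    and treats any further ones as the chain."""
    problems = []
    labels = pem_labels(pem_text)
    certs = [l for l in labels if l == "CERTIFICATE"]
    keys = [l for l in labels if l.endswith("PRIVATE KEY")]
    if pem_text.count("-----BEGIN ") != len(labels):
        problems.append("malformed or unterminated PEM block")
    if not certs:
        problems.append("no certificate block")
    if not keys:
        problems.append("no private key block (servername.key missing?)")
    elif len(keys) > 1:
        problems.append("more than one private key block")
    return problems


if __name__ == "__main__":
    good = build_combined_pem(SERVERNAME_CRT, SERVERNAME_KEY)
    print(pem_labels(good), check_combined_pem(good) or "ok")
    # What plain `cat` produces when the .crt has no trailing newline:
    glued = SERVERNAME_CRT.rstrip("\n") + SERVERNAME_KEY
    print(check_combined_pem(glued))
```

    Run the check on every file you list after crt on the bind line; a file that fails it is the usual cause of haproxy refusing to start with a certificate-loading error, and the private-key file should of course stay readable only by the user haproxy runs as.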

    The configuration above shows that a frontend and its corresponding backend can be defined separately, but their ACL rules are different and each must be placed in its own section.

    Method 2 configuration

    No rebuild with SSL support is needed, which is simple and convenient; the web servers behind HAProxy just need SSL configured.

    frontend https_frontend
      bind *:443
      mode tcp
      default_backend web_server
    
    backend web_server
      mode tcp
      balance roundrobin
      stick-table type ip size 200k expire 30m
      stick on src
      server s1 192.168.250.47:443
      server s2 192.168.250.49:443
      

    Note: in this mode, mode must be tcp. In testing, a frontend in mode tcp only honoured the single default_backend; ACLs could not be used.

    Example haproxy.cfg file:

    global
            maxconn 64000
            log 127.0.0.1 local0
            uid 99
            gid 99
            daemon
    defaults
            log     global
            mode    http
            option  dontlognull
            retries 3
            option  redispatch
            option  httpclose
            balance roundrobin
            maxconn 64000
            timeout connect 5000
            timeout client 50000
            timeout server 50000
    frontend yidonghttps-in
            bind *:443
            mode tcp
            default_backend yidongclient_server_https
    frontend http-in
            bind *:80
            mode http
            log global
            option httplog
            option forwardfor
            acl host_manager_uhouse hdr_beg(host) -i manager.u.house.com
            use_backend manager_uhouse_server if host_manager_uhouse
    backend yidongclient_server_https
            mode tcp
            stick-table type ip size 200k expire 30m
            stick on src
            option ssl-hello-chk
            option httpchk OPTIONS * HTTP/1.1\r\nHost:\ ihouse.ifeng.com
            server yidonghttps_168 10.0.10.168:443
    backend manager_uhouse_server
            balance source
            option httpchk HEAD /httpchk.jsp HTTP/1.1\r\nHost:\ manager.u.house.com
            server mannager_uhouse_48 10.0.10.48:8081 weight 1 check inter 5000 rise 2 fall 5
            server mannager_uhouse_49 10.0.10.49:8081 weight 1 check inter 5000 rise 2 fall 5

    Reference: https://www.trustasia.com/help/haproxy-ssl.htm

     

  • Original article: https://www.cnblogs.com/wjoyxt/p/6064440.html