云上的天涯

导航

Haproxy ssl 配置方式

通过haproxy redirect请求重定向的方法实现HTTP跳转HTTPS

配置实现http跳转到https,采用redirect重定向的做法,只需在frontend端添加:

frontend http-in
    bind *:80
    bind *:443 ssl crt /etc/haproxy/aaa.bbb.pem
    redirect scheme https if !{ ssl_fc }

redirect scheme https if !{ ssl_fc } 表示所有http站点都会跳转到https,如果只针对某一站点或某一URL进行跳转的话:

redirect scheme https if { hdr_beg(host) -i aaa.bbb.com } !{ ssl_fc }

redirect scheme https if { hdr_reg(host) -i ^[a-zA-Z0-9_]+.aaa.bbb.com } !{ ssl_fc }

 

当然了,也可以重定向也可以用在backend端:

frontend  main *:80
    default_backend  app
backend app
    balance  roundrobin
    server node1 127.0.0.1:81 check weight 3 redir http://www.baidu.cn

将访问的站点重定向到www.baidu.com

 

参考链接:http://blief.blog.51cto.com/6170059/1752669

              http://www.cnblogs.com/ilanni/p/4941056.html

---------------------------------------------------------------------------------

1、haproxy 本身提供ssl 证书,后面的web 服务器走正常的http 

2、haproxy 本身只提供代理,后面的web服务器https

第一种方式(推荐)

需要编译haproxy 支持ssl,编译参数:   

# yum install openssl-devel -y
# wget http://haproxy.1wt.eu/download/1.5/src/devel/haproxy-1.5-dev19.tar.gz
# tar -zxvf haproxy-1.5-dev19.tar.gz ; cd haproxy-1.5-dev19
# make TARGET=linux26 USE_OPENSSL=1 ADDLIB=-lz
# ldd haproxy | grep ssl
  libssl.so.10 => /usr/lib64/libssl.so.10 (0x00007fb0485e5000)
# make install PREFIX=/usr/local/haproxy

haproxy.cfg 配置:

复制代码

global
  maxconn 64000
  log 127.0.0.1 local0
  chroot /usr/share/haproxy
  uid 99
  gid 99
  daemon
  nbproc 4
  tune.ssl.default-dh-param 2048

defaults
  log global
  mode http
  option dontlognull
  retries 3
  option redispatch
  option httpclose
  balance roundrobin
  option forwardfor if-none

  maxconn 64000
  timeout connect 5000
  timeout client 50000
  timeout server 50000

frontend https_frontend
  bind *:443 ssl crt /etc/ssl/certs/servername.pem

   acl host_https_ihouse hdr_beg(host) -i ihouse.xxx.com
   use_backend yidongclient_server_https if host_https_ihouse

    default_backend web_server

frontend http-in
  bind *:80
  log global
  option httplog
  option forwardfor

    acl host_manager_uhouse hdr_beg(host) -i manager.u.house.com
    use_backend manager_uhouse_server if host_manager_uhouse


backend manager_uhouse_server
  balance source
  option httpchk HEAD /httpchk.jsp HTTP/1.1\r\nHost:\ manager.u.house.com
  server mannager_uhouse_48 10.0.10.48:8081 weight 1 check inter 5000 rise 2 fall 5
  server mannager_uhouse_49 10.0.10.49:8081 weight 1 check inter 5000 rise 2 fall 5


backend yidongclient_server_https

   balance roundrobin
   cookie SERVERID insert indirect nocache
   server s1 192.168.250.47:80 check cookie s1
   server s2 192.168.250.49:80 check cookie s2

  注意:这里的pem 文件是下面两个文件合并而成:
  # cat servername.crt servername.key |tee servername.pem


复制代码




按照如上规则如果多个站点就可以使用同样的规则 bind *:443  ssl  crt  $filepath  crt $file2path  crt $file3path


通过以上配置可以看出来,frontend与其相对应的backend可以分开,但是其各自acl规则是不同的,必须放在自己所属的区域下面。


第二种方式配置


不需要重新编译支持ssl,简单方便。需要后面的web服务器配置好ssl 即可。




复制代码


frontend https_frontend
  bind *:443
  mode tcp
  default_backend web_server

backend web_server
  mode tcp
  balance roundrobin
  stick-table type ip size 200k expire 30m
  stick on src
  server s1 192.168.250.47:443
  server s2 192.168.250.49:443
  
  注意,这种模式下mode 必须是tcp 模式,经测试 frontend 采用mode tcp时,只认可 default_backend 这一个后端,无法使用acl


复制代码




 


haproxy.cfg示例文件:




复制代码


global
        maxconn 64000
        log 127.0.0.1 local0
        uid 99
        gid 99
        daemon
defaults
        log     global
        mode    http
        option  dontlognull
        retries 3
        option  redispatch
        option  httpclose
        balance roundrobin
        maxconn 64000
        timeout connect 5000
        timeout client 50000
        timeout server 50000

frontend yidonghttps-in
         bind *:443 
         mode tcp
         default_backend yidongclient_server_https

frontend http-in
        bind *:80
        mode http
        log global
        option httplog
        option forwardfor
       
        acl host_manager_uhouse hdr_beg(host) -i manager.u.house.com
        use_backend manager_uhouse_server if host_manager_uhouse


backend yidongclient_server_https
        mode tcp
        stick-table type ip size 200k expire 30m
        stick on src
        option ssl-hello-chk
        option httpchk OPTIONS * HTTP/1.1\r\nHost:\ ihouse.ifeng.com
        server yidonghttps_168 10.0.10.168:443


backend manager_uhouse_server
        balance source
        option httpchk HEAD /httpchk.jsp HTTP/1.1\r\nHost:\ manager.u.house.com
        server mannager_uhouse_48 10.0.10.48:8081 weight 1 check inter 5000 rise 2 fall 5
        server mannager_uhouse_49 10.0.10.49:8081 weight 1 check inter 5000 rise 2 fall 5


复制代码




 


 参考资料:https://www.trustasia.com/help/haproxy-ssl.htm






		

			posted on 
2018-09-26 14:46 
云上的天涯 
阅读(1301) 
评论(0编辑 
收藏 
举报