4、haproxy https实现
4、haproxy https实现
4.1 证书制作
[root@centos7 ~]#mkdir /etc/haproxy/certs/
[root@centos7 ~]#cd /etc/haproxy/certs/
[root@centos7 certs]#openssl genrsa -out haproxy.key 2048
[root@centos7 certs]#openssl req -new -x509 -key haproxy.key -out haproxy.crt \
-subj "/CN=www.magedu.org"
注：未指定 -days 时，openssl req -x509 生成的自签名证书默认有效期只有 30 天；此证书仅适用于测试环境。
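[root@centos7 certs]#cat haproxy.key haproxy.crt > haproxy.pem
注：haproxy.key 和 haproxy.pem 都包含私钥，按默认 umask 创建时其他用户可能可读，建议执行 chmod 600 haproxy.key haproxy.pem，只允许 root 读取。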
[root@centos7 certs]#openssl x509 -in haproxy.pem -noout -text #查看证书
[root@centos7 certs]# ls
haproxy.crt haproxy.key haproxy.pem
4.2 https配置示例
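# Frontend: accepts plain HTTP on 10.0.0.7:80 and TLS on 10.0.0.7:443,
# redirects every non-TLS request to HTTPS, and tells the backend which
# port and scheme the client used.
frontend magedu_httpd_port
    mode http
    balance roundrobin
    log global
    option httplog
    bind 10.0.0.7:80
######################https setting###########################################
    # haproxy.pem is the private key concatenated with the certificate, so the
    # file must be readable by root only.
    # NOTE(review): no minimum TLS version or cipher list is set on this bind,
    # so the build defaults apply; pin them explicitly (for example with
    # ssl-default-bind-options / ssl-default-bind-ciphers in the global
    # section) - confirm the option names against the installed HAProxy version.
    bind 10.0.0.7:443 ssl crt /etc/haproxy/certs/haproxy.pem
    # Anything that did not arrive over TLS is sent to the https:// URL.
    redirect scheme https if !{ ssl_fc }
    # set-header (not add-header) so that a client-supplied X-Forwarded-* value
    # is overwritten instead of being kept alongside the proxy's own value; a
    # backend that trusts these headers would otherwise see attacker-chosen data.
    http-request set-header X-Forwarded-Port %[dst_port]
    http-request set-header X-Forwarded-Proto https if { ssl_fc }
####################acl setting###############################################
    acl mobile_domain hdr_dom(host) -i mobile.magedu.org
#####################acl hosts################################################
    # NOTE(review): mobile_domain is declared but nothing in this excerpt
    # references it, so every request goes to pc_hosts. Presumably a rule such
    # as the one below was intended - confirm before enabling.
    # use_backend mobile_hosts if mobile_domain
    default_backend pc_hosts
###################### backend hosts #########################################
backend mobile_hosts
    mode http
    # Explicit :80, consistent with web2. Without a port HAProxy reuses the port
    # the client connected to, which is 443 for redirected traffic, and would
    # speak plain HTTP to the backend's 443.
    server web1 10.0.0.17:80 check inter 2000 fall 3 rise 5
backend pc_hosts
    mode http
    server web2 10.0.0.27:80 check inter 2000 fall 3 rise 5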
[root@centos7 certs]# ss -ntl
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 *:22 *:*
LISTEN 0 128 127.0.0.1:631 *:*
LISTEN 0 100 127.0.0.1:25 *:*
LISTEN 0 128 127.0.0.1:6010 *:*
LISTEN 0 128 10.0.0.7:443 *:*
LISTEN 0 128 127.0.0.1:6011 *:*
LISTEN 0 128 127.0.0.1:6012 *:*
LISTEN 0 128 *:9999 *:*
LISTEN 0 128 *:111 *:*
LISTEN 0 128 10.0.0.7:80 *:*
LISTEN 0 128 10.0.0.7:80 *:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 128 [::1]:631 [::]:*
LISTEN 0 100 [::1]:25 [::]:*
4.3修改后端web(apache)服务器的日志格式
[root@centos27 ~]#vim /etc/httpd/conf/httpd.conf
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" \"%{X-Forwarded-Port}i\" \"%{X-Forwarded-Proto}i\"" combined
4.4验证https
注：下面 curl 的 -k 选项会跳过证书校验，只适用于自签名证书的测试环境；生产环境应使用受信任 CA 签发的证书并去掉 -k。
[root@CentOS6 ~]# vim /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
10.0.0.7 www.magedu.org
[root@CentOS6 ~]# curl -IkL http://www.magedu.org
HTTP/1.1 302 Found
content-length: 0
location: https://www.magedu.org/
cache-control: no-cache
HTTP/1.1 200 OK
date: Fri, 19 Aug 2022 10:42:49 GMT
server: Apache/2.4.6 (CentOS)
last-modified: Fri, 19 Aug 2022 10:37:32 GMT
etag: "9-5e695af7fbb71"
accept-ranges: bytes
content-length: 9
content-type: text/html; charset=UTF-8
[root@CentOS6 ~]# curl -Ik https://www.magedu.org
HTTP/1.1 200 OK
date: Fri, 19 Aug 2022 10:44:22 GMT
server: Apache/2.4.6 (CentOS)
last-modified: Fri, 19 Aug 2022 10:37:32 GMT
etag: "9-5e695af7fbb71"
accept-ranges: bytes
content-length: 9
content-type: text/html; charset=UTF-8
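查看后端服务器的访问日志
注：下面两条日志的倒数第二个字段（X-Forwarded-Port）为 "-"，说明采集日志时 LogFormat 中引用的头名称与 haproxy 设置的 X-Forwarded-Port 不一致，端口没有被记录；名称一致时该字段应为 443。最后一个字段 "https" 来自 X-Forwarded-Proto。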
[root@centos7 html]# tail /var/log/httpd/access_log
10.0.0.7 - - [19/Aug/2022:18:42:49 +0800] "HEAD / HTTP/1.1" 200 - "-" "curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.21 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2" "-" "https"
10.0.0.7 - - [19/Aug/2022:18:44:22 +0800] "HEAD / HTTP/1.1" 200 - "-" "curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.21 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2" "-" "https"