haproxy https实现

实验环境:haproxy 10.0.0.8;后端 web1 10.0.0.7、web2 10.0.0.17(均为 nginx)

一、准备后端服务器

## Run on each backend host. The first echo is for web1 only, the second for web2 only.
## Each index page contains just that host's own IP address, so the body of a
## response shows which backend served it.
# yum -y install nginx
# echo "10.0.0.7" > /usr/share/nginx/html/index.html   #web1
# echo "10.0.0.17" > /usr/share/nginx/html/index.html   #web2
# systemctl restart nginx

二、准备CA证书

实现自签名CA证书,请参考章节:实现https
合并证书文件(haproxy 的 crt 参数读取的是同时包含证书和私钥的 PEM 文件)

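# Build the combined PEM (private key + certificate) that the `crt` keyword loads.
# The file contains the private key, so it is created owner-only: with the
# default umask a plain `cat ... > file` would leave the key readable by others.
install -d -m 700 /etc/haproxy/certs
(
  # Restrictive umask in a subshell only, so the calling shell's umask is untouched.
  umask 077
  cat demo.key demo.crt > /etc/haproxy/certs/haproxy.pem
)
# Also covers the case where haproxy.pem already existed with wider permissions.
chmod 600 /etc/haproxy/certs/haproxy.pem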

三、配置haproxy

## Install haproxy, then print its configuration without the lines that start
## with '#' in the first column (indented comments are still shown).
# yum -y install haproxy
# grep -v "^#" /etc/haproxy/haproxy.cfg

# Process-wide settings: logging target, chroot and privilege drop, connection
# cap, runtime socket and TLS cipher defaults.
global
    # to have these messages end up in /var/log/haproxy.log you will
    # need to:
    #
    # 1) configure syslog to accept network log events.  This is done
    #    by adding the '-r' option to the SYSLOGD_OPTIONS in
    #    /etc/sysconfig/syslog
    #
    # 2) configure local2 events to go to the /var/log/haproxy.log
    #   file. A line like the following can be added to
    #   /etc/sysconfig/syslog
    #
    #    local2.*                       /var/log/haproxy.log
    #
    log         127.0.0.1 local2

    # Confine the running process to /var/lib/haproxy and run it as the
    # unprivileged haproxy user and group.
    chroot      /var/lib/haproxy
    pidfile     /var/run/haproxy.pid
    maxconn     4000
    user        haproxy
    group       haproxy
    daemon

    # turn on stats unix socket
    # No `mode` or `level` is given, so the socket gets haproxy's default
    # permissions and access level.
    stats socket /var/lib/haproxy/stats

    # utilize system-wide crypto-policies
    ssl-default-bind-ciphers PROFILE=SYSTEM
    ssl-default-server-ciphers PROFILE=SYSTEM

# Settings inherited by the frontend and backend sections that follow.
defaults
    # Layer-7 (HTTP) proxying, logged in HTTP format to the target set in `global`.
    mode                    http
    log                     global
    option                  httplog
    option                  dontlognull
    option http-server-close
    # Add an X-Forwarded-For header carrying the client address, except for
    # requests that come from 127.0.0.0/8.
    option forwardfor       except 127.0.0.0/8
    # Retry a failed server connection up to 3 times; redispatch lets a retry
    # go to a different server.
    option                  redispatch
    retries                 3
    # Upper bound on how long a client may take to send its request.
    timeout http-request    10s
    timeout queue           1m
    timeout connect         10s
    timeout client          1m
    timeout server          1m
    timeout http-keep-alive 10s
    timeout check           10s
    maxconn                 3000

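# Public listener on 10.0.0.8: accepts HTTP and HTTPS, forces HTTPS, and hands
# every request to the web_hosts backend.
frontend http_port
    # Plain-HTTP listener; requests arriving here are only redirected (see below).
    bind 10.0.0.8:80
    # TLS is terminated here. haproxy.pem holds the certificate and its private key.
    # No TLS version floor is set in this file; `ssl-min-ver TLSv1.2` on this line
    # (or in `ssl-default-bind-options`) makes it explicit.
    bind 10.0.0.8:443 ssl crt /etc/haproxy/certs/haproxy.pem
    # Redirect every request that did not arrive over TLS to the https:// URL.
    redirect scheme https if !{ ssl_fc }
    # No `balance` line here: the algorithm is a backend setting, and haproxy
    # ignores it (with a warning) in a frontend.
    default_backend web_hosts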
# Pool of the two nginx servers. Requests are forwarded to port 80 as plain
# HTTP, so TLS ends at the proxy and the proxy-to-backend hop is unencrypted.
backend web_hosts
    # Alternate between the servers in turn.
    balance     roundrobin
    # check inter 2000 fall 3 rise 5: health-check every 2000 ms; a server is
    # marked down after 3 failed checks and up again after 5 successful ones.
    server	web1	10.0.0.7:80 check inter 2000 fall 3 rise 5
    server	web2	10.0.0.17:80 check inter 2000 fall 3 rise 5


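## Validate the configuration file first (-c only checks it and exits), so a
## typo does not take the proxy down, then restart the haproxy service.
# haproxy -c -f /etc/haproxy/haproxy.cfg
# systemctl restart haproxy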

四、访问测试

[root@7-2 ~]#while :;do curl https://10.0.0.8 -k;sleep 0.5;done
10.0.0.17
10.0.0.7
10.0.0.17
10.0.0.7
10.0.0.17
10.0.0.7
....

在Windows客户端访问10.0.0.8,实现了自动跳转https。注意:上面 curl 的 -k 选项会跳过证书校验,只适合本实验;要真正校验证书,需要让客户端信任自签名 CA(例如 curl 用 --cacert 指定 CA 证书)。
