haproxy配置基于ssl证书的https负载均衡
本实验全部在haproxy1.5.19版本进行测试通过,经过测试1.7.X及haproxy1.3版本以下haproxy配置参数可能不适用,需要注意版本号。
一、业务要求
现在根据业务的实际需要,有以下几种不同的需求。如下:
1.1 http跳转https
把所有请求http://www.chinasoft.com的地址全部跳转为https//:www.chinasoft.com这个地址
1.2 http与https并存
服务器同时开放http://www.chinasoft.com和https://www.chinasoft.com的访问形式
1.3 服务器环境准备
node1即haproxy所在服务器的处理
安装依赖
yum install -y openssl openssl-devel readline-devel pcre-devel libssl-dev libpcre3
# 下载安装包,
tar zxf haproxy-1.5.19.tar.gz
cd haproxy-1.5.19
useradd -u 188 -r -d /var/lib/haproxy -s /sbin/nologin haproxy
# 加入支持ssl的编译参数
make TARGET=linux2628 USE_PCRE=1 USE_OPENSSL=1 USE_ZLIB=1 USE_CRYPT_H=1 USE_LIBCRYPT=1 make install PREFIX=/usr/local/haproxy cp /usr/local/haproxy/sbin/haproxy /usr/sbin/ cp examples/haproxy.init /etc/init.d/haproxy
chmod +x /etc/init.d/haproxy
mkdir /etc/haproxy
mkdir /var/lib/haproxy
# 修改启动脚本(可能会报错)为如下
vim /etc/init.d/haproxy
26 [[ ${NETWORKING} = "no" ]] && exit 0
后端web01(192.168.3.200)服务器apache配置,需要配置虚拟主机域名为:www.chinasoft.com否则无法正常处理
[root@node2 ~]# egrep -v '#|^$' /etc/httpd/conf/httpd.conf ServerRoot "/etc/httpd" Listen 8080 Include conf.modules.d/*.conf User apache Group apache ServerAdmin root@localhost <Directory /> Options FollowSymLinks AllowOverride none Allow from all </Directory> DocumentRoot "/var/www/html/chinasoft" <Directory "/var/www"> AllowOverride None Require all granted </Directory> <Directory "/var/www/html/chinasoft"> Options Indexes FollowSymLinks AllowOverride None Require all granted </Directory> <IfModule dir_module> DirectoryIndex index.php index.html </IfModule> <Files ".ht*"> Require all denied </Files> ErrorLog "logs/error_log" LogLevel warn <IfModule log_config_module> LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined LogFormat "%h %l %u %t \"%r\" %>s %b" common <IfModule logio_module> LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio </IfModule> CustomLog "logs/access_log" combined </IfModule> <IfModule alias_module> ScriptAlias /cgi-bin/ "/var/www/cgi-bin/" </IfModule> <Directory "/var/www/cgi-bin"> AllowOverride None Options None Require all granted </Directory> <IfModule mime_module> TypesConfig /etc/mime.types AddType application/x-compress .Z AddType application/x-gzip .gz .tgz AddType text/html .shtml AddOutputFilter INCLUDES .shtml </IfModule> AddDefaultCharset UTF-8 <IfModule mime_magic_module> MIMEMagicFile conf/magic </IfModule> EnableSendfile on IncludeOptional conf.d/*.conf [root@node2 ~]# cat /etc/httpd/conf.d/vhost.conf NameVirtualHost *:8080 <VirtualHost *:8080> DocumentRoot /var/www/html/ ServerName 192.168.3.200:8080 </VirtualHost> <Directory "/var/www/html/chinasoft/"> php_admin_value open_basedir "/var/www/html/chinasoft/:/tmp/" Options Includes ExecCGI FollowSymLinks AllowOverride All Order allow,deny Allow from all </Directory> <VirtualHost *:8080> DocumentRoot /var/www/html/chinasoft/ ServerName www.chinasoft.com:8080 </VirtualHost>
1.4 证书的处理,需要将网站的根证书和key简单的合并在一起:
cat chinasoft.com.pem chinasoft.com.key | tee chinasoft.pem
否则会报错
'bind *:443' : unable to load SSL private key from PEM file
1.5 域名的指向及处理
将www.chinasoft.com指向haproxy负载均衡器所在的服务器IP地址,此处是192.168.3.198
二、配置haproxy并测试业务需求
现在我们根据业务的需求,我们来配置haproxy一一达到其需求。
2.1 http跳转https配置
http跳转https的haproxy配置文件内容,如下:
[root@node1 haproxy]# cat /etc/haproxy/haproxy.cfg
global
log 127.0.0.1 local3 info
chroot /var/lib/haproxy
maxconn 4096
user haproxy
group haproxy
daemon
stats socket /var/lib/haproxy/haproxy.sock mode 600 level admin
stats timeout 2m
tune.ssl.default-dh-param 2048
defaults
log global
mode http
option httplog
option dontlognull
option http-server-close
option forwardfor except 127.0.0.1
option redispatch
retries 3
option redispatch
maxconn 2000
timeout http-request 10s
timeout queue 1m
timeout connect 10s
timeout client 1m
timeout server 1m
timeout http-keep-alive 10s
timeout check 10s
listen admin_stats
bind 0.0.0.0:1080
mode http
option httplog
maxconn 10
stats refresh 30s
stats uri /haproxy?stats
stats auth admin:admin
stats hide-version
frontend weblb
bind *:80
acl is_http hdr_beg(host) www.chinasoft.com
redirect scheme https if !{ ssl_fc }
bind *:443 ssl crt /etc/haproxy/chinasoft.pem
use_backend httpserver if is_http
backend httpserver
balance source
server web1 192.168.3.200:8080 maxconn 1024 weight 3 check inter 2000 rise 2 fall 3
# 配置好之后先检查语法是否正确
[root@node1 haproxy]# /etc/init.d/haproxy check
Configuration file is valid
在以上配置文件中,需要注意的选项如下:
tune.ssl.default-dh-param 2048因为我们的SSL密钥使用的是2048bit加密,所以在此进行声明。
acl is_http hdr_beg(host) www.chinasoft.com
redirect scheme https if !{ ssl_fc }
bind *:443 ssl crt /etc/haproxy/chinasoft.pem
这三行表示把所有访问www.chinasoft.com这个域名的请求,全部转发到https://www.chinasoft.com这个连接
管理页面
2.2 测试http跳转https
http跳转https配置完毕后,我们选择来测试其跳转。如下:
你会发现在浏览器中,无论你输入的是www.chinasoft.com,还是http://www.chinasoft.com亦或是https://www.chinasoft.com,都会自动跳转到https://www.chinasoft.com。
这样就达到了,把所有的http请求跳转到https的目的。
2.3 http与https并存配置
haproxy要实现http和https并存的话,配置也很简单,只需要把haproxy分别监控不同的端口就行,配置文件如下:
[root@node1 haproxy]# cat haproxy.cfg
global
log 127.0.0.1 local3 info
chroot /var/lib/haproxy
maxconn 4096
user haproxy
group haproxy
daemon
stats socket /var/lib/haproxy/haproxy.sock mode 600 level admin
stats timeout 2m
tune.ssl.default-dh-param 2048
defaults
log global
mode http
option httplog
option dontlognull
option redispatch
retries 3
option redispatch
maxconn 2000
timeout connect 10s
timeout client 1m
timeout server 1m
timeout check 10s
listen admin_stats
bind 0.0.0.0:1080
mode http
option httplog
maxconn 10
stats refresh 30s
stats uri /haproxy?stats
stats auth admin:admin
stats hide-version
frontend weblb
bind *:80
acl is_http hdr_beg(host) www.chinasoft.com
use_backend httpserver if is_http
backend httpserver
balance source
server web1 192.168.3.200:8080 maxconn 1024 weight 3 check inter 2000 rise 2 fall 3
frontend weblb443
bind *:443 ssl crt /etc/haproxy/chinasoft.pem
acl is_443 hdr_beg(host) www.chinasoft.com
use_backend httpserver443 if is_443
backend httpserver443
balance source
server web1 192.168.3.200:8080 maxconn 1024 weight 3 check inter 2000 rise 2 fall 3
在以上配置文件中,我们定义了两个前端,一个前端用于监听80端口,也就是http协议。另外一个前端监听443端口,也就是https协议。
此时haproxy会根据客户端请求的协议进行分发,如果发现客户端请求的是http协议,则把该请求分发到监听80端口的前端。如果发现客户端请求的是https协议,则把该请求分发到监听443端口的前端。如此就达到了haproxy让http和https并存的要求。
2.4 测试http与https并存
http与https并存配置完毕后,我们选择来测试其跳转。如下:
通过测试你会发现,在浏览器中如果你输入的是http://www.chinasoft.com或者是www.chinasoft.com都会直接跳转到http://www.chinasoft.com,而输入的是https://www.chinasoft.com,则只会跳转到https://www.chinasoft.com。
如此就到达了,我们业务的要求实现http和https并存。
生产环境配置实例:
[root@u05mix05 ~]# cat /etc/haproxy/haproxy.cfg global log 127.0.0.1 local3 info chroot /var/lib/haproxy maxconn 20480 user haproxy group haproxy daemon stats socket /var/lib/haproxy/haproxy.sock mode 600 level admin stats timeout 2m defaults log global mode http option httplog option dontlognull option http-server-close option forwardfor except 127.0.0.1 option redispatch retries 3 option redispatch maxconn 20000 timeout http-request 10s timeout queue 1m timeout connect 10s timeout client 1m timeout server 1m timeout http-keep-alive 10s timeout check 10s listen admin_stats bind 0.0.0.0:6080 mode http option httplog maxconn 10 stats refresh 30s stats uri /haproxy?stats stats auth admin:admin stats hide-version frontend hs_chinasoft_com mode http bind *:9735 stats uri /haproxy?stats default_backend hs_chinasoft_com_backend backend hs_chinasoft_com_backend option forwardfor header X-REAL-IP option httpchk GET /check balance roundrobin server node1 1.1.1.1:9735 check inter 10000 rise 3 fall 3 weight 1 frontend hs_chinasoft_info mode http bind *:9800 stats uri /haproxy?stats default_backend hs_chinasoft_info_backend backend hs_chinasoft_info_backend option forwardfor header X-REAL-IP option httpchk GET /check balance roundrobin server node1 1.1.1.1:9800 check inter 15000 rise 3 fall 3 weight 1 server node2 1.1.1.2:9800 check inter 15000 rise 3 fall 3 weight 1