HAProxy-开启SSL认证

参考文章:https://www.zhiboblog.com/1664.html,请移步原创查看,此文章仅作备份使用,如有侵权,联系我删除,谢谢~

单域名配置文件如下

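global
        daemon
        log 127.0.0.1 local6
        maxconn 65535
        chroot /usr/local/haproxy
        pidfile /var/run/haproxy.pid
        # NOTE(review): no user/group directive, so the process keeps root inside
        # the chroot; add `user` / `group` once an unprivileged account exists.
        # DH parameters for the TLS listeners declared in the frontend.
        tune.ssl.default-dh-param 2048
        # Pin the minimum TLS version for every "bind ... ssl" line; without this the
        # accepted versions depend on the HAProxy/OpenSSL build defaults.
        # (HAProxy 1.8+; on older releases use: no-sslv3 no-tlsv10 no-tlsv11)
        ssl-default-bind-options ssl-min-ver TLSv1.2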
defaults
        # Settings inherited by every frontend/backend below.
        mode http
        log global
        option httplog
        option forwardfor
        option http-server-close
        maxconn 65535
        # Timeouts: 10s for setup/request/keep-alive/health checks, 1m for the rest.
        timeout connect 10s
        timeout http-request 10s
        timeout http-keep-alive 10s
        timeout check 10s
        timeout queue 1m
        timeout client 1m
        timeout server 1m

frontend web_in
        bind *:80
        # TLS terminates here; ssl.pem holds the certificate and its key.
        bind *:443 ssl crt /usr/local/haproxy/etc/ssl.pem
        # Every plain-http request is sent to https (ssl_fc is true only on the TLS listener).
        redirect scheme https unless { ssl_fc }
        # Route by Host prefix; a Host that matches nothing gets no backend (HAProxy answers 503).
        # NOTE(review): hdr_beg is a prefix match, so "www.zhiboblog.com.<other>" also matches.
        use_backend web_servers if { hdr_beg(host) -i www.zhiboblog.com }

backend web_servers
        balance roundrobin
        # Alternative: pin each client IP to one server.
        #balance source
        # Health-check every 2s; 2 passes mark a server up, 3 failures mark it down.
        default-server check inter 2000 rise 2 fall 3
        # NOTE(review): these are public addresses and the hop is plain HTTP on port 80,
        # so traffic decrypted by the proxy crosses the network in clear; confirm a private
        # link, or add `ssl verify required` to the server lines if the origins speak TLS.
        server server1 45.32.75.138:80
        server server2 149.28.91.22:80

 语法介绍

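# Every http request is redirected to https.
redirect scheme https if !{ ssl_fc }
# Redirect only www.zhiboblog.com.
redirect scheme https if { hdr_beg(host) -i www.zhiboblog.com } !{ ssl_fc }
# Redirect only the subdomains of zhiboblog.com.
# Dots are escaped: an unescaped "." matches any character, not just a dot.
redirect scheme https if { hdr_reg(host) -i ^[a-zA-Z0-9_]+\.zhiboblog\.com } !{ ssl_fc }
# Redirect the apex domain and all of its subdomains.
# NOTE(review): a suffix match also accepts hosts such as "evilzhiboblog.com";
# hdr_reg(host) -i (^|\.)zhiboblog\.com$ is the exact form.
redirect scheme https if { hdr_end(host) -i zhiboblog.com } !{ ssl_fc }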

haproxy配置多站点ssl

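global
        daemon
        log 127.0.0.1 local6
        maxconn 65535
        chroot /usr/local/haproxy
        pidfile /var/run/haproxy.pid
        # NOTE(review): no user/group directive, so the process keeps root inside
        # the chroot; add `user` / `group` once an unprivileged account exists.
        # DH parameters for the TLS listeners declared in the frontend.
        tune.ssl.default-dh-param 2048
        # Pin the minimum TLS version for every "bind ... ssl" line; without this the
        # accepted versions depend on the HAProxy/OpenSSL build defaults.
        # (HAProxy 1.8+; on older releases use: no-sslv3 no-tlsv10 no-tlsv11)
        ssl-default-bind-options ssl-min-ver TLSv1.2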
defaults
        # Settings inherited by every frontend/backend below.
        mode http
        log global
        option httplog
        option forwardfor
        option http-server-close
        maxconn 65535
        # Timeouts: 10s for setup/request/keep-alive/health checks, 1m for the rest.
        timeout connect 10s
        timeout http-request 10s
        timeout http-keep-alive 10s
        timeout check 10s
        timeout queue 1m
        timeout client 1m
        timeout server 1m

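frontend web_in
        bind *:80
        # Multi-site TLS: append one "crt <path>" per site to the line below. The certificate
        # is selected by SNI; the first one listed is served when no SNI matches.
        bind *:443 ssl crt /usr/local/haproxy/etc/www.a.com.pem crt /usr/local/haproxy/etc/www.b.com.pem
        # Hosts forced to https; comment out these two lines to disable the redirect.
        # Dots are escaped: an unescaped "." matched any character, not just a dot.
        acl ssl hdr_reg(host) -i ^(www\.a\.com|www\.b\.com)$
        redirect scheme https code 301 if !{ ssl_fc } ssl

        # Per-site routing. NOTE(review): hdr_beg is a prefix match, so a Host such as
        # "www.a.com.<other>" also selects sitea_servers; hdr(host) -i www.a.com is exact.
        acl is_sitea hdr_beg(host) -i www.a.com
        use_backend sitea_servers if is_sitea

        acl is_siteb hdr_beg(host) -i www.b.com
        use_backend siteb_servers if is_siteb

        # www.c.com has no crt on the 443 bind and is not in the "ssl" ACL: it is served over
        # plain http only, and an https request for it would get the first certificate.
        acl is_sitec hdr_beg(host) -i www.c.com
        use_backend sitec_servers if is_sitec

        # Requests matching none of the ACLs above go to this pool.
        default_backend default_servers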

backend default_servers
        balance roundrobin
        # Alternative: pin each client IP to one server.
        #balance source
        # Health-check every 2s; 2 passes mark a server up, 3 failures mark it down.
        default-server check inter 2000 rise 2 fall 3
        server server1 192.168.245.1:80
        server server2 192.168.245.2:80

backend sitea_servers
        balance roundrobin
        # Alternative: pin each client IP to one server.
        #balance source
        # Health-check every 2s; 2 passes mark a server up, 3 failures mark it down.
        default-server check inter 2000 rise 2 fall 3
        server server1 192.168.245.1:80
        server server2 192.168.245.2:80

backend siteb_servers
        balance roundrobin
        # Alternative: pin each client IP to one server.
        #balance source
        # Health-check every 2s; 2 passes mark a server up, 3 failures mark it down.
        default-server check inter 2000 rise 2 fall 3
        server server3 192.168.245.3:80
        server server4 192.168.245.4:80

backend sitec_servers
        balance roundrobin
        # Alternative: pin each client IP to one server.
        #balance source
        # Health-check every 2s; 2 passes mark a server up, 3 failures mark it down.
        default-server check inter 2000 rise 2 fall 3
        server server5 192.168.245.5:80
        server server6 192.168.245.6:80

如果要匹配泛域名,如:*.zhiboblog.com,该怎么匹配呢?
可以用hdr_end(host) -i zhiboblog.com来匹配,之前我们匹配域名都是用的hdr_beg,hdr_beg是从域名开头开始匹配,hdr_end是从域名结尾开始匹配。

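# Leading dot: a plain suffix match on "zhiboblog.com" would also accept hosts such as
# "evilzhiboblog.com"; ".zhiboblog.com" limits it to real subdomains (*.zhiboblog.com).
# The bare apex "zhiboblog.com" no longer matches; add `hdr(host) -i zhiboblog.com` if it should.
acl is_zhiboblog hdr_end(host) -i .zhiboblog.com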

生成将私钥和证书放在同一个文件中的 haproxy.pem 文件

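# Self-signed (-x509) certificate and its private key written into one file, as haproxy
# expects for "crt". -nodes leaves the key unencrypted, so restrict the file to the
# account that starts haproxy (it reads certificates at startup, before chroot).
# Browsers do not trust a self-signed certificate; use a CA-issued one for production.
openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/haproxy/www.a.com.pem -out /etc/haproxy/www.a.com.pem -days 365
chmod 600 /etc/haproxy/www.a.com.pem

openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/haproxy/www.b.com.pem -out /etc/haproxy/www.b.com.pem -days 365
chmod 600 /etc/haproxy/www.b.com.pem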

配置文件

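global
        daemon
        log 127.0.0.1 local6
        maxconn 65535
        chroot /var/lib/haproxy
        pidfile /var/run/haproxy.pid
        # NOTE(review): no user/group directive, so the process keeps root inside
        # the chroot; add `user` / `group` once an unprivileged account exists.
        # DH parameters for the TLS listeners declared in the frontend.
        tune.ssl.default-dh-param 2048
        # Pin the minimum TLS version for every "bind ... ssl" line; without this the
        # accepted versions depend on the HAProxy/OpenSSL build defaults.
        # (HAProxy 1.8+; on older releases use: no-sslv3 no-tlsv10 no-tlsv11)
        ssl-default-bind-options ssl-min-ver TLSv1.2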
defaults
        # Settings inherited by every frontend/backend below.
        mode http
        log global
        option httplog
        option forwardfor
        option http-server-close
        maxconn 65535
        # Timeouts: 10s for setup/request/keep-alive/health checks, 1m for the rest.
        timeout connect 10s
        timeout http-request 10s
        timeout http-keep-alive 10s
        timeout check 10s
        timeout queue 1m
        timeout client 1m
        timeout server 1m

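frontend web_in
        bind *:80
        # Multi-site TLS: append one "crt <path>" per site to the line below. The certificate
        # is selected by SNI; the first one listed is served when no SNI matches.
        bind *:443 ssl crt /etc/haproxy/www.a.com.pem crt /etc/haproxy/www.b.com.pem
        # Hosts forced to https; comment out these two lines to disable the redirect.
        # Dots are escaped: an unescaped "." matched any character, not just a dot.
        acl ssl hdr_reg(host) -i ^(www\.a\.com|www\.b\.com)$
        redirect scheme https code 301 if !{ ssl_fc } ssl

        # Per-site routing. NOTE(review): hdr_beg is a prefix match, so a Host such as
        # "www.a.com.<other>" also selects sitea_servers; hdr(host) -i www.a.com is exact.
        acl is_sitea hdr_beg(host) -i www.a.com
        use_backend sitea_servers if is_sitea

        acl is_siteb hdr_beg(host) -i www.b.com
        use_backend siteb_servers if is_siteb

        # Requests matching none of the ACLs above go to this pool.
        default_backend default_servers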

backend default_servers
        balance roundrobin
        # Health-check every 2s; 2 passes mark the server up, 3 failures mark it down.
        # "xx" is the author's masking of the last octet, not a valid address.
        default-server check inter 2000 rise 2 fall 3
        server server 124.222.68.xx:80

backend sitea_servers
        balance roundrobin
        # Health-check every 2s; 2 passes mark the server up, 3 failures mark it down.
        default-server check inter 2000 rise 2 fall 3
        server server 192.168.64.113:80

backend siteb_servers
        balance roundrobin
        # Health-check every 2s; 2 passes mark the server up, 3 failures mark it down.
        default-server check inter 2000 rise 2 fall 3
        server server 192.168.64.114:80

测试效果

直接访问代理,匹配到default

 

访问www.a.com

 

 访问www.b.com

 
