HAProxy SSL configuration methods
Redirecting HTTP to HTTPS with HAProxy's redirect directive
To redirect HTTP to HTTPS using redirect, just add the following to the frontend:
    frontend http-in
        bind *:80
        bind *:443 ssl crt /etc/haproxy/aaa.bbb.pem
        redirect scheme https if !{ ssl_fc }
"redirect scheme https if !{ ssl_fc }" means that every HTTP site is redirected to HTTPS. To redirect only one site or one URL pattern:
    redirect scheme https if { hdr_beg(host) -i aaa.bbb.com } !{ ssl_fc }
    redirect scheme https if { hdr_reg(host) -i ^[a-zA-Z0-9_]+.aaa.bbb.com } !{ ssl_fc }
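The following is an added, complete haproxy.cfg built around the redirect above; it is example configuration written for this page, not the original post's config. It splits the plain-HTTP and TLS listeners into two frontends so that the 301 redirect only ever fires on port 80 and the HSTS header is only set on HTTPS responses, and it passes X-Forwarded-Proto to the HTTP-only backends so they can tell the request arrived over TLS. The hostnames, PEM path and server addresses are placeholders taken from this page; http-response set-header needs HAProxy 1.6 or later (on 1.5 use rspadd instead).

```haproxy
global
    log 127.0.0.1 local0
    daemon
    # DH parameter size for DHE cipher suites; 1024 would be too weak
    tune.ssl.default-dh-param 2048

defaults
    mode http
    log global
    option httplog
    timeout connect 5s
    timeout client 50s
    timeout server 50s

frontend http-in
    bind *:80
    # ssl_fc is false here because nothing on port 80 is TLS;
    # code 301 lets browsers and caches remember the redirect
    redirect scheme https code 301 if !{ ssl_fc }

frontend https-in
    # placeholder path: the file is cert + key concatenated, as described below
    bind *:443 ssl crt /etc/haproxy/aaa.bbb.pem
    # tell the plain-HTTP backends that the client connection was HTTPS
    http-request set-header X-Forwarded-Proto https
    # HSTS: a browser that has seen this over HTTPS refuses plain HTTP for a year
    http-response set-header Strict-Transport-Security "max-age=31536000; includeSubDomains"
    # per-host routing; the Host header is client-supplied, so only route on it,
    # never use it as an authorisation decision
    acl host_aaa hdr_beg(host) -i aaa.bbb.com
    use_backend aaa_servers if host_aaa
    default_backend web_server

backend web_server
    balance roundrobin
    server s1 192.168.250.47:80 check
    server s2 192.168.250.49:80 check

backend aaa_servers
    balance roundrobin
    server a1 10.0.10.48:8081 check
```

Validate the file with "haproxy -c -f /etc/haproxy/haproxy.cfg" before reloading; a syntax error in a redirect or ACL line is reported there rather than at the first client request.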
Redirection can of course also be used on the backend side:
    frontend main
        bind *:80
        default_backend app
    backend app
        balance roundrobin
        server node1 127.0.0.1:81 check weight 3 redir http://www.baidu.cn
This redirects the visited site to www.baidu.com.
Reference links: http://blief.blog.51cto.com/6170059/1752669
http://www.cnblogs.com/ilanni/p/4941056.html
---------------------------------------------------------------------------------
1. HAProxy itself terminates SSL and holds the certificate; the web servers behind it speak plain HTTP.
2. HAProxy only proxies the connection; the web servers behind it handle HTTPS themselves.
Method 1 (recommended)
HAProxy must be compiled with SSL support. Build steps:
# yum install openssl-devel -y
# wget http://haproxy.1wt.eu/download/1.5/src/devel/haproxy-1.5-dev19.tar.gz
# tar -zxvf haproxy-1.5-dev19.tar.gz ; cd haproxy-1.5-dev19
# make TARGET=linux26 USE_OPENSSL=1 ADDLIB=-lz
# ldd haproxy | grep ssl
libssl.so.10 => /usr/lib64/libssl.so.10 (0x00007fb0485e5000)
# make install PREFIX=/usr/local/haproxy
haproxy.cfg configuration:
global
    maxconn 64000
    log 127.0.0.1 local0
    chroot /usr/share/haproxy
    uid 99
    gid 99
    daemon
    nbproc 4
    tune.ssl.default-dh-param 2048
defaults
    log global
    mode http
    option dontlognull
    retries 3
    option redispatch
    option httpclose
    balance roundrobin
    option forwardfor if-none
    maxconn 64000
    timeout connect 5000
    timeout client 50000
    timeout server 50000
frontend https_frontend
    bind *:443 ssl crt /etc/ssl/certs/servername.pem
    acl host_https_ihouse hdr_beg(host) -i ihouse.xxx.com
    use_backend yidongclient_server_https if host_https_ihouse
    default_backend web_server
frontend http-in
    bind *:80
    log global
    option httplog
    option forwardfor
    acl host_manager_uhouse hdr_beg(host) -i manager.u.house.com
    use_backend manager_uhouse_server if host_manager_uhouse
backend manager_uhouse_server
    balance source
    option httpchk HEAD /httpchk.jsp HTTP/1.1\r\nHost:\ manager.u.house.com
    server mannager_uhouse_48 10.0.10.48:8081 weight 1 check inter 5000 rise 2 fall 5
    server mannager_uhouse_49 10.0.10.49:8081 weight 1 check inter 5000 rise 2 fall 5
backend web_server
    balance roundrobin
    cookie SERVERID insert indirect nocache
    server s1 192.168.250.47:80 check cookie s1
    server s2 192.168.250.49:80 check cookie s2
Note: the pem file here is the concatenation of the two files below (certificate first, then the private key):
    # cat servername.crt servername.key | tee servername.pem
Following the same rule, several sites can be served by listing one crt per certificate on the bind line:
    bind *:443 ssl crt $filepath crt $file2path crt $file3path
The configuration above shows that a frontend and its corresponding backend can be separated, but each has its own ACL rules, which must be placed in the section they belong to.
Method 2 configuration
No need to recompile HAProxy with SSL support, which is simple and convenient; it only requires the web servers behind it to have SSL configured.
    frontend https_frontend
        bind *:443
        mode tcp
        default_backend web_server
    backend web_server
        mode tcp
        balance roundrobin
        stick-table type ip size 200k expire 30m
        stick on src
        server s1 192.168.250.47:443
        server s2 192.168.250.49:443
Note: in this setup mode must be tcp. In testing, a frontend in mode tcp only honours the single default_backend; ACLs cannot be used.
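Host-header ACLs such as hdr_beg(host) cannot work in mode tcp because HAProxy never decrypts or parses the HTTP request, but the SNI name in the TLS ClientHello is sent in the clear and can be matched. The block below is an added example (not from the original post) that goes beyond the single default_backend above and routes the passthrough TLS traffic to different backends by SNI; it assumes HAProxy 1.5 or later, and reuses the page's hostnames and server addresses as placeholders.

```haproxy
global
    log 127.0.0.1 local0
    daemon

defaults
    log global
    timeout connect 5s
    timeout client 50s
    timeout server 50s

frontend https_passthrough
    bind *:443
    mode tcp
    option tcplog
    # hold the connection up to 5s until the ClientHello has arrived
    tcp-request inspect-delay 5s
    # hello type 1 = ClientHello; anything else is not TLS and is rejected
    tcp-request content accept if { req.ssl_hello_type 1 }
    tcp-request content reject
    # route on the SNI name only; the certificate the backend presents
    # is what the client actually verifies, so a wrong SNI merely fails the handshake
    use_backend ihouse_tls  if { req.ssl_sni -i ihouse.xxx.com }
    use_backend manager_tls if { req.ssl_sni -i manager.u.house.com }
    default_backend web_server_tls

backend web_server_tls
    mode tcp
    balance roundrobin
    stick-table type ip size 200k expire 30m
    stick on src
    # ssl-hello-chk sends a ClientHello and only marks the server up if a TLS reply comes back
    option ssl-hello-chk
    server s1 192.168.250.47:443 check
    server s2 192.168.250.49:443 check

backend ihouse_tls
    mode tcp
    option ssl-hello-chk
    server yidonghttps_168 10.0.10.168:443 check

backend manager_tls
    mode tcp
    option ssl-hello-chk
    server manager_48 10.0.10.48:443 check
```

Because the frontend never sees plaintext, it cannot add X-Forwarded-For or X-Forwarded-Proto; the backend servers only see HAProxy's IP unless the PROXY protocol (send-proxy on the server line, accept-proxy on the web server) is enabled on both sides.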
Sample haproxy.cfg file:
global
    maxconn 64000
    log 127.0.0.1 local0
    uid 99
    gid 99
    daemon
defaults
    log global
    mode http
    option dontlognull
    retries 3
    option redispatch
    option httpclose
    balance roundrobin
    maxconn 64000
    timeout connect 5000
    timeout client 50000
    timeout server 50000
frontend yidonghttps-in
    bind *:443
    mode tcp
    default_backend yidongclient_server_https
frontend http-in
    bind *:80
    mode http
    log global
    option httplog
    option forwardfor
    acl host_manager_uhouse hdr_beg(host) -i manager.u.house.com
    use_backend manager_uhouse_server if host_manager_uhouse
backend yidongclient_server_https
    mode tcp
    stick-table type ip size 200k expire 30m
    stick on src
    option ssl-hello-chk
    option httpchk OPTIONS * HTTP/1.1\r\nHost:\ ihouse.ifeng.com
    server yidonghttps_168 10.0.10.168:443
backend manager_uhouse_server
    balance source
    option httpchk HEAD /httpchk.jsp HTTP/1.1\r\nHost:\ manager.u.house.com
    server mannager_uhouse_48 10.0.10.48:8081 weight 1 check inter 5000 rise 2 fall 5
    server mannager_uhouse_49 10.0.10.49:8081 weight 1 check inter 5000 rise 2 fall 5
Reference: https://www.trustasia.com/help/haproxy-ssl.htm