HAProxy可以实现HTTPS(在HAProxy上配置证书并终止TLS):从用户到HAProxy为HTTPS,从HAProxy到后端服务器用HTTP通信。但基于性能考虑,生产中证书都是在后端服务器(比如Nginx)上实现。
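# Enable HTTPS on HAProxy: TLS is terminated here, so the client-to-HAProxy
# leg is HTTPS while the HAProxy-to-backend leg stays plain HTTP.
bind *:443 ssl crt /PATH/TO/SOME_PEM_FILE
# The file given to "crt" is PEM and must contain the certificate (plus any
# chain) together with its private key. Because it holds the private key,
# build it under a restrictive umask and keep it readable only by the
# account HAProxy runs as.
(umask 077; cat demo.key demo.crt > demo.pem)
# Send every plain-HTTP request on port 80 to the HTTPS listener.
bind *:80
redirect scheme https if !{ ssl_fc }
# Pass the client-facing protocol and port to the backend (valid in a
# frontend or backend section). The directive is spelled "http-request"
# with a hyphen; "http_request" is not a valid keyword.
http-request set-header X-Forwarded-Port %[dst_port]
# set-header rather than add-header: a client-supplied X-Forwarded-Proto is
# replaced instead of being forwarded alongside the value HAProxy sets.
http-request set-header X-Forwarded-Proto https if { ssl_fc }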
[root@haproxy ~]#cd /etc/pki/tls/certs/
[root@haproxy certs]#mkdir /etc/haproxy/conf.d/ssl
[root@haproxy certs]#vim Makefile
%.key:
	umask 77 ; \
	#/usr/bin/openssl genrsa -aes128 $(KEYLEN) > $@
	/usr/bin/openssl genrsa $(KEYLEN) > $@
[root@haproxy certs]#make /etc/haproxy/conf.d/ssl/www.linux2022.com.crt
umask 77 ; \
#/usr/bin/openssl genrsa -aes128 2048 > /etc/haproxy/conf.d/ssl/www.linux2022.com.key
/usr/bin/openssl genrsa 2048 > /etc/haproxy/conf.d/ssl/www.linux2022.com.key
Generating RSA private key, 2048 bit long modulus
.................................................+++
............................+++
e is 65537 (0x10001)
umask 77 ; \
/usr/bin/openssl req -utf8 -new -key /etc/haproxy/conf.d/ssl/www.linux2022.com.key -x509 -days 365 -out /etc/haproxy/conf.d/ssl/www.linux2022.com.crt
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:guangdong
Locality Name (eg, city) [Default City]:guangzhou
Organization Name (eg, company) [Default Company Ltd]:linux2022
Organizational Unit Name (eg, section) []:it
Common Name (eg, your name or your server's hostname) []:www.linux2022.com
Email Address []:
[root@haproxy certs]#cd /etc/haproxy/conf.d/ssl/
[root@haproxy ssl]#ls
www.linux2022.com.crt  www.linux2022.com.key
[root@haproxy ssl]#cat www.linux2022.com.key www.linux2022.com.crt > www.linux2022.com.pem
[root@haproxy ssl]#cd ..
[root@haproxy conf.d]#ls
ssl  test.cfg
[root@haproxy conf.d]#vim test.cfg
listen ha1_https_443
    bind 10.0.0.7:80
    bind 10.0.0.7:443 ssl crt /etc/haproxy/conf.d/ssl/www.linux2022.com.pem
    redirect scheme https if !{ ssl_fc }
    http-request set-header X-forwarded-Port %[dst_port]
    http-request add-header X-forwarded-Proto https if { ssl_fc }
    balance roundrobin
    server rs1 10.0.0.17:80 check inter 3000 fall 2 rise 5
    server rs2 10.0.0.27:80 check inter 3000 fall 2 rise 5
[root@haproxy conf.d]#systemctl restart haproxy.service
[root@haproxy conf.d]#ss -ntl
State      Recv-Q Send-Q Local Address:Port               Peer Address:Port
LISTEN     0      128    *:9999                           *:*
LISTEN     0      128    10.0.0.7:80                      *:*
LISTEN     0      128    *:22                             *:*
LISTEN     0      100    127.0.0.1:25                     *:*
LISTEN     0      128    10.0.0.7:443                     *:*
LISTEN     0      128    [::]:22                          [::]:*
LISTEN     0      100    [::1]:25                         [::]:*
[root@rs1 html]#vim /etc/httpd/conf/httpd.conf
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" \"%{X-forwarded-Port}i\" \"%{X-forwarded-Proto}i\"" combined
[root@rs1 html]#httpd -t
[root@rs1 html]#systemctl restart httpd.service
[root@rs2 html]#vim /etc/httpd/conf/httpd.conf
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" \"%{X-forwarded-Port}i\" \"%{X-forwarded-Proto}i\"" combined
[root@rs2 html]#httpd -t
[root@rs2 html]#systemctl restart httpd.service
[root@rs1 ~]#cd /var/www/html
[root@rs1 html]#hostname -I > index.html
[root@rs1 html]#cat index.html
10.0.0.17
[root@rs2 ~]#cd /var/www/html
[root@rs2 html]#cat index.html
10.0.0.27
[root@client ~]#cat /etc/hosts
10.0.0.7 www.linux2022.com
[root@client ~]#curl -k https://10.0.0.7
10.0.0.17
[root@client ~]#curl -k https://10.0.0.7
10.0.0.27
[root@client ~]#curl -k https://10.0.0.7
10.0.0.17
[root@client ~]#curl -k https://10.0.0.7
10.0.0.27
[root@client ~]#curl -Ik https://10.0.0.7
HTTP/1.1 200 OK
date: Thu, 21 Apr 2022 23:56:52 GMT
server: Apache/2.4.6 (CentOS)
last-modified: Tue, 19 Apr 2022 13:49:35 GMT
etag: "a-5dd0225b759a2"
accept-ranges: bytes
content-length: 10
content-type: text/html; charset=UTF-8
[root@client ~]#curl -ILk http://10.0.0.7
HTTP/1.1 302 Found
content-length: 0
location: https://10.0.0.7/
cache-control: no-cache
HTTP/1.1 200 OK
date: Thu, 21 Apr 2022 23:55:11 GMT
server: Apache/2.4.6 (CentOS)
last-modified: Tue, 19 Apr 2022 13:49:35 GMT
etag: "a-5dd0225b759a2"
accept-ranges: bytes
content-length: 10
content-type: text/html; charset=UTF-8
[root@rs1 html]#tail /var/log/httpd/access_log -f
10.0.0.7 - - [22/Apr/2022:08:10:22 +0800] "GET / HTTP/1.1" 200 11 "-" "curl/7.58.0" "443" "https"
[root@rs2 html]#tail /var/log/httpd/access_log -f
10.0.0.7 - - [22/Apr/2022:08:10:23 +0800] "GET / HTTP/1.1" 200 10 "-" "curl/7.58.0" "443" "https"