
HAProxy SSL configuration methods

Setting up SSL in the haproxy configuration file

Redirecting HTTP to HTTPS with an HAProxy redirect rule

To send http traffic to https with a redirect rule, it is enough to add the following to the frontend:

frontend http-in
    bind *:80
    bind *:443 ssl crt /etc/haproxy/aaa.bbb.pem
    redirect scheme https if !{ ssl_fc }

`redirect scheme https if !{ ssl_fc }` matches every request that did not arrive over TLS on this frontend (`ssl_fc` is true only for connections HAProxy itself decrypted), so every http site is redirected to https. HAProxy answers with a 302 unless you append `code 301`. To redirect only one site, or only hostnames matching a pattern:

redirect scheme https if { hdr_beg(host) -i aaa.bbb.com } !{ ssl_fc }

redirect scheme https if { hdr_reg(host) -i ^[a-zA-Z0-9_]+\.aaa\.bbb\.com$ } !{ ssl_fc }

In the regular expression the dots are escaped and the pattern is anchored with `$`; an unescaped `.` matches any character, and without the anchor the rule would also match a Host header such as x.aaa.bbb.com.other.example. `hdr_beg(host)` is likewise a prefix match; use `hdr(host) -i aaa.bbb.com` when the name must match exactly.

A redirect can also be configured on the backend side, with the `redir` keyword on a server line:

frontend main
    bind *:80
    default_backend app

backend app
    balance roundrobin
    server node1 127.0.0.1:81 check weight 3 redir http://www.baidu.cn

With `redir`, HAProxy never forwards a request to that server: every request it would have routed there is answered with a 302 whose Location is the given prefix followed by the original request URI, so the site above is redirected to www.baidu.cn.

Reference links:
http://blief.blog.51cto.com/6170059/1752669
http://www.cnblogs.com/ilanni/p/4941056.html

---------------------------------------------------------------------------------

There are two ways to serve HTTPS through HAProxy:

1. HAProxy itself holds the SSL certificate and terminates TLS; the web servers behind it speak plain http.
2. HAProxy only proxies the TCP stream; the web servers behind it handle https themselves.

Method 1 (recommended)

HAProxy must be built with SSL support. Build parameters:

# yum install openssl-devel -y
# wget http://haproxy.1wt.eu/download/1.5/src/devel/haproxy-1.5-dev19.tar.gz
# tar -zxvf haproxy-1.5-dev19.tar.gz ; cd haproxy-1.5-dev19
# make TARGET=linux26 USE_OPENSSL=1 ADDLIB=-lz
# ldd haproxy|grep ssl
libssl.so.10 => /usr/lib64/libssl.so.10 (0x00007fb0485e5000)
# make install PREFIX=/usr/local/haproxy

`haproxy -vv` prints the OpenSSL version the binary was built against, which is a second way to confirm that SSL support is compiled in before writing an `ssl` bind line.

haproxy.cfg configuration:

global
    maxconn 64000
    log 127.0.0.1 local0
    chroot /usr/share/haproxy
    uid 99
    gid 99
    daemon
    nbproc 4
    tune.ssl.default-dh-param 2048

defaults
    log global
    mode http
    option dontlognull
    retries 3
    option redispatch
    option httpclose
    balance roundrobin
    option forwardfor if-none
    maxconn 64000
    timeout connect 5000
    timeout client 50000
    timeout server 50000

frontend https_frontend
    bind *:443 ssl crt /etc/ssl/certs/servername.pem
    acl host_https_ihouse hdr_beg(host) -i ihouse.xxx.com
    use_backend yidongclient_server_https if host_https_ihouse
    default_backend web_server

frontend http-in
    bind *:80
    log global
    option httplog
    option forwardfor
    acl host_manager_uhouse hdr_beg(host) -i manager.u.house.com
    use_backend manager_uhouse_server if host_manager_uhouse

backend manager_uhouse_server
    balance source
    option httpchk HEAD /httpchk.jsp HTTP/1.1\r\nHost:\ manager.u.house.com
    server mannager_uhouse_48 10.0.10.48:8081 weight 1 check inter 5000 rise 2 fall 5
    server mannager_uhouse_49 10.0.10.49:8081 weight 1 check inter 5000 rise 2 fall 5

backend yidongclient_server_https
    balance roundrobin
    cookie SERVERID insert indirect nocache
    server s1 192.168.250.47:80 check cookie s1
    server s2 192.168.250.49:80 check cookie s2

Two things to watch in this configuration. `tune.ssl.default-dh-param 2048` matters: without it HAProxy 1.5 falls back to 1024-bit DH parameters and warns about it at startup. And the `web_server` backend named as default_backend is not shown above; HAProxy refuses to start when a referenced backend does not exist, so define it or drop the line.

Note: the pem file here is the two files concatenated:

# cat servername.crt servername.key|tee servername.pem

The resulting file holds the private key, so restrict it to the user HAProxy starts as (`chmod 600 servername.pem`); `tee` creates it under the default umask, which normally makes it world-readable. If the CA issued intermediate certificates, they belong between the server certificate and the key: OpenSSL treats the first certificate in the file as the server certificate and any that follow as the chain.

Following the same rule, several sites can be served from one listener: `bind *:443 ssl crt $filepath crt $file2path crt $file3path`. HAProxy selects the certificate by the SNI hostname the client sends, and the first one is used for clients that send none.
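As an added example (not code from the original post or from HAProxy), this Python script does what the `cat` line above does, with the checks a practitioner wants before pointing `crt` at the result: both inputs are PEM, the cert file starts with a certificate and contains no key, the key is not passphrase-protected (a daemonised HAProxy cannot prompt for one), intermediates go after the server certificate, and the bundle is created with mode 0600 from the first byte. The PEM bodies are constructed placeholders, not real certificates or keys.

```python
"""Added example: build the PEM bundle that HAProxy's 'crt' option expects.
Not from the original post; the PEM bodies below are constructed placeholders."""
import os
import re
import stat
import tempfile

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\n.*?\n-----END \1-----\n?", re.S)

# Constructed placeholders: the shape of PEM, not real key material.
FAKE_CERT = "-----BEGIN CERTIFICATE-----\nMIIBfakeLEAF\n-----END CERTIFICATE-----\n"
FAKE_CHAIN = "-----BEGIN CERTIFICATE-----\nMIIBfakeINTERMEDIATE\n-----END CERTIFICATE-----\n"
FAKE_KEY = "-----BEGIN PRIVATE KEY-----\nMIIEfakeKEY\n-----END PRIVATE KEY-----\n"
FAKE_ENCRYPTED_KEY = ("-----BEGIN ENCRYPTED PRIVATE KEY-----\nMIIFfake\n"
                      "-----END ENCRYPTED PRIVATE KEY-----\n")


def pem_blocks(text):
    """Labels of the PEM blocks in order, e.g. ['CERTIFICATE', 'PRIVATE KEY']."""
    return [m.group(1) for m in PEM_BLOCK.finditer(text)]


def build_bundle(cert_pem, key_pem, chain_pem=""):
    """Return cert + intermediates + key: the order OpenSSL reads a chain file in."""
    cert_labels, key_labels = pem_blocks(cert_pem), pem_blocks(key_pem)
    if not cert_labels or cert_labels[0] != "CERTIFICATE":
        raise ValueError("cert file must start with a CERTIFICATE block")
    if any(lbl.endswith("PRIVATE KEY") for lbl in cert_labels):
        raise ValueError("cert file already contains a private key")
    if not any(lbl.endswith("PRIVATE KEY") for lbl in key_labels):
        raise ValueError("key file contains no PRIVATE KEY block")
    # PKCS#8 encrypted keys carry it in the label; legacy PEM keys carry a Proc-Type header.
    if any("ENCRYPTED" in lbl for lbl in key_labels) or "Proc-Type: 4,ENCRYPTED" in key_pem:
        raise ValueError("key is passphrase-protected; HAProxy cannot prompt for it")
    parts = [cert_pem, chain_pem, key_pem]
    return "".join(p.rstrip("\n") + "\n" for p in parts if p.strip())


def write_bundle(path, bundle):
    """Create the file as 0600 before any bytes land in it; return the resulting mode."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(bundle)
    return stat.S_IMODE(os.stat(path).st_mode)


def rejects(cert_pem, key_pem):
    """True if build_bundle refuses this cert/key pair."""
    try:
        build_bundle(cert_pem, key_pem)
    except ValueError:
        return True
    return False


def demo():
    """Build the bundle in a temp dir; return its block order and the file mode."""
    bundle = build_bundle(FAKE_CERT, FAKE_KEY, FAKE_CHAIN)
    with tempfile.TemporaryDirectory() as d:
        mode = write_bundle(os.path.join(d, "servername.pem"), bundle)
    return pem_blocks(bundle), mode


if __name__ == "__main__":
    print(demo())  # -> (['CERTIFICATE', 'CERTIFICATE', 'PRIVATE KEY'], 384)
```

`write_bundle` passes the mode to `os.open` with `O_EXCL` rather than calling `chmod` afterwards, so there is no window in which the key sits in a world-readable file, and an existing file at that path is never silently overwritten.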

As the configuration shows, a frontend and the backend it routes to are separate sections, and ACLs are scoped to the section that declares them, so each ACL must be written under the section that uses it. Because TLS is terminated at HAProxy, the backends only ever see plain http; an application that needs to know the original scheme (for absolute URLs or secure cookies) should read it from a header set in the https frontend, for example `http-request set-header X-Forwarded-Proto https if { ssl_fc }`.

Method 2

No SSL-enabled build is needed, which is simpler; the web servers behind HAProxy must have SSL configured themselves.

frontend https_frontend
    bind *:443
    mode tcp
    default_backend web_server

backend web_server
    mode tcp
    balance roundrobin
    stick-table type ip size 200k expire 30m
    stick on src
    server s1 192.168.250.47:443
    server s2 192.168.250.49:443

Note that in this mode `mode` must be tcp in both the frontend and the backend. In testing, a frontend in mode tcp honoured only default_backend and ACLs had no effect. The reason is that HAProxy never decrypts or parses the request, so HTTP-layer fetches such as hdr(host) or path can never match. Routing is still possible on the TLS ClientHello, which is sent in clear: `tcp-request inspect-delay 5s`, `tcp-request content accept if { req.ssl_hello_type 1 }`, then `use_backend ... if { req.ssl_sni -i ihouse.xxx.com }`. For the same reason persistence has to be by client address (`stick on src`) rather than by cookie, and the web server sees HAProxy's address as the client unless the server line carries `send-proxy` and the web server understands the PROXY protocol.

Example haproxy.cfg:

global
    maxconn 64000
    log 127.0.0.1 local0
    uid 99
    gid 99
    daemon

defaults
    log global
    mode http
    option dontlognull
    retries 3
    option redispatch
    option httpclose
    balance roundrobin
    maxconn 64000
    timeout connect 5000
    timeout client 50000
    timeout server 50000

frontend yidonghttps-in
    bind *:443
    mode tcp
    default_backend yidongclient_server_https

frontend http-in
    bind *:80
    mode http
    log global
    option httplog
    option forwardfor
    acl host_manager_uhouse hdr_beg(host) -i manager.u.house.com
    use_backend manager_uhouse_server if host_manager_uhouse

backend yidongclient_server_https
    mode tcp
    stick-table type ip size 200k expire 30m
    stick on src
    option ssl-hello-chk
    option httpchk OPTIONS * HTTP/1.1\r\nHost:\ ihouse.ifeng.com
    server yidonghttps_168 10.0.10.168:443

backend manager_uhouse_server
    balance source
    option httpchk HEAD /httpchk.jsp HTTP/1.1\r\nHost:\ manager.u.house.com
    server mannager_uhouse_48 10.0.10.48:8081 weight 1 check inter 5000 rise 2 fall 5
    server mannager_uhouse_49 10.0.10.49:8081 weight 1 check inter 5000 rise 2 fall 5

In the tcp backend the server line has no `check`, so neither `option ssl-hello-chk` nor `option httpchk` is ever sent and the server is always considered up. With `check` added, `option ssl-hello-chk` sends a TLS ClientHello, which is the right probe for a port that speaks TLS; `option httpchk` would send its OPTIONS request in plaintext to port 443 and fail unless the server line also carries `check-ssl`.
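As an added example (not code from the original post or from HAProxy), the following Python script checks haproxy.cfg text for the pitfalls raised on this page: a plain http listener with no `redirect scheme https` rule (the redirect section), an `ssl` bind with no `tune.ssl.default-dh-param` in global (Method 1), an HTTP-layer ACL in a tcp-mode frontend (Method 2), and check options declared in a backend whose servers carry no `check` (the example file above). The sample configs are constructed from the page's snippets; the hdr_beg ACL in the passthrough sample is an assumption, added only to trigger the tcp-mode finding. Old-style section headers with the bind on the same line (`frontend main *:80`) are not recognised.

```python
"""Added example: lint haproxy.cfg text for the pitfalls discussed on this page.
Not part of HAProxy or of the original post; the sample configs are constructed."""
import re

SECTION_KEYWORDS = {"global", "defaults", "frontend", "backend", "listen"}
# Fetches that exist only at the HTTP layer: never evaluated in a tcp-mode frontend.
HTTP_LAYER_FETCH = re.compile(r"\b(hdr(_\w+)?|path(_\w+)?|url(_\w+)?|method)\b")


def parse_cfg(text):
    """Split haproxy.cfg text into sections: [{'kind', 'name', 'lines'}, ...]."""
    sections, current = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        words = line.split()
        if words[0] in SECTION_KEYWORDS:
            current = {"kind": words[0], "name": words[1] if len(words) > 1 else "", "lines": []}
            sections.append(current)
        elif current is not None:
            current["lines"].append(line)
    return sections


def effective_mode(section, sections):
    """'mode' comes from the nearest preceding defaults unless the section sets it."""
    mode = "tcp"                                     # HAProxy's built-in default
    for s in sections:
        if s is section:
            break
        if s["kind"] == "defaults":                  # a new defaults block starts clean
            mode = next((l.split()[1] for l in s["lines"] if l.startswith("mode ")), "tcp")
    return next((l.split()[1] for l in section["lines"] if l.startswith("mode ")), mode)


def lint(text):
    """Return (section name, message) findings for the four pitfalls."""
    sections, findings = parse_cfg(text), []
    global_lines = [l for s in sections if s["kind"] == "global" for l in s["lines"]]
    has_dh = any(l.startswith("tune.ssl.default-dh-param") for l in global_lines)
    for s in sections:
        if s["kind"] in ("frontend", "listen"):
            mode = effective_mode(s, sections)
            binds = [l for l in s["lines"] if l.startswith("bind ")]
            ssl_binds = [b for b in binds if "ssl" in b.split()]
            redirects = any(re.search(r"\bredirect scheme https\b", l) for l in s["lines"])
            # 1. Terminating TLS without a DH size: HAProxy 1.5 falls back to 1024-bit DH.
            if ssl_binds and not has_dh:
                findings.append((s["name"], "ssl bind but no tune.ssl.default-dh-param in global"))
            # 2. An http-mode listener with a plain bind that never sends clients to https.
            if mode == "http" and len(ssl_binds) < len(binds) and not redirects:
                findings.append((s["name"], "plain bind without 'redirect scheme https if !{ ssl_fc }'"))
            # 3. In tcp mode the request is never parsed, so hdr()/path ACLs cannot match.
            if mode == "tcp":
                for l in s["lines"]:
                    if l.startswith("acl ") and HTTP_LAYER_FETCH.search(" ".join(l.split()[2:])):
                        findings.append((s["name"], "HTTP-layer ACL in tcp mode never matches: " + l))
        if s["kind"] in ("backend", "listen"):
            # 4. A check option does nothing unless at least one server line carries 'check'.
            wants = any(l.startswith(("option httpchk", "option ssl-hello-chk")) for l in s["lines"])
            servers = [l for l in s["lines"] if l.startswith("server ")]
            if wants and servers and not any("check" in sv.split() for sv in servers):
                findings.append((s["name"], "check option declared but no 'server ... check'"))
    return findings


# Constructed from the page's Method 1 snippet (TLS terminated at HAProxy).
SAMPLE_TERMINATION = """
global
    tune.ssl.default-dh-param 2048
defaults
    mode http
frontend https_frontend
    bind *:443 ssl crt /etc/ssl/certs/servername.pem
    acl host_https_ihouse hdr_beg(host) -i ihouse.xxx.com
    use_backend yidongclient_server_https if host_https_ihouse
frontend http-in
    bind *:80
    acl host_manager_uhouse hdr_beg(host) -i manager.u.house.com
    use_backend manager_uhouse_server if host_manager_uhouse
backend yidongclient_server_https
    server s1 192.168.250.47:80 check cookie s1
"""

# Constructed from the page's Method 2 example; the acl line is assumed, not on the page.
SAMPLE_PASSTHROUGH = """
defaults
    mode http
frontend yidonghttps-in
    bind *:443
    mode tcp
    acl is_ihouse hdr_beg(host) -i ihouse.ifeng.com   # assumed: shows the tcp-mode trap
    use_backend yidongclient_server_https if is_ihouse
    default_backend yidongclient_server_https
backend yidongclient_server_https
    mode tcp
    option ssl-hello-chk
    server yidonghttps_168 10.0.10.168:443
"""

if __name__ == "__main__":
    for label, sample in (("termination", SAMPLE_TERMINATION), ("passthrough", SAMPLE_PASSTHROUGH)):
        for section, msg in lint(sample):
            print(f"{label}: [{section}] {msg}")
```

Run as a script it reports one finding for the termination sample (http-in has no redirect) and two for the passthrough sample (the hdr ACL in tcp mode, and the backend whose check options never run). Swapping the ACL for `req.ssl_sni` and adding `check` to the server line clears both.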

Reference: https://www.trustasia.com/help/haproxy-ssl.htm
