要求:
1、Haproxy必须是需要1.5以上的版本才会支持ssl证书
2、要使用ssl模块,必须要安装openssl软件,版本要注意符合要求
openssl的安装
tar zxf openssl-0.9.8zh.tar.gz
cd openssl-0.9.8zh
./config enable-tlsext --prefix=/usr/local/openssl no-shared
make && make install_sw
#以上安装不影响系统中的openssl版本,主要就是打开openssl的TLS SNI功能
也可以通过yum的方式去安装openssl
Haproxy的安装配置
这里可以使用yum的方式安装,也可以下载二进制包安装:安装方便百度就可以
Haproxy的配置文件
global
log 127.0.0.1 local0
log 127.0.0.1 local1 notice
#log loghost local0 info
maxconn 20480
uid 99
gid 99
#daemon
tune.ssl.default-dh-param 2048
debug
#quiet
#pidfile /usr/local/haproxy/run/haproxy.pid
#nbproc 2
defaults
log global
mode http
option httplog
option httpclose
option forwardfor
option dontlognull
option redispatch
option originalto
#option abortonclose
balance roundrobin
#balance leastconn
#balance source
stats refresh 30
retries 3
timeout connect 5000
timeout client 2400000
timeout server 2400000
timeout check 5000
listen admin_status
bind 0.0.0.0:81
mode http
log 127.0.0.1 local3 err
stats refresh 30s
stats uri /haproxy-stats
stats realm Welcome CJWL /CJWL
stats auth admin:wangguan
stats hide-version
stats admin if TRUE
errorfile 403 /usr/local/haproxy/errorfiles/403.http
errorfile 500 /usr/local/haproxy/errorfiles/500.http
errorfile 502 /usr/local/haproxy/errorfiles/502.http
errorfile 503 /usr/local/haproxy/errorfiles/503.http
errorfile 504 /usr/local/haproxy/errorfiles/504.http
frontend http_80_in
bind 0.0.0.0:80,0.0.0.0:7070,0.0.0.0:7777
#redirect scheme https if !{ ssl_fc } 把这行开启后,就表示所有http的访问都会自动走ssl证书,跳转走https
# bind 0.0.0.0:4443 ssl crt /usr/local/haproxy/etc/ssl/haproxy.pem~~
bind 0.0.0.0:443 ssl crt /etc/haproxy/ssl/server.pem
#reqadd X-Forwarded-Proto:/ https
acl testcoms_p hdr_dom(host) -i testcoms.changjiu56.com
acl ssl hdr_reg(host) -i ^(kesungang.changjiu56.com)$
redirect scheme https code 301 if !{ ssl_fc } ssl
acl kesungang_p hdr_dom(host) -i kesungang.xxxx.com
acl cpstest_p hdr_dom(host) -i ^(cpstest.xxx.com)$
acl recapicpstest_p hdr_dom(host) -i ^(rec.api.cpstest.xxxx.com)$
acl g7_ip src 121.2xx.0.0/16 117.50.xxx.0/24
use_backend testcoms.xxxx.com if testcoms_p
use_backend kesungang.xxxx.com if kesungang_p
use_backend bmwpdatest.xxxx.com if bmwpdatest_p
use_backend bmwpda.xxxx.com if bmwpda_p
use_backend srm.xxxx.com if srm_p
use_backend coms.xxx.com if coms_p
#backend wmsims.xxxxx.com
# mode http
# balance source
# option httpchk GET /test/test.html
# server 10.0.3.111:80 10.0.3.111:80 maxconn 5000 check inter 2000 rise 2 fall 3
# http-request set-header X-Forwarded-Port %[dst-Port]
# http-request add-header X-Forwarded-Proto https if { ssl_fc }
backend kesungang.xxxx.com
balance source
#redirect scheme https if !{ ssl_fc }
server 10.0.3.78:80 10.0.3.78:80 maxconn 1024 weight 3 check inter 2000 rise 2 fall 3
backend testcoms.xxxx.com
balance source
#option httpchk GET /HealthCheck.html
如果只让一个域名走ssl证书配置
1、在frontend 默认80里面把redirect scheme https if !{ ssl_fc }
注释掉
2、配置acl规则如下
`acl ssl hdr_reg(host) -i ^(kesungang.xxx.com)$
redirect scheme https code 301 if !{ ssl_fc } ssl
acl kesungang_p hdr_dom(host) -i kesungang.xxxx.com
`
多个域名,多个ssl证书配置
frontend http_server
bind :80
bind :443 ssl crt /etc/haproxy/keys/www.test.com.pem crt /etc/haproxy/keys/admin.test.com.pem crt /etc/haproxy/keys/passport.abc.com.pem
#按照如上规则如果多个站点就可以使用同样的规则 bind :443 ssl crt $filepath crt $file2path crt $file3path
mode http
acl ssl hdr_reg(host) -i ^(www.test.com|admin.test.com|passport.abc.com)$
redirect scheme https code 301 if !{ ssl_fc } ssl
#对以上站点进行https跳转
#在某些情况下,在特定页面需要进行跳转,则
acl ssl_site hdr_reg(host) -i ^(
acl ssl_path path_beg -i /Login /Pay/Pay.aspx
redirect scheme https code 301 if !{ ssl_fc } ssl_site ssl_path
redirect scheme http code 301 if { ssl_fc } ssl_site !ssl_path
#只在/loign /Pay/Pay.aspx页面进行跳转,其他页面使用http
acl wwwtest_com hdr_reg(host) -i ^(www.test.com)$
use_backend www_test_com if wwwtest_com { ssl_fc_sni www.test.com }
#这里就是证书的对应部分,如
acl admintest_com hdr_dom(host) -i admin.test.com
use_backend admin_test_com if admintest_com { ssl_fc_sni admin.test.com }
acl passportabc_com hdr_dom(host) -i passport.abc.com
use_backend pasport_abc_com if passport_abc_com { ssl_fc_sni passport.abc.com }
backend www_test_com
server test2 192.168.10.2:80 check port 80 inter 5000 rise 2 fall 3 weight 1
backend admin_test_com
server test4 192.168.10.4:80 check port 80 inter 5000 rise 2 fall 3 weight 1
backend passport_abc_com
server test5 192.168.10.5:80 check port 80 inter 5000 rise 2 fall 3 weight 1
原创文章,作者:ItWorker,如若转载,请注明出处:https://blog.ytso.com/182859.html