Linux: implementing HTTPS with HAProxy


Devices

centos7   10.0.0.27    client
centos7   10.0.0.17    HAProxy server
centos8   10.0.0.8     httpd server
centos8   10.0.0.18    httpd server

 

HAProxy can terminate HTTPS: the leg from the client to HAProxy is HTTPS, and HAProxy talks plain HTTP to the backend servers. Terminating on the proxy centralizes certificate handling but also concentrates all TLS handshake and encryption work on that one host; for performance reasons, production deployments therefore often keep the certificates on the backend web servers themselves (nginx, Apache) instead. Note also that with termination on HAProxy the proxy-to-backend leg is cleartext, so it must run on a trusted network segment, and the backends only learn the original scheme and port if HAProxy adds X-Forwarded-* headers (see the supplement below).

 

Creating the certificate (on the HAProxy server)

[root@centos7-liyj /etc/haproxy/conf.d/ssl]#openssl genrsa -out haproxy.key 2048
Generating RSA private key, 2048 bit long modulus
................+++
............+++
e is 65537 (0x10001)
[root@centos7-liyj /etc/haproxy/conf.d/ssl]#openssl req -utf8 -newkey rsa:1024 -subj "/CN=www.lyj.org" -keyout haproxy.key -nodes -x509 -out haproxy.crt
Generating a 1024 bit RSA private key
...........++++++
......................++++++
writing new private key to 'haproxy.key'
-----
[root@centos7-liyj /etc/haproxy/conf.d/ssl]#ll
total 8
-rw-r--r-- 1 root root 745 Jun 18 17:15 haproxy.crt
-rw-r--r-- 1 root root 916 Jun 18 17:15 haproxy.key
[root@centos7-liyj /etc/haproxy/conf.d/ssl]#cat haproxy.key haproxy.crt >haproxy.pem  # the file named by the crt directive must be PEM and contain the certificate together with its private key

Three things in this session deserve attention before copying it. First, `openssl req -newkey rsa:1024 -keyout haproxy.key` generates a fresh key and overwrites the 2048-bit key that `genrsa` had just produced, so the certificate ends up on a 1024-bit RSA key, below the 2048-bit minimum that public CAs issue and current TLS guidance recommends; drop the `genrsa` step and use `-newkey rsa:2048` (or larger). Second, no `-days` was given, so the certificate is valid for only 30 days (see Not Before / Not After below), and with no extensions section the self-signed certificate carries `CA:TRUE` rather than the `CA:FALSE` a server certificate should have. Third, all three files were created mode 644, so the private key is readable by every local user: `chmod 600 haproxy.key haproxy.pem` before HAProxy reads them.

[root@centos7-liyj /etc/haproxy/conf.d/ssl]#openssl x509 -in haproxy.pem -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            cd:77:70:77:7c:c8:de:d6
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=www.lyj.org
        Validity
            Not Before: Jun 18 09:15:43 2022 GMT
            Not After : Jul 18 09:15:43 2022 GMT
        Subject: CN=www.lyj.org
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                    00:cf:d6:3c:38:df:81:f0:cc:0c:7d:8b:18:68:ba:
                    41:5f:e5:40:24:e8:b1:ea:48:ab:98:f1:da:eb:3a:
                    89:fd:8a:d4:09:a1:30:95:99:cd:70:79:14:e0:41:
                    0b:87:65:7f:c2:1e:fb:72:77:79:92:64:52:6b:2d:
                    85:1e:47:7c:62:21:cd:22:a8:fe:87:d8:12:a3:01:
                    ce:73:2e:8a:05:f5:0b:5e:48:f1:20:8d:23:07:5b:
                    e1:bd:4b:54:3d:44:ff:b8:f3:28:59:9f:a6:8d:10:
                    b7:b5:11:b1:0e:79:8c:5c:97:68:c9:ae:80:41:d6:
                    9d:f8:d7:7f:58:5f:68:dd:df
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                57:C7:5F:61:84:1A:E4:3D:76:B0:67:30:D1:AA:D9:11:BF:D7:F5:8C
            X509v3 Authority Key Identifier: 
                keyid:57:C7:5F:61:84:1A:E4:3D:76:B0:67:30:D1:AA:D9:11:BF:D7:F5:8C

            X509v3 Basic Constraints: 
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption
         c2:7d:b6:e7:fd:10:04:cd:ac:1e:16:8a:af:17:65:e6:0d:6b:
         40:a4:fa:d3:5e:e7:59:bd:fa:c2:d7:de:7e:8f:a7:47:3e:a5:
         37:56:b3:c8:1b:a5:1a:68:42:ab:4e:2e:13:d7:29:18:c6:5b:
         2a:53:c6:99:98:38:85:04:60:34:a1:b0:4c:13:70:6d:28:a8:
         8b:74:a2:0f:58:a4:34:b5:d1:44:29:a5:85:06:ca:10:e2:7a:
         6c:f5:48:46:bc:94:bf:bb:e8:76:65:06:66:02:ed:97:df:52:
         d7:23:3b:a7:b8:26:27:e4:f0:c5:6b:1d:4f:aa:04:7d:1f:81:
         e2:fa
[root@centos7-liyj /etc/haproxy/conf.d/ssl]#ll
total 12
-rw-r--r-- 1 root root  745 Jun 18 17:15 haproxy.crt
-rw-r--r-- 1 root root  916 Jun 18 17:15 haproxy.key
-rw-r--r-- 1 root root 1661 Jun 18 17:16 haproxy.pem
[root@centos7-liyj /etc/haproxy/conf.d/ssl]#cat haproxy.pem 
-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

Certificate contents
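The procedure above, redone the way a practitioner would deploy it, as an added example (this is not code from the original page or from the HAProxy project): one `openssl req` call produces a 2048-bit key and a proper leaf certificate with a SAN, the bundle is written in the order HAProxy documents (certificate first, then key) with mode 600, and a check confirms that the key in the bundle actually matches the certificate before the file is handed to HAProxy. It assumes the hostname www.lyj.org from the page; the output directory and validity period are parameters, and `openssl` 1.0.2 or newer must be on PATH.

```shell
#!/usr/bin/env bash
# Added example (not from the original page or the HAProxy project): build the
# PEM bundle that HAProxy's "crt" directive expects and verify it before it is
# deployed. Assumptions: the hostname www.lyj.org from the page; the output
# directory and validity are parameters; openssl 1.0.2 or newer on PATH.
set -eu

# Create a self-signed server certificate for host $2 in directory $1, valid
# $3 days (default 365), and bundle it into $1/haproxy.pem. Prints the bundle path.
make_haproxy_bundle() {
  local dir="$1" host="$2" days="${3:-365}"
  mkdir -p "$dir"
  # Extensions via a config file rather than -addext, so this also works on the
  # OpenSSL 1.0.2 shipped with CentOS 7. CA:FALSE plus a SAN makes a proper
  # leaf certificate (a default-extension self-signed cert comes out CA:TRUE).
  cat >"$dir/openssl.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions    = v3_leaf
prompt             = no
[dn]
CN = $host
[v3_leaf]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = DNS:$host
EOF
  # One command generates key and certificate: 2048-bit RSA is the floor today,
  # and -days is explicit instead of the 30-day default.
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$days" \
    -config "$dir/openssl.cnf" \
    -keyout "$dir/haproxy.key" -out "$dir/haproxy.crt" 2>/dev/null
  # Order documented by HAProxy: certificate (plus chain, if any), then key.
  # umask 077 so the bundle is never world-readable, even for an instant.
  (umask 077; cat "$dir/haproxy.crt" "$dir/haproxy.key" >"$dir/haproxy.pem")
  chmod 600 "$dir/haproxy.key" "$dir/haproxy.pem"
  echo "$dir/haproxy.pem"
}

# Return 0 only if the bundle is safe to hand to HAProxy: the private key
# matches the certificate, the certificate has not expired, and the file is
# mode 600 (a 644 bundle exposes the private key to every local user).
check_haproxy_bundle() {
  local pem="$1" cert_pub key_pub mode
  cert_pub=$(openssl x509 -in "$pem" -noout -pubkey)   # SPKI from the cert
  key_pub=$(openssl pkey -in "$pem" -pubout)            # SPKI derived from the key
  [ "$cert_pub" = "$key_pub" ] || { echo "key does not match certificate" >&2; return 1; }
  openssl x509 -in "$pem" -noout -checkend 0 >/dev/null ||
    { echo "certificate has expired" >&2; return 1; }
  mode=$(stat -c '%a' "$pem" 2>/dev/null || stat -f '%Lp' "$pem")   # GNU, then BSD stat
  [ "$mode" = "600" ] || { echo "bundle mode is $mode, expected 600" >&2; return 1; }
}

# What an operator eyeballs before reloading HAProxy.
bundle_summary() {
  openssl x509 -in "$1" -noout -subject -dates
  openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name'
}

# Stand-alone use: ./mkbundle.sh /etc/haproxy/conf.d/ssl www.lyj.org 365
if [ "$#" -ge 2 ]; then
  pem=$(make_haproxy_bundle "$@")
  check_haproxy_bundle "$pem" && bundle_summary "$pem"
fi
```

The match check compares the SubjectPublicKeyInfo extracted from the certificate with the one derived from the private key; both `openssl x509` and `openssl pkey` skip the PEM blocks they are not asked for, so they can read the combined bundle directly, which is exactly the file HAProxy will load.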

 

HTTPS configuration (HAProxy server)

frontend N65_web_https
   bind 10.0.0.17:80
###########################acl setting######################
   #acl acl_static path_beg -i /static /images /javascript
   #acl acl_static path_end -i .jpg .jpeg .png .gif .css .js .html .htm
   #acl acl_app    path_beg -i /api
   bind 10.0.0.17:443 ssl crt /etc/haproxy/conf.d/ssl/haproxy.pem  # terminate TLS here; crt points at the PEM bundle (certificate + private key)
   redirect scheme https if !{ ssl_fc }                            # send plain-HTTP (port 80) requests to 443
   use_backend httpd_https                                         # unconditional; default_backend is the idiomatic form
###########################acl hosts######################
   #use_backend N65_webserver
   #use_backend static_hosts if acl_static
   #default_backend app_hosts

backend  httpd_https
   server 10.0.0.8   10.0.0.8:80  check
   server 10.0.0.18  10.0.0.18:80 check


#backend static_hosts
#   server 10.0.0.8   10.0.0.8:80 check
#backend app_hosts 
#   server 10.0.0.18  10.0.0.18:80 check

#backend  N65_webserver
#   server 10.0.0.8   10.0.0.8:80
#   server 10.0.0.18  10.0.0.18:80

Supplement

# Pass the protocol and port the client used on to the backends (valid in a frontend or backend section).
# The directive is http-request (hyphen), and the header is X-Forwarded-Proto. set-header is used for both
# so that a client-supplied X-Forwarded-Proto header is overwritten rather than appended to.
 http-request set-header X-Forwarded-Port %[dst_port]
 http-request set-header X-Forwarded-Proto https if { ssl_fc }
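A hardened form of the frontend and backend above, with the supplement's headers folded in, as an added example (not the page's own configuration and not from the HAProxy project): it pins a minimum TLS version and cipher policy, sends a cached 301 for cleartext requests, sets X-Forwarded-Proto/Port and X-Forwarded-For for the plain-HTTP backends, and adds HSTS. The second function is a small lint, this example's own heuristics rather than anything HAProxy provides, that flags copy-paste mistakes such as writing `http_request` with an underscore (the directive is `http-request`), misspelling `X-Forwarded-Proto`, a `bind ... ssl` with no `ssl-min-ver` anywhere, or a port-80 listener with no redirect to HTTPS. It assumes HAProxy 1.8 or newer and the IPs, backend name and bundle path used on this page.

```shell
#!/usr/bin/env bash
# Added example (not from the original page or the HAProxy project): a hardened
# version of the page's HTTPS frontend, plus a small lint for mistakes a reader
# could copy into a config. Assumptions: HAProxy 1.8+ (for ssl-min-ver), the
# IPs, bundle path and backend name from this page; the lint rules are this
# example's own heuristics, not HAProxy's.
set -eu

# Write the hardened frontend/backend to $1; $2 overrides the bundle path.
write_hardened_config() {
  local out="$1" crt="${2:-/etc/haproxy/conf.d/ssl/haproxy.pem}"
  cat >"$out" <<EOF
global
    log /dev/log local0
    # TLS floor and cipher policy inherited by every "bind ... ssl" line
    ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
    ssl-default-bind-ciphers ECDHE+AESGCM:ECDHE+CHACHA20

defaults
    mode http
    log global
    option httplog
    option forwardfor          # client IP to the backends (X-Forwarded-For)
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend N65_web_https
    bind 10.0.0.17:80
    bind 10.0.0.17:443 ssl crt $crt
    # plain HTTP -> HTTPS; 301 so browsers remember it
    http-request redirect scheme https code 301 unless { ssl_fc }
    # the backends speak plain HTTP, so tell them what the client used
    http-request set-header X-Forwarded-Proto https if { ssl_fc }
    http-request set-header X-Forwarded-Port %[dst_port]
    http-response set-header Strict-Transport-Security "max-age=31536000"
    default_backend httpd_https

backend httpd_https
    server web1 10.0.0.8:80  check
    server web2 10.0.0.18:80 check
EOF
}

# Lint a config file: one finding per line on stdout, nothing when clean.
lint_haproxy_config() {
  local cfg="$1"
  # 1. http_request / http_response: the directives use a hyphen; the
  #    underscore form is rejected when HAProxy parses the config.
  grep -nE '^[[:space:]]*http_(request|response)[[:space:]]' "$cfg" |
    sed 's/^/typo-directive:/' || true
  # 2. misspelt X-Forwarded-* header names (e.g. X-Forwared-Proto)
  grep -noE 'X-Forw[a-z]*-[A-Za-z]+' "$cfg" | grep -v 'X-Forwarded-' |
    sed 's/^/typo-header:/' || true
  # 3. a TLS listener with no minimum protocol version anywhere in the file
  if grep -qE '^[[:space:]]*bind .*[[:space:]]ssl([[:space:]]|$)' "$cfg" &&
     ! grep -q 'ssl-min-ver' "$cfg"; then
    echo "no-min-tls-version: 'bind ... ssl' present but ssl-min-ver is not set"
  fi
  # 4. port 80 bound with no redirect to https (cleartext stays reachable)
  if grep -qE '^[[:space:]]*bind [^[:space:]]*:80([[:space:]]|$)' "$cfg" &&
     ! grep -q 'redirect scheme https' "$cfg"; then
    echo "no-https-redirect: port 80 is bound but nothing redirects to https"
  fi
}

# Number of findings; "0" means clean.
lint_finding_count() {
  lint_haproxy_config "$1" | grep -c . || true
}

# Stand-alone: ./hardened.sh /etc/haproxy/haproxy.cfg [bundle.pem]
# writes the config, lints it, and syntax-checks it if haproxy is installed.
if [ "$#" -ge 1 ]; then
  write_hardened_config "$1" "${2:-}"
  lint_haproxy_config "$1"
  { command -v haproxy >/dev/null 2>&1 && haproxy -c -f "$1"; } || true
fi
```

Run the lint over any existing configuration before reloading; `haproxy -c -f` catches the underscore directive as a syntax error, but a missing `ssl-min-ver` or a misspelt forwarded header is accepted silently and only shows up as weak TLS or a backend that never sees the real scheme.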

Log with client IP pass-through enabled (figure not reproduced)

 

Testing (from a client). `-k` makes curl skip certificate verification, which is needed here because the certificate is self-signed; to verify properly instead, copy haproxy.crt to the client and use `curl --cacert haproxy.crt https://www.lyj.org/`. The name www.lyj.org must resolve to 10.0.0.17 on the client (for example through an /etc/hosts entry). Successive requests alternate between the two backends, showing HAProxy's default round-robin balancing over the plain-HTTP servers:

[root@centos7-liyj ~]#curl -k  https://www.lyj.org/
10.0.0.8
[root@centos7-liyj ~]#curl -k  https://www.lyj.org/
10.0.0.18
[root@centos7-liyj ~]#curl -k  https://www.lyj.org/
10.0.0.8
[root@centos7-liyj ~]#curl -k  https://www.lyj.org/
10.0.0.18
[root@centos7-liyj ~]#curl -k  https://www.lyj.org/
10.0.0.8

 


Original article by Maggie-Hunter; if reposting, cite the source: https://blog.ytso.com/268300.html
