HAProxy- https实现

HAProxy https实现

#配置HAProxy支持https协议,支持ssl会话;
    bind *:443 ssl crt /PATH/TO/SOME_PEM_FILE   

#crt 后证书文件为PEM格式,且同时包含证书和所有私钥   
        cat  demo.crt demo.key > demo.pem 

#把80端口的请求重定向到443
    bind *:80
    redirect scheme https if !{ ssl_fc }    

#向后端传递用户请求的协议和端口(frontend或backend)
    http-request set-header X-Forwarded-Port %[dst_port]
    http-request add-header X-Forwarded-Proto https if { ssl_fc }

证书制作

#方法1 (注意: 在默认umask下生成的key和pem文件对其他用户可读, 与方法2的umask 77不同, 生成后建议chmod 600)
[root@centos7 ~]mkdir /etc/haproxy/certs/
[root@centos7 ~]cd /etc/haproxy/certs/
[root@centos7 certs]#openssl  genrsa -out haproxy.key 2048
[root@centos7 certs]#openssl  req -new -x509 -key haproxy.key  -out haproxy.crt -subj "/CN=www.magedu.org"
#或者用下一条命令一步实现(上一条命令未指定-days, 自签证书默认有效期只有30天)
[root@centos7 certs]#openssl req  -x509 -newkey rsa:2048 -subj "/CN=www.magedu.org" -keyout haproxy.key -nodes -days 365 -out haproxy.crt

[root@centos7 certs]#cat haproxy.key  haproxy.crt  > haproxy.pem
[root@centos7 certs]#openssl  x509 -in  haproxy.pem -noout -text        #查看证书

#方法2
[root@centos7 ~]#mkdir /etc/haproxy/certs/
[root@centos7 ~]#cd /etc/pki/tls/certs
[root@centos7 certs]#make /etc/haproxy/certs/haproxy.pem 
umask 77 ; \
PEM1=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
PEM2=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
/usr/bin/openssl req -utf8 -newkey rsa:2048 -keyout $PEM1 -nodes -x509 -days 365 -out $PEM2  ; \
cat $PEM1 > /etc/haproxy/certs/haproxy.pem ; \
echo ""    >> /etc/haproxy/certs/haproxy.pem ; \
cat $PEM2 >> /etc/haproxy/certs/haproxy.pem ; \
rm -f $PEM1 $PEM2
Generating a 2048 bit RSA private key
.+++
..............................................+++
writing new private key to '/tmp/openssl.x8hOA8'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:magedu
Organizational Unit Name (eg, section) []:it
Common Name (eg, your name or your server's hostname) []:www.magedu.org
Email Address []:
[root@centos7 certs]#ll /etc/haproxy/certs/
total 4
-rw------- 1 root root 3027 Apr  4 10:35 haproxy.pem

https配置示例

[root@centos7 ~]#cat  /etc/haproxy/conf.d/test.cfg
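frontend  magedu_http_port
  bind 10.0.0.7:80
  bind 10.0.0.7:443 ssl crt /etc/haproxy/certs/haproxy.pem
  # Plain-HTTP requests never reach a backend: they are redirected to https.
  redirect scheme https if !{ ssl_fc }        # note the spaces inside { }
  # set-header (not add-header) so a client-supplied X-Forwarded-* header is
  # overwritten instead of being forwarded alongside the proxy's value.
  http-request  set-header  X-Forwarded-Port   %[dst_port]
  http-request  set-header  X-Forwarded-Proto  https if { ssl_fc }
  mode http
  log global
  option httplog
###################### acl setting ###############################
  acl mobile_domain hdr_dom(host)   -i mobile.magedu.org
###################### acl hosts #################################
  # An acl only takes effect once a rule references it; without this line
  # mobile_hosts would never be selected.
  use_backend mobile_hosts if mobile_domain
  default_backend pc_hosts 
################### backend hosts #################################
backend mobile_hosts
  mode http
  # balance is a backend/defaults keyword; in a frontend it is ignored.
  balance  roundrobin
  server web1 10.0.0.17:80 check inter 2000 fall 3 rise 5

backend pc_hosts
  mode http
  balance  roundrobin
  # The X-Forwarded-* http-request rules could also be placed here instead of in the frontend.
  server web2 10.0.0.27:80 check inter 2000 fall 3 rise 5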

[root@centos7 ~]#ss -ntl
State      Recv-Q Send-Q          Local Address:Port   Peer Address:Port              
LISTEN     0      100                 127.0.0.1:25                 *:*                  
LISTEN     0      128                  10.0.0.7:443                *:*                  
LISTEN     0      128                         *:9999               *:*                  
LISTEN     0      128                  10.0.0.7:80                 *:*                  
LISTEN     0      128                         *:22                 *:*                  
LISTEN     0      128                      [::]:22                 [::]:*   

修改后端服务器的日志格式

[root@centos27 ~]#vim /etc/httpd/conf/httpd.conf 
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" \"%{X-Forwarded-Port}i\" \"%{X-Forwarded-Proto}i\"" combined  

验证https

[root@centos6 ~]#curl -IkL  http://www.magedu.org
HTTP/1.1 302 Found
content-length: 0
location: https://www.magedu.org/
cache-control: no-cache

HTTP/1.1 200 OK
date: Sat, 04 Apr 2020 02:31:31 GMT
server: Apache/2.4.6 (CentOS) PHP/5.4.16
last-modified: Thu, 02 Apr 2020 01:44:13 GMT
etag: "a-5a244f01f8adc"
accept-ranges: bytes
content-length: 10
content-type: text/html; charset=UTF-8

[root@centos6 ~]#curl -Ik  https://www.magedu.org
HTTP/1.1 200 OK
date: Sat, 04 Apr 2020 02:31:50 GMT
server: Apache/2.4.6 (CentOS) PHP/5.4.16
last-modified: Thu, 02 Apr 2020 01:44:28 GMT
etag: "a-5a244f0fd5175"
accept-ranges: bytes
content-length: 10
content-type: text/html; charset=UTF-8

#查看后端服务器的访问日志
[root@centos27 ~]#tail /var/log/httpd/access_log
10.0.0.7 - - [04/Apr/2020:10:40:17 +0800] "HEAD / HTTP/1.1" 200 - "-" "curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.27.1 zlib/1.2.3 libidn/1.18 libssh2/1.4.2" "443" "https"


本文链接:http://www.yunweipai.com/35315.html

原创文章,作者:ItWorker,如若转载,请注明出处:https://blog.ytso.com/52709.html
