HAProxy 1.7.2 拒绝匹配 ACL 中的主机

HAProxy 1.7.2 拒绝匹配 ACL 中的主机

我遇到了一个奇怪的情况,HAProxy 被用来从一个 IP 反向代理多个站点。这没问题,以前在早期版本中可以正常工作。这个最新安装和类似的配置拒绝匹配某些主机名,并一直指向默认后端。我已经从 haproxy 1.7.2 升级到 1.7.4,但这种行为仍然存在。

整个配置文件(修改的域)如下...

# Automaticaly generated, dont edit manually.
# Generated on: 2017-04-03 22:22
global
    maxconn         4096
    log         /var/run/log    local0  err
    stats socket /tmp/haproxy.socket level admin
    uid         80
    gid         80
    nbproc          1
    chroot          /tmp/haproxy_chroot
    daemon
    tune.ssl.default-dh-param   2048
    log-send-hostname       pfSense-HaProxy
    server-state-file /tmp/haproxy_server_state
    # Modern browser compatibility only as mentioned here:
    # https://wiki.mozilla.org/Security/Server_Side_TLS
    ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK

    ssl-server-verify none
    tune.ssl.maxrecord 1370

listen HAProxyLocalStats
    bind 127.0.0.1:2200 name localstats
    mode http
    stats enable
    stats refresh 60
    stats admin if TRUE
    stats uri /haproxy/haproxy_stats.php?haproxystats=1
    timeout client 5000
    timeout connect 5000
    timeout server 5000

frontend my-domain
    bind            0.0.0.0:80 name 0.0.0.0:80   
    bind            0.0.0.0:443 name 0.0.0.0:443 ssl  force-tlsv12 no-sslv3 no-tlsv10 no-tlsv11 crt /var/etc/haproxy/my-domain.pem crt /var/etc/haproxy/my-domain  
    mode            http
    log         global
    option          dontlognull
    option          dontlog-normal
    option          httplog
    option          http-server-close
    option          forwardfor
    acl https ssl_fc
    http-request set-header     X-Forwarded-Proto http if !https
    http-request set-header     X-Forwarded-Proto https if https
    maxconn         4096
    timeout client      36000
    option forwardfor
    option http-server-close
    option tcplog

    acl is_websocket hdr(Upgrade) -i WebSocket
    acl is_websocket hdr_beg(Host) -i ws

    http-request set-header X-Forwarded-Port %[dst_port]

    redirect scheme https code 301 if !{ ssl_fc }

    # Remove headers that expose security-sensitive information.
      rspidel ^Server:.*$
      rspidel ^X-Powered-By:.*$
      rspidel ^X-AspNet-Version:.*$
    acl         rancher_acl hdr(host) -i rancher.my-domain.com
    acl         nexus_acl   hdr(host) -i nexus.my-domain.com
    acl         docker-registry_acl hdr(host) -i docker-registry.my-domain.com
    acl         docker-proxy_acl    hdr(host) -i docker-proxy.my-domain.com
    acl         test_acl    hdr(host) -i test.my-domain.com
    acl         pfsense_acl hdr(host) -i pfsense.my-domain.com
    acl         www_my-domain_acl   hdr(host) -i my-domain.com
    acl         www_my-domain_acl   hdr(host) -i www.my-domain.com
    acl         crm_acl hdr(host) -i crm.my-domain.com
    acl         git_acl hdr(host) -i git.my-domain.com
    acl         sonar_acl   hdr(host) -i sonar.my-domain.com
    acl         teamcity_acl    hdr(host) -i teamcity.my-domain.com
    acl         upsource_acl    hdr(host) -i upsource.my-domain.com
    acl         wiki_acl    hdr(host) -i wiki.my-domain.com
    acl         youtrack_acl    hdr(host) -i youtrack.my-domain.com
    acl         hub_acl hdr(host) -i hub.my-domain.com
    use_backend nexus_be_http_ipvANY  if  nexus_acl 
    use_backend docker-registry-be_http_ipvANY  if  docker-registry_acl 
    use_backend docker-registry-proxy-be_http_ipvANY  if  docker-proxy_acl 
    use_backend pfsense_be_http_ipvANY  if  pfsense_acl 
    use_backend rancher_be_http_ipvANY  if  rancher_acl is_websocket 
    use_backend test_be_http_ipvANY  if  test_acl 
    use_backend www_my-domain_be_http_ipvANY  if  www_my-domain_acl 
    use_backend test_be_http_ipvANY  if  crm_acl 
    use_backend test_be_http_ipvANY  if  git_acl 
    use_backend test_be_http_ipvANY  if  sonar_acl 
    use_backend test_be_http_ipvANY  if  teamcity_acl 
    use_backend test_be_http_ipvANY  if  upsource_acl 
    use_backend test_be_http_ipvANY  if  wiki_acl 
    use_backend test_be_http_ipvANY  if  youtrack_acl 
    use_backend test_be_http_ipvANY  if  hub_acl 
    default_backend www_my-domain_be_http_ipvANY

backend nexus_be_http_ipvANY
    mode            http
    log         global
    timeout connect     30000
    timeout server      30000
    retries         3
    server          nexus_server 192.168.2.1:8081  

backend docker-registry-be_http_ipvANY
    mode            http
    log         global
    timeout connect     30000
    timeout server      30000
    retries         3
    server          nexus-server 192.168.2.1:8082  

backend docker-registry-proxy-be_http_ipvANY
    mode            http
    log         global
    timeout connect     30000
    timeout server      30000
    retries         3
    server          nexus-server 192.168.2.1:8083  

backend pfsense_be_http_ipvANY
    mode            http
    log         global
    timeout connect     30000
    timeout server      30000
    retries         3
    server          pfsense_server 192.168.2.1:1433 ssl  verify none 

backend rancher_be_http_ipvANY
    mode            http
    log         global
    timeout connect     30000
    timeout server      30000
    retries         3
    server          rancher_server 192.168.2.2:8080  

backend test_be_http_ipvANY
    mode            http
    log         global
    timeout connect     30000
    timeout server      30000
    retries         3
    server          test-server 192.168.2.1:8000  

backend www_my-domain_be_http_ipvANY
    mode            http
    log         global
    timeout connect     30000
    timeout server      30000
    retries         3
    server          wp-dev_shm 192.168.2.2:8000

无论我做什么,我都无法访问 rancher.my-domain.com,我被难住了。什么情况可能导致上述 thisdoesnot 的请求始终指向默认后端(或者当我删除默认后端的配置时指向 503?)。

我遇到的另一个问题是日志记录。无论我设置了什么日志记录,我都会得到一个静态的、不增长的日志文件,其中包含二进制垃圾而不是实际文本。我也希望有一个可行的示例日志记录答案(不是主要问题)。

答案1

对 ACL 进行排序后,通过两个规则来实现 OR 条件。

use_backend rancher_be_http_ipvANY  if  rancher_acl
use_backend rancher_be_http_ipvANY  if  rancher_acl is_websocket

相关内容