我遇到了一个奇怪的情况,HAProxy 被用来从一个 IP 反向代理多个站点。这没问题,以前在早期版本中可以正常工作。这个最新安装和类似的配置拒绝匹配某些主机名,并一直指向默认后端。我已经从 haproxy 1.7.2 升级到 1.7.4,但这种行为仍然存在。
整个配置文件(修改的域)如下...
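# Automatically generated, dont edit manually.
# Generated on: 2017-04-03 22:22
global
    maxconn 4096
    # NOTE(review): 'err' is the maximum severity forwarded to syslog. HAProxy's
    # per-request traffic lines are emitted at 'info', so with this level none of
    # them reach the log — a likely reason the log file never grows. Confirm
    # against the pfSense syslog setup before raising it to 'info'.
    log /var/run/log local0 err
    # Runtime API socket with full admin rights; only local users able to reach
    # /tmp/haproxy.socket can change server state.
    stats socket /tmp/haproxy.socket level admin
    uid 80
    gid 80
    nbproc 1
    chroot /tmp/haproxy_chroot
    daemon
    tune.ssl.default-dh-param 2048
    log-send-hostname pfSense-HaProxy
    server-state-file /tmp/haproxy_server_state
    # Modern browser compatibility only as mentioned here:
    # https://wiki.mozilla.org/Security/Server_Side_TLS
    ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
    # Certificate verification for 'ssl' backend servers is disabled globally:
    # any certificate presented by a backend is accepted, so a backend could be
    # impersonated from the internal network. Prefer 'verify required' plus a CA
    # on the individual 'server' lines once the backend certificates allow it.
    ssl-server-verify none
    tune.ssl.maxrecord 1370

listen HAProxyLocalStats
    # Stats listener is loopback-only; the unconditional 'stats admin' below
    # relies on that binding for its access control.
    bind 127.0.0.1:2200 name localstats
    mode http
    stats enable
    stats refresh 60
    stats admin if TRUE
    stats uri /haproxy/haproxy_stats.php?haproxystats=1
    timeout client 5000
    timeout connect 5000
    timeout server 5000

frontend my-domain
    bind 0.0.0.0:80 name 0.0.0.0:80
    # TLS 1.2 only; SSLv3/TLS 1.0/1.1 are disabled on this listener.
    bind 0.0.0.0:443 name 0.0.0.0:443 ssl force-tlsv12 no-sslv3 no-tlsv10 no-tlsv11 crt /var/etc/haproxy/my-domain.pem crt /var/etc/haproxy/my-domain
    mode http
    log global
    option dontlognull
    option dontlog-normal
    # 'option httplog' is kept and the later 'option tcplog' dropped: the two are
    # mutually exclusive and the last one wins, which had switched this HTTP
    # frontend to the TCP log format.
    option httplog
    option http-server-close
    option forwardfor
    acl https ssl_fc
    http-request set-header X-Forwarded-Proto http if !https
    http-request set-header X-Forwarded-Proto https if https
    maxconn 4096
    timeout client 36000
    acl is_websocket hdr(Upgrade) -i WebSocket
    acl is_websocket hdr_beg(Host) -i ws
    http-request set-header X-Forwarded-Port %[dst_port]
    # Every plaintext request is redirected to HTTPS before routing.
    redirect scheme https code 301 if !{ ssl_fc }
    # Remove headers that expose security-sensitive information.
    rspidel ^Server:.*$
    rspidel ^X-Powered-By:.*$
    rspidel ^X-AspNet-Version:.*$
    acl rancher_acl hdr(host) -i rancher.my-domain.com
    acl nexus_acl hdr(host) -i nexus.my-domain.com
    acl docker-registry_acl hdr(host) -i docker-registry.my-domain.com
    acl docker-proxy_acl hdr(host) -i docker-proxy.my-domain.com
    acl test_acl hdr(host) -i test.my-domain.com
    acl pfsense_acl hdr(host) -i pfsense.my-domain.com
    acl www_my-domain_acl hdr(host) -i my-domain.com
    acl www_my-domain_acl hdr(host) -i www.my-domain.com
    acl crm_acl hdr(host) -i crm.my-domain.com
    acl git_acl hdr(host) -i git.my-domain.com
    acl sonar_acl hdr(host) -i sonar.my-domain.com
    acl teamcity_acl hdr(host) -i teamcity.my-domain.com
    acl upsource_acl hdr(host) -i upsource.my-domain.com
    acl wiki_acl hdr(host) -i wiki.my-domain.com
    acl youtrack_acl hdr(host) -i youtrack.my-domain.com
    acl hub_acl hdr(host) -i hub.my-domain.com
    use_backend nexus_be_http_ipvANY if nexus_acl
    use_backend docker-registry-be_http_ipvANY if docker-registry_acl
    use_backend docker-registry-proxy-be_http_ipvANY if docker-proxy_acl
    use_backend pfsense_be_http_ipvANY if pfsense_acl
    # ACL names listed on one 'if' are ANDed. The original rule
    # 'if rancher_acl is_websocket' only matched WebSocket upgrade requests, so
    # ordinary HTTP requests for rancher.my-domain.com fell through to
    # default_backend. Matching on the Host ACL alone covers both cases.
    use_backend rancher_be_http_ipvANY if rancher_acl
    use_backend test_be_http_ipvANY if test_acl
    use_backend www_my-domain_be_http_ipvANY if www_my-domain_acl
    use_backend test_be_http_ipvANY if crm_acl
    use_backend test_be_http_ipvANY if git_acl
    use_backend test_be_http_ipvANY if sonar_acl
    use_backend test_be_http_ipvANY if teamcity_acl
    use_backend test_be_http_ipvANY if upsource_acl
    use_backend test_be_http_ipvANY if wiki_acl
    use_backend test_be_http_ipvANY if youtrack_acl
    use_backend test_be_http_ipvANY if hub_acl
    default_backend www_my-domain_be_http_ipvANY

backend nexus_be_http_ipvANY
    mode http
    log global
    timeout connect 30000
    timeout server 30000
    retries 3
    server nexus_server 192.168.2.1:8081

backend docker-registry-be_http_ipvANY
    mode http
    log global
    timeout connect 30000
    timeout server 30000
    retries 3
    server nexus-server 192.168.2.1:8082

backend docker-registry-proxy-be_http_ipvANY
    mode http
    log global
    timeout connect 30000
    timeout server 30000
    retries 3
    server nexus-server 192.168.2.1:8083

backend pfsense_be_http_ipvANY
    mode http
    log global
    timeout connect 30000
    timeout server 30000
    retries 3
    # 'verify none' repeats the global ssl-server-verify setting: the pfSense
    # GUI certificate is not checked, so TLS here gives confidentiality only,
    # not authentication of the backend.
    server pfsense_server 192.168.2.1:1433 ssl verify none

backend rancher_be_http_ipvANY
    mode http
    log global
    timeout connect 30000
    timeout server 30000
    retries 3
    server rancher_server 192.168.2.2:8080

backend test_be_http_ipvANY
    mode http
    log global
    timeout connect 30000
    timeout server 30000
    retries 3
    server test-server 192.168.2.1:8000

backend www_my-domain_be_http_ipvANY
    mode http
    log global
    timeout connect 30000
    timeout server 30000
    retries 3
    server wp-dev_shm 192.168.2.2:8000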
无论我做什么,我都无法访问 rancher.my-domain.com,我被难住了。什么情况可能导致上述主机名的请求始终指向默认后端(或者在我删除默认后端配置时返回 503)?
我遇到的另一个问题是日志记录。无论我设置了什么日志记录,我都会得到一个静态的、不增长的日志文件,其中包含二进制垃圾而不是实际文本。我也希望有一个可行的示例日志记录答案(不是主要问题)。
答案1
整理 ACL 后,用两条规则来实现 OR 条件:在同一条 `if` 中并列的多个 ACL 是 AND 关系,因此原来的 `if rancher_acl is_websocket` 只匹配 WebSocket 升级请求,普通的 HTTP 请求会落到默认后端。
# First rule: any request whose Host matches rancher_acl goes to the rancher
# backend, WebSocket or not.
use_backend rancher_be_http_ipvANY if rancher_acl
# Second rule is never reached: every request it would match (rancher_acl AND
# is_websocket) was already routed by the rule above. Kept for clarity only.
use_backend rancher_be_http_ipvANY if rancher_acl is_websocket