我有一个lb,它使用 SSLhaproxy将流量从myexternaldomain.com重定向到,如下所示:myinternaldomain.com
global
log /dev/log local0
log /dev/log local1 info
chroot /var/lib/haproxy
stats socket /run/haproxy/admin.sock mode 660 level admin
stats timeout 30s
user haproxy
group haproxy
daemon
debug
maxconn 2048
defaults
log global
mode http
option httplog
option http-server-close
option dontlognull
timeout connect 25000
timeout client 250000
timeout server 250000
frontend https
bind *:443 ssl crt /etc/haproxy/certs
acl mydomain_acl hdr_beg(host) -i myexternaldomain.com
option forwardfor
redirect scheme https code 301 if registry_acl !{ ssl_fc }
use_backend mydomain if mydomain_acl
default_backend k8s_ingress_http
frontend mydomain_out
bind 10.200.0.2:35100 ssl crt /etc/haproxy/certs/myexternaldomain.com.pem
mode http
option accept-invalid-http-request
default_backend mydomain
backend k8s_ingress_http
mode http
balance roundrobin
server anotherserver server.com:32080 check
backend mydomain
mode http
balance roundrobin
server mydomain myinternaldomain.com:443 check ssl verify none
通过此配置,我能够将流量重定向到来自隔离容器集群内部的myinternaldomain.comvia 。然而本周初,这开始返回 503 错误:myexternaldomain.com:35100
$ curl -v "https://myexternaldomain.com:35100/"
* Trying 10.200.0.2...
* TCP_NODELAY set
* Connected to myexternaldomain.com (10.200.0.2) port 35100 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
* subject: CN=myexternaldomain.com
* start date: May 8 13:45:29 2019 GMT
* expire date: Aug 6 13:45:29 2019 GMT
* subjectAltName: host "myexternaldomain.com" matched cert's "myexternaldomain.com"
* issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
* SSL certificate verify ok.
> GET / HTTP/1.1
> Host: myexternaldomain.com:35100
> User-Agent: curl/7.52.1
> Accept: */*
>
* HTTP 1.0, assume close after body
< HTTP/1.0 503 Service Unavailable
< Cache-Control: no-cache
< Connection: close
< Content-Type: text/html
<
<html><body><h1>503 Service Unavailable</h1>
No server is available to handle this request.
</body></html>
* TLSv1.2 (IN), TLS alert, Client hello (1):
* Curl_http_done: called premature == 0
* Closing connection 0
* TLSv1.2 (OUT), TLS alert, Client hello (1):
从 haproxy 本身尝试时出现相同错误:
# curl --insecure https://10.200.0.2:35100
<html><body><h1>503 Service Unavailable</h1>
No server is available to handle this request.
</body></html>
然而, Haproxy 本身仍然可以达到myinternaldomain.com良好的效果:
# curl myinternaldomain.com
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>some title here</title>
<meta http-equiv="REFRESH" content="0;url=/">
</head>
<body>
</body>
从第一次 curl 可以看出,sslmyexternaldomain.com仍然有效。
这两个域或端点均未发生任何变化,因此myinternaldomain.com不会造成这种情况。所以现在,说实话,我有点不知所措!
到目前为止,我已经尝试删除 SSL 仅使用纯 http,但无济于事(同样的 503 错误)..指定的 IP 地址将对后端的 haproxy 进行调用..登录时/var/log/haproxy*没有显示任何内容,但 haproxy 服务正在启动/停止。
抱歉,问题问得有点模糊,但是我是否遗漏了什么明显的内容?
答案1
因此,事实证明我尝试访问的外部域最近已更新为仅接受来自正确域名的标头。
haproxy 似乎无法通过 https 修改标头(可以理解),所以我不得不采用隧道方法。