Haproxy 使用 ssl-503 将内部域重定向到外部

Haproxy 使用 ssl-503 将内部域重定向到外部

我有一个lb,它使用 SSLhaproxy将流量从myexternaldomain.com重定向到,如下所示:myinternaldomain.com

global
        log /dev/log    local0
        log /dev/log    local1 info
        chroot /var/lib/haproxy
        stats socket /run/haproxy/admin.sock mode 660 level admin
        stats timeout 30s
        user haproxy
        group haproxy
        daemon
        debug
        maxconn 2048

defaults
        log     global
        mode    http
        option  httplog
        option  http-server-close
        option  dontlognull
        timeout connect 25000
        timeout client  250000
        timeout server  250000


frontend https
        bind *:443 ssl crt /etc/haproxy/certs
        acl mydomain_acl hdr_beg(host) -i myexternaldomain.com

        option forwardfor
        redirect scheme https code 301 if registry_acl !{ ssl_fc }
        use_backend mydomain if mydomain_acl
        default_backend k8s_ingress_http

frontend mydomain_out
        bind 10.200.0.2:35100 ssl crt /etc/haproxy/certs/myexternaldomain.com.pem
        mode http
        option accept-invalid-http-request
        default_backend mydomain

backend k8s_ingress_http
        mode http
        balance roundrobin
        server anotherserver server.com:32080 check

backend mydomain
        mode http
        balance roundrobin
        server mydomain myinternaldomain.com:443 check ssl verify none

通过此配置,我能够将流量重定向到来自隔离容器集群内部的myinternaldomain.comvia 。然而本周初,这开始返回 503 错误:myexternaldomain.com:35100

$ curl -v "https://myexternaldomain.com:35100/"
*   Trying 10.200.0.2...
* TCP_NODELAY set
* Connected to myexternaldomain.com (10.200.0.2) port 35100 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: CN=myexternaldomain.com
*  start date: May  8 13:45:29 2019 GMT
*  expire date: Aug  6 13:45:29 2019 GMT
*  subjectAltName: host "myexternaldomain.com" matched cert's "myexternaldomain.com"
*  issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
*  SSL certificate verify ok.
> GET / HTTP/1.1
> Host: myexternaldomain.com:35100
> User-Agent: curl/7.52.1
> Accept: */*
>
* HTTP 1.0, assume close after body
< HTTP/1.0 503 Service Unavailable
< Cache-Control: no-cache
< Connection: close
< Content-Type: text/html
<
<html><body><h1>503 Service Unavailable</h1>
No server is available to handle this request.
</body></html>
* TLSv1.2 (IN), TLS alert, Client hello (1):
* Curl_http_done: called premature == 0
* Closing connection 0
* TLSv1.2 (OUT), TLS alert, Client hello (1):

从 haproxy 本身尝试时出现相同错误:

# curl --insecure https://10.200.0.2:35100
<html><body><h1>503 Service Unavailable</h1>
No server is available to handle this request.
</body></html>

然而, Haproxy 本身仍然可以达到myinternaldomain.com良好的效果:

# curl  myinternaldomain.com
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>some title here</title>
<meta http-equiv="REFRESH" content="0;url=/">
</head>
<body>

</body>

从第一次 curl 可以看出,sslmyexternaldomain.com仍然有效。

这两个域或端点均未发生任何变化,因此myinternaldomain.com不会造成这种情况。所以现在,说实话,我有点不知所措!

到目前为止,我已经尝试删除 SSL 仅使用纯 http,但无济于事(同样的 503 错误)..指定的 IP 地址将对后端的 haproxy 进行调用..登录时/var/log/haproxy*没有显示任何内容,但 haproxy 服务正在启动/停止。

抱歉,问题问得有点模糊,但是我是否遗漏了什么明显的内容?

答案1

因此,事实证明我尝试访问的外部域最近已更新为仅接受来自正确域名的标头。

haproxy 似乎无法通过 https 修改标头(可以理解),所以我不得不采用隧道方法。

相关内容