无法使用 ssl 配置 haproxy

Question 1

尝试一下，至少是这个版本（自己构建的）

root@server5:~# haproxy -vv

HA-Proxy version 1.5-dev17 2012/12/28
Copyright 2000-2012 Willy Tarreau <[email protected]>

Build options :
  TARGET  = linux2628
  CPU     = native
  CC      = gcc
  CFLAGS  = -O2 -march=native -g -fno-strict-aliasing
  OPTIONS = USE_ZLIB=1 USE_OPENSSL=1 USE_PCRE=1 USE_STATIC_PCRE=1

Default settings :
  maxconn = 2000, bufsize = 16384, maxrewrite = 8192, maxpollevents = 200

Encrypted password support via crypt(3): yes
Built with zlib version : 1.2.3.4
Compression algorithms supported : identity, deflate, gzip
Built with OpenSSL version : OpenSSL 1.0.1 14 Mar 2012
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports prefer-server-ciphers : yes

Available polling systems :
      epoll : pref=300,  test result OK
       poll : pref=200,  test result OK
     select : pref=150,  test result OK
Total: 3 (3 usable), will use epoll.

然后在 haproxy 中尝试这种配置

listen ssl_relay 192.168.128.101:443
    # this only works with 1.5 haproxy, it accepts multiple SSL en sends it 
    # off to the correct backend which does the SSL termination.
    mode tcp
    balance roundrobin
    option tcplog
    option socket-stats
    # option ssl-hello-chk  -> This is not be needed anymore, in fact, 
    # it needs to be off

    # maximum SSL session ID length is 32 bytes.
    stick-table type binary len 32 size 30k expire 30m

    # make sure we cover type 1 (fallback), although chances are it will
    # not route correctly, it will terminate on ssl
    acl clienthello req_ssl_hello_type 1
    acl serverhello rep_ssl_hello_type 2

    # use tcp content accepts to detects ssl client and server hello.
    tcp-request inspect-delay 5s
    tcp-request content accept if clienthello

    # no timeout on response inspect delay by default.
    tcp-response content accept if serverhello

    # SSL session ID (SSLID) may be present on a client or server hello.
    # Its length is coded on 1 byte at offset 43 and its value starts
    # at offset 44.

    # Match and learn on request if client hello.
    stick on payload_lv(43,1) if clienthello

    # Learn on response if server hello.
    stick store-response payload_lv(43,1) if serverhello

    # intercept incoming TLS requests based on the SNI field
    use-server xtp2_83 if { req_ssl_sni -i proudsslsite.com }
    use-server xtp2_83 if { req_ssl_sni -i www.proudsslsite.com }

    use-server xtp2_84 if { req_ssl_sni -i myothersecuremasterpiece.net }
    use-server xtp2_84 if { req_ssl_sni -i www.myothersecuremasterpiece.net } 

    server xtp2_83 192.168.128.1:483 weight 0
    server xtp2_84 192.168.128.2:484 weight 0

    # all the rest is forwarded to this server
    server xtp_default 192.168.128.3:443 check inter 10000 rise 2 fall 2

你只需要在内部网络服务器上终止 SSL。因此，一路加密流量。这对我来说很有效。

Answer

尝试一下，至少是这个版本（自己构建的）

root@server5:~# haproxy -vv

HA-Proxy version 1.5-dev17 2012/12/28
Copyright 2000-2012 Willy Tarreau <[email protected]>

Build options :
  TARGET  = linux2628
  CPU     = native
  CC      = gcc
  CFLAGS  = -O2 -march=native -g -fno-strict-aliasing
  OPTIONS = USE_ZLIB=1 USE_OPENSSL=1 USE_PCRE=1 USE_STATIC_PCRE=1

Default settings :
  maxconn = 2000, bufsize = 16384, maxrewrite = 8192, maxpollevents = 200

Encrypted password support via crypt(3): yes
Built with zlib version : 1.2.3.4
Compression algorithms supported : identity, deflate, gzip
Built with OpenSSL version : OpenSSL 1.0.1 14 Mar 2012
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports prefer-server-ciphers : yes

Available polling systems :
      epoll : pref=300,  test result OK
       poll : pref=200,  test result OK
     select : pref=150,  test result OK
Total: 3 (3 usable), will use epoll.

然后在 haproxy 中尝试这种配置

listen ssl_relay 192.168.128.101:443
    # this only works with 1.5 haproxy, it accepts multiple SSL en sends it 
    # off to the correct backend which does the SSL termination.
    mode tcp
    balance roundrobin
    option tcplog
    option socket-stats
    # option ssl-hello-chk  -> This is not be needed anymore, in fact, 
    # it needs to be off

    # maximum SSL session ID length is 32 bytes.
    stick-table type binary len 32 size 30k expire 30m

    # make sure we cover type 1 (fallback), although chances are it will
    # not route correctly, it will terminate on ssl
    acl clienthello req_ssl_hello_type 1
    acl serverhello rep_ssl_hello_type 2

    # use tcp content accepts to detects ssl client and server hello.
    tcp-request inspect-delay 5s
    tcp-request content accept if clienthello

    # no timeout on response inspect delay by default.
    tcp-response content accept if serverhello

    # SSL session ID (SSLID) may be present on a client or server hello.
    # Its length is coded on 1 byte at offset 43 and its value starts
    # at offset 44.

    # Match and learn on request if client hello.
    stick on payload_lv(43,1) if clienthello

    # Learn on response if server hello.
    stick store-response payload_lv(43,1) if serverhello

    # intercept incoming TLS requests based on the SNI field
    use-server xtp2_83 if { req_ssl_sni -i proudsslsite.com }
    use-server xtp2_83 if { req_ssl_sni -i www.proudsslsite.com }

    use-server xtp2_84 if { req_ssl_sni -i myothersecuremasterpiece.net }
    use-server xtp2_84 if { req_ssl_sni -i www.myothersecuremasterpiece.net } 

    server xtp2_83 192.168.128.1:483 weight 0
    server xtp2_84 192.168.128.2:484 weight 0

    # all the rest is forwarded to this server
    server xtp_default 192.168.128.3:443 check inter 10000 rise 2 fall 2

你只需要在内部网络服务器上终止 SSL。因此，一路加密流量。这对我来说很有效。

Question 2

我知道这并不能真正回答您的问题，但您可以尝试用 Pound 替换 HAproxy，它通过 HTTPS 进行配置非常容易，并且在您的情况下它将执行与 HAproxy 相同的操作。

Answer

我知道这并不能真正回答您的问题，但您可以尝试用 Pound 替换 HAproxy，它通过 HTTPS 进行配置非常容易，并且在您的情况下它将执行与 HAproxy 相同的操作。

无法使用 ssl 配置 haproxy

答案1

答案2

相关内容