因此我让 HAproxy 在虚拟 IP 上监听 http/https。
我有两台 Apache2(apacheserver1 和 apacheserver2)服务器提供网络流量服务。
一切运行正常 - 我正在提供网页服务,我的客户端被迫使用 https,我的 SSL 证书已正确签名,并且我的用户可以使用 Finder(Mac)和 Nautilus(Linux)连接到他们的 WebDAV 区域。
伟大的。
现在,严重的问题来了——Windows 客户端无法通过 WebDAV 连接。
命令如下:
net use X: \\myserver.com@SSL\home\eamorr
错误如下:
System error 67 has occurred.
(我可以很好地连接到https://myserver.com/home/eamorr在 Mac/Linux 上)
当我做:
net use X: \\apacheserver1.com@8080\home\eamorr
它运行良好(我直接连接到 apacheserver1:8080 - 没有 SSL)。
当我做:
net use X: \\apacheserver1.com@SSL@8081\home\eamorr
它工作正常(我直接连接到 apacheserver1:8081-已启用 SSL)。
但是当我通过 haproxy 时,它就是不起作用......
这是我的 haproxy 配置:
frontend www-http
bind 137.43.99.100:80 #A virtual IP
#reqadd X-Forwarded-Proto:\ http
default_backend http-backend
frontend www-https
bind 137.43.93.215:443 ssl crt /etc/apache2/ssl/combined.pem
#reqadd X-Forwarded-Proto:\ http
#reqirep Destination:\ https(.*) Destination:\ http\\1
#rspidel ^translate
default_backend http-backend
backend http-backend
cookie JSESSIONID insert
#reqirep Destination:\ https(.*) Destination:\ http\\1
server apacheserver1 137.43.99.101:8080 cookie apacheserver1 check
server apacheserver2 137.43.99.102:8080 cookie apacheserver2 check
#redirect scheme https if !{ ssl_fc } #forces https!
#option forwardfor
#http-request set-header X-Forwarded-Port %[dst_port]
#http-request add-header X-Forwarded-Proto https if { ssl_fc }
当我尝试通过
net use X: \\myserver.com@SSL\home\eamorr #Windows 命令
这是服务器端 HAProxy 日志(/var/log/haproxy.log):
Mar 5 11:51:00 apacheserver1 haproxy[22786]: 137.43.130.107:51168 [05/Mar/2015:11:50:25.233] www-https~ http-backend/apacheserver1 35691/0/1/11/35703 301 511 - - --NI 1/1/0/1/0 0/0 "OPTIONS /home/eamorr HTTP/1.1"
Mar 5 11:51:01 apacheserver1 haproxy[22786]: 137.43.130.107:51168 [05/Mar/2015:11:51:00.936] www-https~ http-backend/apacheserver1 97/0/0/2/99 301 497 - - --NI 1/1/0/1/0 0/0 "OPTIONS /home HTTP/1.1"
以下是 Apache2 的输出(启用了 trace8 调试信息):
Request received from client: OPTIONS /home HTTP/1.1
Headers received from client:
User-Agent: Microsoft-WebDAV-MiniRedir/6.1.7601
translate: f
Host: myserver.com
AH01626: authorization result of Require all granted: granted
AH01626: authorization result of <RequireAny>: granted
request authorized without authentication by access_checker_ex hook: /home
fixups hook gave 301: /home
Response sent with status 301, headers:
Date: Thu, 05 Mar 2015 12:09:50 GMT
Server: Apache/2.4.7 (Ubuntu)
Location: http://myserver.com/home/
Content-Length: 312
Content-Type: text/html; charset=iso-8859-1
core_output_filter: flushing because of FLUSH bucket
core_output_filter: flushing because of FLUSH bucket
当我从 Linux 连接时(工作正常!),我得到以下信息/var/log/haproxy.log:
Mar 5 12:20:10 apacheserver1 haproxy[22786]: 137.43.130.107:51295 [05/Mar/2015:12:20:10.062] www-https~ http-backend/apacheserver1 114/0/0/14/128 200 303 - - --NI 1/1/0/1/0 0/0 "OPTIONS /home/eamorr HTTP/1.1"
Mar 5 12:20:10 apacheserver1 haproxy[22786]: 137.43.130.107:51295 [05/Mar/2015:12:20:10.190] www-https~ http-backend/apacheserver1 3/0/0/3/6 207 474 - - --VN 1/1/0/1/0 0/0 "PROPFIND /home/eamorr HTTP/1.1"
Mar 5 12:20:10 apacheserver1 haproxy[22786]: 137.43.130.107:51295 [05/Mar/2015:12:20:10.196] www-https~ http-backend/apacheserver1 1/0/0/2/3 200 172 - - --VN 1/1/0/1/0 0/0 "OPTIONS /home/ HTTP/1.1"
Mar 5 12:20:10 apacheserver1 haproxy[22786]: 137.43.130.107:51295 [05/Mar/2015:12:20:10.200] www-https~ http-backend/apacheserver1 31/0/0/3/34 207 901 - - --VN 1/1/0/1/0 0/0 "PROPFIND /home/eamorr HTTP/1.1"
Mar 5 12:20:10 apacheserver1 haproxy[22786]: 137.43.130.107:51295 [05/Mar/2015:12:20:10.234] www-https~ http-backend/apacheserver1 52/0/0/10/62 207 2188 - - --VN 1/1/0/1/0 0/0 "PROPFIND /home/eamorr HTTP/1.1"
以下是 Apache2 的输出:
Request received from client: OPTIONS /home/eamorr HTTP/1.1
Setting redirect-carefully
Headers received from client:
Host: myserver.com
Accept-Encoding: gzip, deflate
User-Agent: gvfs/1.20.1
Accept-Language: en-ie, en;q=0.9, en;q=0.8
AH01626: authorization result of Require all granted: granted
AH01626: authorization result of <RequireAny>: granted
request authorized without authentication by access_checker_ex hook: /home/eamorr
Content-Type 'application/octet-stream' ...
... did not match 'application/xml'
Content-Type condition for 'deflate' did not match
Content-Type 'application/octet-stream' ...
... did not match 'application/rss+xml'
Content-Type condition for 'deflate' did not match
Content-Type 'application/octet-stream' ...
... did not match 'application/x-javascript'
... did not match 'application/javascript'
... did not match 'application/ecmascript'
Content-Type condition for 'deflate' did not match
Content-Type 'application/octet-stream' ...
... did not match 'text/css'
Content-Type condition for 'deflate' did not match
Content-Type 'application/octet-stream' ...
... did not match 'text/html'
... did not match 'text/plain'
... did not match 'text/xml'
Content-Type condition for 'deflate' did not match
Response sent with status 200, headers:
Date: Thu, 05 Mar 2015 12:15:44 GMT
Server: Apache/2.4.7 (Ubuntu)
DAV: 1,2
DAV: <http://apache.org/dav/propset/fs/1>
MS-Author-Via: DAV
Allow: OPTIONS,GET,HEAD,POST,DELETE,TRACE,PROPFIND,PROPPATCH,COPY,MOVE,LOCK,UNLOCK
Content-Length: 0
core_output_filter: flushing because of FLUSH bucket
我真的真的被困在这儿了。
Apache/2.4.7(Ubuntu 14.04.2)haproxy 1.5.11
答案1
当请求通过 haproxy 时,Apache 服务器会收到非 TLS 请求。当请求路径上mod_dav缺少尾随时,通常会进行重定向,并且它会发送错误的标头。Apache 有一个不以 开头的。/Location:Servernamehttps://
在您的日志文件中,301有这样的重定向,并且其内容明确说明:
Location: http://myserver.com/home/
您可以将 Apache 配置设置为以下内容:
ServerName https://myserver.com
但是,这将阻止您在不通过 haproxy 的情况下使用 webdav。您可能需要设置另一个VirtualHost才能这样做。其他解决方案,例如使用mod_rewrite 可能工作。
答案2
尝试简单地用以下内容替换与您的 webdav 配置相关的所有前端/后端;
listen webdavname :80 mode tcp server fooserver 137.43.99.101:8080 check
其中监听端口是您想要监听的 haproxy 端口,fooserver 上的端口是您托管 webdav 的实际端口。您还可以按照 haproxy 手册中的说明使用更多几行来设置负载平衡。