I have configured HAProxy in TCP mode to balance between 2 servers and connect to them over https. The problem is that when my frontend is in tcp mode, curl requests do not work properly.
This is what I get:
* Rebuilt URL to: https://HOSTNAME/
* Trying IP...
* Connected to HOSTNAME (IP) port 443 (#0)
* found 173 certificates in /etc/ssl/certs/ca-certificates.crt
* found 697 certificates in /etc/ssl/certs
* ALPN, offering http/1.1
* SSL connection using TLS1.2 / ECDHE_RSA_AES_256_GCM_SHA384
* server certificate verification OK
* server certificate status verification SKIPPED
* common name: HOSTNAME (matched)
* server certificate expiration date OK
* server certificate activation date OK
* certificate public key: RSA
* certificate version: #3
* subject: CN=HOSTNAME
* start date: Sun, 03 Jul 2016 13:07:00 GMT
* expire date: Sat, 01 Oct 2016 13:07:00 GMT
* issuer: C=US,O=Let's Encrypt,CN=Let's Encrypt Authority X3
* compression: NULL
* ALPN, server accepted to use http/1.1
> GET / HTTP/1.1
> Host: HOSTNAME
> User-Agent: curl/7.47.0
> Accept: */*
>
* Connection #0 to host HOSTNAME left intact
����%
This is my haproxy.cfg:
global
    log 127.0.0.1 local0 notice
    maxconn 2000
    user haproxy
    group haproxy
    stats socket /etc/haproxy/sock.stat level admin
    ssl-default-bind-options no-sslv3
    ssl-default-bind-ciphers kEECDH+AESGCM+AES128:kEECDH+AES128:kRSA+AESGCM+AES128:kRSA+AES128:!RC4:!aNULL:!eNULL:!MD5:!EXPORT:!LOW:!SEED:!CAMELLIA:!IDEA:!PSK:!SRP:!SSLv2
    tune.ssl.default-dh-param 2048

defaults
    log global
    retries 3
    option redispatch
    timeout connect 5000
    timeout client 5000
    timeout server 5000

frontend https
    mode tcp
    option tcplog
    bind :443 ssl crt /etc/letsencrypt/live/HOSTNAME/haproxy.pem ciphers TLSv1.2 alpn h2,http/1.1
    default_backend nodes

backend nodes
    mode tcp
    option tcplog
    server node-nginx 172.17.0.73:9999 check
    server node-maint 172.17.0.74:9999 backup

frontend http
    bind :80
    mode http
    redirect scheme https code 301 if !{ ssl_fc }
Is there anything I can do? I need OpenGraph previews, and they fail because of this.

Answer 1
The problem is that this configuration does not handle HTTP/1.1 requests at all. You have to define a new backend block for HTTP/1.1 requests. Since my servers are backed by nginx, I did it as follows:
    listen 9999 default_server;
    listen 9998 default_server http2;
My backend looks like this:
backend nodes-http2
    mode tcp
    option tcplog
    server node-nginx 172.17.0.73:9998 check
    server node-maint 172.17.0.74:9998 backup
To redirect HTTP2 users, I added this to the frontend https section:
    use_backend nodes-http2 if { ssl_fc_alpn -i h2 }
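The symptom in the question (binary bytes where an HTTP/1.1 response was expected) is what an HTTP/1.1 client sees when the TLS-terminated connection is handed to a backend that speaks only HTTP/2 framing. The following is an added Python example, not code from the post, HAProxy or nginx: it classifies the first bytes a client receives as an HTTP/1.x status line or as an HTTP/2 frame, and decodes a GOAWAY frame's error code. The sample byte strings are constructed for the demonstration.

```python
"""Tell an HTTP/1.x response from raw HTTP/2 framing in the first bytes a
client receives. Constructed samples only; runs offline."""

# HTTP/2 frame types and GOAWAY error codes (RFC 7540, sections 6 and 7).
H2_FRAME_TYPES = {0x0: "DATA", 0x1: "HEADERS", 0x4: "SETTINGS", 0x7: "GOAWAY"}
H2_ERROR_CODES = {0x0: "NO_ERROR", 0x1: "PROTOCOL_ERROR", 0x2: "INTERNAL_ERROR"}

def parse_frame_header(data: bytes):
    """Split the 9-byte HTTP/2 frame header: length (24 bit), type, flags,
    stream id (31 bit). Returns None if fewer than 9 bytes are present."""
    if len(data) < 9:
        return None
    length = int.from_bytes(data[:3], "big")
    ftype, flags = data[3], data[4]
    stream_id = int.from_bytes(data[5:9], "big") & 0x7FFFFFFF
    return length, ftype, flags, stream_id

def classify_response(data: bytes) -> str:
    """Return 'http1', 'h2:<FRAME>' or 'unknown' for the start of a reply."""
    if data.startswith(b"HTTP/1."):
        return "http1"
    hdr = parse_frame_header(data)
    if hdr is not None:
        length, ftype, _flags, stream_id = hdr
        # A server speaking HTTP/2 opens with SETTINGS on stream 0 (RFC 7540
        # section 3.5); GOAWAY on stream 0 is how it rejects a bad preface.
        if ftype in (0x4, 0x7) and stream_id == 0 and length <= 16384:
            return "h2:" + H2_FRAME_TYPES[ftype]
    return "unknown"

def decode_goaway(data: bytes):
    """Return (last_stream_id, error_name) from a GOAWAY frame, else None."""
    hdr = parse_frame_header(data)
    if hdr is None or hdr[1] != 0x7 or len(data) < 17:
        return None
    last_stream = int.from_bytes(data[9:13], "big") & 0x7FFFFFFF
    code = int.from_bytes(data[13:17], "big")
    return last_stream, H2_ERROR_CODES.get(code, hex(code))

# Constructed samples: an empty SETTINGS frame and a GOAWAY(PROTOCOL_ERROR).
SAMPLE_SETTINGS = b"\x00\x00\x00\x04\x00\x00\x00\x00\x00"
SAMPLE_GOAWAY = (b"\x00\x00\x08\x07\x00\x00\x00\x00\x00"
                 + b"\x00\x00\x00\x00" + b"\x00\x00\x00\x01")

if __name__ == "__main__":
    for sample in (b"HTTP/1.1 200 OK\r\n", SAMPLE_SETTINGS, SAMPLE_GOAWAY):
        print(classify_response(sample), sample[:9].hex())
    print(decode_goaway(SAMPLE_GOAWAY))
```

A result of `h2:SETTINGS` or `h2:GOAWAY` from an HTTP/1.1 request means the ALPN-selected protocol and the backend's protocol disagree, which is exactly what the `use_backend ... ssl_fc_alpn` rule above fixes.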