We have a virtualized server (ESXi) with a typical setup:
[客户端] https -> [pfsense -> haproxy] - http -> [vm]
Now I'm trying to set up a new virtual server with GitLab, but I can't find the right configuration. Inside the private network GitLab works fine, but when I try to access it from outside, HAProxy responds with a 503 error. After reading and trying several configurations I can't get it to work, and I'm sure it's an nginx problem (or so I think), because if I install Apache on the same server (just for testing), that server works fine from outside.
The goal is this:
[客户端] https -> [pfsense -> haproxy] - http -> [gitlab]
pfSense has ports 80 and 443 open (I'm not sure whether we need to open another port for SSH or Unicorn).
Some configuration:
gitlab.rb
external_url 'https://mydomain.extension'
HAProxy (works fine for the other VMs)
global
maxconn 10000
stats socket /tmp/haproxy.socket level admin
uid 80
gid 80
nbproc 1
chroot /tmp/haproxy_chroot
daemon
tune.ssl.default-dh-param 2048
server-state-file /tmp/haproxy_server_state
ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
frontend http_redirectTo_https
bind publicIP:80 name publicIP:80
mode http
log global
option httpclose
option forwardfor
acl https ssl_fc
http-request set-header X-Forwarded-Proto http if !https
http-request set-header X-Forwarded-Proto https if https
timeout client 30000
redirect scheme https code 301 if !{ ssl_fc }
frontend https_input
bind publicIP:443 name publicIP:443 ssl ssl crt /certs/certific.pem no-sslv3 crt /var/etc/haproxy/https_frontend.pem
mode http
log global
option http-keep-alive
timeout client 30000
acl aclAdm hdr(host) -i adm.domain.ext
acl aclOne hdr(host) -i one.domain.ext
acl aclTwo hdr(host) -i two.domain.ext
acl aclGit hdr(host) -i git.domain.ext
use_backend adm_backend_http_ipvANY if aclAdm
use_backend one_backend_http_ipvANY if aclOne
use_backend two_backend_http_ipvANY if aclTwo
use_backend git_backend_http_ipvANY if aclGit
I removed the other backends.
backend git_backend_http_ipvANY
mode http
log global
balance leastconn
timeout connect 30000
timeout server 30000
retries 3
option httpchk OPTIONS /
option forwardfor
option http-server-close
http-request set-header X-Forwarded-Port %[dst_port]
http-request set-header X-Forwarded-Proto https if { ssl_fc }
server gitServer private_ip:80 check inter 1000
I guess the problem is with nginx. Thanks!
Answer 1
The problem is that HAProxy does not detect the server as up, so we suspected the health check configuration was wrong:
option httpchk OPTIONS /
I simply changed it to a basic check and HAProxy detects the server correctly; in fact, it works fine.
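To see why a failing httpchk turns into a 503 at the frontend, here is a small diagnostic (added example, not part of the question or answer) that builds the same HTTP/1.0 probe HAProxy sends for `option httpchk OPTIONS /` and applies HAProxy's default rule: only a 2xx or 3xx status marks the server up. The sample responses are constructed for illustration, not captured from GitLab.

```python
import socket
from typing import Optional, Tuple


def build_httpchk_request(method: str = "OPTIONS", uri: str = "/",
                          host: Optional[str] = None) -> bytes:
    """Build the probe that 'option httpchk METHOD URI' sends.
    Without a version argument HAProxy uses HTTP/1.0 and sends no Host
    header, so a name-based vhost may answer for a different site."""
    lines = [f"{method} {uri} HTTP/1.0"]
    if host:
        lines.append(f"Host: {host}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def classify_httpchk_response(raw: bytes) -> Tuple[Optional[int], str]:
    """Apply HAProxy's default httpchk verdict to a raw HTTP response.
    2xx/3xx -> 'L7OK' (server UP); any other status -> 'L7STS' (DOWN);
    no parsable status line -> 'L7RSP' (DOWN)."""
    try:
        status_line = raw.split(b"\r\n", 1)[0].decode("ascii")
        version, code, *_ = status_line.split(" ", 2)
        if not version.startswith("HTTP/"):
            return None, "L7RSP"
        status = int(code)
    except (ValueError, UnicodeDecodeError):
        return None, "L7RSP"
    return status, ("L7OK" if 200 <= status < 400 else "L7STS")


def probe(host: str, port: int, request: bytes, timeout: float = 3.0) -> bytes:
    """Send one probe to a real backend and return the raw reply (status line first)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.settimeout(timeout)
        sock.sendall(request)
        return sock.recv(4096)


# Constructed responses: what a backend might return to the probe above.
SAMPLE_RESPONSES = {
    "method rejected": b"HTTP/1.1 405 Method Not Allowed\r\nAllow: GET, HEAD\r\n\r\n",
    "redirect to https": b"HTTP/1.1 301 Moved Permanently\r\nLocation: https://git.domain.ext/\r\n\r\n",
    "not http": b"SSH-2.0-OpenSSH\r\n",
}

if __name__ == "__main__":
    print(build_httpchk_request().decode().replace("\r\n", "\\r\\n"))
    for label, resp in SAMPLE_RESPONSES.items():
        status, verdict = classify_httpchk_response(resp)
        print(f"{label:18} -> status={status} verdict={verdict}")
```

With every backend in a backend marked DOWN, HAProxy has nowhere to route the request and answers 503 itself, which matches the symptom in the question; `probe()` lets you run the same request by hand against `private_ip:80` to see the real status line.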