Haproxy(SSL) 背后的 Gitlab

tag-icon tag-icon ssl https haproxy gitlab
Haproxy(SSL) 背后的 Gitlab

我们有一个具有典型配置的虚拟化服务器(esxi):

[客户端] https -> [pfsense -> haproxy] - http -> [vm]

现在我正尝试用 gitlab 配置一个新的虚拟服务器,但我找不到正确的配置,在私有网络内部,gitlab 工作正常,但当我尝试从外部访问时,haproxy 会响应 503 错误。在阅读并尝试了几种配置后,我无法使其工作,我确信这是 nginx 的问题(或者我是这样认为的),因为如果在同一台服务器上安装 apache(只是为了测试),该服务器从外部就可以正常工作。

目标是这样的:

[客户端] https -> [pfsense -> haproxy] - http -> [gitlab]

Pfsense 有 ipen 端口 80 和 443(我不确定我们是否需要为 ssh 或 unicorn 打开另一个端口)

一些配置:

gitlab.rc
external_url 'https://mydomain.extension'

Haproxy(对其他虚拟机运行良好)

global
maxconn         10000
stats socket /tmp/haproxy.socket level admin
uid         80
gid         80
nbproc          1
chroot          /tmp/haproxy_chroot
daemon
tune.ssl.default-dh-param   2048
server-state-file /tmp/haproxy_server_state
ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK

frontend http_redirectTo_https
    bind            publicIP:80 name publicIP:80   
    mode            http
    log         global
    option          httpclose
    option          forwardfor
    acl https ssl_fc
    http-request set-header     X-Forwarded-Proto http if !https
    http-request set-header     X-Forwarded-Proto https if https
    timeout client      30000
    redirect scheme https code 301 if !{ ssl_fc }

frontend https_input
    bind            publicIP:443 name publicIP:443 ssl ssl  crt /certs/certific.pem no-sslv3 crt /var/etc/haproxy/https_frontend.pem  
    mode            http
    log         global
    option          http-keep-alive
    timeout client      30000
    acl         aclAdm  hdr(host) -i adm.domain.ext
    acl         aclOne  hdr(host) -i one.domain.ext
    acl         aclTwo  hdr(host) -i two.domain.ext
    acl         aclGit  hdr(host) -i git.domain.ext
    use_backend adm_backend_http_ipvANY  if  aclAdm 
    use_backend one_backend_http_ipvANY  if  aclOne 
    use_backend two_backend_http_ipvANY  if  aclTwo
    use_backend git_backend_http_ipvANY  if  aclGit

我删除了其他后端

backend git_backend_http_ipvANY
    mode            http
    log         global
    balance         leastconn
    timeout connect     30000
    timeout server      30000
    retries         3
    option          httpchk OPTIONS / 
    option forwardfor
    option http-server-close
    http-request set-header X-Forwarded-Port %[dst_port]
    http-request set-header X-Forwarded-Proto https if { ssl_fc }
    server          gitServer private_ip:80 check inter 1000

我猜问题出在 nginx 上,谢谢!

答案1

问题是,haproxy 没有检测到服务器启动,所以我们怀疑健康检查配置有错误:

option          httpchk OPTIONS /

我只是将其更改为基本检查,haproxy 就可以正确检测服务器,事实上,工作正常。

相关内容