假设我们在 2 个 apache 前面有 haproxy:
+----> Apache (10.0.0.2)
Haproxy (10.0.0.1) --|
+----> Apache (10.0.0.3)
- Haproxy 配置为基于 URI 负载平衡流量(需要查看 URI,因此必须查看 HTTP 的内容)
- Apache 托管大量域名
- 每个域名都可以通过 haproxy 以 HTTPS 方式访问,haproxy 可以卸载 SSL 并启动与 Apache 的 HTTP 连接
- 每个域名都有自己的 SSL 证书(没有 SAN 或通配符证书)
我看到 Haproxy 允许我们提供包含多个证书的目录,但我无法让它与单个证书一起工作。
这是我的(简化的)配置:
global
[...]
# Default SSL material locations
ca-base /etc/ssl/certs
crt-base /etc/ssl/private
# Default ciphers to use on SSL-enabled listening sockets.
ssl-default-bind-options no-sslv3
ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
# For backends connections
ssl-default-server-options no-sslv3
ssl-default-server-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
frontend https_frontend
bind 10.0.0.1:443 ssl crt /etc/ssl/private/mycerts/mydomain.pem # HERE WE WANT A DIRECTORY INSTEAD OF A FILE
default_backend apache_backend
backend apache_backend
cookie SRVID insert indirect nocache
# Backends
server apache1 10.0.0.2:80 check maxconn 64
server apache2 10.0.0.3:80 check maxconn 64
# Load Balancing - URI Consistent
balance uri
hash-type consistent
# Options
option http-keep-alive
答案1
您可以使用crt-list
并指向包含证书列表的文件,因此您的前端将读取为
frontend https_frontend
bind 10.0.0.1:443 ssl crt-list /etc/ssl/private/mycerts.txt
default_backend apache_backend
生成列表只需要使用类似下面的命令find /etc/ssl/private/mycerts/ > /etc/ssl/private/mycerts.txt
。更多信息请参见https://cbonte.github.io/haproxy-dconv/configuration-1.6.html#5.1-crt-list