我在 Amazon ALB(应用程序负载均衡器)后面有一个 HAProxy,http/80 健康检查没有问题,但 https/443 却给我 503,即使该网站可用且没有问题
以下是我在 HAProxy 日志中看到的内容:
4/26/2018 3:19:47 AMApr 26 00:19:47 localhost haproxy[4494]: 172.30.139.183:31696 [26/Apr/2018:00:19:47.961] 443~ 443/<NOSRV> -1/-1/-1/-1/4 503 213 - - SC-- 2/0/0/0/0 0/0 "GET / HTTP/1.1"
这是我的 HAProxy 配置:
global
ssl-default-bind-options no-sslv3
log 10.42.74.144:5000 local0
log 127.0.0.1:8514 local0
chroot /var/lib/haproxy
daemon
group haproxy
maxconn 4096
maxpipes 1024
ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA
ssl-default-server-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA
stats socket /var/run/haproxy.sock mode 600 level admin
stats timeout 2m
user haproxy
defaults
log global
option httplog
mode http
timeout connect 5000
timeout server 160000
timeout client 160000
option httpclose
option forceclose
errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http
maxconn 4096
option forwardfor
option http-server-close
option redispatch
retries 3
resolvers rancher
nameserver dnsmasq 169.254.169.250:53
listen default
bind *:42
frontend 9765
bind *:9765 ssl crt /etc/haproxy/certs/current/example.com.pem ssl crt /etc/haproxy/certs/current
mode http
acl 9765_test_example_com__host hdr(host) -i test.example.com
acl 9765_test_example_com__host hdr(host) -i test.example.com:9765
use_backend 9765_test_example_com_ if 9765_test_example_com__host
frontend 80
bind *:80
mode http
default_backend 80_
frontend 5600
bind *:5600 ssl crt /etc/haproxy/certs/current/example.com.pem ssl crt /etc/haproxy/certs/current
mode http
acl 5600_elk_test_example_com__host hdr(host) -i elk.test.example.com
acl 5600_elk_test_example_com__host hdr(host) -i elk.test.example.com:5600
use_backend 5600_elk_test_example_com_ if 5600_elk_test_example_com__host
frontend 443
bind *:443 ssl crt /etc/haproxy/certs/current/example.com.pem ssl crt /etc/haproxy/certs/current
http-request set-src hdr(x-forwarded-for)
http-request set-src hdr(x-real-ip)
mode http
acl 443_xyz_test_example_com_api_v3_host hdr(host) -i xyz.test.example.com
acl 443_xyz_test_example_com_api_v3_host hdr(host) -i xyz.test.example.com:443
acl 443_xyz_test_example_com_api_v3_path path_beg -i /api/v3
use_backend 443_xyz_test_example_com_api_v3 if 443_xyz_test_example_com_api_v3_host 443_xyz_test_example_com_api_v3_path
acl 443_xyz_test_example_com_demo_host hdr(host) -i xyz.test.example.com
acl 443_xyz_test_example_com_demo_host hdr(host) -i xyz.test.example.com:443
acl 443_xyz_test_example_com_demo_path path_beg -i /demo
use_backend 443_xyz_test_example_com_demo if 443_xyz_test_example_com_demo_host 443_xyz_test_example_com_demo_path
acl 443_xyz_test_example_com_guard_host hdr(host) -i xyz.test.example.com
acl 443_xyz_test_example_com_guard_host hdr(host) -i xyz.test.example.com:443
acl 443_xyz_test_example_com_guard_path path_beg -i /guard
use_backend 443_xyz_test_example_com_guard if 443_xyz_test_example_com_guard_host 443_xyz_test_example_com_guard_path
acl 443_xyz_test_example_com_docs_host hdr(host) -i xyz.test.example.com
acl 443_xyz_test_example_com_docs_host hdr(host) -i xyz.test.example.com:443
acl 443_xyz_test_example_com_docs_path path_beg -i /docs
use_backend 443_xyz_test_example_com_docs if 443_xyz_test_example_com_docs_host 443_xyz_test_example_com_docs_path
acl 443_xyz_test_example_com__host hdr(host) -i xyz.test.example.com
acl 443_xyz_test_example_com__host hdr(host) -i xyz.test.example.com:443
use_backend 443_xyz_test_example_com_ if 443_xyz_test_example_com__host
acl 443_abc_test_example_com_settings_host hdr(host) -i abc.test.example.com
acl 443_abc_test_example_com_settings_host hdr(host) -i abc.test.example.com:443
acl 443_abc_test_example_com_settings_path path_beg -i /settings
use_backend 443_abc_test_example_com_settings if 443_abc_test_example_com_settings_host 443_abc_test_example_com_settings_path
acl 443_abc_test_example_com__host hdr(host) -i abc.test.example.com
acl 443_abc_test_example_com__host hdr(host) -i abc.test.example.com:443
use_backend 443_abc_test_example_com_ if 443_abc_test_example_com__host
acl 443_mb_test_example_com__host hdr(host) -i mb.test.example.com
acl 443_mb_test_example_com__host hdr(host) -i mb.test.example.com:443
use_backend 443_mb_test_example_com_ if 443_mb_test_example_com__host
acl 443_fgh_test_example_com__host hdr(host) -i fgh.test.example.com
acl 443_fgh_test_example_com__host hdr(host) -i fgh.test.example.com:443
use_backend 443_fgh_test_example_com_ if 443_fgh_test_example_com__host
acl 443_test_example_com__host hdr(host) -i test.example.com
acl 443_test_example_com__host hdr(host) -i test.example.com:443
use_backend 443_test_example_com_ if 443_test_example_com__host
acl 443_www_test_example_com__host hdr(host) -i www.test.example.com
acl 443_www_test_example_com__host hdr(host) -i www.test.example.com:443
use_backend 443_www_test_example_com_ if 443_www_test_example_com__host
backend 9765_test_example_com_
acl forwarded_proto hdr_cnt(X-Forwarded-Proto) eq 0
acl forwarded_port hdr_cnt(X-Forwarded-Port) eq 0
http-request add-header X-Forwarded-Port %[dst_port] if forwarded_port
http-request add-header X-Forwarded-Proto https if { ssl_fc } forwarded_proto
cookie idsession insert domain test.example.com
mode http
server c0abff8ff53e7eb0c2871da1d52fc51d0efc5065 10.42.31.29:80 cookie c0abff8ff53e7eb0c2871da1d52fc51d0efc5065
backend 80_
acl forwarded_proto hdr_cnt(X-Forwarded-Proto) eq 0
acl forwarded_port hdr_cnt(X-Forwarded-Port) eq 0
http-request add-header X-Forwarded-Port %[dst_port] if forwarded_port
http-request add-header X-Forwarded-Proto https if { ssl_fc } forwarded_proto
cookie idsession insert domain test.example.com
mode http
server 4492af01cd1d23a2c4e3d9243cb4e50d09162edf 10.42.55.231:80 cookie 2dd1d23a291dfc49201c2e4afb4e50d033ce6449
backend 5600_elk_test_example_com_
acl forwarded_proto hdr_cnt(X-Forwarded-Proto) eq 0
acl forwarded_port hdr_cnt(X-Forwarded-Port) eq 0
http-request add-header X-Forwarded-Port %[dst_port] if forwarded_port
http-request add-header X-Forwarded-Proto https if { ssl_fc } forwarded_proto
timeout check 2000
cookie idsession insert domain test.example.com
mode http
server 23ff4a32aec3cafa9d1fdc8a6591cfc83c8b45cd 10.42.211.19:5600 check port 5600 inter 2000 rise 2 fall 3 cookie 23ff4a32aec3cafa9d1fdc8a6591cfc83c8b45cd
backend 443_xyz_test_example_com_api_v3
acl forwarded_proto hdr_cnt(X-Forwarded-Proto) eq 0
acl forwarded_port hdr_cnt(X-Forwarded-Port) eq 0
http-request add-header X-Forwarded-Port %[dst_port] if forwarded_port
http-request add-header X-Forwarded-Proto https if { ssl_fc } forwarded_proto
cookie idsession insert domain test.example.com
mode http
server 5f9f2d6d447d598916598880d9389e0170e7e3aa 10.42.68.211:3000 cookie 5f9f2d6d447d598916598880d9389e0170e7e3aa
backend 443_xyz_test_example_com_demo
acl forwarded_proto hdr_cnt(X-Forwarded-Proto) eq 0
acl forwarded_port hdr_cnt(X-Forwarded-Port) eq 0
http-request add-header X-Forwarded-Port %[dst_port] if forwarded_port
http-request add-header X-Forwarded-Proto https if { ssl_fc } forwarded_proto
cookie idsession insert domain test.example.com
mode http
server fa74d3cf56e66212ec875e0b92c2b670fb99754f 10.42.0.89:80 cookie fa74d3cf56e66212ec875e0b92c2b670fb99754f
backend 443_xyz_test_example_com_guard
acl forwarded_proto hdr_cnt(X-Forwarded-Proto) eq 0
acl forwarded_port hdr_cnt(X-Forwarded-Port) eq 0
http-request add-header X-Forwarded-Port %[dst_port] if forwarded_port
http-request add-header X-Forwarded-Proto https if { ssl_fc } forwarded_proto
timeout check 60000
option httpchk GET "/guard/health" "HTTP/1.1\r\nHost: xyz.test.example.com"
cookie idsession insert domain test.example.com
mode http
server e0c95be63cd81c7671748b7ff8d96e86e3d0b0a8 10.42.208.41:80 check port 80 inter 2000 rise 2 fall 3 cookie e0c95be63cd81c7671748b7ff8d96e86e3d0b0a8
backend 443_xyz_test_example_com_docs
acl forwarded_proto hdr_cnt(X-Forwarded-Proto) eq 0
acl forwarded_port hdr_cnt(X-Forwarded-Port) eq 0
http-request add-header X-Forwarded-Port %[dst_port] if forwarded_port
http-request add-header X-Forwarded-Proto https if { ssl_fc } forwarded_proto
cookie idsession insert domain test.example.com
mode http
server b40feb86b28112d96aa8af75544dfea594ef32c1 10.42.21.153:80 cookie b40feb86b28112d96aa8af75544dfea594ef32c1
backend 443_xyz_test_example_com_
acl forwarded_proto hdr_cnt(X-Forwarded-Proto) eq 0
acl forwarded_port hdr_cnt(X-Forwarded-Port) eq 0
http-request add-header X-Forwarded-Port %[dst_port] if forwarded_port
http-request add-header X-Forwarded-Proto https if { ssl_fc } forwarded_proto
timeout check 60000
option httpchk GET "/health" "HTTP/1.1\r\nHost: xyz.test.example.com"
cookie idsession insert domain test.example.com
mode http
server 002c117a2eab4ec0accf6343fc48c16896f301f3 10.42.5.159:80 check port 80 inter 2000 rise 2 fall 3 cookie 002c117a2eab4ec0accf6343fc48c16896f301f3
backend 443_abc_test_example_com_settings
acl forwarded_proto hdr_cnt(X-Forwarded-Proto) eq 0
acl forwarded_port hdr_cnt(X-Forwarded-Port) eq 0
http-request add-header X-Forwarded-Port %[dst_port] if forwarded_port
http-request add-header X-Forwarded-Proto https if { ssl_fc } forwarded_proto
timeout check 60000
option httpchk GET "/settings/health" "HTTP/1.1\r\nHost: abc.test.example.com"
cookie idsession insert domain test.example.com
mode http
server c702bff8af5259921616ccaab19cf87b78490fbc 10.42.84.238:80 check port 80 inter 2000 rise 2 fall 3 cookie c702bff8af5259921616ccaab19cf87b78490fbc
backend 443_abc_test_example_com_
acl forwarded_proto hdr_cnt(X-Forwarded-Proto) eq 0
acl forwarded_port hdr_cnt(X-Forwarded-Port) eq 0
http-request add-header X-Forwarded-Port %[dst_port] if forwarded_port
http-request add-header X-Forwarded-Proto https if { ssl_fc } forwarded_proto
timeout check 60000
option httpchk GET "/health" "HTTP/1.1\r\nHost: abc.test.example.com"
cookie idsession insert domain test.example.com
mode http
server 871fdd922c10878663616084dca6df63574c0103 10.42.249.170:80 check port 80 inter 2000 rise 2 fall 3 cookie 871fdd922c10878663616084dca6df63574c0103
backend 443_mb_test_example_com_
acl forwarded_proto hdr_cnt(X-Forwarded-Proto) eq 0
acl forwarded_port hdr_cnt(X-Forwarded-Port) eq 0
http-request add-header X-Forwarded-Port %[dst_port] if forwarded_port
http-request add-header X-Forwarded-Proto https if { ssl_fc } forwarded_proto
cookie idsession insert domain test.example.com
mode http
server 928e481473de26ee572194a9885ed29281cc50ca 10.42.223.173:8080 cookie 928e481473de26ee572194a9885ed29281cc50ca
backend 443_fgh_test_example_com_
acl forwarded_proto hdr_cnt(X-Forwarded-Proto) eq 0
acl forwarded_port hdr_cnt(X-Forwarded-Port) eq 0
http-request add-header X-Forwarded-Port %[dst_port] if forwarded_port
http-request add-header X-Forwarded-Proto https if { ssl_fc } forwarded_proto
timeout check 60000
option httpchk GET "/health" "HTTP/1.1\r\nHost: fgh.test.example.com"
cookie idsession insert domain test.example.com
mode http
server 6d9f03cdd2515fbe025d0d688d043e34ec45ffcc 10.42.248.45:80 check port 80 inter 2000 rise 2 fall 3 cookie 6d9f03cdd2515fbe025d0d688d043e34ec45ffcc
backend 443_test_example_com_
acl forwarded_proto hdr_cnt(X-Forwarded-Proto) eq 0
acl forwarded_port hdr_cnt(X-Forwarded-Port) eq 0
http-request add-header X-Forwarded-Port %[dst_port] if forwarded_port
http-request add-header X-Forwarded-Proto https if { ssl_fc } forwarded_proto
cookie idsession insert domain test.example.com
mode http
server 1ea4383c9540dfd7b8e913fbf26f86aeee952c3e 10.42.137.206:80 cookie 1ea4383c9540dfd7b8e913fbf26f86aeee952c3e
backend 443_www_test_example_com_
acl forwarded_proto hdr_cnt(X-Forwarded-Proto) eq 0
acl forwarded_port hdr_cnt(X-Forwarded-Port) eq 0
http-request add-header X-Forwarded-Port %[dst_port] if forwarded_port
http-request add-header X-Forwarded-Proto https if { ssl_fc } forwarded_proto
cookie idsession insert domain test.example.com
mode http
server 1ea4383c9540dfd7b8e913fbf26f86aeee952c3e 10.42.137.206:80 cookie 1ea4383c9540dfd7b8e913fbf26f86aeee952c3e
谢谢!
答案1
您需要default_backend
为您的frontend 443