我最近设法配置了 HAproxy.cfg 以在同一端口上运行 HTTPS 和 SSTP,并且可以通过 SNI 识别一些网站流量。但是,由于我有多个域,我更愿意识别 SSTP 并将 HTTPS 作为 default_backend。 如何使用 SSTP 和 HTTPS 配置 HAproxy
如果我将 SSTP 和 HTTPS 与 tshark 进行比较,我会发现以下差异:
使用 IP 地址的 HTTPS:
TLSv1 Record Layer: Handshake Protocol: Client Hello
Content Type: Handshake (22)
....
Compression Methods (1 method)
Compression Method: null (0)
Extensions Length: 61
Extension: status_request (len=5)
Type: status_request (5)
Length: 5
Certificate Status Type: OCSP (1)
Responder ID list Length: 0
Request Extensions Length: 0
Extension: renegotiation_info (len=1)
Type: renegotiation_info (65281)
Length: 1
Renegotiation Info extension
Renegotiation info extension length: 0
Extension: SessionTicket TLS (len=0)
Type: SessionTicket TLS (35)
Length: 0
Data (0 bytes)
Extension: supported_groups (len=8)
Type: supported_groups (10)
Length: 8
Supported Groups List Length: 6
Supported Groups (3 groups)
Supported Group: secp256r1 (0x0017)
Supported Group: secp384r1 (0x0018)
Supported Group: secp521r1 (0x0019)
Extension: ec_point_formats (len=2)
Type: ec_point_formats (11)
Length: 2
EC point formats Length: 1
Elliptic curves point formats (1)
EC point format: uncompressed (0)
Extension: signature_algorithms (len=22)
...
使用域名的HTTPS:
TLSv1 Record Layer: Handshake Protocol: Client Hello
Content Type: Handshake (22)
....
Compression Methods (1 method)
Compression Method: null (0)
Extensions Length: 331
Extension: status_request (len=5)
Type: status_request (5)
Length: 5
Certificate Status Type: OCSP (1)
Responder ID list Length: 0
Request Extensions Length: 0
Extension: server_name (len=26)
Type: server_name (0)
Length: 26
Server Name Indication extension
Server Name list length: 24
Server Name Type: host_name (0)
Server Name length: 21
Server Name: www.example.com
Extension: renegotiation_info (len=1)
Type: renegotiation_info (65281)
Length: 1
Renegotiation Info extension
Renegotiation info extension length: 0
Extension: SessionTicket TLS (len=0)
Type: SessionTicket TLS (35)
Length: 0
Data (0 bytes)
Extension: supported_groups (len=8)
Type: supported_groups (10)
Length: 8
Supported Groups List Length: 6
Supported Groups (3 groups)
Supported Group: secp256r1 (0x0017)
Supported Group: secp384r1 (0x0018)
Supported Group: secp521r1 (0x0019)
Extension: ec_point_formats (len=2)
Type: ec_point_formats (11)
Length: 2
EC point formats Length: 1
Elliptic curves point formats (1)
EC point format: uncompressed (0)
Extension: signature_algorithms (len=22)
...
顺风车:
TLSv1 Record Layer: Handshake Protocol: Client Hello
Content Type: Handshake (22)
....
Compression Methods (1 method)
Compression Method: null (0)
Extensions Length: 45
Extension: SessionTicket TLS (len=0)
Type: SessionTicket TLS (35)
Length: 0
Data (0 bytes)
Extension: signature_algorithms (len=22)
...
Extension: heartbeat (len=1)
Type: heartbeat (15)
Length: 1
Mode: Peer allowed to send requests (1)
有没有办法在 haproxy.cfg 语法中检查证书状态类型:OCSP或者延伸:心跳?
答案1
这个也破解了。
通过仅查找 SNI 的存在,我不需要列出每个域,并且我可以忍受 IPv4 地址失败。
frontend main 192.168.0.3:443 ssl
tcp-request inspect-delay 5s
tcp-request content accept if { req.ssl_hello_type }
use_backend websites if { req_ssl_sni -m found }
default_backend sstp
我最终在以下位置找到了语法文档 https://www.haproxy.com/de/documentation/hapee/1-7r1/traffic-management/acls/