更新如下
________________我决定使用 HAProxy 作为 SharePoint 站点的反向代理,没有 SSL 一切都运行正常,但使用 SSL 时我无法启动 haproxy.service。我尝试了许多配置,但还是搞不定……
尝试启动服务:
$ sudo systemctl start haproxy.service
Job for haproxy.service failed because the control process exited with error code.
See "systemctl status haproxy.service" and "journalctl -xe" for details.
haproxy.service的状态:
$ sudo systemctl status haproxy.service
haproxy.service - HAProxy Load Balancer
Loaded: loaded (/lib/systemd/system/haproxy.service; enabled; vendor preset: enabled)
Active: failed (Result: exit-code) since date CEST;
Docs: man:haproxy(1)
file:/usr/share/doc/haproxy/configuration.txt.gz
Process: ExecStart=/usr/sbin/haproxy-systemd-wrapper -f $CONFIG -p $PIDFILE $EXTRAOPTS (code=exited, status=0/SUCCESS)
Process: ExecStartPre=/usr/sbin/haproxy -f $CONFIG -c -q $EXTRAOPTS (code=exited, status=1/FAILURE)
Main PID: (code=exited, status=0/SUCCESS)
systemd[1]: haproxy.service: Failed with result 'exit-code'.
systemd[1]: haproxy.service: Service hold-off time over, scheduling restart.
systemd[1]: Stopped HAProxy Load Balancer.
systemd[1]: haproxy.service: Start request repeated too quickly.
systemd[1]: Failed to start HAProxy Load Balancer.
systemd[1]: haproxy.service: Unit entered failed state.
systemd[1]: haproxy.service: Failed with result 'exit-code'.
systemd[1]: haproxy.service: Start request repeated too quickly.
systemd[1]: Failed to start HAProxy Load Balancer.
systemd[1]: haproxy.service: Failed with result 'exit-code'.
检查配置文件问题:
$ sudo haproxy -c -f haproxy.cfg
Enter PEM pass phrase:
[ALERT]: parsing [haproxy.cfg:31] : 'bind *:443' : unable to load SSL private key from PEM file './cert.pem'.
[ALERT]: Error(s) found in configuration file : haproxy.cfg
[ALERT]: Proxy 'http_id': no SSL certificate specified for bind '*:443' at [haproxy.cfg:31] (use 'crt').
[ALERT]: Fatal errors found in configuration.
HAProxy -vv:
$ sudo haproxy -vv
HA-Proxy version 1.7.5-2
Encrypted password support via crypt(3): yes
Built with zlib version : 1.2.8
Running on zlib version : 1.2.8
Compression algorithms supported : identity("identity"), deflate("deflate"), raw-deflate("deflate"), gzip("gzip")
Built with OpenSSL version : OpenSSL 1.1.0e
Running on OpenSSL version : OpenSSL 1.1.0f
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports prefer-server-ciphers : yes
Built with PCRE version : 8.39
Running on PCRE version : 8.39
PCRE library supports JIT : no (USE_PCRE_JIT not set)
Built with Lua version : Lua 5.3.3
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND
Built with network namespace support
Available polling systems :
epoll : pref=300, test result OK
poll : pref=200, test result OK
select : pref=150, test result OK
Total: 3 (3 usable), will use epoll.
Available filters :
[COMP] compression
[TRACE] trace
[SPOE] spoe
日志:
haproxy: [ALERT]: parsing [/etc/haproxy/haproxy.cfg:31] : 'bind *:443' : unable to load SSL certificate file './cert.pem' file does not exist.
haproxy: [ALERT]: Error(s) found in configuration file : /etc/haproxy/.cfg
haproxy: [ALERT]: Proxy 'http_id': no SSL certificate specified for bind '*:443' at [/etc/haproxy/haproxy.cfg:31] (use 'crt').
haproxy: [ALERT]: Fatal errors found in configuration.
我在另一台服务器上为 nginx 使用相同的证书(但分为:证书、密钥、链),并且它有效。我使用cat cert.crt priv.key certchain.crt > cert.pem命令为 HAProxy 创建了这个证书,并尝试了不同的顺序,但错误是一样的。此外,使用命令haproxy -c -f haproxy.cfg服务器询问密码短语,所以我认为证书没有问题(也许我错了),配置文件有问题。感谢您的时间和帮助。
我的haproxy.cfg:
global
tune.ssl.default-dh-param 2048
maxconn 4096
user haproxy
group haproxy
daemon
#ssl-server-verify none
defaults
mode http
option forwardfor
log 127.0.0.1 local0 notice
maxconn 2000
option httplog
option dontlognull
timeout connect 5000
timeout client 50000
timeout server 50000
backend sharepoint
mode http
#balance roundrobin
option redispatch
cookie SERVERID insert nocache
server spsrv xxx.xxx.xxx.xxx:80
frontend http_id
#bind *:80
bind *:443 ssl crt ./cert.pem
mode http
reqadd X-Forwarded-Proto:\ https
acl hosts_sharepoint hdr_end(host) -i intranet.sharepoint.com:443
use_backend sharepoint if hosts_sharepoint
default_backend sharepoint
首次更新
我尝试了直通,现在 SharePoint 正在端口 80 上要求输入凭据(禁用 IIS 角色后),然后 SharePoint 重定向到 https,并出现错误“504 网关超时”。这是我当前的 haproxy.cfg:
global
maxconn 4096
user haproxy
group haproxy
daemon
defaults
mode tcp
log 127.0.0.1 local0 notice
maxconn 2000
option tcplog
option dontlognull
timeout connect 20s
timeout client 10m
timeout server 10m
frontend httpid
mode tcp
bind *:443
acl hosts_sharepoint hdr_end(host) -i intranet.sharepoint.com
use_backend sharepoint if hosts_sharepoint
default_backend sharepoint
backend sharepoint
mode tcp
balance roundrobin
option redispatch
cookie SERVERID insert indirect nocache
server st1 xxx.xxx.xxx.xxx:443
option ssl-hello-chk
此外,命令:
$ curl xxx.xxx.xxx.xxx:**80** --header 'Host: sharepoint.intranet.com' -vv返回 401,因此连接有效,但端口为 443 的命令$ url xxx.xxx.xxx.xxx:**443** --header 'Host: sharepoint.intranet.com' -vv返回curl: (56) Recv failure: Connection reset by peer。我的配置文件正确吗?或者也许我需要配置 IIS?
第二次更新
重新启动 SharePoint 服务器后,此配置即可使用传递:
global
maxconn 4096
user haproxy
group haproxy
daemon
defaults
mode tcp
log 127.0.0.1 local0 notice
maxconn 2000
option tcplog
option dontlognull
timeout connect 20s
timeout client 10m
timeout server 10m
frontend httpid
mode tcp
bind *:443
acl hosts_sharepoint hdr_end(host) -i intranet.sharepoint.com
use_backend sharepoint if hosts_sharepoint
default_backend sharepoint
backend sharepoint
mode tcp
balance roundrobin
option redispatch
cookie SERVERID insert indirect nocache
server st1 xxx.xxx.xxx.xxx:443
option ssl-hello-chk
答案1
您应该避免在配置文件中使用相对路径,例如./cert.pem。请将其更改为绝对路径,例如/etc/ssl/cert.pem(调整为当前路径)。
另外,请检查cert.pem文件本身。它应该只包含可打印的文本(非二进制),且至少包含两个-----BEGIN CERTIFICATE-----,-----END CERTIFICATE-----块(您的证书和来自链的 CA)和一个-----BEGIN PRIVATE KEY-----,-----END PRIVATE KEY-----块(或可能是一个-----BEGIN RSA PRIVATE KEY-----, -----END RSA PRIVATE KEY-----)。
如果文件中有任何二进制文件cert.pem,则应将原始文件(cert.crt、priv.key)转换为 PEM 格式,cert.pem然后重新创建文件。正确的连接顺序应为最终证书、密钥、直接颁发者、下一个颁发者等。您可以省略根 CA,因为不包含它被认为是一种良好做法(没有实际需要,交换的字节数更少)。
您可以使用 openssl 将二进制格式(又名 DER)转换为文本格式(又名 PEM):
对于证书(input.crt将是 DER 文件并且output.crt将是 PEM 格式的新文件):
openssl x509 -inform DER -in 输入.crt -out 输出.crt
对于密钥(我假设它是一个 RSA 密钥,这是最常见的)注意:它会要求输入一个(新)密码output.key,稍后请参阅我对此的评论。
openssl rsa -inform DER -in 输入.key -out 输出.key
注意:大多数服务器都假设密钥未加密(即,下一行包含-----BEGIN PRIVATE KEY-----)ENCRYPTED。如果是这种情况,并且您的服务器仍然无法启动,请尝试将密钥转换为未加密格式(注意:在此命令中,我假设文件inputcipher.key已经是 PEM 格式):
openssl rsa -in 输入密码.key -nodes -out 输出清除.key
至于出现错误的传递504,在后面的配置中您指向server st1 xxx.xxx.xxx.xxx:443,而在拦截配置中您指向server spsrv xxx.xxx.xxx.xxx:80。请重新检查您的后端是否在端口 80 或端口 443 上监听,但似乎没有后端在端口 443 上监听。
答案2
也许这对某些人有帮助。就我而言,我在 Linux 上配置了两个网络适配器 - 本地网络和公共网络。在 Windows 上,我只有本地网络 - Windows 在本地网络中与 Linux 连接,然后通过 HAProxy 我可以从互联网打开 SharePoint 网站。
这是正确的配置,并且在我的例子中是有效的(对于 SSL,我使用了直通 - 重定向和证书在 Windows IIS 上):
global
maxconn 4096
user haproxy
group haproxy
daemon
defaults
mode tcp
log 127.0.0.1 local0 notice
maxconn 2000
option tcplog
option dontlognull
timeout connect 20s
timeout client 10m
timeout server 10m
frontend httpid
mode tcp
bind *:443
acl hosts_sharepoint hdr_end(host) -i intranet.sharepoint.com
use_backend sharepoint if hosts_sharepoint
default_backend sharepoint
backend sharepoint
mode tcp
balance roundrobin
option redispatch
server st1 xxx.xxx.xxx.xxx:443 #local address of the Windows server
option ssl-hello-chk