更新如下

更新如下

更新如下

________________

我决定使用 HAProxy 作为 SharePoint 站点的反向代理,没有 SSL 一切都运行正常,但使用 SSL 时我无法启动 haproxy.service。我尝试了许多配置,但还是搞不定……

尝试启动服务:

$ sudo systemctl start haproxy.service
Job for haproxy.service failed because the control process exited with error code.
See "systemctl status haproxy.service" and "journalctl -xe" for details.

haproxy.service的状态:

$ sudo systemctl status haproxy.service
     haproxy.service - HAProxy Load Balancer
       Loaded: loaded (/lib/systemd/system/haproxy.service; enabled; vendor preset: enabled)
       Active: failed (Result: exit-code) since date CEST;
         Docs: man:haproxy(1)
               file:/usr/share/doc/haproxy/configuration.txt.gz
      Process: ExecStart=/usr/sbin/haproxy-systemd-wrapper -f $CONFIG -p $PIDFILE $EXTRAOPTS (code=exited, status=0/SUCCESS)
      Process: ExecStartPre=/usr/sbin/haproxy -f $CONFIG -c -q $EXTRAOPTS (code=exited, status=1/FAILURE)
     Main PID: (code=exited, status=0/SUCCESS)
 systemd[1]: haproxy.service: Failed with result 'exit-code'.
 systemd[1]: haproxy.service: Service hold-off time over, scheduling restart.
 systemd[1]: Stopped HAProxy Load Balancer.
 systemd[1]: haproxy.service: Start request repeated too quickly.
 systemd[1]: Failed to start HAProxy Load Balancer.
 systemd[1]: haproxy.service: Unit entered failed state.
 systemd[1]: haproxy.service: Failed with result 'exit-code'.
 systemd[1]: haproxy.service: Start request repeated too quickly.
 systemd[1]: Failed to start HAProxy Load Balancer.
 systemd[1]: haproxy.service: Failed with result 'exit-code'.

检查配置文件问题:

$ sudo haproxy -c -f haproxy.cfg
    Enter PEM pass phrase:
    [ALERT]: parsing [haproxy.cfg:31] : 'bind *:443' : unable to load SSL private key from PEM file './cert.pem'.
    [ALERT]: Error(s) found in configuration file : haproxy.cfg
    [ALERT]: Proxy 'http_id': no SSL certificate specified for bind '*:443' at [haproxy.cfg:31] (use 'crt').    
    [ALERT]: Fatal errors found in configuration.

HAProxy -vv:

$ sudo haproxy -vv
HA-Proxy version 1.7.5-2

Encrypted password support via crypt(3): yes
Built with zlib version : 1.2.8
Running on zlib version : 1.2.8
Compression algorithms supported : identity("identity"), deflate("deflate"), raw-deflate("deflate"), gzip("gzip")
Built with OpenSSL version : OpenSSL 1.1.0e
Running on OpenSSL version : OpenSSL 1.1.0f
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports prefer-server-ciphers : yes
Built with PCRE version : 8.39
Running on PCRE version : 8.39
PCRE library supports JIT : no (USE_PCRE_JIT not set)
Built with Lua version : Lua 5.3.3
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND
Built with network namespace support

Available polling systems :
      epoll : pref=300,  test result OK
       poll : pref=200,  test result OK
     select : pref=150,  test result OK
Total: 3 (3 usable), will use epoll.

Available filters :
        [COMP] compression
        [TRACE] trace
        [SPOE] spoe

日志:

 haproxy: [ALERT]: parsing [/etc/haproxy/haproxy.cfg:31] : 'bind *:443' : unable to load SSL certificate file './cert.pem' file does not exist.
 haproxy: [ALERT]: Error(s) found in configuration file : /etc/haproxy/.cfg
 haproxy: [ALERT]: Proxy 'http_id': no SSL certificate specified for bind '*:443' at [/etc/haproxy/haproxy.cfg:31] (use 'crt').
 haproxy: [ALERT]: Fatal errors found in configuration.

我在另一台服务器上为 nginx 使用相同的证书(但分为:证书、密钥、链),并且它有效。我使用cat cert.crt priv.key certchain.crt > cert.pem命令为 HAProxy 创建了这个证书,并尝试了不同的顺序,但错误是一样的。此外,使用命令haproxy -c -f haproxy.cfg服务器询问密码短语,所以我认为证书没有问题(也许我错了),配置文件有问题。感谢您的时间和帮助。

我的haproxy.cfg:

    global    
        tune.ssl.default-dh-param 2048
        maxconn 4096
        user haproxy
        group haproxy
        daemon
        #ssl-server-verify none
    
    defaults
        mode http
        option forwardfor
        log 127.0.0.1 local0 notice
        maxconn 2000
        option httplog
        option dontlognull
        timeout connect 5000
        timeout client 50000
        timeout server 50000
            
    backend sharepoint
        mode http
        #balance roundrobin
        option redispatch
        cookie SERVERID insert nocache
        server spsrv xxx.xxx.xxx.xxx:80
            
    frontend http_id
        #bind *:80
        bind *:443 ssl crt ./cert.pem
        mode http
        reqadd X-Forwarded-Proto:\ https
        acl hosts_sharepoint hdr_end(host) -i intranet.sharepoint.com:443
        use_backend sharepoint if hosts_sharepoint
        default_backend sharepoint

首次更新

我尝试了直通,现在 SharePoint 正在端口 80 上要求输入凭据(禁用 IIS 角色后),然后 SharePoint 重定向到 https,并出现错误“504 网关超时”。这是我当前的 haproxy.cfg:

global
    maxconn 4096
    user haproxy
    group haproxy
    daemon
defaults
    mode tcp
    log 127.0.0.1 local0 notice
    maxconn 2000
    option tcplog
    option dontlognull
    timeout connect 20s
    timeout client 10m
    timeout server 10m
frontend httpid
    mode tcp
    bind *:443
    acl hosts_sharepoint hdr_end(host) -i intranet.sharepoint.com
    use_backend sharepoint if hosts_sharepoint
    default_backend sharepoint
backend sharepoint
    mode tcp
    balance roundrobin
    option redispatch
    cookie SERVERID insert indirect nocache
    server st1 xxx.xxx.xxx.xxx:443
    option ssl-hello-chk

此外,命令: $ curl xxx.xxx.xxx.xxx:**80** --header 'Host: sharepoint.intranet.com' -vv返回 401,因此连接有效,但端口为 443 的命令$ url xxx.xxx.xxx.xxx:**443** --header 'Host: sharepoint.intranet.com' -vv返回curl: (56) Recv failure: Connection reset by peer。我的配置文件正确吗?或者也许我需要配置 IIS?

第二次更新

重新启动 SharePoint 服务器后,此配置即可使用传递

global
    maxconn 4096
    user haproxy
    group haproxy
    daemon
defaults
    mode tcp
    log 127.0.0.1 local0 notice
    maxconn 2000
    option tcplog
    option dontlognull
    timeout connect 20s
    timeout client 10m
    timeout server 10m
frontend httpid
    mode tcp
    bind *:443
    acl hosts_sharepoint hdr_end(host) -i intranet.sharepoint.com
    use_backend sharepoint if hosts_sharepoint
    default_backend sharepoint
backend sharepoint
    mode tcp
    balance roundrobin
    option redispatch
    cookie SERVERID insert indirect nocache
    server st1 xxx.xxx.xxx.xxx:443
    option ssl-hello-chk

答案1

您应该避免在配置文件中使用相对路径,例如./cert.pem。请将其更改为绝对路径,例如/etc/ssl/cert.pem(调整为当前路径)。

另外,请检查cert.pem文件本身。它应该只包含可打印的文本(非二进制),且至少包含两个-----BEGIN CERTIFICATE-----,-----END CERTIFICATE-----块(您的证书和来自链的 CA)和一个-----BEGIN PRIVATE KEY-----,-----END PRIVATE KEY-----块(或可能是一个-----BEGIN RSA PRIVATE KEY-----, -----END RSA PRIVATE KEY-----)。

如果文件中有任何二进制文件cert.pem,则应将原始文件(cert.crtpriv.key)转换为 PEM 格式,cert.pem然后重新创建文件。正确的连接顺序应为最终证书、密钥、直接颁发者、下一个颁发者等。您可以省略根 CA,因为不包含它被认为是一种良好做法(没有实际需要,交换的字节数更少)。

您可以使用 openssl 将二进制格式(又名 DER)转换为文本格式(又名 PEM):

对于证书(input.crt将是 DER 文件并且output.crt将是 PEM 格式的新文件):

openssl x509 -inform DER -in 输入.crt -out 输出.crt

对于密钥(我假设它是一个 RSA 密钥,这是最常见的)注意:它会要求输入一个(新)密码output.key,稍后请参阅我对此的评论。

openssl rsa -inform DER -in 输入.key -out 输出.key

注意:大多数服务器都假设密钥未加密(即,下一行包含-----BEGIN PRIVATE KEY-----ENCRYPTED。如果是这种情况,并且您的服务器仍然无法启动,请尝试将密钥转换为未加密格式(注意:在此命令中,我假设文件inputcipher.key已经是 PEM 格式):

openssl rsa -in 输入密码.key -nodes -out 输出清除.key

至于出现错误的传递504,在后面的配置中您指向server st1 xxx.xxx.xxx.xxx:443,而在拦截配置中您指向server spsrv xxx.xxx.xxx.xxx:80。请重新检查您的后端是否在端口 80 或端口 443 上监听,但似乎没有后端在端口 443 上监听。

答案2

也许这对某些人有帮助。就我而言,我在 Linux 上配置了两个网络适配器 - 本地网络和公共网络。在 Windows 上,我只有本地网络 - Windows 在本地网络中与 Linux 连接,然后通过 HAProxy 我可以从互联网打开 SharePoint 网站。

这是正确的配置,并且在我的例子中是有效的(对于 SSL,我使用了直通 - 重定向和证书在 Windows IIS 上):

global
    maxconn 4096
    user haproxy
    group haproxy
    daemon
defaults
    mode tcp
    log 127.0.0.1 local0 notice
    maxconn 2000
    option tcplog
    option dontlognull
    timeout connect 20s
    timeout client 10m
    timeout server 10m
frontend httpid
    mode tcp
    bind *:443
    acl hosts_sharepoint hdr_end(host) -i intranet.sharepoint.com
    use_backend sharepoint if hosts_sharepoint
    default_backend sharepoint
backend sharepoint
    mode tcp
    balance roundrobin
    option redispatch
    server st1 xxx.xxx.xxx.xxx:443 #local address of the Windows server
    option ssl-hello-chk

相关内容