HAProxy and Nginx SSL redirect problem

I have 2 websites, websitea.com and websiteb.com, hosted on two servers, 10.0.0.8 and 10.0.0.12. To put a load balancer in front of them I am trying to use the configuration below so that both sites work over both protocols, HTTP and HTTPS.

HTTPS works fine for https://websitea.com, but https://websiteb.com always redirects to https://websitea.com, even though I have not configured a redirect anywhere. Please point out where I went wrong and what I should do to fix this.

global
    ...
    tune.ssl.default-dh-param 2048

defaults
    ....

listen stats :4444
    ...

frontend http-web
    bind *:80
    default_backend     http-in

#---------------------------------------------------------------------
# round robin balancing between the various backends
#---------------------------------------------------------------------
backend http-in
    redirect scheme https if !{ ssl_fc }
    cookie      SERVERID insert indirect nocache
    option      forwardfor header X-Real-IP
    option      http-server-close
    option      httplog
    balance     roundrobin
    server      web01 10.0.0.8:80 check
    server      web02 10.0.0.12:80 check

frontend https-web
    bind *:443 ssl crt /etc/haproxy/ssl/websitea.pem crt /etc/haproxy/ssl/websiteb.pem
    mode http
    default_backend https-in

backend https-in
    mode http
    balance roundrobin
    stick-table type ip size 200k expire 30m
    stick on src
    default-server inter 1s
    server  web01 10.0.0.8:443 check ssl verify none
    server  web02 10.0.0.12:443 check ssl verify none

websitea.conf

This is my NGINX websitea.conf on server 10.0.0.8. On server 10.0.0.12 the main difference is only the IP address.

server {
        listen   10.0.0.8:443 ssl http2;

        server_name websitea.com;

        # SSL
        ssl_certificate /etc/nginx/ssl/websitea-bundle-full.crt;
        ssl_certificate_key /etc/nginx/ssl/websitea-private.key;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;
        ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';

        # Improve HTTPS performance with session resumption
        ssl_session_cache shared:SSL:50m;
        ssl_session_timeout 1d;

        # DH parameters
        ssl_dhparam /etc/nginx/ssl/dhparam.pem;

        # Enable HSTS
        add_header Strict-Transport-Security "max-age=31536000" always;    


        access_log /var/log/nginx/websitea.access.log main_ext;
        error_log /var/log/nginx/websitea.errors.log warn;

        ....
    }

websiteb.conf

server {
        listen   10.0.0.8:443 ssl http2;

        server_name websiteb.com;

        # SSL
        ssl_certificate /etc/nginx/ssl/websiteb-bundle-full.crt;
        ssl_certificate_key /etc/nginx/ssl/websiteb-private.key;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;
        ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';

        # Improve HTTPS performance with session resumption
        ssl_session_cache shared:SSL:50m;
        ssl_session_timeout 1d;

        # DH parameters
        ssl_dhparam /etc/nginx/ssl/dhparam.pem;

        # Enable HSTS
        add_header Strict-Transport-Security "max-age=31536000" always;    


        access_log /var/log/nginx/websitea.access.log main_ext;
        error_log /var/log/nginx/websitea.errors.log warn;

        ....
    }

Answer 1

As for the redirect websiteb => websitea, I really cannot see the reason. Please check:

  • Correct certificate: is the content really wrong, or only the certificate? If it is only the certificate, check the haproxy logs related to loading the certificates, and the certificates themselves - CN, SubjectAlternativeName, Validity; and the permissions of the certificate files

  • Content: if the content is wrong, I would expect the redirect to come from the backend/server. In that case, check the nginx configuration (it was reduced in the question), as I guess the redirect is not implemented by haproxy.

As I already wrote in the comment, there is room to make it a bit smaller with the same behaviour. In particular, redirect scheme https if !{ ssl_fc } causes the redirect from http to https (precisely: if it is not secure / not https - SSL or TLS - it redirects to https). Since you do this in the backend for http, there is no need to "jump" to the backend, because this can be done directly in the frontend.

Besides that, you can have one frontend with more bind options, so you have a single frontend in which you define and force https. I did not check all of your options and why you use them there, I just "adjusted" the necessary things to put them together:

  • use http/https in one frontend at the same time

    bind *:80
    bind *:443 ssl crt /etc/hapr...
    
  • load all certificates from the chosen folder (no need to list each one)

    ... ssl crt /etc/haproxy/ssl/ ...
    
  • make it at least somewhat secure (once it is publicly reachable you can check the settings with the ssllabs web page)

    ... no-sslv3 ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
    
  • force all traffic to be protected

    redirect scheme https if !{ ssl_fc }
    

Your configuration would need the following changes:

global
    ...
    tune.ssl.default-dh-param 2048

defaults
    ....

listen stats :4444
    ...

frontend web
    mode http
    bind *:80
    bind *:443 ssl crt /etc/haproxy/ssl/ no-sslv3 ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
    redirect scheme https if !{ ssl_fc }
    default_backend https-in

backend https-in
    mode http
    balance roundrobin
    stick-table type ip size 200k expire 30m
    stick on src
    default-server inter 1s
    server  web01 10.0.0.8:443 check ssl verify none
    server  web02 10.0.0.12:443 check ssl verify none

No other frontend or backend is needed.
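The two checks the answer asks for (which certificate is served for each name, and whether the redirect comes back from the HTTPS path) can be made in one probe. The script below is an added example, not code from the thread: it connects to the load balancer with the SNI name of each site, reports the CN and DNS SANs of the certificate it receives, sends a plain GET with that Host header and classifies any Location header as same-host (a scheme upgrade) or cross-host (the websiteb => websitea symptom). LB_ADDR is a placeholder; the site names are those from the question. Certificate verification is left on because getpeercert() returns no fields when it is disabled.

```python
"""Added diagnostic (not part of the thread): per-SNI certificate and redirect probe."""
import socket
import ssl
from urllib.parse import urlsplit

LB_ADDR = "10.0.0.1"                       # placeholder: the HAProxy address
SITES = ["websitea.com", "websiteb.com"]   # site names from the question


def cert_names(cert):
    """CN plus DNS subjectAltNames from an SSLSocket.getpeercert() dict."""
    names = [v.lower() for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    names += [v.lower() for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    return names


def name_matches(pattern, hostname):
    """Exact match, or a single wildcard in the leftmost label (RFC 6125 style)."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if pattern.startswith("*.") and hostname.count(".") == pattern.count("."):
        return hostname.endswith(pattern[1:])
    return False


def cert_covers(cert, hostname):
    """True when the served certificate is valid for the requested SNI name."""
    return any(name_matches(n, hostname) for n in cert_names(cert))


def parse_response_head(raw):
    """Split an HTTP/1.x response head into (status code, lowercase header dict)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            key, value = line.split(":", 1)
            headers[key.strip().lower()] = value.strip()
    return status, headers


def classify_redirect(request_host, status, location):
    """Tell a same-host redirect (scheme upgrade) from one that leaves the requested host."""
    if not 300 <= status < 400 or not location:
        return "none"
    target = urlsplit(location)
    if target.hostname and target.hostname.lower() != request_host.lower():
        return "cross-host"   # the symptom described in the question
    return "same-host"


def probe(hostname, lb_addr=LB_ADDR, port=443):
    """Handshake with SNI=hostname, then GET / and return (cert, status, headers)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False   # we judge the name ourselves; chain verification stays on
    with socket.create_connection((lb_addr, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            cert = tls.getpeercert()
            request = f"GET / HTTP/1.1\r\nHost: {hostname}\r\nConnection: close\r\n\r\n"
            tls.sendall(request.encode())
            data = b""
            while b"\r\n\r\n" not in data:
                chunk = tls.recv(4096)
                if not chunk:
                    break
                data += chunk
    status, headers = parse_response_head(data)
    return cert, status, headers


if __name__ == "__main__":
    for site in SITES:
        cert, status, headers = probe(site)
        print(site, "served cert names:", cert_names(cert), "covers SNI:", cert_covers(cert, site))
        print("  HTTP", status, "redirect:", classify_redirect(site, status, headers.get("location")))
```

If "covers SNI" is False for websiteb.com, the certificate selection on the HAProxy bind line is the problem; if the certificate is right but the redirect is "cross-host", the Location header is being produced behind the load balancer, which is the case the answer's second bullet describes.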

Answer 2

Solved. The main problem was that I defined the certificates twice. The certificates should not be defined in the Nginx configuration but in the Haproxy configuration.
