我有 2 个网站,websitea.com
它们websiteb.com
托管在两台服务器上10.0.0.8
,10.0.0.12
为了实现负载平衡器,我尝试使用此配置使它们同时适用HTTP,HTTPS
于这两种协议。
HTTPS
运行正常https://websitea.com
,但https://websiteb.com
总是重定向到,https://websitea.com
即使我没有在任何地方配置重定向。请指出我哪里错了,我应该怎么做才能解决这个问题。
global
...
tune.ssl.default-dh-param 2048
defaults
....
listen stats :4444
...
frontend http-web
bind *:80
default_backend http-in
#---------------------------------------------------------------------
# round robin balancing between the various backends
#---------------------------------------------------------------------
backend http-in
redirect scheme https if !{ ssl_fc }
cookie SERVERID insert indirect nocache
option forwardfor header X-Real-IP
option http-server-close
option httplog
balance roundrobin
server web01 10.0.0.8:80 check
server web02 10.0.0.12:80 check
frontend https-web
bind *:443 ssl crt /etc/haproxy/ssl/websitea.pem crt /etc/haproxy/ssl/websiteb.pem
mode http
default_backend https-in
backend https-in
mode http
balance roundrobin
stick-table type ip size 200k expire 30m
stick on src
default-server inter 1s
server web01 10.0.0.8:443 check ssl verify none
server web02 10.0.0.12:443 check ssl verify none
网站a.conf
这是我的 NGINXwebsitea.conf
服务器10.0.0.8
。服务器的10.0.0.12
主要区别仅在于 IP 地址。
server {
listen 10.0.0.8:443 ssl http2;
server_name websitea.com;
# SSL
ssl_certificate /etc/nginx/ssl/websitea-bundle-full.crt;
ssl_certificate_key /etc/nginx/ssl/websitea-private.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
# Improve HTTPS performance with session resumption
ssl_session_cache shared:SSL:50m;
ssl_session_timeout 1d;
# DH parameters
ssl_dhparam /etc/nginx/ssl/dhparam.pem;
# Enable HSTS
add_header Strict-Transport-Security "max-age=31536000" always;
access_log /var/log/nginx/websitea.access.log main_ext;
error_log /var/log/nginx/websitea.errors.log warn;
....
}
网站b.conf
server {
listen 10.0.0.8:443 ssl http2;
server_name websiteb.com;
# SSL
ssl_certificate /etc/nginx/ssl/websiteb-bundle-full.crt;
ssl_certificate_key /etc/nginx/ssl/websiteb-private.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
# Improve HTTPS performance with session resumption
ssl_session_cache shared:SSL:50m;
ssl_session_timeout 1d;
# DH parameters
ssl_dhparam /etc/nginx/ssl/dhparam.pem;
# Enable HSTS
add_header Strict-Transport-Security "max-age=31536000" always;
access_log /var/log/nginx/websitea.access.log main_ext;
error_log /var/log/nginx/websitea.errors.log warn;
....
}
答案1
对于与 websiteb => websitea 相关的重定向,我实在看不出原因。请检查:
正确证明:内容真的有错还是只是证书有错?如果只有证书,请检查与加载证书相关的 haproxy 日志,以及直接证书 - CN、SubjectAlternativeName、Validity;以及证书文件的权限
内容:如果内容错误,我预计重定向来自后端/服务器。在这种情况下,请检查 nginx 配置(在问题中它被减少了),因为我猜测重定向不是由 haproxy 实现的。
正如我在评论中已经写过的,有一个空间可以让它稍微小一点,但行为相同。特别是redirect scheme https if !{ ssl_fc }
导致从 http 重定向到 https(确切地说,如果它不安全/不是 https - SSL 或 TLS,它会重定向到 https)。由于您在后端为 http 执行此操作,因此不需要“跳转”到后端,因为这可以直接在前端完成。
除此之外,您还可以拥有一个具有更多bind
选项的前端,这样您就可以拥有一个前端,您可以在其中进行定义并强制使用 https。我没有检查您的所有选项以及您在那里使用的原因,我只是“调整”了必要的东西以将它们组合在一起:
在一个前端同时使用 http/https
bind :*80 bind *:443 ssl crt /etc/hapr...
从选定文件夹加载所有证书(无需列出所有证书)
... ssl crt /etc/haproxy/ssl/ ...
至少让它有点安全(一旦它公开可用,你可以使用以下方式检查设置ssllabs网页)
... no-sslv3 ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
强制所有流量受到保护
redirect scheme https if !{ ssl_fc }
您的配置可能需要进行以下更改:
global
...
tune.ssl.default-dh-param 2048
defaults
....
listen stats :4444
...
frontend web
mode http
bind *:80
bind *:443 ssl crt /etc/haproxy/ssl/ no-sslv3 ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
redirect scheme https if !{ ssl_fc }
default_backend https-in
backend https-in
mode http
balance roundrobin
stick-table type ip size 200k expire 30m
stick on src
default-server inter 1s
server web01 10.0.0.8:443 check ssl verify none
server web02 10.0.0.12:443 check ssl verify none
不需要其他前端或后端。
答案2
已解决,主要问题是我连续两次定义证书。证书不应在 Nginx 配置中定义,而应在 Haproxy 配置中定义。