HAProxy 反向代理配置 - 根据子域选择后端

HAProxy 反向代理配置 - 根据子域选择后端

我花了很长时间尝试让简单的反向代理根据 URL 选择后端。

503 Service Unavailable. No server is available to handle this request.当我尝试这个时我一直收到错误。

任何帮助,将不胜感激!

我想输入 nc.mydomain.com 并将我的请求转发到我的 nextcloud 服务器(稍后我会添加其他子域和域)。这是我的配置:

haproxy.cfg

global
    log /dev/log    local0
    log /dev/log    local1 notice
    daemon
    ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
    ssl-default-bind-options no-sslv3 no-tlsv10

defaults
    mode http
    log global
    option  httplog
    option  dontlognull
        timeout connect 5000
        timeout client  50000
        timeout server  50000
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http
    option forwardfor if-none

frontend for-letsencrypt
    bind :80
    acl isletsencrypt path_beg /.well-known/acme-challenge/
    use_backend letsencrypt-backend if isletsencrypt

backend letsencrypt-backend
    server letsencrypt 127.0.0.1:8888

frontend public-web-in
    mode http
    bind :80
    bind :443 ssl crt /etc/letsencrypt/live/nc.mydomain.com/nc-haproxy.pem alpn h2,http/1.1
    redirect scheme https if !{ ssl_fc }
    acl isnextcloud req.hdr(Host) -i -m str nc.mydomain.com
    use_backend ncserver if isnextcloud
    default_backend myrouter

backend ncserver
    description My Nextcloud server
    server nc1 192.168.1.28:80 send-proxy ssl verify none

backend myrouter
    description My default backend server
    server router 192.168.1.1:80 send-proxy

我将日志记录级别设置为调试,这是来自/var/log/haproxy.log

Jan 31 10:36:58 haproxy haproxy[3706]: [WARNING] 030/103658 (3706) : Exiting Master process...
Jan 31 10:36:58 haproxy haproxy[3706]: [ALERT] 030/103658 (3706) : Current worker #1 (3707) exited with code 143 (Terminated)
Jan 31 10:36:58 haproxy haproxy[3706]: [WARNING] 030/103658 (3706) : All workers exited. Exiting... (143)
Jan 31 10:36:58 haproxy haproxy[4964]: [WARNING] 030/103658 (4964) : Setting tune.ssl.default-dh-param to 1024 by default, if your workload permits it you should set it to at least 2048. Please set a value >= 1024 to make this warning disappear.
Jan 31 10:36:58 haproxy haproxy[4964]: Proxy for-letsencrypt started.
Jan 31 10:36:58 haproxy haproxy[4964]: Proxy for-letsencrypt started.
Jan 31 10:36:58 haproxy haproxy[4964]: [NOTICE] 030/103658 (4964) : New worker #1 (4965) forked
Jan 31 10:36:58 haproxy haproxy[4964]: Proxy letsencrypt-backend started.
Jan 31 10:36:58 haproxy haproxy[4964]: Proxy letsencrypt-backend started.
Jan 31 10:36:58 haproxy haproxy[4964]: Proxy public-web-in started.
Jan 31 10:36:58 haproxy haproxy[4964]: Proxy public-web-in started.
Jan 31 10:36:58 haproxy haproxy[4964]: Proxy ncserver started.
Jan 31 10:36:58 haproxy haproxy[4964]: Proxy ncserver started.
Jan 31 10:36:58 haproxy haproxy[4964]: Proxy myrouter started.
Jan 31 10:36:58 haproxy haproxy[4964]: Proxy myrouter started.
Jan 31 10:37:42 haproxy haproxy[4965]: 123.45.67.890:45204 [31/Jan/2019:10:37:39.272] public-web-in~ ncserver/nc1 0/0/-1/-1/3007 503 213 - - SC-- 1/1/0/0/3 0/0 "GET / HTTP/1.1"
Jan 31 10:37:42 haproxy haproxy[4965]: 123.45.67.890:45204 [31/Jan/2019:10:37:39.272] public-web-in~ ncserver/nc1 0/0/-1/-1/3007 503 213 - - SC-- 1/1/0/0/3 0/0 "GET / HTTP/1.1"
Jan 31 10:37:45 haproxy haproxy[4965]: 123.45.67.890:45204 [31/Jan/2019:10:37:42.764] public-web-in~ ncserver/nc1 0/0/-1/-1/3005 503 213 - - SC-- 1/1/0/0/3 0/0 "GET /favicon.ico HTTP/1.1"
Jan 31 10:37:45 haproxy haproxy[4965]: 123.45.67.890:45204 [31/Jan/2019:10:37:42.764] public-web-in~ ncserver/nc1 0/0/-1/-1/3005 503 213 - - SC-- 1/1/0/0/3 0/0 "GET /favicon.ico HTTP/1.1"

Jan 31 10:38:42 haproxy haproxy[4964]: [WARNING] 030/103842 (4964) : Exiting Master process...
Jan 31 10:38:42 haproxy haproxy[4964]: [ALERT] 030/103842 (4964) : Current worker #1 (4965) exited with code 143 (Terminated)
Jan 31 10:38:42 haproxy haproxy[4964]: [WARNING] 030/103842 (4964) : All workers exited. Exiting... (143)
Jan 31 10:38:42 haproxy haproxy[4977]: [WARNING] 030/103842 (4977) : Setting tune.ssl.default-dh-param to 1024 by default, if your workload permits it you should set it to at least 2048. Please set a value >= 1024 to make this warning disappear.
Jan 31 10:38:42 haproxy haproxy[4977]: Proxy for-letsencrypt started.
Jan 31 10:38:42 haproxy haproxy[4977]: Proxy for-letsencrypt started.
Jan 31 10:38:42 haproxy haproxy[4977]: [NOTICE] 030/103842 (4977) : New worker #1 (4978) forked
Jan 31 10:38:42 haproxy haproxy[4977]: Proxy letsencrypt-backend started.
Jan 31 10:38:42 haproxy haproxy[4977]: Proxy letsencrypt-backend started.
Jan 31 10:38:42 haproxy haproxy[4977]: Proxy public-web-in started.
Jan 31 10:38:42 haproxy haproxy[4977]: Proxy public-web-in started.
Jan 31 10:38:42 haproxy haproxy[4977]: Proxy ncserver started.
Jan 31 10:38:42 haproxy haproxy[4977]: Proxy ncserver started.
Jan 31 10:38:42 haproxy haproxy[4977]: Proxy myrouter started.
Jan 31 10:38:42 haproxy haproxy[4977]: Proxy myrouter started.
Jan 31 10:38:50 haproxy haproxy[4978]: 123.45.67.890:46022 [31/Jan/2019:10:38:47.493] public-web-in~ ncserver/nc1 0/0/-1/-1/3006 503 213 - - SC-- 2/2/0/0/3 0/0 "GET / HTTP/1.1"
Jan 31 10:38:50 haproxy haproxy[4978]: 123.45.67.890:46022 [31/Jan/2019:10:38:47.493] public-web-in~ ncserver/nc1 0/0/-1/-1/3006 503 213 - - SC-- 2/2/0/0/3 0/0 "GET / HTTP/1.1"
Jan 31 10:38:53 haproxy haproxy[4978]: 123.45.67.890:46022 [31/Jan/2019:10:38:50.563] public-web-in~ ncserver/nc1 0/0/-1/-1/3005 503 213 - - SC-- 2/2/0/0/3 0/0 "GET /favicon.ico HTTP/1.1"
Jan 31 10:38:53 haproxy haproxy[4978]: 123.45.67.890:46022 [31/Jan/2019:10:38:50.563] public-web-in~ ncserver/nc1 0/0/-1/-1/3005 503 213 - - SC-- 2/2/0/0/3 0/0 "GET /favicon.ico HTTP/1.1"
Jan 31 10:39:33 haproxy haproxy[4978]: 123.45.67.890:46022 [31/Jan/2019:10:39:30.343] public-web-in~ ncserver/nc1 0/0/-1/-1/3005 503 213 - - SC-- 2/2/0/0/3 0/0 "GET / HTTP/1.1"
Jan 31 10:39:33 haproxy haproxy[4978]: 123.45.67.890:46022 [31/Jan/2019:10:39:30.343] public-web-in~ ncserver/nc1 0/0/-1/-1/3005 503 213 - - SC-- 2/2/0/0/3 0/0 "GET / HTTP/1.1"
Jan 31 10:39:36 haproxy haproxy[4978]: 123.45.67.890:46022 [31/Jan/2019:10:39:33.489] public-web-in~ ncserver/nc1 0/0/-1/-1/3004 503 213 - - SC-- 2/2/0/0/3 0/0 "GET /favicon.ico HTTP/1.1"
Jan 31 10:39:36 haproxy haproxy[4978]: 123.45.67.890:46022 [31/Jan/2019:10:39:33.489] public-web-in~ ncserver/nc1 0/0/-1/-1/3004 503 213 - - SC-- 2/2/0/0/3 0/0 "GET /favicon.ico HTTP/1.1"
Jan 31 10:40:04 haproxy haproxy[4978]: 123.45.67.890:49065 [31/Jan/2019:10:40:01.584] public-web-in~ ncserver/nc1 0/0/-1/-1/3006 503 213 - - SC-- 3/3/1/0/3 0/0 "GET /ocs/v2.php/apps/notifications/api/v2/notifications?format=json HTTP/1.1"
Jan 31 10:40:04 haproxy haproxy[4978]: 123.45.67.890:49065 [31/Jan/2019:10:40:01.584] public-web-in~ ncserver/nc1 0/0/-1/-1/3006 503 213 - - SC-- 3/3/1/0/3 0/0 "GET /ocs/v2.php/apps/notifications/api/v2/notifications?format=json HTTP/1.1"
Jan 31 10:40:06 haproxy haproxy[4978]: 123.45.67.890:55079 [31/Jan/2019:10:40:03.805] public-web-in~ ncserver/nc1 0/0/-1/-1/3006 503 213 - - SC-- 2/2/0/0/3 0/0 "PROPFIND /remote.php/dav/files/sarah/ HTTP/1.1"
Jan 31 10:40:06 haproxy haproxy[4978]: 123.45.67.890:55079 [31/Jan/2019:10:40:03.805] public-web-in~ ncserver/nc1 0/0/-1/-1/3006 503 213 - - SC-- 2/2/0/0/3 0/0 "PROPFIND /remote.php/dav/files/sarah/ HTTP/1.1"
Jan 31 10:40:11 haproxy haproxy[4978]: 123.45.67.890:44558 [31/Jan/2019:10:40:11.772] public-web-in/2: SSL handshake failure
Jan 31 10:40:11 haproxy haproxy[4978]: 123.45.67.890:44558 [31/Jan/2019:10:40:11.772] public-web-in/2: SSL handshake failure
Jan 31 10:40:14 haproxy haproxy[4978]: 123.45.67.890:54795 [31/Jan/2019:10:40:11.880] public-web-in~ ncserver/nc1 0/0/-1/-1/3005 503 213 - - SC-- 4/4/2/0/3 0/0 "GET /status.php HTTP/1.1"
Jan 31 10:40:14 haproxy haproxy[4978]: 123.45.67.890:54795 [31/Jan/2019:10:40:11.880] public-web-in~ ncserver/nc1 0/0/-1/-1/3005 503 213 - - SC-- 4/4/2/0/3 0/0 "GET /status.php HTTP/1.1"
Jan 31 10:40:16 haproxy haproxy[4978]: 123.45.67.890:39289 [31/Jan/2019:10:40:13.649] public-web-in~ ncserver/nc1 0/0/-1/-1/3007 503 213 - - SC-- 3/3/1/0/3 0/0 "GET /ocs/v2.php/core/navigation/apps?absolute=true&format=json HTTP/1.1"
Jan 31 10:40:16 haproxy haproxy[4978]: 123.45.67.890:39289 [31/Jan/2019:10:40:13.649] public-web-in~ ncserver/nc1 0/0/-1/-1/3007 503 213 - - SC-- 3/3/1/0/3 0/0 "GET /ocs/v2.php/core/navigation/apps?absolute=true&format=json HTTP/1.1"
Jan 31 10:40:20 haproxy haproxy[4978]: 123.45.67.890:52104 [31/Jan/2019:10:40:17.071] public-web-in~ ncserver/nc1 0/0/-1/-1/3006 503 213 - - SC-- 2/2/0/0/3 0/0 "GET /ocs/v2.php/core/navigation/apps?absolute=true&format=json HTTP/1.1"
Jan 31 10:40:20 haproxy haproxy[4978]: 123.45.67.890:52104 [31/Jan/2019:10:40:17.071] public-web-in~ ncserver/nc1 0/0/-1/-1/3006 503 213 - - SC-- 2/2/0/0/3 0/0 "GET /ocs/v2.php/core/navigation/apps?absolute=true&format=json HTTP/1.1"

答案1

SSL 握手失败看起来发生在代理的前端,可能无关。

这里最有价值的信息是SC--——这个字段被称为断开连接时的会话状态这里提供的信息的价值是无可估量的。成功请求时设置为----

该值SC--意味着您的后端服务器拒绝目标端口上的连接,并且问题发生得很早,在 HTTP 请求可以通过连接发送到后端之前(这很合理,因为没有建立连接)。

请注意,对于这个后端,你似乎已经ssl配置了,因此服务器的地址大概应设置为端口 443,而不是 80。

您尚未在后端启用任何健康检查,因此 HAProxy 不知道它已关闭/无法访问/已停止/无法访问/配置错误/受防火墙保护,并尝试向其发送请求。

当然,这些都会失败,并且 HAProxy 会将内容写入/etc/haproxy/errors/503.http网络以向客户端发出失败信号。

无关,请确保您理解其send-proxy含义。如果您需要,这是一个很棒的功能,但严格来说,您的配置中不需要此功能,因为您正在以第 7 层模式运行代理。您可以直接添加option forwardfor以设置X-Forwarded-For标头。

相关内容