I have been searching the web all night trying to figure this out.
So basically I installed an HAProxy instance to use as a reverse proxy.
Here is my simple haproxy.conf configuration:
global
log 127.0.0.1:514 local0 info
log 127.0.0.1:514 local1 notice
stats socket /run/haproxy/admin.sock mode 660 level admin
maxconn 4096
user root
group root
daemon
defaults
log global
mode http
option forwardfor
option httplog
#option dontlognull
maxconn 2000
timeout connect 5000
timeout client 50000
timeout server 50000
frontend localhost
log 127.0.0.1:514 local0 debug
bind *:80
mode http
use_backend web1 if { hdr(host) -i shlomitest1.prv.co.il }
use_backend web1 if { hdr(host) -i shlomitest.prv.co.il }
use_backend web2 if { hdr(host) -i cba.com }
use_backend web2 if { hdr(host) -i fed.com }
default_backend web1
backend web1
server web1 192.168.30.109:80
backend web2
server web2 google.com:80
HAProxy internal IP: 192.168.30.120
HAProxy external IP: 212.xx102, NATed to the internal one
Apache server IP: 192.168.30.109
My workstation internal IP: 192.168.30.102
My workstation external IP: 212.199.xx.xxx
Checkpoint policy and NAT:
Policy rules -
NAT rules
All packets are accepted by the firewall, nothing is blocked. Now there are two scenarios:
- Testing from the LAN (works): shlomitest1.prv.co.il points to 192.168.30.120.
HAProxy log:
Mar 26 11:37:21 localhost haproxy[14836]: 192.168.30.102:36969 [26/Mar/2019:11:37:21.576] localhost web1/web1 0/0/0/1/1 302 196 - - ---- 1/1/0/1/0 0/0 "GET / HTTP/1.1"
Mar 26 11:37:21 localhost haproxy[14836]: 192.168.30.102:36969 [26/Mar/2019:11:37:21.576] localhost web1/web1 0/0/0/1/1 302 196 - - ---- 1/1/0/1/0 0/0 "GET / HTTP/1.1"
TCPDump log:
11:39:56.935968 IP 192.168.30.102.37046 > 192.168.30.120.80: Flags [P.], seq 444:887, ack 197, win 260, length 443: HTTP: GET / HTTP/1.1
11:39:56.936182 IP 192.168.30.120.46226 > 192.168.30.109.80: Flags [S], seq 2799547699, win 14600, options [mss 1460,sackOK,TS val 13556286 ecr 0,nop,wscale 7], length 0
11:39:56.936303 IP 192.168.30.109.80 > 192.168.30.120.46226: Flags [S.], seq 3484873804, ack 2799547700, win 28960, options [mss 1460,sackOK,TS val 467474707 ecr 13556286,nop,wscale 7], length 0
11:39:56.936313 IP 192.168.30.120.46226 > 192.168.30.109.80: Flags [.], ack 1, win 115, options [nop,nop,TS val 13556286 ecr 467474707], length 0
11:39:56.936406 IP 192.168.30.120.46226 > 192.168.30.109.80: Flags [P.], seq 1:453, ack 1, win 115, options [nop,nop,TS val 13556286 ecr 467474707], length 452: HTTP: GET / HTTP/1.1
11:39:56.936461 IP 192.168.30.109.80 > 192.168.30.120.46226: Flags [.], ack 453, win 235, options [nop,nop,TS val 467474707 ecr 13556286], length 0
11:39:56.936952 IP 192.168.30.109.80 > 192.168.30.120.46226: Flags [P.], seq 1:197, ack 453, win 235, options [nop,nop,TS val 467474707 ecr 13556286], length 196: HTTP: HTTP/1.1 302 Found
11:39:56.936957 IP 192.168.30.120.46226 > 192.168.30.109.80: Flags [.], ack 197, win 123, options [nop,nop,TS val 13556286 ecr 467474707], length 0
11:39:56.937045 IP 192.168.30.120.80 > 192.168.30.102.37046: Flags [P.], seq 197:393, ack 887, win 131, length 196: HTTP: HTTP/1.1 302 Found
11:39:57.165921 IP 192.168.30.102.37046 > 192.168.30.120.80: Flags [.], ack 393, win 259, length 0
11:40:01.942176 IP 192.168.30.109.80 > 192.168.30.120.46226: Flags [F.], seq 197, ack 453, win 235, options [nop,nop,TS val 467475958 ecr 13556286], length 0
11:40:01.942268 IP 192.168.30.120.46226 > 192.168.30.109.80: Flags [F.], seq 453, ack 198, win 123, options [nop,nop,TS val 13557537 ecr 467475958], length 0
11:40:01.942394 IP 192.168.30.109.80 > 192.168.30.120.46226: Flags [.], ack 454, win 235, options [nop,nop,TS val 467475958 ecr 13557537], length 0
- Testing from the WAN (fails): shlomitest.prv.co.il points to 212.xx102.
HAProxy log:
ar 26 11:30:51 localhost haproxy[14836]: 212.199.xx.xxx:55328 [26/Mar/2019:11:30:01.256] localhost localhost/<NOSRV> -1/-1/-1/-1/50002 408 212 - - cR-- 0/0/0/0/0 0/0 "<BADREQ>"
Mar 26 11:30:51 localhost haproxy[14836]: 212.199.xx.xxx:55328 [26/Mar/2019:11:30:01.256] localhost localhost/<NOSRV> -1/-1/-1/-1/50002 408 212 - - cR-- 0/0/0/0/0 0/0 "<BADREQ>"
TCPDump log:
11:45:21.216879 IP 212.199.xx.xxx.56486 > 192.168.30.120.80: Flags [S], seq 4078768598, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
11:45:21.216917 IP 192.168.30.120.80 > 212.199.xx.xxx.56486: Flags [S.], seq 169139328, ack 4078768599, win 14600, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
11:45:21.222820 IP 212.199.xx.xxx.56486 > 192.168.30.120.80: Flags [.], ack 1, win 256, length 0
11:45:42.520396 IP 212.199.xx.xxx.56486 > 192.168.30.120.80: Flags [R.], seq 421, ack 1, win 0, length 0
11:45:42.520422 IP 192.168.30.120.80 > 212.199.xx.xxx.56486: Flags [.], ack 1, win 115, length 0
11:46:11.224424 IP 192.168.30.120.80 > 212.199.xx.xxx.56486: Flags [F.], seq 1:213, ack 1, win 115, length 212: HTTP: HTTP/1.0 408 Request Time-out
11:46:11.430474 IP 192.168.30.120.80 > 212.199.xx.xxx.56486: Flags [F.], seq 1:213, ack 1, win 115, length 212: HTTP: HTTP/1.0 408 Request Time-out
11:46:11.846588 IP 192.168.30.120.80 > 212.199.xx.xxx.56486: Flags [F.], seq 1:213, ack 1, win 115, length 212: HTTP: HTTP/1.0 408 Request Time-out
11:46:12.678507 IP 192.168.30.120.80 > 212.199.xx.xxx.56486: Flags [F.], seq 1:213, ack 1, win 115, length 212: HTTP: HTTP/1.0 408 Request Time-out
11:46:14.346492 IP 192.168.30.120.80 > 212.199.xx.xxx.56486: Flags [F.], seq 1:213, ack 1, win 115, length 212: HTTP: HTTP/1.0 408 Request Time-out
11:46:17.678470 IP 192.168.30.120.80 > 212.199.xx.xxx.56486: Flags [F.], seq 1:213, ack 1, win 115, length 212: HTTP: HTTP/1.0 408 Request Time-out
11:46:24.350533 IP 192.168.30.120.80 > 212.199.xx.xxx.56486: Flags [F.], seq 1:213, ack 1, win 115, length 212: HTTP: HTTP/1.0 408 Request Time-out
That is really all the information I have managed to gather.
I am quite lost now, as I have tried everything I could think of :X
Any help is appreciated!
Thanks
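As an added example (not part of the original post), here is a small Python triage helper for HAProxy "option httplog" lines like the two quoted above: it parses the fields and decodes the 4-character termination state, so a line such as the WAN one (cR--, status 408, <NOSRV>, <BADREQ>) is reported as a client-side timeout that fired while HAProxy was still waiting for a complete request. The two sample lines are copied from the post; the function names are my own.

```python
import re
# Two lines copied from the post: a normal LAN request ("----") and the failing
# WAN one ("cR--", no server picked, request logged as "<BADREQ>").
SAMPLE_LOG = [
    'Mar 26 11:37:21 localhost haproxy[14836]: 192.168.30.102:36969 '
    '[26/Mar/2019:11:37:21.576] localhost web1/web1 0/0/0/1/1 302 196 - - ---- '
    '1/1/0/1/0 0/0 "GET / HTTP/1.1"',
    'Mar 26 11:30:51 localhost haproxy[14836]: 212.199.xx.xxx:55328 '
    '[26/Mar/2019:11:30:01.256] localhost localhost/<NOSRV> -1/-1/-1/-1/50002 '
    '408 212 - - cR-- 0/0/0/0/0 0/0 "<BADREQ>"',
]

# "option httplog" field order: client, accept date, frontend, backend/server,
# Tq/Tw/Tc/Tr/Tt (ms), status, bytes, 2 cookie captures, termination state,
# connection counters, queue counters, quoted request line.
HTTPLOG_RE = re.compile(
    r'(?P<client_ip>[\w.:]+):(?P<client_port>\d+) \[(?P<accept_date>[^\]]+)\] '
    r'(?P<frontend>\S+) (?P<backend>[^/\s]+)/(?P<server>\S+) '
    r'(?P<Tq>-?\d+)/(?P<Tw>-?\d+)/(?P<Tc>-?\d+)/(?P<Tr>-?\d+)/(?P<Tt>-?\d+) '
    r'(?P<status>\d+) (?P<bytes>\d+) \S+ \S+ (?P<term>\S{4}) \S+ \S+ '
    r'"(?P<request>[^"]*)"')

# Termination state: char 1 = what ended the session, char 2 = phase it was in.
CAUSE = {'-': 'normal close', 'c': 'client-side timeout', 'C': 'client aborted',
         's': 'server-side timeout', 'S': 'server aborted', 'P': 'proxy aborted',
         'R': 'resource exhausted', 'I': 'internal error'}
STATE = {'-': 'after completion', 'R': 'while waiting for a complete request',
         'Q': 'while queued', 'C': 'while connecting to the server',
         'H': 'while waiting for response headers', 'D': 'during data transfer'}

def parse_httplog(line):
    """Return the fields of one httplog line as a dict, or None if no match."""
    m = HTTPLOG_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in ('client_port', 'Tq', 'Tw', 'Tc', 'Tr', 'Tt', 'status', 'bytes'):
        rec[key] = int(rec[key])  # timers are -1 when that phase never happened
    return rec

def explain_termination(term):
    """Decode the first two termination-state characters into plain words."""
    return CAUSE.get(term[0], 'unknown cause') + ' ' + STATE.get(term[1], 'in unknown phase')

def triage(lines):
    """Keep only requests that did not terminate normally, with the decoded reason."""
    found = []
    for line in lines:
        rec = parse_httplog(line)
        if rec is not None and not rec['term'].startswith('--'):
            found.append((rec, explain_termination(rec['term'])))
    return found
```

Run triage() over the syslog file HAProxy writes to; in the post's WAN case Tt equals the 50000 ms "timeout client", which is the clue that no request bytes ever reached HAProxy.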