HAProxy does not pass headers over HTTPS

I have a problem that has been bothering me for several weeks. I have one HAProxy LB + 2 web servers. The idea is to be able to know the real IP of the machines that hit the haproxy node, and for that I have the following configuration:

LB : 10.0.0.1 - haproxy.example.test
Web1 : 10.0.0.2 - web1.example.test
Web2 : 10.0.0.3 - web2.example.test

The certificates are on each web node, and apart from the headers not being passed, everything else works fine.

haproxy config file

global
   log /dev/log local0
   log /dev/log local1 notice
   chroot /var/lib/haproxy
   stats timeout 30s
   user haproxy
   group haproxy
   daemon

defaults
   log global
   option forwardfor
   option httplog
#   option dontlognull
   timeout connect 5000
   timeout client 50000
   timeout server 50000

frontend http_front
   bind *:80
   stats uri /haproxy?stats
   default_backend http_back

frontend https_front
   bind *:443
   default_backend https_back

backend http_back
   balance roundrobin
   mode http
   http-request add-header X-CLIENT-IP %[src]
   http-request set-header X-Request-Start t=%Ts%ms
   server web1 10.0.0.2:80 check
   server web2 10.0.0.3:80 check

backend https_back
   balance roundrobin
   mode tcp
   option forwardfor
   http-request set-header X-Forwarded-Port %[dst_port]
   http-request add-header X-Forwarded-Proto https if { ssl_fc }
   http-request set-header X-Forward-For %[src]
   http-request add-header X-CLIENT-IP %[src]
   http-request set-header X-Request-Start t=%Ts%ms
   server webs1 10.0.0.2:443 check
   server webs2 10.0.0.3:443 check

If I access 10.0.0.1 (haproxy.example.test) over HTTP, I get the expected headers:

HTTP_X_CLIENT_IP    65.28.121.161
HTTP_X_REQUEST_START    t=1557918661669
HTTP_X_FORWARDED_FOR    65.28.121.161

But if I access over HTTPS, none of these headers are passed to Apache...

I have tried everything and still couldn't solve it; I've been searching Google for weeks without success. Does anyone know why this happens?

UPDATE

Thanks for pointing me in the right direction; the solution was with the following configuration:

global
   log /dev/log local0
   log /dev/log local1 notice
   chroot /var/lib/haproxy
   stats timeout 30s
   user haproxy
   group haproxy
   daemon

defaults
   log global
   option forwardfor
   option httplog
   option dontlognull
   timeout connect 5000
   timeout client 50000
   timeout server 50000


frontend localhost
    bind *:80
    bind *:443 ssl crt /etc/haproxy/haproxy.crt
    mode http
    redirect scheme https if !{ ssl_fc }
    default_backend nodes

backend nodes
    mode http
    balance roundrobin
    option forwardfor
    option httpchk HEAD / HTTP/1.1\r\nHost:localhost
    server web01 10.0.0.2:80 check
    server web02 10.0.0.3:80 check
    http-request set-header X-Forwarded-Port %[dst_port]
    http-request add-header X-Forwarded-Proto https if { ssl_fc }

HAProxy will negotiate the secure connection and pass the traffic to the web servers as http (not https).

It was based on this great article https://serversforhackers.com/c/using-ssl-certificates-with-haproxy

Cheers,

Hugo Ferreira

Answer 1

Final configuration

global
   log /dev/log local0
   log /dev/log local1 notice
   chroot /var/lib/haproxy
   stats timeout 30s
   user haproxy
   group haproxy
   daemon

defaults
   log global
   option forwardfor
   option httplog
   option dontlognull
   timeout connect 5000
   timeout client 50000
   timeout server 50000


frontend localhost
    bind *:80
    bind *:443 ssl crt /etc/haproxy/haproxy.crt
    mode http
    redirect scheme https if !{ ssl_fc }
    default_backend nodes

backend nodes
    mode http
    balance roundrobin
    option forwardfor
    option httpchk HEAD / HTTP/1.1\r\nHost:localhost
    server web01 10.0.0.2:80 check
    server web02 10.0.0.3:80 check
    http-request set-header X-Forwarded-Port %[dst_port]
    http-request add-header X-Forwarded-Proto https if { ssl_fc }

HAProxy will negotiate the secure connection and pass the traffic to the web servers as http (not https).

It was based on this great article https://serversforhackers.com/c/using-ssl-certificates-with-haproxy
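Why the first configuration could not work, and what the second one leaves for the backend to do: in `mode tcp` HAProxy only relays the encrypted bytes between the client and the web node, so it never sees an HTTP request and every `http-request` rule in `https_back` is ignored (HAProxy warns about this at startup). Once the frontend terminates TLS with `bind *:443 ssl crt ...` and runs in `mode http`, `option forwardfor` can add the X-Forwarded-For header. That header is only as trustworthy as the hop that set it, though: a client can send its own X-Forwarded-For, and unless HAProxy is told to delete or overwrite it (`http-request set-header X-Forwarded-For %[src]` instead of relying on `option forwardfor`), the client's value reaches the web nodes ahead of the one the LB adds. The backend therefore has to accept forwarded headers only from 10.0.0.1 and read the chain from the right. The following is an added example, not code from the question, the answer or the linked article; the function names `client_ip` and `request_is_https`, the `TRUSTED_PROXIES` set and the sample addresses 1.2.3.4 and 203.0.113.9 are assumptions made for illustration, and the sample requests are constructed to match the topology in the post.

```python
"""
Trusted-proxy handling of X-Forwarded-For / X-Forwarded-Proto on a backend
(web01/web02) sitting behind the terminating HAProxy configuration above.

Added example, not part of the original post. Assumptions:
  * the only trusted proxy is the load balancer, 10.0.0.1;
  * a client-supplied X-Forwarded-For may arrive before the value the LB
    adds, and multiple header lines have been joined with ", " the way CGI
    environments (HTTP_X_FORWARDED_FOR) and most frameworks present them.
"""
import ipaddress
from typing import Mapping, Optional, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Hosts whose forwarded headers we honour (assumption: only the LB).
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.1")}


def _parse_ip(text: str) -> Optional[IPAddress]:
    """Return an address object, or None if the text is not an IP address."""
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None


def client_ip(peer_addr: str, headers: Mapping[str, str]) -> str:
    """Resolve the real client address for one request.

    peer_addr is the TCP peer the backend accepted the connection from
    (REMOTE_ADDR). Forwarded headers are consulted only when that peer is a
    trusted proxy. The X-Forwarded-For chain is then walked from the RIGHT,
    skipping trusted hops, and the first untrusted address wins: anything a
    client injected sits to the left of the LB-added value and is ignored.
    """
    peer = _parse_ip(peer_addr)
    if peer is None or peer not in TRUSTED_PROXIES:
        # Direct connection or unknown proxy: headers are untrusted.
        return peer_addr

    xff = headers.get("X-Forwarded-For", "")
    hops = [h for h in (part.strip() for part in xff.split(",")) if h]
    for hop in reversed(hops):
        ip = _parse_ip(hop)
        if ip is None:
            # Malformed entry: stop trusting anything to its left.
            break
        if ip not in TRUSTED_PROXIES:
            return str(ip)
    # Empty chain, only trusted hops, or garbage: fall back to the peer so a
    # forged header can never produce an identity we did not observe.
    return peer_addr


def request_is_https(peer_addr: str, headers: Mapping[str, str]) -> bool:
    """True only if a trusted proxy asserted X-Forwarded-Proto: https."""
    peer = _parse_ip(peer_addr)
    if peer is None or peer not in TRUSTED_PROXIES:
        return False
    return headers.get("X-Forwarded-Proto", "").strip().lower() == "https"


# Constructed sample requests, modelled on the headers shown in the post.
SAMPLES = {
    # Honest client, request relayed by the LB after TLS termination.
    "honest": ("10.0.0.1", {"X-Forwarded-For": "65.28.121.161",
                            "X-Forwarded-Proto": "https",
                            "X-Forwarded-Port": "443"}),
    # Client sends a fake X-Forwarded-For; the LB's value follows it.
    "spoof": ("10.0.0.1", {"X-Forwarded-For": "1.2.3.4, 65.28.121.161",
                           "X-Forwarded-Proto": "https"}),
    # Someone bypasses the LB and talks to web01 directly with forged headers.
    "bypass": ("203.0.113.9", {"X-Forwarded-For": "10.0.0.1",
                               "X-Forwarded-Proto": "https"}),
}


if __name__ == "__main__":
    for name, (peer, hdrs) in SAMPLES.items():
        print(f"{name:7s} client={client_ip(peer, hdrs):15s} "
              f"https={request_is_https(peer, hdrs)}")
```

On Apache the same policy is available without code: mod_remoteip with `RemoteIPHeader X-Forwarded-For` and `RemoteIPInternalProxy 10.0.0.1` rewrites the client address using exactly this rightmost-untrusted rule. Two further points on the accepted configuration: because the LB now forwards to port 80, the hop from 10.0.0.1 to the web nodes is plaintext, which is acceptable only if 10.0.0.0/24 is a private, controlled network (otherwise point the `server` lines at 443 with `ssl verify required ca-file ...`), and the web nodes should firewall ports 80/443 so that only 10.0.0.1 can reach them, or the "bypass" case above becomes possible.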
