I ran into a problem that has been bothering me for several weeks. I have one HAProxy LB + 2 web servers. The idea is to be able to know the real IP of the machines that reach the haproxy node, and for that I have the following configuration:
LB : 10.0.0.1 - haproxy.example.test
Web1 : 10.0.0.2 - web1.example.test
Web2 : 10.0.0.3 - web2.example.test
The certificates are on each web node, and everything works fine except that the headers are not passed.
HAProxy configuration file:
global
log /dev/log local0
log /dev/log local1 notice
chroot /var/lib/haproxy
stats timeout 30s
user haproxy
group haproxy
daemon
defaults
log global
option forwardfor
option httplog
# option dontlognull
timeout connect 5000
timeout client 50000
timeout server 50000
frontend http_front
bind *:80
stats uri /haproxy?stats
default_backend http_back
frontend https_front
bind *:443
default_backend https_back
backend http_back
balance roundrobin
mode http
http-request add-header X-CLIENT-IP %[src]
http-request set-header X-Request-Start t=%Ts%ms
server web1 10.0.0.2:80 check
server web2 10.0.0.3:80 check
backend https_back
balance roundrobin
mode tcp
option forwardfor
http-request set-header X-Forwarded-Port %[dst_port]
http-request add-header X-Forwarded-Proto https if { ssl_fc }
http-request set-header X-Forward-For %[src]
http-request add-header X-CLIENT-IP %[src]
http-request set-header X-Request-Start t=%Ts%ms
server webs1 10.0.0.2:443 check
server webs2 10.0.0.3:443 check
If I access 10.0.0.1 (haproxy.example.test) over HTTP, I get the expected headers:
HTTP_X_CLIENT_IP 65.28.121.161
HTTP_X_REQUEST_START t=1557918661669
HTTP_X_FORWARDED_FOR 65.28.121.161
But if I access it over HTTPS, none of these headers are passed to Apache...
I have tried everything and still could not solve it; I searched Google for weeks without success. Does anyone know why this happens?
Update:
Thanks for pointing me in the right direction. The solution is the following configuration:
global
log /dev/log local0
log /dev/log local1 notice
chroot /var/lib/haproxy
stats timeout 30s
user haproxy
group haproxy
daemon
defaults
log global
option forwardfor
option httplog
option dontlognull
timeout connect 5000
timeout client 50000
timeout server 50000
frontend localhost
bind *:80
bind *:443 ssl crt /etc/haproxy/haproxy.crt
mode http
redirect scheme https if !{ ssl_fc }
default_backend nodes
backend nodes
mode http
balance roundrobin
option forwardfor
option httpchk HEAD / HTTP/1.1\r\nHost:localhost
server web01 10.0.0.2:80 check
server web02 10.0.0.3:80 check
http-request set-header X-Forwarded-Port %[dst_port]
http-request add-header X-Forwarded-Proto https if { ssl_fc }
HAProxy negotiates the secure connection and passes the traffic to the web servers as http (instead of https).
It is based on this excellent article: https://serversforhackers.com/c/using-ssl-certificates-with-haproxy
Cheers,
Hugo Ferreira
Answer 1
Final configuration
global
log /dev/log local0
log /dev/log local1 notice
chroot /var/lib/haproxy
stats timeout 30s
user haproxy
group haproxy
daemon
defaults
log global
option forwardfor
option httplog
option dontlognull
timeout connect 5000
timeout client 50000
timeout server 50000
frontend localhost
bind *:80
bind *:443 ssl crt /etc/haproxy/haproxy.crt
mode http
redirect scheme https if !{ ssl_fc }
default_backend nodes
backend nodes
mode http
balance roundrobin
option forwardfor
option httpchk HEAD / HTTP/1.1\r\nHost:localhost
server web01 10.0.0.2:80 check
server web02 10.0.0.3:80 check
http-request set-header X-Forwarded-Port %[dst_port]
http-request add-header X-Forwarded-Proto https if { ssl_fc }
HAProxy negotiates the secure connection and passes the traffic to the web servers as http (instead of https).
It is based on this excellent article: https://serversforhackers.com/c/using-ssl-certificates-with-haproxy
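The original https_back backend ran in mode tcp, where HAProxy only relays bytes and cannot add HTTP headers; the working configuration terminates TLS in HAProxy and forwards plain HTTP with X-Forwarded-For, X-Forwarded-Proto and X-Forwarded-Port set. Because `option forwardfor` appends the peer address to any X-Forwarded-For the client already sent, the web server must trust only the hop added by the LB (10.0.0.1 here). The following is an added example, not code from the post or the linked article, showing how a backend application should read these headers; the function name and the trusted-proxy set are assumptions.

```python
# Added example: recover the real client IP/scheme/port on a web node that sits
# behind the HAProxy configuration above. Only connections arriving from the
# load balancer (10.0.0.1, from the question) may be trusted to carry honest
# X-Forwarded-* headers; from any other peer they may have been forged.
import ipaddress

TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.1")}  # the LB from the question


def client_info(peer_ip: str, headers: dict) -> dict:
    """Return the effective client address, scheme and port for one request.

    peer_ip  - the TCP peer the web server actually accepted the connection from
    headers  - the request headers (looked up case-insensitively below)
    """
    h = {k.lower(): v for k, v in headers.items()}
    peer = ipaddress.ip_address(peer_ip)

    # Direct hit that bypassed the LB: ignore every forwarding header.
    if peer not in TRUSTED_PROXIES:
        return {"ip": str(peer), "scheme": "http", "port": 80, "trusted": False}

    # HAProxy APPENDS the connecting address, so the rightmost entry is the one
    # the LB wrote; anything to its left was supplied by the client itself.
    hops = [p.strip() for p in h.get("x-forwarded-for", "").split(",") if p.strip()]
    ip = str(peer)
    if hops:
        try:
            ip = str(ipaddress.ip_address(hops[-1]))
        except ValueError:
            pass  # malformed last hop: fall back to the peer address

    # X-Forwarded-Proto is only added when the front connection was TLS.
    scheme = "https" if h.get("x-forwarded-proto", "").lower() == "https" else "http"
    default_port = 443 if scheme == "https" else 80
    try:
        port = int(h.get("x-forwarded-port", default_port))
    except ValueError:
        port = default_port
    return {"ip": ip, "scheme": scheme, "port": port, "trusted": True}


if __name__ == "__main__":
    # Constructed request: the LB appended the real client after a forged hop.
    print(client_info("10.0.0.1", {"X-Forwarded-For": "1.2.3.4, 65.28.121.161",
                                   "X-Forwarded-Proto": "https",
                                   "X-Forwarded-Port": "443"}))
```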