我尝试使用 haproxy 将请求代理到具有真正过时的 SSL/密码的旧 LDAP 服务器..但 ldapsearch 总是返回错误:
ldap_result: Can't contact LDAP server (-1)
这是我的 haproxy 配置:
global
log stdout format raw local0 debug
frontend ldap-636
bind 0.0.0.0:636 ssl crt /cert.pem no-sslv3 no-tlsv10 ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
mode tcp
option socket-stats
option tcplog
option tcpka
timeout client 10s
default_backend ldap-636-origin
backend ldap-636-origin
log stdout format raw local0 debug
server DC-NODE-01 172.16.17.77:636 no-check ciphers ALL:NULL:eNULL:aNULL:RC4-MD5:@SECLEVEL=0 ca-file /ca-certificates/ca-cert.pem
#server DC-NODE-01 172.16.17.77:389 check fall 3 rise 2 inter 5000 weight 10
mode tcp
stick-table type ip size 200k expire 30m
timeout server 12s
timeout tunnel 10s
timeout connect 10s
后端服务器使用 SSLv3/TLSv1.0 和 RC4-MD5 密码。我首先尝试使用 haproxy 的官方 Docker Build,但容器中附带的 OpenSSL 未编译为支持这些旧密码。我修补了 haproxy 的 Dockerfile 并构建了自己的镜像,其中包括一个自编译版本的 openssl,支持旧密码:
# vim:set ft=dockerfile:
FROM alpine:3.11
ENV HAPROXY_VERSION 2.1.2
ENV HAPROXY_URL https://www.haproxy.org/download/2.1/src/haproxy-2.1.2.tar.gz
ENV HAPROXY_SHA256 6079b08a8905ade5a9a2835ead8963ee10a855d8508a85efb7181eea2d310b77
# see https://sources.debian.net/src/haproxy/jessie/debian/rules/ for some helpful navigation of the possible "make" arguments
RUN set -x \
\
&& apk add --no-cache --virtual .build-deps \
ca-certificates \
gcc \
perl \
libc-dev \
linux-headers \
lua5.3-dev \
make \
pcre2-dev \
readline-dev \
tar \
zlib-dev \
libxml2-dev
RUN wget https://www.openssl.org/source/openssl-1.1.0l.tar.gz \
&& tar -zxvf openssl-1.1.0l.tar.gz
RUN cd openssl-1.1.0l/ && ./config --prefix=/usr/local --openssldir=/etc/ssl --libdir=lib \
shared enable-weak-ssl-ciphers enable-ssl3 enable-tls1 enable-deprecated enable-rc4 enable-ssl3-method -Wl,--enable-new-dtags,-rpath,'$(LIBRPATH)'
RUN cd openssl-1.1.0l/ && make
RUN cd openssl-1.1.0l/ && make install
RUN wget -O haproxy.tar.gz "$HAPROXY_URL" \
&& echo "$HAPROXY_SHA256 *haproxy.tar.gz" | sha256sum -c \
&& mkdir -p /usr/src/haproxy \
&& tar -xzf haproxy.tar.gz -C /usr/src/haproxy --strip-components=1 \
&& rm haproxy.tar.gz \
\
&& makeOpts=' \
TARGET=linux-glibc \
USE_GETADDRINFO=1 \
USE_LUA=1 LUA_INC=/usr/include/lua5.3 LUA_LIB=/usr/lib/lua5.3 \
USE_OPENSSL=1 SSL_INC=/usr/local/include SSL_LIB=/usr/local/lib ADDLIB=-ldl \
USE_PCRE2=1 USE_PCRE2_JIT=1 \
USE_ZLIB=1 \
\
EXTRA_OBJS=" \
# see https://github.com/docker-library/haproxy/issues/94#issuecomment-505673353 for more details about prometheus support
contrib/prometheus-exporter/service-prometheus.o \
" \
' \
&& nproc="$(getconf _NPROCESSORS_ONLN)" \
&& eval "make -C /usr/src/haproxy -j '$nproc' all $makeOpts" \
&& eval "make -C /usr/src/haproxy install-bin $makeOpts" \
\
&& mkdir -p /usr/local/etc/haproxy \
&& cp -R /usr/src/haproxy/examples/errorfiles /usr/local/etc/haproxy/errors \
&& rm -rf /usr/src/haproxy \
\
&& runDeps="$( \
scanelf --needed --nobanner --format '%n#p' --recursive /usr/local \
| tr ',' '\n' \
| sort -u \
| awk 'system("[ -e /usr/local/lib/" $1 " ]") == 0 { next } { print "so:" $1 }' \
)" \
&& apk add --no-network --virtual .haproxy-rundeps $runDeps \
&& apk del --no-network .build-deps
# https://www.haproxy.org/download/1.8/doc/management.txt
# "4. Stopping and restarting HAProxy"
# "when the SIGTERM signal is sent to the haproxy process, it immediately quits and all established connections are closed"
# "graceful stop is triggered when the SIGUSR1 signal is sent to the haproxy process"
STOPSIGNAL SIGUSR1
ENV LDAPTLS_REQCERT=never
COPY docker-entrypoint.sh /
ENTRYPOINT ["/docker-entrypoint.sh"]
CMD ["haproxy", "-f", "/usr/local/etc/haproxy/haproxy.cfg"]
(我没有使用最新的 openssl 版本,因为它没有在容器中编译)
我仍然无法让 haproxy 连接到 ldap 服务器。我可以从容器内部验证与旧 LDAP 服务器的 openssl 连接:
openssl s_client -cipher "ALL:NULL:RC4-MD5:@SECLEVEL=0" -connect 172.16.17.77:636 -ssl3 -CAfile ...
haproxy 对连接的实际问题不太关心(我得到不日志输出)。
但是...如果我更改 haproxy 配置以使用与 LDAP 服务器的未加密连接,它就会立即起作用。
有人可以提示我这可能是什么吗或者我该如何进一步调试它?