HAProxy forward proxy with SSL termination

Question:

I am trying to build a forward proxy with SSL termination that forwards further upstream to my proxy server, e.g. TOR. My upstream proxy service is non-https.

Client -> Network-HAProxy -> Upstream proxy -> Internet

I can easily make this work in HAProxy `tcp` mode without terminating SSL, but when I terminate SSL and forward, things do not work.

Steps followed:

I generated a self-signed SSL certificate with the following command.

$ openssl req -new -newkey rsa:2048 -sha256 -days 365 -nodes -x509 -extensions v3_ca -keyout haproxy-ca-key.pem -out haproxy-ca-cert.pem -subj "/C=GB/ST=London/L=London/O=Global Security/OU=IT Department/CN=example.com"

Combine them to create the final .pem file:

$ cat haproxy-ca-cert.pem haproxy-ca-key.pem >> mysite.pem

The above file is used in my haproxy.cfg for SSL termination.

global
    log /dev/log    local0
    log /dev/log    local1 notice
    chroot /var/lib/haproxy
    stats socket /run/haproxy/admin.sock mode 660 level admin
    stats timeout 30s
    user haproxy
    group haproxy
    daemon

    # Default SSL material locations
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private

    # Default ciphers to use on SSL-enabled listening sockets.
    # For more information, see ciphers(1SSL). This list is from:
    #  https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
    ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256::RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
    ssl-default-bind-options no-sslv3

defaults
    log global
    mode    http
    option  httplog
    option  dontlognull
    timeout connect 5000
    timeout client  50000
    timeout server  50000
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http

    stats enable
    stats uri /stats
    stats realm Haproxy\ Statistics
    stats auth user:password


frontend www.mysite.com
    mode http
    bind 0.0.0.0:8443
    bind 0.0.0.0:443 ssl crt /home/ubuntu/haproxy/mysite.pem crt-ignore-err all
    redirect scheme https if !{ ssl_fc }
    default_backend web_servers

backend web_servers
    mode http
    balance roundrobin
    server server1 xx.xx.xx.xx:xxxx #my upstream server which is not ssl protected

When I try to curl from a client machine using the above proxy, I get the following error.

$ curl -k --proxy https://my-haproxy-server:443 --cacert haproxy-ca-cert.pem  https://httpbin.org/ip -vvv
*   Trying my-haproxy-server...
* TCP_NODELAY set
* Connected to my-haproxy-server (my-haproxy-server) port 443 (#0)
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS Unknown, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Unknown (8):
* TLSv1.3 (IN), TLS Unknown, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (OUT), TLS alert, Server hello (2):
* SSL certificate problem: self signed certificate
* Closing connection 0
curl: (60) SSL certificate problem: self signed certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

If you read the cfg file, you will see that I have redirected :8443 to :443, so I can send requests to the non-https proxy, but that does not work either.

$ curl -k --proxy http://my-haproxy-server:8443 --cacert haproxy-ca-cert.pem  https://httpbin.org/ip -vvv
*   Trying my-haproxy-server...
* TCP_NODELAY set
* Connected to my-haproxy-server (my-haproxy-server) port 8443 (#0)
* allocate connect buffer!
* Establish HTTP proxy tunnel to httpbin.org:443
> CONNECT httpbin.org:443 HTTP/1.1
> Host: httpbin.org:443
> User-Agent: curl/7.58.0
> Proxy-Connection: Keep-Alive
> 
< HTTP/1.1 302 Found
< content-length: 0
< location: https://httpbin.org:443/
< cache-control: no-cache
< connection: close
< 
* Received HTTP code 302 from proxy after CONNECT
* CONNECT phase completed!
* Closing connection 0
curl: (56) Received HTTP code 302 from proxy after CONNECT

Any pointers would be greatly appreciated.

Additional info:

  • HAPROXY: HA-Proxy version 2.0.13-1ppa1~bionic 2020/02/15 - https://haproxy.org/
  • OPENSSL: OpenSSL 1.1.1  11 Sep 2018
  • CURL: curl 7.58.0 (x86_64-pc-linux-gnu) libcurl/7.58.0 OpenSSL/1.1.1 zlib/1.2.11 libidn2/2.0.4 libpsl/0.19.1 (+libidn2/2.0.4) nghttp2/1.30.0 librtmp/2.3
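An added diagnostic, not code from the question or from HAProxy: it sends the same CONNECT request that curl sends in the second log above to a proxy address you choose and classifies the first response line. A 200 means the tunnel was established; a 3xx with a Location header means the proxy handled CONNECT as an ordinary HTTP request and redirected it, which is exactly what an unconditional `redirect scheme https if !{ ssl_fc }` rule does on a plain-HTTP bind, since `ssl_fc` is false there and the Location is built from the Host header (compare `location: https://httpbin.org:443/` in the log). Two throw-away local listeners (constructed here, one replying with the 302 from the log and one with 200) let the probe run offline; the hostnames and ports are placeholders.

```python
"""Probe how an HTTP forward proxy answers a CONNECT request.

Added example, not part of the original question. The fake proxies and the
responses they return are constructed to mirror the curl log in the post.
"""
import socket
import threading

# Constructed responses: the first copies the 302 seen in the log, the
# second is what a working forward proxy answers to CONNECT.
REDIRECT_RESPONSE = (
    b"HTTP/1.1 302 Found\r\n"
    b"content-length: 0\r\n"
    b"location: https://httpbin.org:443/\r\n"
    b"cache-control: no-cache\r\n"
    b"connection: close\r\n\r\n"
)
OK_RESPONSE = b"HTTP/1.1 200 Connection established\r\n\r\n"


def parse_connect_response(raw):
    """Classify the proxy's reply to CONNECT from its raw bytes."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1", "replace")
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[1].isdigit():
        return {"status": None, "verdict": "malformed", "headers": {}}
    status = int(parts[1])
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    if status == 200:
        verdict = "tunnel-established"      # proxy opened the tunnel
    elif 300 <= status < 400:
        verdict = "redirected"              # CONNECT hit a redirect rule
    elif status == 407:
        verdict = "auth-required"           # proxy wants credentials first
    else:
        verdict = "refused"
    return {"status": status, "verdict": verdict, "headers": headers}


def send_connect(proxy_host, proxy_port, target_host, target_port, timeout=5.0):
    """Send the same CONNECT curl sends and return the parsed reply."""
    request = (
        f"CONNECT {target_host}:{target_port} HTTP/1.1\r\n"
        f"Host: {target_host}:{target_port}\r\n"
        "Proxy-Connection: Keep-Alive\r\n\r\n"
    ).encode()
    with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as s:
        s.sendall(request)
        data = b""
        while b"\r\n\r\n" not in data:        # read until end of headers
            chunk = s.recv(4096)
            if not chunk:
                break
            data += chunk
    return parse_connect_response(data)


def start_fake_proxy(response):
    """Start a one-shot local listener that answers any request with `response`.

    Returns the port it listens on (bound to 127.0.0.1, port chosen by the OS).
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.recv(4096)          # consume the CONNECT request
            conn.sendall(response)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def probe_fake_proxies():
    """Run the probe against both constructed proxies; returns the two verdicts."""
    verdicts = []
    for response in (REDIRECT_RESPONSE, OK_RESPONSE):
        port = start_fake_proxy(response)
        result = send_connect("127.0.0.1", port, "httpbin.org", 443)
        verdicts.append(result["verdict"])
    return tuple(verdicts)


if __name__ == "__main__":
    # Against a real proxy: send_connect("my-haproxy-server", 8443, "httpbin.org", 443)
    print(probe_fake_proxies())
```

To use it against a real listener, call `send_connect` with the proxy's host and plain-HTTP port; a `redirected` verdict with a `location` header pointing at the CONNECT target is the signature of a redirect rule firing on CONNECT rather than of an upstream problem.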
