我们希望在 kubernetes 上使用 haproxy ingress 1.7 来监听 55560 端口的 https 连接。
您能在这方面提供协助吗?
这是我的 haproxy.cfg 文件。尝试访问时,出现 curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL 连接错误。
443 端口上的 HTTPS 工作正常。
问候,Kalyan
# _version=5
# HAProxy Technologies
# https://www.haproxy.com/
# this file is not meant to be changed directly
# it is under haproxy ingress controller management
# Process-wide settings: runtime API socket, TLS defaults for `bind ... ssl`
# lines, logging target and server-state persistence.
global
# Name of this instance in the peers protocol; matches `peer local` in the
# `peers localinstance` section.
localpeer local
master-worker
pidfile /var/run/haproxy.pid
# Runtime API on a UNIX socket. `level admin` allows every runtime command
# (changing server state, addresses, maps), so anything that can open this
# socket controls the proxy. `expose-fd listeners` lets a new process fetch the
# listening sockets over it during reloads.
# NOTE(review): no mode/user/group is set on the socket here; confirm that the
# container's filesystem permissions keep other processes away from it.
stats socket /var/run/haproxy-runtime-api.sock expose-fd listeners level admin
stats timeout 1m
tune.ssl.default-dh-param 2048
# Defaults for TLS-terminating binds: SSLv3 and TLS 1.0 are disabled and
# stateless session tickets are off. TLS 1.1 is not disabled by this line.
# NOTE(review): none of the bind lines in this file, as shown, carries the
# `ssl` keyword, so these two ssl-default-* settings do not affect any listener
# shown here.
ssl-default-bind-options no-sslv3 no-tls-tickets no-tlsv10
# Cipher list for TLS <= 1.2. Besides the AEAD (GCM) suites it still admits
# DHE-DSS suites and CBC suites with a SHA-1 MAC (the "*-SHA" entries); the
# trailing "!..." terms exclude anonymous, NULL, EXPORT, DES, RC4, 3DES, MD5 and
# PSK suites.
ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
# Logs go to the container's stdout in raw format, facility "daemon".
log stdout format raw daemon
# Server state is saved to /var/state/haproxy/global and reloaded through
# `load-server-state-from-file global` in the defaults section.
server-state-file global
server-state-base /var/state/haproxy/
# Settings inherited by every frontend and backend below unless a section
# overrides them: logging, HTTP options and timeouts.
defaults
log global
# HTTP-oriented log line; the final field logs txn.base (Host + path), which the
# http/https frontends set. The TCP frontends override this format or use
# `option tcplog`.
log-format '%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs "%HM %[var(txn.base)] %HV"'
# Allow a retry on another server when the chosen one cannot be reached.
option redispatch
# Connections on which no data was exchanged are not logged. This also hides
# port scans and probes that connect and then close without sending anything;
# keep that in mind when looking in the logs for failed attempts.
option dontlognull
option http-keep-alive
# A client has 5s to send a complete request header, which bounds slow-header
# connections.
timeout http-request 5s
timeout connect 5s
timeout client 50s
timeout queue 5s
timeout server 50s
timeout tunnel 1h
timeout http-keep-alive 1m
load-server-state-from-file global
# Peers section with a single member, this instance itself (`localpeer local`
# in the global section). The listener is bound to loopback only.
peers localinstance
peer local 127.0.0.1:10000
# Health endpoint on port 1042 (IPv4 and IPv6). HAProxy answers /healthz itself
# through `monitor-uri`; no backend is involved.
frontend healthz
mode http
bind 0.0.0.0:1042 name v4
bind :::1042 name v6 v4v6
monitor-uri /healthz
# Successful probes are not logged.
option dontlog-normal
# Plain-HTTP entry point on port 80. Routes by Host header and path through map
# files maintained by the ingress controller.
frontend http
mode http
bind 0.0.0.0:80 name v4
bind :::80 name v6
# A PROXY protocol header is expected only from source addresses listed in the
# map file. The header lets the sender state an arbitrary client address, so
# that file should contain trusted load-balancer addresses only.
tcp-request connection expect-proxy layer4 if { src -f /etc/haproxy/maps/proxy-protocol-827c05ecc804eacf23a63899ca0ffcf6.map }
http-request set-var(txn.base) base
http-request set-var(txn.path) path
# Host is taken from the client-supplied Host header, with the port stripped
# and the name lower-cased.
http-request set-var(txn.host) req.hdr(Host),field(1,:),lower
# Exact host lookup first; if nothing was found, retry with the first DNS label
# removed (wildcard-style entry).
http-request set-var(txn.host_match) var(txn.host),map(/etc/haproxy/maps/host.map)
http-request set-var(txn.host_match) var(txn.host),regsub(^[^.]*,,),map(/etc/haproxy/maps/host.map,'') if !{ var(txn.host_match) -m found }
# Path lookup on host_match + path: exact map first, then longest-prefix map.
http-request set-var(txn.path_match) var(txn.host_match),concat(,txn.path,),map(/etc/haproxy/maps/path-exact.map)
http-request set-var(txn.path_match) var(txn.host_match),concat(,txn.path,),map_beg(/etc/haproxy/maps/path-prefix.map) if !{ var(txn.path_match) -m found }
# The backend name is the part of the map value before the first '.'.
use_backend %[var(txn.path_match),field(1,.)]
default_backend default-default-ingress-default-backend-port-1
# Internal HTTP-mode listener on loopback port 443. It is fed by `backend ssl`,
# which sends PROXY v2 to 127.0.0.1:443; external clients connect to
# `frontend ssl` instead.
# NOTE(review): the bind lines below carry no `ssl`/`crt` keywords as shown, so
# this frontend would parse the incoming bytes as plain HTTP rather than
# terminate TLS. Confirm whether that part was trimmed from the paste.
frontend https
mode http
# `accept-proxy` makes a PROXY protocol header mandatory on every connection;
# binding to loopback keeps outside clients from supplying one.
bind 127.0.0.1:443 name v4 accept-proxy
bind ::1:443 name v6 v4v6 accept-proxy
http-request set-var(txn.base) base
http-request set-var(txn.path) path
# Same Host/path routing as `frontend http`: client-supplied Host header, exact
# host map, wildcard fallback, then exact and prefix path maps.
http-request set-var(txn.host) req.hdr(Host),field(1,:),lower
http-request set-var(txn.host_match) var(txn.host),map(/etc/haproxy/maps/host.map)
http-request set-var(txn.host_match) var(txn.host),regsub(^[^.]*,,),map(/etc/haproxy/maps/host.map,'') if !{ var(txn.host_match) -m found }
http-request set-var(txn.path_match) var(txn.host_match),concat(,txn.path,),map(/etc/haproxy/maps/path-exact.map)
http-request set-var(txn.path_match) var(txn.host_match),concat(,txn.path,),map_beg(/etc/haproxy/maps/path-prefix.map) if !{ var(txn.path_match) -m found }
# set-header replaces any X-Forwarded-Proto value sent by the client.
http-request set-header X-Forwarded-Proto https
use_backend %[var(txn.path_match),field(1,.)]
default_backend default-default-ingress-default-backend-port-1
# Public listener on port 443 in TCP mode. It does not decrypt anything: it
# reads the TLS ClientHello, picks a backend from the SNI value, and otherwise
# hands the connection to `backend ssl`.
frontend ssl
mode tcp
bind 0.0.0.0:443 name v4
bind :::443 name v6 v4v6
log-format '%ci:%cp [%t] %ft %b/%s %Tw/%Tc/%Tt %B %ts %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs haproxy.MAP_SNI: %[var(sess.sni)]'
# Connections whose first record is not a TLS ClientHello are rejected.
tcp-request content reject if !{ req_ssl_hello_type 1 }
# No unit suffix: HAProxy reads bare time values as milliseconds, so a client
# may hold a connection for up to 50s before sending its ClientHello.
# NOTE(review): confirm that 50000 is intended and not 5000.
tcp-request inspect-delay 50000
# PROXY protocol header expected only from sources listed in the map file; keep
# that list limited to trusted load balancers.
tcp-request connection expect-proxy layer4 if { src -f /etc/haproxy/maps/proxy-protocol-827c05ecc804eacf23a63899ca0ffcf6.map }
# SNI is sent in clear by the client and is not authenticated at this layer.
tcp-request content set-var(sess.sni) req_ssl_sni
tcp-request content set-var(txn.sni_match) req_ssl_sni,map(/etc/haproxy/maps/sni.map)
# NOTE(review): unlike the host lookups in the http/https frontends, this
# wildcard lookup has no `if !{ ... -m found }` guard; verify which entry wins
# when both an exact and a wildcard SNI entry exist.
tcp-request content set-var(txn.sni_match) req_ssl_sni,regsub(^[^.]*,,),map(/etc/haproxy/maps/sni.map)
use_backend %[var(txn.sni_match),field(1,.)]
default_backend ssl
# Statistics page and Prometheus metrics on port 1024, bound on all IPv4 and
# IPv6 addresses.
# The page lists frontends, backends, server addresses and their state. No
# `stats auth` and no ACL appear in this section, so it is readable by anything
# that can reach the port. `stats admin` is not enabled, so it is read-only.
# NOTE(review): confirm the port is not published through a Service and is
# limited by network policy to the monitoring system.
frontend stats
mode http
bind *:1024
bind :::1024 name v6
stats enable
stats uri /
stats refresh 10s
http-request set-var(txn.base) base
# /metrics is served by the built-in Prometheus exporter.
http-request use-service prometheus-exporter if { path /metrics }
# Raw TCP listener on port 55560. The bind lines carry no `ssl`/`crt` keywords,
# so HAProxy does not terminate TLS here: the client's TLS handshake is relayed
# byte for byte to the server in `backend default-rapid-po-service-55560`, which
# must speak TLS itself and present the certificate.
# Unlike `frontend ssl`, this frontend has no ClientHello check, no SNI routing
# and no `expect-proxy` rule.
# NOTE(review): a handshake that ends with SSL_ERROR_SYSCALL means the
# connection was closed or reset before TLS completed. Things to check from
# this config: whether the backend server actually serves TLS on 55560 and is
# reachable, and whether an upstream load balancer sends a PROXY protocol
# header to this port (nothing here consumes it, so it would reach the backend
# as payload).
frontend tcp-55560
mode tcp
bind 0.0.0.0:55560 name v4
bind :::55560 name v6 v4v6
# TCP-level log format; remember that `option dontlognull` from defaults
# suppresses entries for connections that carried no data.
option tcplog
default_backend default-rapid-po-service-55560
# HTTP backend with one server. It is presumably selected through the map
# lookups in the http/https frontends; no frontend names it directly.
backend default-ic-http-service-80
mode http
balance roundrobin
# Appends an X-Forwarded-For header with the client address. A value already
# sent by the client is not removed by this option, so the application should
# not trust the first entry.
option forwardfor
# Address resolution at startup: last known state, then libc resolution, then
# start without an address instead of failing.
default-server init-addr last,libc,none
# `check` without further options is a TCP connect check. The host name was
# masked by the poster.
server SRV_1 xxxxxxxxxxx.com:80 check weight 128
# Default backend of the http and https frontends, used when no host/path map
# entry selects another backend.
backend default-default-ingress-default-backend-port-1
mode http
balance roundrobin
# Appends X-Forwarded-For with the client address; client-supplied values are
# left in place.
option forwardfor
server SRV_1 10.119.58.166:8080 check weight 128
# Spare server slot, administratively disabled.
server SRV_2 127.0.0.1:8080 disabled check weight 128
# TCP backend behind `frontend tcp-55560`. The server line has no `ssl`
# keyword, so HAProxy neither encrypts nor verifies anything towards the
# server; whatever the client sends, including its TLS handshake, is relayed
# unchanged.
backend default-rapid-po-service-55560
mode tcp
balance roundrobin
default-server init-addr last,libc,none
# `check` here is a plain TCP connect check: a server reported UP only proves
# the port accepts connections, not that it completes a TLS handshake. The host
# name was masked by the poster.
server SRV_1 xxxxxxx:55560 check weight 128
# TCP backend for port 44448.
# NOTE(review): no frontend in this file, as shown, binds port 44448 or names
# this backend, so it appears unreachable from the config as pasted; confirm
# against the controller's TCP services configuration.
backend default-rapid-service-44448
mode tcp
balance roundrobin
default-server init-addr last,libc,none
# TCP connect health check only; host name masked by the poster.
server SRV_1 xxxxxxxxxx:44448 check weight 128
# HTTP backend with one server. It is presumably selected through the map
# lookups in the http/https frontends; no frontend names it directly.
backend default-sample-http-service-80
mode http
balance roundrobin
# Appends X-Forwarded-For with the client address; client-supplied values are
# left in place.
option forwardfor
default-server init-addr last,libc,none
# TCP connect health check only; host name masked by the poster.
server SRV_1 xxxxxxxxxxxx:80 check weight 128
# TCP-mode backend for a service on port 443. Being in TCP mode with no `ssl`
# on the server line, it relays the client's TLS session to the server
# unchanged (passthrough).
# NOTE(review): presumably selected by the SNI map in `frontend ssl`; the map
# contents are not shown.
backend default-sample-https-service-443
mode tcp
balance roundrobin
default-server init-addr last,libc,none
# TCP connect health check only; host name masked by the poster.
server SRV_1 xxxxxxxxxxxx:443 check weight 128
# Default target of `frontend ssl`: connections whose SNI selects no other
# backend are looped back to the local `frontend https` listener on
# 127.0.0.1:443.
backend ssl
mode tcp
# PROXY protocol v2 carries the original client address to the `accept-proxy`
# binds of `frontend https`.
server https 127.0.0.1:443 send-proxy-v2