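We are currently using HAproxy to redirect traffic incoming to our domain example.domain to our containers, which are only accessible via the local interface (e.g. 127.0.0.1:12000:8080).
To achieve this, our current configuration looks like this: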
defaults
    mode http
    timeout connect 5000
    timeout check 5000
    timeout client 20000
    timeout server 20000

frontend domain
    bind *:80
    bind *:443 ssl crt /etc/haproxy/certs/domain.cert
    bind *:11000-11199 ssl crt /etc/haproxy/certs/domain.cert
    http-request redirect scheme https unless { ssl_fc } # ssl_fc returns true if the request is already using SSL
    http-request set-header X-Forwarded-Port %[dst_port]
    http-request add-header X-Forwarded-Proto https if { ssl_fc }
    # Ports 11000-11099 are reserved for secure traffic
    acl secure_0_host dst_port 11000
    acl secure_1_host dst_port 11001
    # Ports 11100-11199 are reserved for insecure traffic
    acl insecure_0_host dst_port 11100
    acl insecure_1_host dst_port 11101
    # Secure Backends
    use_backend secure_0 if secure_0_host
    use_backend secure_1 if secure_1_host
    # Insecure Backends
    use_backend insecure_0 if insecure_0_host
    use_backend insecure_1 if insecure_1_host
    # Fallback Backend
    default_backend fallback_backend

backend fallback_backend
    http-request redirect location https://example.domain code 302

# Secure Backends
backend secure_0
    server secure_0 127.0.0.1:12000 ssl verify none
backend secure_1
    server secure_1 127.0.0.1:12001 ssl verify none

# Insecure Backends
backend insecure_0
    server insecure_0 127.0.0.1:12100
backend insecure_1
    server insecure_1 127.0.0.1:12101
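This setup does work, but adding every port mapping by hand is really tedious, and it also bugs me a bit that I have to use different ports for the docker containers (12000-12099) than the ones HAproxy listens on.
Is it possible to just tell the config that a given port range (11000-11099) should be passed to 127.0.0.1:11000-11099?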
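Answer 1
You could try this: https://www.haproxy.com/documentation/hapee/latest/configuration/binds/syntax/ It is slightly different from using ACLs with port ranges... or just set up a different frontend for each port range, as the documentation shows.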
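
Added example, not part of the original question or answer: one frontend per port range, each with a single backend that relies on HAProxy's relative server port (`+N`, the client's destination port plus N) instead of one ACL and backend per port. The frontend and backend names are hypothetical; the certificate path, port ranges and the +1000 offset are taken from the question's configuration.

```haproxy
defaults
    mode http
    timeout connect 5000
    timeout client 20000
    timeout server 20000

# Ports 11000-11099: containers that speak TLS themselves
frontend secure_range                      # hypothetical name
    bind *:11000-11099 ssl crt /etc/haproxy/certs/domain.cert
    http-request set-header X-Forwarded-Port %[dst_port]
    # set-header (not add-header) overwrites any value the client sent
    http-request set-header X-Forwarded-Proto https
    default_backend secure_containers

# Ports 11100-11199: containers that speak plain HTTP on loopback
frontend insecure_range                    # hypothetical name
    bind *:11100-11199 ssl crt /etc/haproxy/certs/domain.cert
    http-request set-header X-Forwarded-Port %[dst_port]
    http-request set-header X-Forwarded-Proto https
    default_backend insecure_containers

backend secure_containers
    # No fixed port: "+1000" means server port = client's destination port + 1000,
    # so 11000 -> 127.0.0.1:12000, 11001 -> 127.0.0.1:12001, and so on.
    # "ssl verify none" is kept from the question; it skips certificate checks.
    server containers 127.0.0.1:+1000 ssl verify none

backend insecure_containers
    # 11100 -> 127.0.0.1:12100, 11101 -> 127.0.0.1:12101, ...
    server containers 127.0.0.1:+1000
```

Every port in a bound range is forwarded, so a port with no container behind it returns a 503 from HAProxy rather than the question's fallback redirect. Writing the server address with no port at all reuses the client's port unchanged, which only works if HAProxy itself is not bound to that port on 127.0.0.1.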