
HAproxy 綜合配置http https ws wss

Haproxy 配置http https ws wss

    • 1 證書生成
    • 2 haproxy.cnf

大家好!最近因公司業務需求,使用HAproxy充當網關功能,並支援https協定及wss協定(後端服務不再需要做證書處理)。網上找了一些資料,可惜很難找到一個全面的haproxy.cnf模板。經過1天的沉澱,最終將http、https、ws、wss整合到同一個配置檔案中,同時對外提供服務。現跟大家分享。

1 證書生成

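# Prerequisite: confirm this haproxy binary was built with OpenSSL support;
# if "OpenSSL" is absent from the -vv output, rebuild it with USE_OPENSSL=1.
haproxy -vv
# TARGET=linux26 is the build target name of older HAProxy releases; newer releases use a different one.
make TARGET=linux26 USE_OPENSSL=1 ADDLIB=-lz
ldd haproxy | grep ssl

#1 Generate the .key, .csr and .crt files
# The original showed only the signing step and assumed the key and CSR already existed.
sudo mkdir -p /etc/ssl/xip.io
# Private key (2048-bit RSA, left unencrypted so HAProxy can load it unattended) and CSR.
sudo openssl req -new -newkey rsa:2048 -nodes -keyout /etc/ssl/xip.io/xip.io.key -out /etc/ssl/xip.io/xip.io.csr
# The key must not be readable by other local users.
sudo chmod 600 /etc/ssl/xip.io/xip.io.key
# Self-sign the CSR for one year. A self-signed certificate is not trusted by clients
# by default; use a CA-issued certificate for real traffic.
sudo openssl x509 -req -days 365 -in /etc/ssl/xip.io/xip.io.csr -signkey /etc/ssl/xip.io/xip.io.key -out /etc/ssl/xip.io/xip.io.crt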

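#2 Build the servername.pem file HAProxy loads: certificate first, then the private key
#   (the content is xip.io.crt followed by xip.io.key; the original pasted both into vi).
# The file contains the private key, so create it with owner-only permissions instead of
# an editor, which under a default umask would leave it world-readable.
sudo sh -c 'umask 077; cat /etc/ssl/xip.io/xip.io.crt /etc/ssl/xip.io/xip.io.key > /etc/ssl/certs/servername.pem'
# HAProxy reads the file as root while parsing its configuration (before chroot and
# dropping to uid/gid), so root-only access is sufficient.
sudo chmod 600 /etc/ssl/certs/servername.pem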
-----BEGIN CERTIFICATE-----
MIIB+zCCAWQCCQCEkx8gEiAJ5DANBgkqhkiG9w0BAQsFADBCMQswCQYDVQQGEwJY
WDEVMBMGA1UEBwwMRGVmYXVsdCBDaXR5MRwwGgYDVQQKDBNEZWZhdWx0IENvbXBh
bnkgTHRkMB4XDTE5MTEyNTA5MjYzOVoXDTIwMTEyNDA5MjYzOVowQjELMAkGA1UE
BhMCWFgxFTATBgNVBAcMDERlZmF1bHQgQ2l0eTEcMBoGA1UECgwTRGVmYXVsdCBD
b21wYW55IEx0ZDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEArx1Vkq6+G/i1
AvWoEWSiepBt/OigypnFiq9XJkswrl30eP+6Tg+clHaIc3oR2Cf+zVvEa7t0dxLJ
Gi3i5DdM2sAdR0ATvnND2sy9Ktp+RUokg7Wql2LdVe0Qx1ZyBW3Tt8FSyvVIdRjG
CYb5P82ItQCU8ZC9zra4SASkj//b3AsCAwEAATANBgkqhkiG9w0BAQsFAAOBgQCj
PJe01Wsldx3idq4S8VkJ2aJwPVSof5VofOuFOzb9Y18nIguRzJJsQQeaUAf45LvF
a16AO0isRvor389U3rm6HI//4Wjzeoe0rG2890naQBK1kV7RWyywHvP+ijN2UMA0
ve6COpThkTUDR1As7YXmjOhONeT35hG70TXEHbKIBw==
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----
           

2 haproxy.cnf

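global
	log 127.0.0.1 local3
	maxconn 20480
	chroot /usr/local/haproxy
	# 1004 is the uid of the haproxy user; that user must be created by hand.
	# Certificates and the pidfile are opened while the configuration is parsed,
	# before chroot()/setuid(), so the absolute paths here and in the
	# "bind ... crt" lines are resolved outside the jail.
	uid 1004
	gid 1004
	daemon
	quiet
	nbproc 1
	pidfile /var/run/haproxy.pid
	# TLS policy applied to every "bind ... ssl" line in this file. Without these,
	# the accepted protocol versions and cipher list are whatever the linked
	# OpenSSL build defaults to, which may still include SSLv3 / TLS 1.0 / 1.1.
	ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11
	ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305
	# servername.pem carries no DH parameters; older releases otherwise fall back
	# to a 1024-bit group for DHE suites and log a warning about it.
	tune.ssl.default-dh-param 2048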

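defaults
	log global
	mode http
	maxconn 20480
	option httplog
	option httpclose
	option http-pretend-keepalive
	option forwardfor
	option dontlognull
	option redispatch
	retries 3
	balance roundrobin
	# 	balance url_param userid
	# "stats uri /haproxy-stats" used to sit here. In "defaults" it enabled the
	# statistics page (backend addresses, health, session counts) on every HTTP
	# listener in this file, reachable by any client with no authentication.
	# It now lives in the dedicated loopback-only section below.
	# Same values as the original contimeout/clitimeout/srvtimeout, which are
	# deprecated aliases that recent HAProxy releases reject.
	timeout connect 5000
	timeout client 50000
	timeout server 50000

# Statistics page, reachable only from the machine itself (e.g. through an SSH tunnel).
listen stats
	# 8404 is a constructed example port; any free local port works.
	bind 127.0.0.1:8404
	mode http
	stats uri /haproxy-stats
	stats refresh 10s
	stats hide-version
	# Placeholder credentials: replace before use.
	stats auth STATS_USER:CHANGE_ME_STATS_PASSWORD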
	
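listen http_queue
	bind *:10535
	mode http
	# Marker header for the backends; set-header overwrites any value the client sent.
	http-request set-header http_req yes
	# Plain-HTTP listener: pin X-Forwarded-Proto so a client cannot claim "https"
	# (the TLS frontends in this file set it to https for the same backend servers).
	http-request set-header X-Forwarded-Proto http
	balance roundrobin
	option httplog
	option dontlognull
	option logasap
	option forwardfor
	option httpclose
	option http-pretend-keepalive
	# "cookie 1" only matters together with a "cookie <name> insert" directive in
	# this section; none is set, so persistence is inactive and both servers
	# sharing the value "1" is harmless.
	server http_queue1 192.168.15.56:10535 cookie 1 check inter 2000 rise 3 fall 3
	server http_queue2 192.168.10.139:10535 cookie 1 check inter 2000 rise 3 fall 3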

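frontend https_queueservice
	# TLS terminates here; the backend is reached in plain text.
	bind *:20535 ssl crt /etc/ssl/certs/servername.pem
	mode http
	# The original listed httpclose, forceclose and http-server-close together.
	# These connection modes are mutually exclusive and HAProxy keeps the last
	# one given (httpclose), so only that one is kept; forceclose was removed
	# in HAProxy 2.1.
	option httpclose
	option forwardfor except 127.0.0.1
	# set-header replaces any X-Forwarded-Proto the client sent. The original
	# "reqadd" appended a second value instead and was removed in HAProxy 2.1.
	http-request set-header X-Forwarded-Proto https
	default_backend https_queueservice
	#option http-pretend-keepalive
	# Health-check variants left by the author; with none active the servers
	# only get a TCP connect check.
	#option httpchk GET /TLS/healthcheck HTTP/1.1\r\nHost:\
	#http-check expect status 200
	#option httpchk GET /index.html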

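backend https_queueservice
	mode http
	balance roundrobin
	# httpclose, forceclose and http-server-close were all listed; they are
	# mutually exclusive and the last one (http-server-close) is the one that
	# took effect, so only it is kept.
	option http-server-close
	option forwardfor except 127.0.0.1
	# Persistence cookie. This backend is only reached through the TLS frontend,
	# so mark it HttpOnly (not readable from page scripts) and Secure (never sent
	# by the browser over plain HTTP).
	cookie SERVERID insert indirect nocache httponly secure
	server queueservice_1 192.168.15.56:10535 cookie 1 check inter 2000 rise 3 fall 3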

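listen http_smagent
	bind *:11802
	mode http
	# Plain-HTTP listener: pin X-Forwarded-Proto so a client cannot claim "https"
	# (the TLS frontend for this service sets it to https for the same server).
	http-request set-header X-Forwarded-Proto http
	balance roundrobin
	option httplog
	option dontlognull
	option logasap
	option forwardfor
	option httpclose
	option http-pretend-keepalive
	# "cookie 1" only matters together with a "cookie <name> insert" directive
	# in this section; none is set, so persistence is inactive.
	server http_smagent1 192.168.8.151:11802 cookie 1 check inter 2000 rise 3 fall 3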

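frontend https_smagent
	# TLS terminates here; the backend is reached in plain text.
	bind *:21802 ssl crt /etc/ssl/certs/servername.pem
	mode http
	# httpclose, forceclose and http-server-close are mutually exclusive; the
	# original listed all three and HAProxy kept the last (httpclose), so only
	# that one is kept. forceclose was removed in HAProxy 2.1.
	option httpclose
	option forwardfor except 127.0.0.1
	# set-header replaces any X-Forwarded-Proto the client sent; the original
	# "reqadd" appended a second value and was removed in HAProxy 2.1.
	http-request set-header X-Forwarded-Proto https
	default_backend https_smagent
	#option http-pretend-keepalive
	# Health-check variants left by the author; with none active the server
	# only gets a TCP connect check.
	#option httpchk GET /TLS/healthcheck HTTP/1.1\r\nHost:\
	#http-check expect status 200
	#option httpchk GET /index.html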

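backend https_smagent
	mode http
	balance roundrobin
	# httpclose, forceclose and http-server-close were all listed; they are
	# mutually exclusive and the last one (http-server-close) took effect.
	option http-server-close
	option forwardfor except 127.0.0.1
	# Persistence cookie. Only the TLS frontend reaches this backend, so the
	# cookie is marked HttpOnly and Secure.
	cookie SERVERID insert indirect nocache httponly secure
	# Server name was "queueservice_1", copied from the other backend; the new
	# name only changes how the server appears in logs and statistics.
	server smagent_1 192.168.8.151:11802 cookie 1 check inter 2000 rise 3 fall 3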

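listen socket-signa-ws
	# Plain (non-TLS) WebSocket path, forwarded at the TCP level.
	mode tcp
	bind *:10538
	balance roundrobin
	#timeout queue 5000
	# WebSocket sessions sit idle for long periods; 86400000 ms = 24 h.
	# The original set only the server and connect timeouts, so the client side
	# still inherited the 50 s client timeout from "defaults" and idle sockets
	# were closed from that side. The client timeout now matches the server one.
	timeout client 86400000
	timeout server 86400000
	# A 24 h connect timeout is far longer than a TCP connect needs; kept as the
	# author wrote it, but the 5 s value from "defaults" would be adequate.
	timeout connect 86400000
	server server1 192.168.15.57:10538 check
	server server2 192.168.10.139:10538 check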

frontend socket-signa-wss
	# TLS entry point for WebSocket clients (wss://). TLS terminates here and the
	# backend is reached in plain text, so the backend servers need no certificate.
	bind *:20538 ssl crt /etc/ssl/certs/servername.pem
	mode http
	# Per-frontend limit; the process-wide "maxconn 20480" in "global" still caps
	# the total, so this value cannot actually be reached.
	maxconn 60000
	# Route to the WebSocket backend when the Host header starts with "ws." ...
	acl host_ws hdr_beg(Host) -i ws.
	use_backend socket-signa-wss if host_ws
	# ... or when the request carries a WebSocket upgrade handshake.
	acl hdr_connection_upgrade hdr(Connection)	-i upgrade
	acl hdr_upgrade_websocket	hdr(Upgrade)	-i websocket
	use_backend socket-signa-wss if hdr_connection_upgrade hdr_upgrade_websocket
	# No default_backend is set, so any other request is answered with a 503 by HAProxy.
	#default_backend bk_web
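backend socket-signa-wss
	balance roundrobin
	# After the WebSocket upgrade the connection becomes a tunnel and "timeout
	# tunnel" governs idle time on both sides. It was not set, so HAProxy fell
	# back to the 50 s client/server timeouts from "defaults" and idle sockets
	# were closed. 86400000 ms = 24 h, matching the plain-ws listener.
	timeout tunnel 86400000
	# "cookie websrv1/websrv2" only take effect with a "cookie <name> insert"
	# directive in this backend, which is not set, so no persistence is active.
	server websrv1 192.168.15.57:10538 maxconn 30000 weight 10 cookie websrv1 check
	server websrv2 192.168.10.139:10538 maxconn 30000 weight 10 cookie websrv2 check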
           
