HAProxy configuration: serving HTTPS for some domain names and HTTP for others

Posted by cigardude on Thu, 13 Feb 2020 17:28:35 +0100

Requirements:

1. HAProxy must be version 1.5 or later to support SSL certificates
2. To use the SSL module, OpenSSL must be installed and its version must meet HAProxy's requirements

OpenSSL installation

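# Build a private OpenSSL under /usr/local/openssl with TLS extensions enabled so that
# HAProxy can use SNI; the system openssl is left untouched.
# NOTE(review): the 0.9.8 series is end-of-life and negotiates at most TLS 1.0; for any
# new deployment prefer a current OpenSSL from the distribution (e.g. via yum).
tar zxf openssl-0.9.8zh.tar.gz
# Stop if the extraction failed, instead of running ./config in the wrong directory.
cd openssl-0.9.8zh || exit 1
./config enable-tlsext --prefix=/usr/local/openssl no-shared
make && make install_sw
# The above installation does not affect the system openssl version; it mainly turns on
# OpenSSL's TLS SNI support.
# You can also install openssl through yum.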

Installing and configuring HAProxy

You can install HAProxy with yum or download a binary package; installation instructions are easy to find on Baidu.

HAProxy configuration file

# Process-wide settings.
# NOTE(review): "debug" keeps HAProxy in the foreground and logs every request and
# response in full; together with the commented-out "daemon" this is a development
# setting, not a production one.
# NOTE(review): no ssl-default-bind-options / ssl-default-bind-ciphers are set, so the
# TLS versions and ciphers offered on the ssl binds are whatever the linked OpenSSL
# defaults to; pin them explicitly.
global
        log 127.0.0.1   local0
        log 127.0.0.1   local1 notice
        #log loghost    local0 info
        maxconn 20480
        # Drop root privileges after the ports are bound (99 is typically "nobody" on
        # RHEL-family systems).
        uid 99
        gid 99
        #daemon
        # Minimum DH parameter size for DHE ciphers; 2048 avoids the weak-DH warning on ssl binds.
        tune.ssl.default-dh-param 2048
        debug
        #quiet
        #pidfile /usr/local/haproxy/run/haproxy.pid
        #nbproc 2 
# Settings inherited by every listen/frontend/backend below unless overridden there.
defaults
        log     global
        mode    http
        option  httplog
        # Request that the connection be closed after each HTTP transaction.
        option  httpclose
        # Add X-Forwarded-For with the client address so backends see the real source.
        option  forwardfor
        option  dontlognull
        option  redispatch
        option  originalto
       #option  abortonclose
        balance roundrobin
       #balance leastconn
       #balance source

        stats refresh 30
        retries 3

        # Timeouts are in milliseconds: 5 s to connect, 40 min of client/server inactivity.
        # NOTE(review): 40-minute idle timeouts let a slow or idle client hold a connection
        # (and one of the maxconn slots) for a long time; tighten them unless the
        # applications really need it.
        timeout connect 5000
        timeout client 2400000
        timeout server 2400000
        timeout check 5000
# Statistics / admin page.
# NOTE(review): this listens on every interface (0.0.0.0:81), keeps a plaintext password
# in the config and enables "stats admin" unconditionally, so anyone who can reach port 81
# and knows the password can take servers out of rotation. Bind it to a management
# address, gate "stats admin" with a source ACL (e.g. the built-in LOCALHOST), and keep
# the credential out of version control.
listen admin_status
       bind 0.0.0.0:81
       mode http
       log 127.0.0.1 local3 err
       stats refresh 30s
       stats uri /haproxy-stats
       stats realm Welcome CJWL \CJWL
       stats auth admin:wangguan
       stats hide-version
       stats admin if TRUE

 # Custom error pages served by HAProxy itself. Because these lines follow the
 # "listen admin_status" keyword they apply to that proxy only; move them into the
 # defaults section to cover every frontend and backend.
 errorfile 403 /usr/local/haproxy/errorfiles/403.http
 errorfile 500 /usr/local/haproxy/errorfiles/500.http
 errorfile 502 /usr/local/haproxy/errorfiles/502.http
 errorfile 503 /usr/local/haproxy/errorfiles/503.http
 errorfile 504 /usr/local/haproxy/errorfiles/504.http
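  # Public entry point: plain HTTP on 80/7070/7777 and HTTPS on 443 with a single certificate.
  frontend http_80_in
       bind 0.0.0.0:80,0.0.0.0:7070,0.0.0.0:7777
      # Example of an additional ssl bind, kept for reference (not active).
      # bind 0.0.0.0:4443 ssl crt /usr/local/haproxy/etc/ssl/haproxy.pem
       bind 0.0.0.0:443  ssl crt /etc/haproxy/ssl/server.pem
      # Tell backends which scheme the client used. If enabled, use set-header (not
      # add-header) so a client-supplied X-Forwarded-Proto cannot pass through; the old
      # "reqadd" form is deprecated.
      #http-request set-header X-Forwarded-Proto https if { ssl_fc }

       # Host-based ACLs. hdr_dom() is a plain domain match; hdr_reg() is a regular
       # expression, so dots are escaped there (an unescaped "." would also match any
       # other character).
       acl testcoms_p    hdr_dom(host) -i testcoms.changjiu56.com
       # Hosts that must be served over HTTPS: plain-HTTP requests for them get a 301.
       acl ssl  hdr_reg(host) -i ^(kesungang\.changjiu56\.com)$
       redirect scheme https code 301 if !{ ssl_fc }  ssl
       acl kesungang_p  hdr_dom(host) -i kesungang.xxxx.com
       # Fixed: these two used regex anchors (^...$) with hdr_dom, which is not a regex
       # match, so they could never match a real Host header.
       acl cpstest_p     hdr_dom(host) -i cpstest.xxx.com
       acl recapicpstest_p     hdr_dom(host) -i rec.api.cpstest.xxxx.com
       # The addresses below are redacted in the post ("2xx", "xxx"); HAProxy will only
       # parse this line once real networks are filled in.
       acl g7_ip         src 121.2xx.0.0/16 117.50.xxx.0/24

       use_backend testcoms.xxxx.com       if testcoms_p
       use_backend kesungang.xxxx.com       if kesungang_p
       # NOTE(review): the ACLs and backends referenced below are not defined in the
       # configuration shown here; HAProxy refuses to start on an unknown ACL or backend,
       # so they must exist elsewhere in the full file or be removed.
       use_backend bmwpdatest.xxxx.com     if bmwpdatest_p
       use_backend bmwpda.xxxx.com         if bmwpda_p
       use_backend srm.xxxx.com            if srm_p
       use_backend coms.xxx.com           if coms_p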
#backend wmsims.xxxxx.com
#       mode http
#       balance source
#       option httpchk GET /test/test.html
#       server 10.0.3.111:80 10.0.3.111:80 maxconn 5000 check inter 2000 rise 2 fall 3
#       http-request set-header X-Forwarded-Port %[dst_port]
#       http-request add-header X-Forwarded-Proto https if { ssl_fc }
# Backend for kesungang.xxxx.com: one server, checked every 2 s (a TCP connect check,
# since no "option httpchk" is set); "balance source" keeps a client IP on the same server.
backend kesungang.xxxx.com
        balance source
        # Redundant here: the frontend already redirects this host to HTTPS.
        #redirect scheme https if !{ ssl_fc }
        # The first field is only the server's label (as shown on the stats page); the
        # second is its address.
        server 10.0.3.78:80 10.0.3.78:80 maxconn 1024 weight 3 check inter 2000 rise 2 fall 3

# Backend for testcoms.xxxx.com. No "server" line is shown in the post, so as written
# HAProxy has no server to forward to and answers 503 for this host; add the servers
# (and uncomment the httpchk line if the application exposes that page).
backend testcoms.xxxx.com
       balance source
       #option httpchk GET /HealthCheck.html

Configuration when only one domain name should use the SSL certificate

1. In the default port-80 frontend, comment out the blanket `redirect scheme https if !{ ssl_fc }`
2. Configure the ACL rules as follows:
```
acl ssl hdr_reg(host) -i ^(kesungang.xxx.com)$
redirect scheme https code 301 if !{ ssl_fc } ssl

acl kesungang_p hdr_dom(host) -i kesungang.xxxx.com
```

Configuration for multiple domain names with multiple SSL certificates

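# Multi-certificate HTTPS entry point: one bind on 443 carries all certificates and
# HAProxy selects the certificate by SNI.
frontend http_server
bind :80
bind :443 ssl crt /etc/haproxy/keys/www.test.com.pem crt /etc/haproxy/keys/admin.test.com.pem crt /etc/haproxy/keys/passport.abc.com.pem
# Several sites can share one bind line: "bind :443 ssl crt <file1> crt <file2> crt <file3>".

    mode http

    # Hosts that are HTTPS-only: any plain-HTTP request for them gets a 301 to https.
    # Dots are escaped because hdr_reg() is a regular expression.
    acl ssl  hdr_reg(host) -i ^(www\.test\.com|admin\.test\.com|passport\.abc\.com)$
    redirect scheme https code 301 if !{ ssl_fc }  ssl

    # Mixed sites: only the login and payment pages are forced to HTTPS, all other pages
    # are sent back to HTTP.
    # TODO(review): the host list on the next line was truncated in the original post;
    # replace the placeholder with the real host(s).
    acl ssl_site hdr_reg(host) -i ^(PLACEHOLDER-MIXED-SITE-HOST)$
    acl ssl_path path_beg -i /Login /Pay/Pay.aspx
    redirect scheme https code 301 if !{ ssl_fc }  ssl_site ssl_path
    # NOTE(review): redirecting back to plain HTTP means a session cookie issued on the
    # HTTPS pages is sent in clear on the HTTP pages unless it carries the Secure flag;
    # serving the whole site over HTTPS is the safer choice.
    redirect scheme http code 301 if { ssl_fc }  ssl_site !ssl_path

    # Route by Host header, additionally requiring the TLS SNI to carry the same name.
    # NOTE(review): ssl_fc_sni is empty on the plain-HTTP bind, so these rules match
    # HTTPS requests only; an ssl_site page redirected to HTTP above falls through to
    # no backend.
    acl wwwtest_com hdr_reg(host) -i ^(www\.test\.com)$
    use_backend www_test_com if wwwtest_com { ssl_fc_sni www.test.com }
    acl admintest_com hdr_dom(host) -i admin.test.com
    use_backend admin_test_com if admintest_com { ssl_fc_sni admin.test.com }
    acl passportabc_com hdr_dom(host) -i passport.abc.com
    # Fixed: the ACL and backend names were misspelled here ("passport_abc_com" /
    # "pasport_abc_com"), which HAProxy rejects at startup as unknown ACL/backend.
    use_backend passport_abc_com if passportabc_com { ssl_fc_sni passport.abc.com }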

    # Backend for www.test.com: one server, health-checked on port 80 every 5 s (a TCP
    # connect check unless an "option httpchk" is inherited from defaults).
    backend www_test_com
        server test2 192.168.10.2:80 check port 80 inter 5000 rise 2 fall 3 weight 1
    # Backend for admin.test.com: one server, health-checked on port 80 every 5 s (a TCP
    # connect check unless an "option httpchk" is inherited from defaults).
    backend admin_test_com
        server test4 192.168.10.4:80 check port 80 inter 5000 rise 2 fall 3 weight 1
    # Backend for passport.abc.com: one server, health-checked on port 80 every 5 s (a TCP
    # connect check unless an "option httpchk" is inherited from defaults).
    backend passport_abc_com
        server test5 192.168.10.5:80 check port 80 inter 5000 rise 2 fall 3 weight 1
