dongnan (head moderator)
Views: 6129  Replies: 2

Configuring an SSL certificate for haproxy

Original post
Posted: 2015-07-16 10:15
Environment
CentOS 6.6 amd64
Haproxy 1.5.x

Goals
1. Configure an SSL certificate for haproxy
2. Force HTTPS for the whole site

Configuration file
######

#---------------------------------------------------------------------
# Example configuration for a possible web application.  See the
# full configuration options online.
#
#   http://haproxy.1wt.eu/download/1.4/doc/configuration.txt
#
#---------------------------------------------------------------------
   
#---------------------------------------------------------------------
# Global settings
#---------------------------------------------------------------------
global
    # to have these messages end up in /var/log/haproxy.log you will
    # need to:
    #
    # 1) configure syslog to accept network log events.  This is done
    #    by adding the '-r' option to the SYSLOGD_OPTIONS in
    #    /etc/sysconfig/syslog
    #
    # 2) configure local2 events to go to the /var/log/haproxy.log
    #   file. A line like the following can be added to
    #   /etc/sysconfig/syslog
    #
    #    local2.*                       /var/log/haproxy.log
    #
    log         127.0.0.1 local2
   
    chroot      /var/lib/haproxy
    pidfile     /var/run/haproxy.pid
    maxconn     60000
    user        haproxy
    group       haproxy
    daemon
   
    # turn on stats unix socket
    stats socket /var/lib/haproxy/stats
    tune.ssl.default-dh-param 2048            
   
#---------------------------------------------------------------------
# common defaults that all the 'listen' and 'backend' sections will
# use if not designated in their block
#---------------------------------------------------------------------
defaults
    mode                    http
    log                     global
    option                  httplog
    option                  dontlognull
    option http-server-close
    option forwardfor       except 127.0.0.0/8
    option                  redispatch
    retries                 3
    timeout http-request    10s
    timeout queue           1m
    timeout connect         10s
    timeout client          1m
    timeout server          1m
    timeout http-keep-alive 30s
    timeout check           10s
    maxconn                 30000
   
#---------------------------------------------------------------------
# main frontend which proxies to the backends
#---------------------------------------------------------------------
frontend  main
    bind *:80
    # TLS is terminated here; the PEM file holds the certificate chain
    # followed by the private key (see the third post in this thread)
    bind *:443 ssl crt /etc/haproxy/ssl/ywwd.net.pem
    # any request that did not arrive over TLS is redirected to https://
    redirect scheme https if !{ ssl_fc }

    acl is_static       hdr_reg(host)  -i ^cdn1.ywwd.net cdn2.ywwd.net
    acl is_static       path_beg       -i /static /images /js /css /upload
    acl is_static       path_end       -i .jpg .gif .png .css .js
    acl is_dynamic      hdr_reg(host)  -i ^ywwd.net

    use_backend static  if is_static
    use_backend www     if is_dynamic
    default_backend     www

#---------------------------------------------------------------------
# static backend for serving up images, stylesheets and such
#---------------------------------------------------------------------
backend static
    # tell the backend which port and scheme the client used, since the
    # connection haproxy opens to it is plain HTTP on port 80
    http-request set-header X-Forwarded-Port %[dst_port]
    http-request add-header X-Forwarded-Proto https if { ssl_fc }
#
    balance roundrobin
    # each server needs a unique name within the backend
    server  web01 10.0.100.13:80 check maxconn 2000 weight 1
    server  web02 10.0.100.14:80 check maxconn 2000 weight 2

#---------------------------------------------------------------------
# round robin balancing between the various backends
#---------------------------------------------------------------------
backend www
    http-request set-header X-Forwarded-Port %[dst_port]
    http-request add-header X-Forwarded-Proto https if { ssl_fc }
#
    balance roundrobin
    cookie  SESSION_COOKIE insert  nocache
    server  web01 10.0.100.11:80 check cookie web01 maxconn 8000 weight 1
    server  web02 10.0.100.12:80 check cookie web02 maxconn 8000 weight 1

# stats page: bound on every interface over plain HTTP, and "stats admin"
# lets anyone who passes the basic-auth check enable or disable servers
listen admin_stat
    bind 0.0.0.0:8080
    mode http
    stats refresh 30s
    stats uri /haproxy_stats
    stats realm Haproxy\ Statistics
    stats auth admin:ywwd.net1
    stats hide-version
    stats admin if TRUE

Parameters
bind *:443 ssl crt /etc/haproxy/ssl/ywwd.net.pem  # bind the SSL certificate
redirect scheme https if !{ ssl_fc }   # only accept SSL connections

Certificate
haproxy can use an SSL certificate in two ways.
1. SSL termination: the SSL connection is terminated/decrypted at the load balancer, which then sends an unencrypted connection to the backend servers; this means the load balancer is responsible for decrypting the SSL connection. (The certificate lives on haproxy; this is the method used in this post.)
2. SSL pass-through: the opposite of SSL termination; the SSL connection is sent straight through to the proxied server. (The certificate lives on the webserver.)

Certificate format
haproxy uses SSL certificates in PEM format; obtain the SSL certificate from a provider, for example wosign.
For converting a certificate to PEM format, see the third post in this thread.


References
Using SSL certificates with HAproxy 1.5
How To Implement SSL Termination With HAProxy on Ubuntu 14.04
Add SSL Termination to HAProxy on Ubuntu 14.04

#END
Follow the WeChat account: 运维录
dongnan (head moderator)
Reply 1
Posted: 2015-07-16 10:30
haproxy: "Setting tune.ssl.default-dh-param to 1024 by default" warning
Error message
[WARNING] 187/163026 (3106) : Setting tune.ssl.default-dh-param to 1024 by default, if your workload permits it you should set it to at least 2048. Please set a value >= 1024 to make this warning disappear.

Fix
Edit haproxy.cfg and add the following line to the global section:
tune.ssl.default-dh-param 2048

Check the configuration file
haproxy -c -f /etc/haproxy/haproxy.cfg
Configuration file is valid

Restart
/etc/init.d/haproxy restart

#END
dongnan (head moderator)
Reply 2
Posted: 2016-06-28 13:35
Converting a certificate to the PEM format haproxy needs
Contents
1. Goal
2. Steps

Goal
1. Combine the *.crt and *.key certificate files into one PEM-format certificate, which is the format haproxy requires;
2. Replace the certificate in haproxy;

Steps
1. Certificate formats
file 1__.ywwd.net_bundle.crt 2__.ywwd.net.key
1__.ywwd.net_bundle.crt: ASCII text, with CRLF, LF line terminators
2__.ywwd.net.key:        ASCII text

2. Merge the certificates
cat 1__.ywwd.net_bundle.crt 2__.ywwd.net.key > ywwd.net.pem
file ywwd.net.pem
ywwd.net.pem: ASCII text, with CRLF, LF line terminators

3. Edit the certificate
Note: delete the two blank lines between the three sections of the crt file;
sed -i '/^$/d' ywwd.net.pem

4. Replace the certificate
mv /etc/haproxy/ssl/ywwd.net.pem /etc/haproxy/ssl/ywwd.net.pem.2015
mv ywwd.net.pem /etc/haproxy/ssl/

5. Reload
haproxy -c -f /etc/haproxy/haproxy.cfg
Configuration file is valid
#
/etc/init.d/haproxy reload
Reloading haproxy:


#
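The steps above can be wrapped in one script that also checks the result; the following is an added example, not the poster's own procedure. It concatenates the certificate bundle and the key in the order haproxy's `crt` option expects (certificate chain first, private key last), converts the CRLF line endings that `file` reported for the .crt to LF, removes the blank lines the post deletes with sed, restricts the file mode because the file now contains the private key, and refuses a file whose first block is not a certificate or that does not contain exactly one key. The function names build_haproxy_pem and check_haproxy_pem and the dummy PEM blocks in the test are my own.

```shell
#!/bin/sh
# Added example, not from the original thread: build the single PEM file that
# haproxy's "crt" option expects and sanity-check it before installing it.

build_haproxy_pem() {
    crt="$1"; key="$2"; out="$3"
    # Order matters: certificate (and its chain) before the key. tr strips the
    # CR of CRLF files such as the .crt in the post; sed removes empty lines.
    cat "$crt" "$key" | tr -d '\r' | sed '/^$/d' > "$out"
    # The file now contains the private key: keep it unreadable to other users.
    chmod 600 "$out"
    check_haproxy_pem "$out"
}

check_haproxy_pem() {
    pem="$1"
    # 1) The first block must be a certificate, not the key.
    if ! head -n 1 "$pem" | grep -q '^-----BEGIN CERTIFICATE-----$'; then
        echo "bad pem: first block is not a certificate" >&2
        return 1
    fi
    # 2) Exactly one private key block (RSA, EC or PKCS#8 header).
    keys=$(grep -c -- '^-----BEGIN .*PRIVATE KEY-----$' "$pem" || true)
    if [ "$keys" -ne 1 ]; then
        echo "bad pem: expected one private key block, found $keys" >&2
        return 1
    fi
    # 3) No blank lines or carriage returns left over from the merge.
    if grep -q '^$' "$pem" || grep -q "$(printf '\r')" "$pem"; then
        echo "bad pem: blank lines or CRLF line endings remain" >&2
        return 1
    fi
    # 4) Every BEGIN marker has a matching END marker.
    begins=$(grep -c -- '^-----BEGIN ' "$pem" || true)
    ends=$(grep -c -- '^-----END ' "$pem" || true)
    if [ "$begins" -ne "$ends" ]; then
        echo "bad pem: $begins BEGIN markers but $ends END markers" >&2
        return 1
    fi
    return 0
}
```

Usage: `build_haproxy_pem 1__.ywwd.net_bundle.crt 2__.ywwd.net.key ywwd.net.pem && mv ywwd.net.pem /etc/haproxy/ssl/`, followed by the `haproxy -c -f` check and reload from the post. The script only checks structure; to confirm that the key really belongs to the certificate (for an RSA key), compare `openssl x509 -noout -modulus -in ywwd.net.pem | openssl md5` with `openssl rsa -noout -modulus -in ywwd.net.pem | openssl md5`, which must print the same digest.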