Haproxy 配置SSL证书
2015-07-16 by dongnan
环境
操作系统: CentOS 6.6 amd64
软件版本: Haproxy 1.5.x(源码方式安装)
目标
- 为
Haproxy配置SSL证书 - 全站强制使用
https协议
步骤
Haproxy使用PEM格式的SSL证书,配置SSL证书有两种方式:
- SSL终端,是在负载均衡器终止/解码SSL连接并发送非加密连接到后台服务器的。(示例方式)
- SSL穿透,与SSL终端相反它是直接向代理服务器发送SSL连接的。(证书放在后端服务器)
配置文档
#---------------------------------------------------------------------
# Example configuration for a possible web application. See the
# full configuration options online.
#
# http://haproxy.1wt.eu/download/1.4/doc/configuration.txt
#
#---------------------------------------------------------------------
#---------------------------------------------------------------------
# Global settings
#---------------------------------------------------------------------
global
# to have these messages end up in /var/log/haproxy.log you will
# need to:
#
# 1) configure syslog to accept network log events. This is done
# by adding the '-r' option to the SYSLOGD_OPTIONS in
# /etc/sysconfig/syslog
#
# 2) configure local2 events to go to the /var/log/haproxy.log
# file. A line like the following can be added to
# /etc/sysconfig/syslog
#
# local2.* /var/log/haproxy.log
#
log 127.0.0.1 local2
chroot /var/lib/haproxy
pidfile /var/run/haproxy.pid
maxconn 60000
user haproxy
group haproxy
daemon
# turn on stats unix socket
stats socket /var/lib/haproxy/stats
tune.ssl.default-dh-param 2048
#---------------------------------------------------------------------
# common defaults that all the 'listen' and 'backend' sections will
# use if not designated in their block
#---------------------------------------------------------------------
defaults
mode http
log global
option httplog
option dontlognull
option http-server-close
option forwardfor except 127.0.0.0/8
option redispatch
retries 3
timeout http-request 10s
timeout queue 1m
timeout connect 10s
timeout client 1m
timeout server 1m
timeout http-keep-alive 30s
timeout check 10s
maxconn 30000
#---------------------------------------------------------------------
# main frontend which proxys to the backends
#---------------------------------------------------------------------
#frontend main *:80
frontend bind *:80
bind *:443 ssl crt /etc/haproxy/ssl/ywwd.net.pem
redirect scheme https if !{ ssl_fc }
acl is_static hdr_reg(host) -i ^cdn1.ywwd.net cdn2.ywwd.net
acl is_static path_beg -i /static /images /js /css /upload
acl is_static path_end -i .jpg .gif .png .css .js
acl is_dynamic hdr_reg(host) -i ^ywwd.net
use_backend static if is_static
use_backend www if is_dynamic
default_backend www
#---------------------------------------------------------------------
# static backend for serving up images, stylesheets and such
#---------------------------------------------------------------------
backend static
http-request set-header X-Forwarded-Port %[dst_port]
http-request add-header X-Forwarded-Proto https if { ssl_fc }
#
balance roundrobin
server web01 10.0.100.13:80 check maxconn 2000 weight 1
server web01 10.0.100.14:80 check maxconn 2000 weight 2
#---------------------------------------------------------------------
# round robin balancing between the various backends
#---------------------------------------------------------------------
backend www
http-request set-header X-Forwarded-Port %[dst_port]
http-request add-header X-Forwarded-Proto https if { ssl_fc }
#
balance roundrobin
cookie SESSION_COOKIE insert nocache
server web01 10.0.100.11:80 check cookie web01 maxconn 8000 weight 1
server web02 10.0.100.12:80 check cookie web02 maxconn 8000 weight 1
listen admin_stat
bind 0.0.0.0:8080
mode http
stats refresh 30s
stats uri /haproxy_stats
stats realm Haproxy\ Statistics
stats auth admin:ywwd.net1
stats hide-version
stats admin if TRUE
配置参数
与SSL配置相关的参数有两个:
bind *:443 ssl crt /etc/haproxy/ssl/ywwd.net.pem,绑定SSL证书。redirect scheme https if !{ ssl_fc },只接受SSL连接。
启动服务
检查配置文件
haproxy -c -f /etc/haproxy/haproxy.cfg
Configuration file is valid
启动服务
/etc/init.d/haproxy start