
Haproxy 配置SSL证书


2015-07-16 by dongnan

环境

操作系统: CentOS 6.6 amd64
软件版本: Haproxy 1.5.x(源码方式安装)

目标

  • Haproxy配置SSL证书
  • 全站强制使用 https协议

步骤

Haproxy使用PEM格式的SSL证书,配置SSL证书有两种方式:

  • SSL终端,在负载均衡器上终止/解密SSL连接,再以非加密连接转发到后端服务器。(本文示例采用此方式)
  • SSL穿透,与SSL终端相反,负载均衡器不解密,直接把SSL连接透传给后端服务器。(证书放在后端服务器)

配置文档

#---------------------------------------------------------------------
# Example configuration for a possible web application.  See the
# full configuration options online.
#
#   http://haproxy.1wt.eu/download/1.4/doc/configuration.txt
#
#---------------------------------------------------------------------

#---------------------------------------------------------------------
# Global settings
#---------------------------------------------------------------------
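global
    # to have these messages end up in /var/log/haproxy.log you will
    # need to:
    #
    # 1) configure syslog to accept network log events.  This is done
    #    by adding the '-r' option to the SYSLOGD_OPTIONS in
    #    /etc/sysconfig/syslog
    #
    # 2) configure local2 events to go to the /var/log/haproxy.log
    #   file. A line like the following can be added to
    #   /etc/sysconfig/syslog
    #
    #    local2.*                       /var/log/haproxy.log
    #
    log         127.0.0.1 local2

    chroot      /var/lib/haproxy
    pidfile     /var/run/haproxy.pid
    maxconn     60000
    user        haproxy
    group       haproxy
    daemon

    # turn on stats unix socket
    stats socket /var/lib/haproxy/stats

    # TLS defaults applied to every "bind ... ssl" line in this file.
    # HAProxy 1.5 keeps SSLv3 enabled unless told otherwise; SSLv3 is
    # broken (POODLE) and no current browser needs it.
    ssl-default-bind-options  no-sslv3
    # Refuse anonymous, NULL, MD5, RC4 and 3DES suites and keep the rest of
    # OpenSSL's HIGH set. Adjust to what the local OpenSSL build offers.
    ssl-default-bind-ciphers  HIGH:!aNULL:!eNULL:!MD5:!RC4:!3DES
    # Size of the DH parameters used by DHE suites (1.5 default is 1024).
    tune.ssl.default-dh-param 2048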

#---------------------------------------------------------------------
# common defaults that all the 'listen' and 'backend' sections will
# use if not designated in their block
#---------------------------------------------------------------------
defaults
    # Inherited by every frontend/backend/listen section unless overridden.
    mode    http
    log     global

    # Logging: full HTTP log lines, skip connections that sent no data.
    option  httplog
    option  dontlognull

    # Connection handling towards clients and servers.
    option  http-server-close
    option  forwardfor except 127.0.0.0/8
    option  redispatch
    retries 3

    # Timeouts.
    timeout http-request    10s
    timeout queue           1m
    timeout connect         10s
    timeout client          1m
    timeout server          1m
    timeout http-keep-alive 30s
    timeout check           10s

    # Per-section connection cap (the global cap above is 60000).
    maxconn 30000

#---------------------------------------------------------------------
# main frontend which proxies to the backends
#---------------------------------------------------------------------
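frontend main
    # Plain HTTP is accepted only so it can be redirected to https below.
    bind *:80
    # "crt" takes one PEM file containing the private key, the server
    # certificate and any intermediate CA certificates; keep it root-only.
    bind *:443 ssl crt /etc/haproxy/ssl/ywwd.net.pem
    # Force https site-wide: any request that did not arrive over TLS gets
    # a permanent (301) redirect to the same URL on https.
    redirect scheme https code 301 if !{ ssl_fc }

    # Host-based routing. hdr_dom matches the value as whole dot-delimited
    # labels, unlike the previous unanchored regexes in which "." matched
    # any character and "cdn2.ywwd.net" could match anywhere in the header.
    acl is_static       hdr_dom(host)  -i cdn1.ywwd.net cdn2.ywwd.net
    acl is_static       path_beg       -i /static /images /js /css /upload
    acl is_static       path_end       -i .jpg .gif .png .css .js
    acl is_dynamic      hdr_dom(host)  -i ywwd.net

    # Static assets are checked first; everything else ends up on "www".
    use_backend static  if is_static
    use_backend www     if is_dynamic
    default_backend     www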

#---------------------------------------------------------------------
# static backend for serving up images, stylesheets and such
#---------------------------------------------------------------------
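backend static
    # Tell the origin servers which port and scheme the client used.
    # set-header (not add-header) so a client-supplied X-Forwarded-Proto
    # is overwritten instead of being forwarded alongside ours.
    http-request set-header X-Forwarded-Port  %[dst_port]
    http-request set-header X-Forwarded-Proto https if { ssl_fc }
    http-request set-header X-Forwarded-Proto http  if !{ ssl_fc }

    balance roundrobin
    # Server names must be unique within a backend (they identify the
    # server in stats and on the admin socket).
    server  web01 10.0.100.13:80 check maxconn 2000 weight 1
    server  web02 10.0.100.14:80 check maxconn 2000 weight 2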

#---------------------------------------------------------------------
# round robin balancing between the various backends
#---------------------------------------------------------------------
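backend www
    # Tell the origin servers which port and scheme the client used.
    # set-header (not add-header) so a client-supplied X-Forwarded-Proto
    # is overwritten instead of being forwarded alongside ours.
    http-request set-header X-Forwarded-Port  %[dst_port]
    http-request set-header X-Forwarded-Proto https if { ssl_fc }
    http-request set-header X-Forwarded-Proto http  if !{ ssl_fc }

    balance roundrobin
    # Session persistence cookie. The site is https-only, so mark it
    # Secure; HttpOnly keeps it out of reach of page scripts.
    cookie  SESSION_COOKIE insert nocache httponly secure
    server  web01 10.0.100.11:80 check cookie web01 maxconn 8000 weight 1
    server  web02 10.0.100.12:80 check cookie web02 maxconn 8000 weight 1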

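listen admin_stat
    # The stats page carries a Basic-auth password and, with "stats admin",
    # can change server state, so serve it over TLS with the site
    # certificate instead of plain http on every interface.
    bind 0.0.0.0:8080 ssl crt /etc/haproxy/ssl/ywwd.net.pem
    mode http
    stats refresh 30s
    stats uri /haproxy_stats
    stats realm Haproxy\ Statistics
    # Credential is stored in clear text here: keep this file root-only,
    # and consider a "src" ACL on the line below instead of "if TRUE" or
    # binding to a management address only.
    stats auth admin:ywwd.net1
    stats hide-version
    stats admin if TRUE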

配置参数

与SSL配置相关的参数有两个:

  • bind *:443 ssl crt /etc/haproxy/ssl/ywwd.net.pem,绑定SSL证书。
  • redirect scheme https if !{ ssl_fc },把未经SSL的请求重定向到 https,从而全站强制使用 https。

启动服务

检查配置文件

# Syntax-check the configuration before starting/reloading; prints
# "Configuration file is valid" and exits 0 when there are no errors.
haproxy -c -f /etc/haproxy/haproxy.cfg
Configuration file is valid

启动服务

# Start the service through the SysV init script (CentOS 6).
/etc/init.d/haproxy start

参考
