I have a haproxy / nginx / naxsi setup for load balancing and security. Traffic should come into haproxy, then go to nginx / naxsi, and finally reach the web servers if it passes the WAF. We also use a different IP address on the front than we do on the back.
What am I doing wrong that it won't flow through nginx? If I bypass nginx / naxsi it works just as expected, so I only get 503 errors when going through nginx.
Inet -> Haproxy .5.3:80 -> .5.3:81 Nginx / Naxsi .6.3:81 -> .6.x:80 web servers
frontend ft_waf
    bind 10.0.5.15:80 name http
    mode http
    log global
    option httplog
    timeout client 25s
    maxconn 10000

    # DDOS protection
    # Use General Purpose Counter (gpc) 0 in SC1 as a global abuse counter
    # Monitors the number of request sent by an IP over a period of 10 seconds
    stick-table type ip size 1m expire 1m store gpc0,http_req_rate(10s),http_err_rate(10s)
    tcp-request connection track-sc1 src
    tcp-request connection reject if { sc1_get_gpc0 gt 0 }
    # Abuser means more than 100reqs/10s
    acl abuse sc1_http_req_rate gt 100
    acl kill sc1_inc_gpc0 gt 10
    acl save sc1_clr_gpc0 ge 0
    tcp-request connection accept if !abuse save
    tcp-request connection reject if abuse kill

    acl no_waf nbsrv(bk_waf) eq 0
    acl waf_max_capacity queue(bk_waf) ge 1
    # bypass WAF farm if no WAF available
    use_backend bk_web if no_waf
    # bypass WAF farm if it reaches its capacity
    default_backend bk_waf

# WAF farm where users' traffic is routed first
backend bk_waf
    balance roundrobin
    mode http
    log global
    option httplog
    option forwardfor header X-Client-IP
    # If the source IP generated 10 or more http request over the defined period,
    # flag the IP as abuser on the frontend
    acl abuse sc1_http_err_rate gt 10
    acl kill sc1_inc_gpc0 gt 0
    tcp-request content reject if abuse kill
    # Specific WAF checking: a DENY means everything is OK
    timeout server 25s
    server waf1 10.0.5.3:81 maxconn 10000 check

# Traffic secured by the WAF arrives here
frontend ft_web
    bind 10.0.6.3:81 name http
    mode http
    log global
    option httplog
    # route commercial domains to com_web
    acl is_comm hdr(host) -i -f /etc/haproxy/commweb
    use_backend com_web if is_comm
    acl is_comwbm hdr(host) -i -f /etc/haproxy/webmailredirect
    redirect location http://newwebmail.example.net if is_comwbm
    timeout client 25s
    maxconn 1000
    default_backend bk_web

backend com_web
    balance roundrobin
    mode http
    log global
    option httplog
    option forwardfor
    cookie SERVERID insert indirect nocache
    default-server inter 30s rise 2 fall 3
    option httpchk HEAD /
    # get connected on the application server using the user ip
    # provided in the X-Client-IP header setup by ft_waf frontend
    source 0.0.0.0 usesrc hdr_ip(X-Client-IP)
    timeout server 25s
    server comserver01 10.0.6.22:80 maxconn 10000 weight 10 cookie server1 check

# application server farm
backend bk_web
    balance roundrobin
    mode http
    log global
    option httplog
    option forwardfor
    cookie SERVERID insert indirect nocache
    default-server inter 30s rise 2 fall 3
    option httpchk HEAD /
    # get connected on the application server using the user ip
    # provided in the X-Client-IP header setup by ft_waf frontend
    source 0.0.0.0 usesrc hdr_ip(X-Client-IP)
    timeout server 25s
    server webserver01 10.0.6.10:80 maxconn 10000 weight 10 cookie server1 check
    server webserver02 10.0.6.11:80 maxconn 10000 weight 10 cookie server2 check
    server webserver03 10.0.6.12:80 maxconn 10000 weight 10 cookie server2 check
    server webserver04 10.0.6.13:80 maxconn 10000 weight 10 cookie server2 check
http {
    include /etc/nginx/naxsi_core.rules;
    include mime.types;
    server_names_hash_bucket_size 128;
    sendfile on;
    keepalive_timeout 65;
    tcp_nodelay on;
    gzip on;
    gzip_disable "MSIE [1-6]\.(?!.*SV1)";

    server {
        proxy_set_header Proxy-Connection "";
        listen 10.0.5.3:81;
        access_log /var/log/nginx/access.log;

        location / {
            include /etc/nginx/test.rules;
            proxy_pass http://10.0.6.3:81/;
        }
    }
}
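Both haproxy frontends above log with `option httplog`, so the fastest way to see which hop of the haproxy -> nginx/naxsi -> haproxy -> web-server chain is producing the 503 is to read the frontend, backend/server and termination-state fields of those log lines. The script below is an added example, not code from the original post; its sample log lines are constructed and only borrow the frontend, backend and server names from the configuration above.

```python
import re

# Constructed sample lines in HAProxy "option httplog" format (not taken from
# the original post); frontend/backend/server names mirror the config above.
SAMPLE_LOG = """\
Mar  3 10:00:01 lb haproxy[2201]: 198.51.100.7:51022 [03/Mar/2014:10:00:01.120] ft_waf bk_waf/waf1 3/0/1/4/8 200 5120 - - ---- 12/12/2/2/0 0/0 "GET / HTTP/1.1"
Mar  3 10:00:02 lb haproxy[2201]: 198.51.100.7:51023 [03/Mar/2014:10:00:02.450] ft_waf bk_waf/<NOSRV> 2/-1/-1/-1/2 503 212 - - SC-- 11/11/1/0/0 0/0 "GET / HTTP/1.1"
Mar  3 10:00:03 lb haproxy[2201]: 10.0.5.3:40811 [03/Mar/2014:10:00:03.010] ft_web bk_web/webserver01 1/0/-1/-1/3001 503 212 - - SC-- 9/3/1/1/3 0/0 "GET / HTTP/1.1"
Mar  3 10:00:04 lb haproxy[2201]: 10.0.5.3:40812 [03/Mar/2014:10:00:04.300] ft_web bk_web/webserver02 1/0/2/-1/25004 504 194 - - sH-- 9/3/1/1/0 0/0 "GET /slow HTTP/1.1"
"""

# httplog field order: client [accept_date] frontend backend/server timers status bytes
# request_cookie response_cookie termination_state ...
HTTPLOG = re.compile(
    r"(?P<client>\S+) \[(?P<accept>[^\]]+)\] (?P<frontend>\S+) "
    r"(?P<backend>[^/\s]+)/(?P<server>\S+) (?P<timers>\S+) (?P<status>-?\d+) "
    r"(?P<bytes>\d+) \S+ \S+ (?P<term>\S{4}) "
)

# First two termination-state characters for the server-side failures that
# surface as 5xx at the client (see HAProxy's "Logging" documentation).
TERM_MEANING = {
    "SC": "connection to the server refused or unreachable",
    "sC": "timed out while connecting to the server",
    "SH": "server aborted or returned an invalid response",
    "sH": "server timed out before sending response headers",
}

def parse_httplog(text):
    """Return one dict per parsable httplog line, with status as an int."""
    rows = []
    for line in text.splitlines():
        if (m := HTTPLOG.search(line)):
            row = m.groupdict()
            row["status"] = int(row["status"])
            rows.append(row)
    return rows

def explain_5xx(rows):
    """One line per 5xx naming the hop (frontend -> backend/server) that produced it."""
    out = []
    for r in rows:
        if r["status"] < 500:
            continue
        why = TERM_MEANING.get(r["term"][:2], "termination state " + r["term"])
        if r["server"] == "<NOSRV>":  # 503 with no server: every server in the backend is down
            why = "no server available in the backend (health checks failing?)"
        out.append(f'{r["frontend"]} -> {r["backend"]}/{r["server"]}: {r["status"]} ({why})')
    return out
```

A 503 logged by ft_waf against bk_waf/<NOSRV> means haproxy never reached nginx (the waf1 check is failing), while a 503 logged by ft_web against bk_web means the WAF hop worked and the failure is between the second frontend and the web servers.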