haproxy多主机与ssl acl

我不认为haproxy将允许您为每个传入请求指定每个后端SSL证书，而您必须具有允许多个域名（SNI）的组合证书。

以下是haproxy使用SNI的指南，其中所有证书实际上由haproxy服务器托pipe，而不是后端实例： http ://trick77.com/2012/12/26/haproxy-and-sni-based-ssl- 卸载与-中间CA /

另请参阅本节末尾的示例： http : //cbonte.github.io/haproxy-dconv/configuration-1.5.html#4.2-use-server

你可以用你的haproxy版本来做到这一点。 我在这里博客了

这是一个例子：

 global log 127.0.0.1 local0 log 127.0.0.1 local1 notice #log loghost local0 info maxconn 4096 # chroot /usr/share/haproxy user haproxy group haproxy daemon #debug #quiet defaults log global mode http option httplog option dontlognull retries 3 option redispatch maxconn 2000 contimeout 5000 clitimeout 50000 srvtimeout 50000 # Host HA-Proxy web stats on Port 3306 (that will confuse those script kiddies) listen HAProxy-Statistics *:3306 mode http option httplog option httpclose stats enable stats uri /haproxy?stats stats refresh 20s stats show-node stats show-legends stats show-desc Workaround haproxy for SSL stats auth admin:ifIruledTheWorld stats admin if TRUE frontend ssl_relay 192.168.128.21:443 # this only works with 1.5 haproxy mode tcp option tcplog option socket-stats # option nolinger maxconn 300 # use tcp content accepts to detects ssl client and server hello. # acl clienthello req_ssl_hello_type 1 -> seems to not work tcp-request inspect-delay 5s tcp-request content accept if { req_ssl_hello_type 1 } use_backend ssl_testdomain_prod if { req_ssl_sni -i www.testdomain.nl } use_backend ssl_testdomain_stag if { req_ssl_sni -i test.testdomain.nl } default_backend ssl_testdomain_stag backend ssl_testdomain_stag mode tcp #option nolinger option tcplog balance roundrobin hash-type consistent option srvtcpka # maximum SSL session ID length is 32 bytes. stick-table type binary len 32 size 30k expire 30m # make sure we cover type 1 (fallback) acl clienthello req_ssl_hello_type 1 acl serverhello rep_ssl_hello_type 2 # use tcp content accepts to detects ssl client and server hello. tcp-request inspect-delay 5s tcp-request content accept if clienthello # no timeout on response inspect delay by default. tcp-response content accept if serverhello # SSL session ID (SSLID) may be present on a client or server hello. # Its length is coded on 1 byte at offset 43 and its value starts # at offset 44. # Match and learn on request if client hello. stick on payload_lv(43,1) if clienthello # Learn on response if server hello. stick store-response payload_lv(43,1) if serverhello #option ssl-hello-chk server x_testdomain_stag 123.123.123.123:443 backend ssl_testdomain_prod mode tcp #option nolinger option tcplog balance roundrobin hash-type consistent option srvtcpka # maximum SSL session ID length is 32 bytes. stick-table type binary len 32 size 30k expire 30m # make sure we cover type 1 (fallback) acl clienthello req_ssl_hello_type 1 acl serverhello rep_ssl_hello_type 2 # use tcp content accepts to detects ssl client and server hello. tcp-request inspect-delay 5s tcp-request content accept if clienthello # no timeout on response inspect delay by default. tcp-response content accept if serverhello # SSL session ID (SSLID) may be present on a client or server hello. # Its length is coded on 1 byte at offset 43 and its value starts # at offset 44. # Match and learn on request if client hello. stick on payload_lv(43,1) if clienthello # Learn on response if server hello. stick store-response payload_lv(43,1) if serverhello #option ssl-hello-chk server x_testdomain_prod 123.123.111.111:443 

这个例子意味着你在web服务器后端终止你的SSL，我还没有试图用haproxy ssl终止。

如果这是你想要的，也许这个例子有助于它的工作。

还有另一个例子在这里使用use_server而不是use_backend