我想让我的服务器SSL保护,它有两个部分之一的网站和另一个应用程序。
为了平衡他们,我们使用haproxy 。 现在我们要确保这个haproxy。 我已经安装了证书和密钥文件
在configurationhaproxy.cfg时如下所示:
frontend https bind *:443 ssl crt /etc/ssl/ssl.key/myserver.key /etc/ssl/certs/www_appointpress_com.ca-bundle /etc/ssl/certs/somefile.crt acl hari path_beg /customers acl css path_beg /assets reqadd X-Forwarded-Proto:\ https default_backend appointpress_site
而重新启动haproxy我得到像这样的错误:
bind only supports transparent ...... options 。
我该如何解决这个错误
试试这个,至less在这个版本(自己build的)
root@server5:~# haproxy -vv
HA-Proxy version 1.5-dev17 2012/12/28 Copyright 2000-2012 Willy Tarreau <[email protected]> Build options : TARGET = linux2628 CPU = native CC = gcc CFLAGS = -O2 -march=native -g -fno-strict-aliasing OPTIONS = USE_ZLIB=1 USE_OPENSSL=1 USE_PCRE=1 USE_STATIC_PCRE=1 Default settings : maxconn = 2000, bufsize = 16384, maxrewrite = 8192, maxpollevents = 200 Encrypted password support via crypt(3): yes Built with zlib version : 1.2.3.4 Compression algorithms supported : identity, deflate, gzip Built with OpenSSL version : OpenSSL 1.0.1 14 Mar 2012 OpenSSL library supports TLS extensions : yes OpenSSL library supports SNI : yes OpenSSL library supports prefer-server-ciphers : yes Available polling systems : epoll : pref=300, test result OK poll : pref=200, test result OK select : pref=150, test result OK Total: 3 (3 usable), will use epoll.
然后在haproxy中尝试这种configuration
listen ssl_relay 192.168.128.101:443 # this only works with 1.5 haproxy, it accepts multiple SSL en sends it # off to the correct backend which does the SSL termination. mode tcp balance roundrobin option tcplog option socket-stats # option ssl-hello-chk -> This is not be needed anymore, in fact, # it needs to be off # maximum SSL session ID length is 32 bytes. stick-table type binary len 32 size 30k expire 30m # make sure we cover type 1 (fallback), although chances are it will # not route correctly, it will terminate on ssl acl clienthello req_ssl_hello_type 1 acl serverhello rep_ssl_hello_type 2 # use tcp content accepts to detects ssl client and server hello. tcp-request inspect-delay 5s tcp-request content accept if clienthello # no timeout on response inspect delay by default. tcp-response content accept if serverhello # SSL session ID (SSLID) may be present on a client or server hello. # Its length is coded on 1 byte at offset 43 and its value starts # at offset 44. # Match and learn on request if client hello. stick on payload_lv(43,1) if clienthello # Learn on response if server hello. stick store-response payload_lv(43,1) if serverhello # intercept incoming TLS requests based on the SNI field use-server xtp2_83 if { req_ssl_sni -i proudsslsite.com } use-server xtp2_83 if { req_ssl_sni -i www.proudsslsite.com } use-server xtp2_84 if { req_ssl_sni -i myothersecuremasterpiece.net } use-server xtp2_84 if { req_ssl_sni -i www.myothersecuremasterpiece.net } server xtp2_83 192.168.128.1:483 weight 0 server xtp2_84 192.168.128.2:484 weight 0 # all the rest is forwarded to this server server xtp_default 192.168.128.3:443 check inter 10000 rise 2 fall 2
你只需要在你的web服务器里面终止SSL。 所以一路encryptionstream量。 这对我有用。
我知道这并不是真的回答你的问题,但你可以尝试用Pound代替HAproxy,这很容易通过HTTPS进行configuration,并且与你的情况下的HAproxy一样。