haproxy https实现

haproxy https实现

haproxy可以在前端终止TLS(证书配置在haproxy上):从用户到haproxy为https,从haproxy到后端服务器用http通信。注意这意味着haproxy到后端这一段是明文,只应在可信的内网中这样用;若该链路不可信,应在server行加ssl选项(如 `server ... ssl verify required ca-file ...`)对后端再加密。另外出于性能考虑,部分生产环境会把证书放在后端服务器(如nginx)上,由后端自己处理TLS,而不在haproxy上终止。

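# Enable HTTPS on a frontend/listen section: TLS is terminated on HAProxy.
# Consider also restricting protocol versions (e.g. `ssl-min-ver TLSv1.2` via
# ssl-default-bind-options in the global section) on versions that support it.
	bind *:443 ssl crt /PATH/TO/SOME_PEM_FILE

# The file given to `crt` is PEM and must contain the private key together
# with the server certificate (plus any intermediate/chain certificates).
# It holds the private key, so create it with a restrictive umask (mode 0600)
# rather than the shell's default umask.
	(umask 077; cat demo.key demo.crt > demo.pem)

# Redirect plain-HTTP requests on port 80 to HTTPS.
	bind *:80
	redirect scheme https if !{ ssl_fc }

# Tell the backend which protocol/port the client used (frontend or backend
# section). Use set-header, not add-header: set-header first removes any
# client-supplied header of the same name, so a client cannot smuggle its own
# X-Forwarded-Proto value through to the backend; add-header would only append
# to it. The directive is spelled `http-request` (hyphen), as in the working
# config below.
	http-request set-header X-Forwarded-Port %[dst_port]
	http-request set-header X-Forwarded-Proto https if { ssl_fc }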

1 证书制作(自签名证书,仅用于测试)

[root@haproxy ~]#cd /etc/pki/tls/certs/
[root@haproxy certs]#mkdir /etc/haproxy/conf.d/ssl
[root@haproxy certs]#vim Makefile
# Rule added to the stock Makefile in /etc/pki/tls/certs: generate an RSA
# private key. `umask 77` makes the key file mode 0600 so only root can read
# it. The commented-out variant would encrypt the key with AES-128 under a
# passphrase; it is left disabled because HAProxy has to read the key
# unattended at startup - NOTE(review): confirm whether your HAProxy build
# can use a passphrase-protected key before enabling it.
# NOTE(review): the matching %.crt rule comes from the existing Makefile (not
# shown here) and runs `openssl req -x509 -days 365` with no subjectAltName;
# current browsers ignore the CN, so a CN-only self-signed certificate is
# rejected - add a SAN (or use a CA-issued certificate) for anything beyond
# this lab.
%.key:
    umask 77 ; \
    #/usr/bin/openssl genrsa -aes128 $(KEYLEN) > $@
    /usr/bin/openssl genrsa  $(KEYLEN) > $@

[root@haproxy certs]#make /etc/haproxy/conf.d/ssl/www.linux2022.com.crt
umask 77 ; \
#/usr/bin/openssl genrsa -aes128 2048 > /etc/haproxy/conf.d/ssl/www.linux2022.com.key
/usr/bin/openssl genrsa  2048 > /etc/haproxy/conf.d/ssl/www.linux2022.com.key
Generating RSA private key, 2048 bit long modulus
.................................................+++
............................+++
e is 65537 (0x10001)
umask 77 ; \
/usr/bin/openssl req -utf8 -new -key /etc/haproxy/conf.d/ssl/www.linux2022.com.key -x509 -days 365 -out /etc/haproxy/conf.d/ssl/www.linux2022.com.crt
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:guangdong
Locality Name (eg, city) [Default City]:guangzhou
Organization Name (eg, company) [Default Company Ltd]:linux2022
Organizational Unit Name (eg, section) []:it
Common Name (eg, your name or your server's hostname) []:www.linux2022.com
Email Address []:

[root@haproxy certs]#cd /etc/haproxy/conf.d/ssl/
[root@haproxy ssl]#ls
www.linux2022.com.crt  www.linux2022.com.key
# Combine key + certificate into the single PEM file HAProxy's `crt` expects.
# NOTE(review): the .key was created 0600 by the Makefile's `umask 77`, but
# this redirect creates the .pem under the shell's current umask, so unless
# that umask is restrictive the private key ends up in a world-readable file.
# Run `chmod 600 www.linux2022.com.pem` (or `umask 077` before the cat) and
# confirm with `ls -l`.
[root@haproxy ssl]#cat www.linux2022.com.key www.linux2022.com.crt > www.linux2022.com.pem

2 https配置

[root@haproxy ssl]#cd ..
[root@haproxy conf.d]#ls
ssl  test.cfg
[root@haproxy conf.d]#vim test.cfg
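# HTTPS listener: terminate TLS here and forward plain HTTP to the backends.
listen ha1_https_443
    bind 10.0.0.7:80
    # TODO(review): on HAProxy versions that support it, also restrict the
    # protocol here or globally (ssl-default-bind-options ssl-min-ver TLSv1.2)
    # and add an HSTS response header once a trusted certificate is in place.
    bind 10.0.0.7:443 ssl crt /etc/haproxy/conf.d/ssl/www.linux2022.com.pem
    # Send every plain-HTTP request to HTTPS (302; see the curl -IL check below).
    redirect scheme https if !{ ssl_fc }
    # Pass the client-facing port/protocol to the backend. set-header (not
    # add-header) first drops any same-named header sent by the client, so the
    # backend never sees a client-supplied X-forwarded-Proto value.
    http-request set-header X-forwarded-Port %[dst_port]
    http-request set-header X-forwarded-Proto https if { ssl_fc }
    # Preserve the real client address as X-Forwarded-For; without it the
    # backend access logs show only the HAProxy address (10.0.0.7).
    option forwardfor
    balance roundrobin
    server rs1 10.0.0.17:80 check inter 3000 fall 2 rise 5
    server rs2 10.0.0.27:80 check inter 3000 fall 2 rise 5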

[root@haproxy conf.d]#systemctl restart haproxy.service
[root@haproxy conf.d]#ss -ntl
State      Recv-Q Send-Q              Local Address:Port                             Peer Address:Port
LISTEN     0      128                             *:9999                                        *:*
LISTEN     0      128                      10.0.0.7:80                                          *:*
LISTEN     0      128                             *:22                                          *:*
LISTEN     0      100                     127.0.0.1:25                                          *:*
LISTEN     0      128                      10.0.0.7:443                                         *:*
LISTEN     0      128                          [::]:22                                       [::]:*
LISTEN     0      100                         [::1]:25                                       [::]:*

3 修改后端服务器的日志格式

# Log the X-forwarded-* headers HAProxy sets (HTTP header names are
# case-insensitive, so the spelling in %{...}i does not have to match).
# %h is the TCP peer, i.e. HAProxy (10.0.0.7), not the end client; add
# %{X-Forwarded-For}i here and `option forwardfor` in HAProxy if the client
# address must be kept in these logs (needed for any forensic use of them).
[root@rs1 html]#vim /etc/httpd/conf/httpd.conf
    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" \"%{X-forwarded-Port}i\" \"%{X-forwarded-Proto}i\"" combined
[root@rs1 html]#httpd -t
[root@rs1 html]#systemctl restart httpd.service

[root@rs2 html]#vim /etc/httpd/conf/httpd.conf
    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" \"%{X-forwarded-Port}i\" \"%{X-forwarded-Proto}i\"" combined
[root@rs2 html]#httpd -t
[root@rs2 html]#systemctl restart httpd.service

4 验证https

[root@rs1 ~]#cd /var/www/html
[root@rs1 html]#hostname -I > index.html
[root@rs1 html]#cat index.html
10.0.0.17
[root@rs2 ~]#cd /var/www/html
[root@rs2 html]#cat index.html
10.0.0.27

[root@client ~]#cat /etc/hosts
10.0.0.7 www.linux2022.com
# NOTE(review): -k disables certificate verification, so these requests only
# prove that TLS and round-robin work, not that the certificate is correct.
# The /etc/hosts entry above is not even exercised because the URL is the
# bare IP. For a real check, trust the self-signed cert explicitly and use
# the hostname (copy only the .crt to the client, never the .pem/.key):
#   curl --cacert www.linux2022.com.crt https://www.linux2022.com
# If that fails on the hostname, the certificate lacks a subjectAltName (see
# the cert-generation step above).
[root@client ~]#curl -k https://10.0.0.7
10.0.0.17
[root@client ~]#curl -k https://10.0.0.7
10.0.0.27
[root@client ~]#curl -k https://10.0.0.7
10.0.0.17
[root@client ~]#curl -k https://10.0.0.7
10.0.0.27

# Response headers as seen through HAProxy. NOTE(review): the `server:` header
# reveals the exact Apache version; set `ServerTokens Prod` on the backends
# (or strip it in HAProxy with `http-response del-header server`) to reduce
# fingerprinting.
[root@client ~]#curl -Ik https://10.0.0.7
HTTP/1.1 200 OK
date: Thu, 21 Apr 2022 23:56:52 GMT
server: Apache/2.4.6 (CentOS)
last-modified: Tue, 19 Apr 2022 13:49:35 GMT
etag: "a-5dd0225b759a2"
accept-ranges: bytes
content-length: 10
content-type: text/html; charset=UTF-8

# Plain HTTP gets the 302 produced by `redirect scheme https`; -L then follows
# it to the HTTPS URL.
[root@client ~]#curl -ILk http://10.0.0.7
HTTP/1.1 302 Found
content-length: 0
location: https://10.0.0.7/
cache-control: no-cache

HTTP/1.1 200 OK
date: Thu, 21 Apr 2022 23:55:11 GMT
server: Apache/2.4.6 (CentOS)
last-modified: Tue, 19 Apr 2022 13:49:35 GMT
etag: "a-5dd0225b759a2"
accept-ranges: bytes
content-length: 10
content-type: text/html; charset=UTF-8

5 查看后端服务器的访问日志

# Backend access log: the last two fields are the X-forwarded-Port /
# X-forwarded-Proto values set by HAProxy. The first field (10.0.0.7) is
# HAProxy itself, not the client - the real client address is absent from
# these logs unless HAProxy adds X-Forwarded-For (`option forwardfor`) and
# Apache logs it (%{X-Forwarded-For}i).
[root@rs1 html]#tail /var/log/httpd/access_log -f
10.0.0.7 - - [22/Apr/2022:08:10:22 +0800] "GET / HTTP/1.1" 200 11 "-" "curl/7.58.0" "443" "https"

[root@rs2 html]#tail /var/log/httpd/access_log -f
10.0.0.7 - - [22/Apr/2022:08:10:23 +0800] "GET / HTTP/1.1" 200 10 "-" "curl/7.58.0" "443" "https"
