当购买真正的证书 时,你不一定会获取拼接后的文件。你可以要自己拼接它们。然而,很多机构也会提供一份拼接好的文件给你。如果你没有获取到拼接后的文件,则它可能不是一个 pem 文件,而是 bundle、cert、cert、key文件或一些相同概念但名称类似的文件。
无论如何,只要我们得到了HAProxy使用的pem文件,我们只需经过简单配置就是可以处理SSL连接了。
下面我们将要配置haproxy来安装SSL证书,配置文件如下
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95
#--------------------------------------------------------------------- # Example configuration for a possible web application. See the # full configuration options online. # # # #--------------------------------------------------------------------- #--------------------------------------------------------------------- # Global settings #--------------------------------------------------------------------- global # to have these messages end up in /var/log/haproxy.log you will # need to: # # 1) configure syslog to accept network log events. This is done # by adding the '-r' option to the SYSLOGD_OPTIONS in # /etc/sysconfig/syslog # # 2) configure local2 events to go to the /var/log/haproxy.log # file. A line like the following can be added to # /etc/sysconfig/syslog # # local2.* /var/log/haproxy.log # log 127.0.0.1 local2 warning chroot /var/lib/haproxy pidfile /var/run/haproxy.pid maxconn 400000 user haproxy group haproxy daemon tune.ssl.default-dh-param 2048 # nbproc 3 # turn on stats unix socket stats socket /var/lib/haproxy/stats #--------------------------------------------------------------------- # common defaults that all the 'listen' and 'backend' sections will # use if not designated in their block #--------------------------------------------------------------------- defaults mode http log global option httplog option dontlognull option http-server-close option forwardfor except 127.0.0.0/8 option redispatch option httpclose retries 3 timeout http-request 10s timeout queue 1m timeout connect 10s timeout client 1m timeout server 1m timeout http-keep-alive 10s timeout check 10s stats enable stats hide-version stats uri /haproxy?status stats realm Haproxy\ Statistics stats auth admin:asd870719 # stats admin if TRUE #--------------------------------------------------------------------- # main frontend which proxys to the backends #--------------------------------------------------------------------- #frontend main *:5000 # acl url_static path_beg -i /static /images /javascript /stylesheets # acl url_static path_end -i .jpg .gif .png .css .js # use_backend static if url_static # default_backend app frontend wzlinux_ssl bind *:80 bind *:443 ssl crt /etc/haproxy/wzlinux.pem mode http default_backend wzlinux #--------------------------------------------------------------------- # static backend for serving up images, stylesheets and such #--------------------------------------------------------------------- #backend static # balance roundrobin # server static 127.0.0.1:4331 check backend wzlinux mode http balance roundrobin option forwardfor # option httpchk HEAD / HTTP/1.1\r\nHost:localhost server wzlinux01 10.0.0.9:8080 check inter 15000 rise 2 fall 4 server wzlinux02 10.0.0.9:8081 check inter 15000 rise 2 fall 4 server wzlinux03 10.0.0.9:8082 check inter 15000 rise 2 fall 4 server wzlinux04 10.0.0.9:8083 check inter 15000 rise 2 fall 4 server wzlinux05 10.0.0.9:8084 check inter 15000 rise 2 fall 4 server wzlinux06 10.0.0.9:8085 check inter 15000 rise 2 fall 4 server wzlinux07 10.0.0.9:8086 check inter 15000 rise 2 fall 4 # http-request set-header X-Forwarded-Port %[dst_port] # http-request add-header X-Forwarded-Proto https if { ssl_fc }
因为 SSL 连接在负载均衡器上终止了,我们依然来发送正常的 HTTP 请求到后台服务器。
只接受SSL连接
如果你想让网站只接受SSL连接,你可以添加向前端配置加上redirect导向:
1 2 3 4 5 6
frontend wzlinux_ssl bind *:80 bind *:443 ssl crt /etc/haproxy/wzlinux.pem redirect scheme https if !{ ssl_fc } mode http default_backend wzlinux
上面,我们添加了 redirect 导向,如果连接不是通过SSL连接的,它将http重定向到https。
4、使用HAProxy实现SSL穿透
使用SSL穿透,我们将让后台服务器处理SSL连接,而非负载均衡器来处理。