0. Purpose
- Use HAProxy to convert HTTPS requests into HTTP
- The SSL certificate is installed on the HAProxy server; the backend servers carry no certificate
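1. Preparation
No. | Hostname | IP address | Role |
---|---|---|---|
1 | Haproxy | 192.168.31.8 | Reverse proxy; holds the certificate and forwards HTTPS to the backends as HTTP |
2 | Nginx-01 | 192.168.31.18 | Serves static pages |
2 | Nginx-02 | 192.168.31.28 | Serves static pages |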
1.1 Installing HAProxy
No. | Hostname | IP address |
---|---|---|
1 | Haproxy | 192.168.31.8 |
See
https://blog.csdn.net/qq_29974229/article/details/121381180
1.2 Preparing the SSL certificate
No. | Hostname | IP address |
---|---|---|
1 | Haproxy | 192.168.31.8 |
See
https://blog.csdn.net/qq_29974229/article/details/119592889
1.3 Installing Nginx on the backend servers
No. | Hostname | IP address |
---|---|---|
1 | Nginx-01 | 192.168.31.18 |
2 | Nginx-02 | 192.168.31.28 |
See
https://blog.csdn.net/qq_29974229/article/details/121266195
(sections 0-3)
1.4 Preparing the backend pages
No. | Hostname | IP address |
---|---|---|
1 | Nginx-01 | 192.168.31.18 |
2 | Nginx-02 | 192.168.31.28 |
cat >/apps/nginx/conf/nginx.conf<<EOF
worker_processes 2;
worker_cpu_affinity 0001 0010;
error_log logs/error.log;
pid logs/nginx.pid;
events {
    worker_connections 10240;
}
http {
    include mime.types;
    default_type application/octet-stream;
    sendfile on;
    keepalive_timeout 65;
    server {
        # Plain HTTP only: TLS is terminated on HAProxy
        listen 80;
        location / {
            root /apps/app0;
            index index.html index.htm;
        }
        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            root html;
        }
    }
}
EOF
# The page must live under the "root" directory configured above (/apps/app0);
# its content identifies which backend answered.
mkdir -p /apps/app0
echo "$(hostname) $(hostname -I)" >/apps/app0/index.html
2. HAProxy configuration
No. | Hostname | IP address |
---|---|---|
1 | Haproxy | 192.168.31.8 |
mkdir -p /etc/haproxy/certs/
# HAProxy reads the private key and the certificate from one combined file
cat /data/ssl/www.pana.local.key /data/ssl/www.pana.local.crt > /etc/haproxy/certs/pana.pam
# The combined file contains the private key: keep it readable by root only
chmod 600 /etc/haproxy/certs/pana.pam
cat >/etc/haproxy/haproxy.cfg <<EOF
global
    maxconn 100000
    chroot /apps/haproxy
    stats socket /var/lib/haproxy/haproxy.sock mode 600 level admin
    user haproxy
    group haproxy
    daemon
    pidfile /var/lib/haproxy/haproxy.pid
    log 127.0.0.1 local2 info
defaults
    option http-keep-alive
    option forwardfor
    maxconn 100000
    mode http
    timeout connect 300000ms
    timeout client 300000ms
    timeout server 300000ms
frontend http_port
    ###################### https setting ##############################
    # TLS is terminated here; the backends receive plain HTTP
    bind 192.168.31.8:443 ssl crt /etc/haproxy/certs/pana.pam
    # Matches only non-TLS connections, so it has an effect only if a
    # plain-HTTP bind is also added to this frontend
    redirect scheme https if !{ ssl_fc }
    http-request set-header X-forwarded-Port %[dst_port]
    # set-header replaces any client-supplied value (add-header would keep it)
    http-request set-header X-forwarded-Proto https if { ssl_fc }
    mode http
    log global
    option httplog
    ###################### acl hosts #################################
    default_backend web_hosts
################### backend hosts #################################
backend web_hosts
    mode http
    # balance is a backend setting; it has no effect in a frontend section
    balance roundrobin
    server web1 192.168.31.18:80 check inter 2000 fall 3 rise 5
    server web2 192.168.31.28:80 check inter 2000 fall 3 rise 5
EOF
3. Testing
The HAProxy HTTPS configuration is now complete.
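One way to test the result, as an added example that is not part of the original post: it validates the configuration, fetches the index page several times over verified TLS, and checks that both backends answered. The function names, the `run` argument, the site name `www.pana.local` (inferred from the certificate file name) and the use of the certificate file as trust anchor are assumptions.

```sh
#!/bin/sh
# Added example (not from the original post). Run on the HAProxy host: sh check.sh run
VIP=192.168.31.8                        # HAProxy bind address (from the page)
BACKENDS="192.168.31.18 192.168.31.28"  # Nginx-01 / Nginx-02 (from the page)
SITE=www.pana.local                     # assumption: name inside the certificate
CA=/data/ssl/www.pana.local.crt         # assumption: usable as the trust anchor

# Request the index page $1 times through HAProxy with certificate
# verification enabled (no -k); --resolve pins SITE to the HAProxy address.
fetch_pages() (
  n=$1
  while [ "$n" -gt 0 ]; do
    curl -sS --max-time 5 --cacert "$CA" \
      --resolve "$SITE:443:$VIP" "https://$SITE/" || exit 1
    n=$((n - 1))
  done
)

# Read response bodies on stdin (each index.html holds "<hostname> <ip>") and
# print "<ip> <hits>" per backend; fail if any backend never answered.
tally_backends() (
  bodies=$(cat)
  rc=0
  for ip in $BACKENDS; do
    # -F: literal dots, -w: 192.168.31.18 must not match 192.168.31.180
    hits=$(printf '%s\n' "$bodies" | grep -cFw -- "$ip" || true)
    echo "$ip $hits"
    [ "$hits" -gt 0 ] || rc=1
  done
  exit "$rc"
)

if [ "${1:-}" = "run" ]; then
  haproxy -c -f /etc/haproxy/haproxy.cfg || exit 1   # syntax check only
  fetch_pages 6 | tally_backends || { echo "FAIL: TLS error or backend missing" >&2; exit 1; }
  echo "OK: TLS verified and both backends served pages"
fi
```

A TLS verification failure leaves the tally empty, so the script reports failure instead of silently falling back to an unverified connection.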