Haproxy 配置http https ws wss
大家好! 最近因公司业务需求。使用HAproxy充当网关功能,并支持https协议及wss协议(后端服务不再需要做证书处理)。网上找了一些资料,可惜很难找到一个全面的haproxy.cnf模板。经过1天的沉淀,最终将http https ws wss 整合同一个配置文件,同时对外提供服务。现跟大家分享
1 证书生成
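# Prerequisite: confirm this haproxy build has OpenSSL support (look for
# "Built with OpenSSL" in the -vv output). If not, rebuild with USE_OPENSSL=1
# (TARGET=linux26 is the legacy build target the author used) and verify that
# the binary links against libssl.
haproxy -vv
make TARGET=linux26 USE_OPENSSL=1 ADDLIB=-lz
ldd haproxy | grep ssl
#1 Generate the .key, .csr and .crt files.
# The private key and CSR must exist before the self-signing step below; the
# original only showed the x509 step. -nodes leaves the key unencrypted, which
# haproxy requires because it cannot prompt for a passphrase at startup.
sudo mkdir -p /etc/ssl/xip.io
sudo openssl req -new -newkey rsa:2048 -nodes -keyout /etc/ssl/xip.io/xip.io.key -out /etc/ssl/xip.io/xip.io.csr
# Self-signed certificate valid for 365 days; clients must trust it explicitly.
sudo openssl x509 -req -days 365 -in /etc/ssl/xip.io/xip.io.csr -signkey /etc/ssl/xip.io/xip.io.key -out /etc/ssl/xip.io/xip.io.crt
#2 Create the servername.pem bundle that "bind ... ssl crt" loads: certificate
# contents followed by private key contents. Concatenating avoids copy/paste
# mistakes in an editor. The bundle contains the private key, so it must not be
# world-readable (/etc/ssl/certs typically is); haproxy reads it at startup
# before dropping privileges, so a root-only mode 600 file is fine.
sudo sh -c 'cat /etc/ssl/xip.io/xip.io.crt /etc/ssl/xip.io/xip.io.key > /etc/ssl/certs/servername.pem'
sudo chmod 600 /etc/ssl/certs/servername.pem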
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----
2 haproxy.cnf
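global
    # Send logs to the local syslog daemon (UDP 514) on facility local3.
    log 127.0.0.1 local3
    # Process-wide ceiling on concurrent connections; per-proxy maxconn values
    # larger than this can never be reached.
    maxconn 20480
    chroot /usr/local/haproxy
    uid 1004 # 1004 is the uid of the haproxy user, which must be created manually
    gid 1004
    daemon
    quiet
    nbproc 1
    pidfile /var/run/haproxy.pid
    # TLS hardening applied to every "bind ... ssl" line in this file: refuse
    # SSLv3 and TLS 1.0, and use a 2048-bit DH group for DHE ciphers (the
    # 1024-bit default is weak and makes haproxy warn at startup).
    ssl-default-bind-options no-sslv3 no-tlsv10
    tune.ssl.default-dh-param 2048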
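defaults
    log global
    mode http
    maxconn 20480
    option httplog
    # Close the client connection after each request while letting the server
    # believe it is keep-alive (for servers that misbehave on "Connection: close").
    option httpclose
    option http-pretend-keepalive
    option forwardfor
    option dontlognull
    option redispatch
    retries 3
    balance roundrobin
    # balance url_param userid
    # "stats uri" enables the statistics page on every HTTP proxy in this file,
    # including the publicly bound ones, so it must not be anonymous: require
    # credentials and hide the version string. The credentials below are
    # placeholders to be replaced before deployment; a dedicated "listen" bound
    # to a management address would be safer still.
    stats uri /haproxy-stats
    stats auth STATS_USER_PLACEHOLDER:STATS_PASSWORD_PLACEHOLDER
    stats hide-version
    # Current spelling of contimeout/clitimeout/srvtimeout, which are deprecated
    # and rejected by recent releases; same values, in milliseconds.
    timeout connect 5000
    timeout client 50000
    timeout server 50000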
listen http_queue
# Plain-HTTP entry point; TLS clients use frontend https_queueservice (20535).
bind *:10535
mode http
# Tags requests that arrived via this plain-HTTP listener. The header name
# contains an underscore, which some upstream servers (e.g. nginx by default)
# drop -- confirm the backend actually sees it.
http-request set-header http_req yes
balance roundrobin
option httplog
option dontlognull
# Log as soon as the server's response headers arrive, so the byte count in
# the log line is incomplete.
option logasap
option forwardfor
option httpclose
option http-pretend-keepalive
# "cookie 1" on both servers is inert: no "cookie" directive is defined in this
# section, and both values are identical anyway, so no stickiness results.
# Health check every 2 s; 3 passes to mark up, 3 failures to mark down.
server http_queue1 192.168.15.56:10535 cookie 1 check inter 2000 rise 3 fall 3
server http_queue2 192.168.10.139:10535 cookie 1 check inter 2000 rise 3 fall 3
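frontend https_queueservice
    # TLS termination; the backend receives plain HTTP on 10535.
    bind *:20535 ssl crt /etc/ssl/certs/servername.pem
    mode http
    # httpclose / forceclose / http-server-close are overlapping connection-close
    # modes (forceclose takes precedence per the 1.5 docs); the original listed
    # "option httpclose" twice, the duplicate is dropped.
    option httpclose
    option forceclose
    option http-server-close
    option forwardfor except 127.0.0.1
    # set-header overwrites any client-supplied X-Forwarded-Proto. The original
    # "reqadd" appended, so a client could inject a second value, and reqadd has
    # been removed from current releases.
    http-request set-header X-Forwarded-Proto https
    default_backend https_queueservice
    #option http-pretend-keepalive
    #option httpchk GET /TLS/healthcheck HTTP/1.1\r\nHost:\
    #http-check expect status 200
    #option httpchk GET /index.html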
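backend https_queueservice
    mode http
    balance roundrobin
    # Overlapping connection-close modes kept as in the frontend.
    option httpclose
    option forceclose
    option http-server-close
    option forwardfor except 127.0.0.1
    # Stickiness cookie. This backend is only reached over TLS, so mark the
    # cookie Secure (never sent over plain HTTP) and HttpOnly (not readable by
    # page scripts).
    cookie SERVERID insert indirect nocache secure httponly
    # Single server: stickiness only matters once a second one is added (the
    # plain listener http_queue also balances to 192.168.10.139:10535).
    server queueservice_1 192.168.15.56:10535 cookie 1 check inter 2000 rise 3 fall 3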
listen http_smagent
# Plain-HTTP entry point; TLS clients use frontend https_smagent (21802).
bind *:11802
mode http
balance roundrobin
option httplog
option dontlognull
# Log as soon as the server's response headers arrive, so the byte count in
# the log line is incomplete.
option logasap
option forwardfor
option httpclose
option http-pretend-keepalive
# "cookie 1" is inert: no "cookie" directive is defined in this section.
# Health check every 2 s; 3 passes to mark up, 3 failures to mark down.
server http_smagent1 192.168.8.151:11802 cookie 1 check inter 2000 rise 3 fall 3
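frontend https_smagent
    # TLS termination; the backend receives plain HTTP on 11802.
    bind *:21802 ssl crt /etc/ssl/certs/servername.pem
    mode http
    # httpclose / forceclose / http-server-close are overlapping connection-close
    # modes (forceclose takes precedence per the 1.5 docs); the original listed
    # "option httpclose" twice, the duplicate is dropped.
    option httpclose
    option forceclose
    option http-server-close
    option forwardfor except 127.0.0.1
    # set-header overwrites any client-supplied X-Forwarded-Proto. The original
    # "reqadd" appended, so a client could inject a second value, and reqadd has
    # been removed from current releases.
    http-request set-header X-Forwarded-Proto https
    default_backend https_smagent
    #option http-pretend-keepalive
    #option httpchk GET /TLS/healthcheck HTTP/1.1\r\nHost:\
    #http-check expect status 200
    #option httpchk GET /index.html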
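backend https_smagent
    mode http
    balance roundrobin
    # Overlapping connection-close modes kept as in the frontend.
    option httpclose
    option forceclose
    option http-server-close
    option forwardfor except 127.0.0.1
    # Stickiness cookie. This backend is only reached over TLS, so mark the
    # cookie Secure (never sent over plain HTTP) and HttpOnly (not readable by
    # page scripts).
    cookie SERVERID insert indirect nocache secure httponly
    # Renamed from the copy-pasted "queueservice_1" so stats and logs identify
    # the right service; same address and check parameters.
    server smagent_1 192.168.8.151:11802 cookie 1 check inter 2000 rise 3 fall 3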
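listen socket-signa-ws
    # Plain (unencrypted) WebSocket pass-through in TCP mode: no HTTP parsing,
    # so the HTTP options inherited from "defaults" do not apply (haproxy warns
    # and ignores them). Use the TCP log format explicitly.
    mode tcp
    bind *:10538
    balance roundrobin
    option tcplog
    #timeout queue 5000
    # "timeout connect" bounds only the TCP handshake to the server; the original
    # 24 h value could leave a client waiting a day on a server that drops SYNs.
    # Idle limits belong on the client and server timeouts: 24 h on both,
    # otherwise the 50 s client timeout from "defaults" cuts long-lived sockets.
    timeout connect 5000
    timeout client 86400000
    timeout server 86400000
    server server1 192.168.15.57:10538 check
    server server2 192.168.10.139:10538 check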
frontend socket-signa-wss
# TLS-terminating WebSocket entry (wss://); upgraded connections are forwarded
# to backend socket-signa-wss in plain text.
bind *:20538 ssl crt /etc/ssl/certs/servername.pem
mode http
# Capped by the global maxconn (20480), so this value is never reached.
maxconn 60000
# Route on a "ws." hostname prefix ...
acl host_ws hdr_beg(Host) -i ws.
use_backend socket-signa-wss if host_ws
# ... or on the WebSocket handshake headers (both must be present).
acl hdr_connection_upgrade hdr(Connection) -i upgrade
acl hdr_upgrade_websocket hdr(Upgrade) -i websocket
use_backend socket-signa-wss if hdr_connection_upgrade hdr_upgrade_websocket
# No default_backend: a request matching neither rule is answered with a 503.
#default_backend bk_web
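backend socket-signa-wss
    # Inherits "mode http" from defaults. After the 101 Switching Protocols the
    # connection becomes a tunnel, where "timeout tunnel" supersedes the 50 s
    # client/server timeouts from defaults; 24 h matches the plain
    # socket-signa-ws listener.
    timeout tunnel 86400000
    balance roundrobin
    # The per-server "cookie" values are inert: no "cookie" directive is defined
    # in this backend, so every new connection is round-robined. Add
    # "cookie SERVERID insert indirect nocache secure httponly" if stickiness
    # across reconnects is wanted.
    server websrv1 192.168.15.57:10538 maxconn 30000 weight 10 cookie websrv1 check
    server websrv2 192.168.10.139:10538 maxconn 30000 weight 10 cookie websrv2 check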