haproxy 负载ssl
Hi. In this tutorial you will get to know how to implement HTTPS in your servers by using a free certificate from Certbot and implementing it in your Load Balancer with HAProxy.
你好 在本教程中,您将通过使用来自Certbot的免费证书并使用HAProxy在您的负载均衡器中实现它,来了解如何在服务器中实现HTTPS。
I work with Ubuntu 16.04 LTS servers, where my-lb is the load balancer name and web-a and web-b are the web servers, using Nginx open source software. The subdomain www is pointing to my-lb as well as the @ domain name, and is only this subdomain I want to receive HTTPS requests in my webstack.
我使用Nginx开源软件使用Ubuntu 16.04 LTS服务器,其中my-lb是负载均衡器名称,而web-a和web-b是Web服务器。 子域名www指向my-lb以及@域名,并且只有这个子域名,我想在我的Webstack中接收HTTPS请求。
安装certbot (Install certbot)
In this page introduce your server configuration to get the exact install instructions. Mine were like this:
在此页面中,介绍服务器配置以获取确切的安装说明。 我的是这样的:
sudo apt-get update
sudo apt-get install snapd
sudo apt-get remove certbot
sudo snap install — classic certbot
sudo certbot certonly — standalone
export LC_ALL=”en_US.UTF-8"
export LC_CTYPE=”en_US.UTF-8"检查端口80是否空闲 (Check port 80 is free)
Once this is done, run netstat -plnt and check whether some program is listening to port 80. This is important because with certbot you will ask for a free SSL certificate and the request will happen over that port, and only one program can liste to a port at a time. So we need to free it up.
完成此操作后,运行netstat -plnt并检查某个程序是否正在侦听端口80。这很重要,因为使用certbot会要求您提供免费的SSL证书,并且该请求将在该端口上发生,并且只有一个程序可以列出一次一个端口。 因此,我们需要释放它。
As you can see, port 80 is being listen here. So make sure to you stop whatever program is doing it with sudo service httpd stop, where httpd may be or not replaced by the program listening to it.
如您所见,端口80正在此处监听。 因此,请确保使用sudo service httpd stop正在执行任何程序的程序,其中httpd可能会或可能不会被侦听它的程序所替换。
申请免费的SSL证书 (Request for a free SSL certificate)
Now you’re entering to the encrypted side of internet!
现在,您正在进入Internet的加密方面!
sudo certboy certonly --standaloneIf everything is all right, you should see a message like this. Certbot asks you to indicate what domain you wish to certificate. In my case, it is only the subdomain www that will be certificated since it is where I will get all my HTTPS requests so as to get a TLS termination proxy or SSL termination.
如果一切正常,您应该会看到类似这样的消息。 Certbot要求您指出您想要认证的域。 就我而言,只有子域www会被认证,因为在这里我将获取所有HTTPS请求以获取TLS终止代理或SSL终止。
We are almost done. The private key must be appended to the certificate to complete the requirements. You may want to do:
我们快完成了。 必须将私钥附加到证书上才能完成要求。 您可能想要做:
sudo cat /etc/private/key/path.pem | sudo tee -a /etc/certificate/fullchain/path.pem Cat your fullchain certificate and make sure after the END OF CERTIFICATE you have the BEGIN PRIVATE KEY.
整理您的全链证书,并确保在END OF CERTIFICATE后拥有BEGIN PRIVATE KEY.私钥BEGIN PRIVATE KEY.
配置HAProxy负载均衡器以监听端口443 (Configure the HAProxy Load Balancer to listen to port 443)
The HAProxy config file is generally the /etc/haproxy/haprocy.cfg. There, you should have it configured with backend, frontend or listen parameters, where the redirection to web-a and web-b servers is set with a given load balancer algorithm. In the frontend parameter, set the bind *:443 ssl crt /path/to/the/fullchain/certificate.pem
HAProxy配置文件通常是/etc/haproxy/haprocy.cfg。 在那里,您应该使用backend, frontend or listen 参数对其进行配置,其中使用给定的负载均衡器算法设置对Web-a和Web-b服务器的重定向。 在frontend参数中,设置bind *:443 ssl crt /path/to/the/fullchain/certificate.pem
You are assigning the certificate to your 443 port with which you’ll give response to the HTTPS request made to your server.
您正在将证书分配到您的443端口,您将使用该端口响应对服务器的HTTPS请求。
Before celebrating, don’t forget to sudo service haproxy start !
庆祝前,别忘了sudo service haproxy start !
测试中 (Testing)
From any terminal, use the curl command with an https request to your certificated domain/subdomain and you should have the return from your expected html page.
在任何终端上,将curl命令与对您的认证域/子域的https请求一起使用,您应该从预期的html页面获得返回。
翻译自: https://medium.com/swlh/tutorial-to-configure-ssl-in-a-haproxy-load-balancer-b452d1be100f
haproxy 负载ssl
1992
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
