Tutorial to configure SSL in a HAProxy load balancer

Hi. In this tutorial you will get to know how to implement HTTPS on your servers by using a free certificate from Certbot and installing it on your load balancer with HAProxy.

I work with Ubuntu 16.04 LTS servers, where my-lb is the load balancer name and web-a and web-b are the web servers, running the open source Nginx software. The subdomain www points to my-lb, as does the @ (apex) domain name, and it is only this subdomain on which I want to receive HTTPS requests in my web stack.

Install certbot

On Certbot's instructions page, enter your server software and operating system to get the exact install instructions. Mine were like this:

sudo apt-get update
sudo apt-get install snapd
sudo apt-get remove certbot
sudo snap install --classic certbot
sudo certbot certonly --standalone
export LC_ALL="en_US.UTF-8"
export LC_CTYPE="en_US.UTF-8"

Check port 80 is free

Once this is done, run netstat -plnt and check whether some program is listening on port 80. This is important because Certbot's standalone mode serves the validation for your free SSL certificate request over that port, and only one program can listen on a port at a time. So we need to free it up.

[Image: netstat -plnt result, showing that port 80 is being listened on]

As you can see, port 80 is being listened on here. So make sure you stop whatever program is doing it with sudo service httpd stop, replacing httpd with the name of the program that is listening on the port, if it is a different one.

Request a free SSL certificate

Now you're entering the encrypted side of the internet!

sudo certbot certonly --standalone

If everything is all right, you should see a message like this. Certbot asks you to indicate which domain you wish to get a certificate for. In my case, only the subdomain www will be certified, since that is where I will receive all my HTTPS requests, so that the load balancer acts as a TLS termination proxy (SSL termination).

[Image: Certbot standalone free certificate request process]
[Image: Certbot free certificate request successfully created]

We are almost done. HAProxy expects the certificate and its private key in a single PEM file, so the private key must be appended to the fullchain certificate to complete the requirements. You may want to do:

sudo cat /etc/private/key/path.pem | sudo tee -a /etc/certificate/fullchain/path.pem 

Cat your fullchain certificate and make sure that after the END CERTIFICATE line you have the BEGIN PRIVATE KEY line.

[Image: SSL certificate and private key appended]
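As an added example that is not part of the original post, the POSIX shell helper below writes the combined PEM into a separate file and checks that the chain comes before the key and that the key matches the certificate; the paths under /etc/letsencrypt/live and /etc/haproxy/certs are assumptions.

```shell
#!/bin/sh
# Added example: build the single PEM file HAProxy's "crt" expects
# (certificate chain first, then the private key) into its own file,
# rather than appending the key to the fullchain.pem certbot manages.
# Paths are assumptions; certbot's live/ files are symlinks that are
# replaced on renewal, so an in-place append would be lost then.

build_haproxy_pem() {
  fullchain="$1"; key="$2"; out="$3"
  # Write the chain followed by the key; keep the key private.
  cat "$fullchain" "$key" > "$out" || return 1
  chmod 600 "$out"
}

check_haproxy_pem() {
  pem="$1"
  grep -q 'BEGIN CERTIFICATE' "$pem" || { echo "no certificate in $pem"; return 1; }
  grep -q 'BEGIN .*PRIVATE KEY' "$pem" || { echo "no private key in $pem"; return 1; }
  # The last END CERTIFICATE must come before the private key block.
  last_cert=$(grep -n 'END CERTIFICATE' "$pem" | tail -n 1 | cut -d: -f1)
  key_start=$(grep -n 'BEGIN .*PRIVATE KEY' "$pem" | head -n 1 | cut -d: -f1)
  [ "$last_cert" -lt "$key_start" ] || { echo "private key must follow the chain"; return 1; }
  # The key must belong to the leaf certificate: compare public keys.
  cert_pub=$(openssl x509 -in "$pem" -noout -pubkey | openssl sha256)
  key_pub=$(openssl pkey -in "$pem" -pubout | openssl sha256)
  [ "$cert_pub" = "$key_pub" ] || { echo "private key does not match certificate"; return 1; }
  echo "ok: $pem"
}

# Usage on the load balancer (assumed paths for the www subdomain):
# build_haproxy_pem /etc/letsencrypt/live/www.example.com/fullchain.pem \
#                   /etc/letsencrypt/live/www.example.com/privkey.pem \
#                   /etc/haproxy/certs/www.example.com.pem
# check_haproxy_pem /etc/haproxy/certs/www.example.com.pem
```

Pointing the bind line's crt at the generated file and re-running these two functions from a certbot deploy hook (certbot renew --deploy-hook) keeps the key attached after each renewal, which an append to the managed fullchain.pem does not survive.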

Configure the HAProxy load balancer to listen on port 443

The HAProxy config file is generally /etc/haproxy/haproxy.cfg. There, you should have it configured with backend, frontend or listen sections, where traffic is sent to the web-a and web-b servers with a given load balancing algorithm. In the frontend section, set bind *:443 ssl crt /path/to/the/fullchain/certificate.pem

This assigns the certificate to port 443, on which you will answer the HTTPS requests made to your server.

Before celebrating, don't forget to run sudo service haproxy start!

Testing

From any terminal, use the curl command to make an HTTPS request to your certified domain/subdomain, and you should get your expected HTML page back.

Translated from: https://medium.com/@hincapiet.ricardo/tutorial-to-configure-ssl-in-a-haproxy-load-balancer-b452d1be100f
