ha 配置ssl_Haproxy ssl 配置方式

通过haproxy redirect请求重定向的方法实现HTTP跳转HTTPS

配置实现http跳转到https，采用redirect重定向的做法，只需在frontend端添加：

frontend http-inbind*:80bind *:443 ssl crt /etc/haproxy/aaa.bbb.pem

redirect scheme https if !{ ssl_fc }

redirect scheme httpsif!{ ssl_fc } 表示所有http站点都会跳转到https，如果只针对某一站点或某一URL进行跳转的话：

redirect scheme https if { hdr_beg(host) -i aaa.bbb.com } !{ ssl_fc }

redirect scheme https if { hdr_reg(host) -i ^[a-zA-Z0-9_]+.aaa.bbb.com } !{ ssl_fc }

当然了，也可以重定向也可以用在backend端：

frontend main *:80default_backend app

backend app

balance roundrobin

server node1127.0.0.1:81 check weight 3 redir http://www.baidu.cn

将访问的站点重定向到www.baidu.com

参考链接：http://blief.blog.51cto.com/6170059/1752669

http://www.cnblogs.com/ilanni/p/4941056.html

---------------------------------------------------------------------------------

1、haproxy 本身提供ssl 证书，后面的web 服务器走正常的http

2、haproxy 本身只提供代理，后面的web服务器https

第一种方式(推荐)

需要编译haproxy 支持ssl，编译参数：

# yum install openssl-devel -y

# wget http://haproxy.1wt.eu/download/1.5/src/devel/haproxy-1.5-dev19.tar.gz

# tar -zxvf haproxy-1.5-dev19.tar.gz ; cd haproxy-1.5-dev19

# make TARGET=linux26 USE_OPENSSL=1 ADDLIB=-lz

# ldd haproxy|grep ssl

libssl.so.10 => /usr/lib64/libssl.so.10 (0x00007fb0485e5000)

# make install PREFIX=/usr/local/haproxy

haproxy.cfg 配置：

global

maxconn 64000

log 127.0.0.1 local0

chroot /usr/share/haproxy

uid 99

gid 99

daemon

nbproc 4

tune.ssl.default-dh-param 2048

defaults

log global

mode http

option dontlognull

retries 3

option redispatch

option httpclose

balance roundrobin

option forwardfor if-none

maxconn 64000

timeout connect 5000

timeout client 50000

timeout server 50000

frontend https_frontend

bind *:443 ssl crt /etc/ssl/certs/servername.pem

acl host_https_ihouse hdr_beg(host) -i ihouse.xxx.com

use_backend yidongclient_server_https if host_https_ihouse

default_backend web_server

frontend http-in

bind *:80

log global

option httplog

option forwardfor

acl host_manager_uhouse hdr_beg(host) -i manager.u.house.comuse_backend manager_uhouse_server if host_manager_uhouse

backend manager_uhouse_server

balance source

option httpchk HEAD /httpchk.jsp HTTP/1.1\r\nHost:\ manager.u.house.com

server mannager_uhouse_48 10.0.10.48:8081 weight 1 check inter 5000 rise 2 fall 5

server mannager_uhouse_49 10.0.10.49:8081 weight 1 check inter 5000 rise 2 fall 5

backend yidongclient_server_https

balance roundrobin

cookie SERVERID insert indirect nocache

server s1192.168.250.47:80check cookie s1

server s2192.168.250.49:80check cookie s2

注意：这里的pem 文件是下面两个文件合并而成：

# cat servername.crt servername.key|tee servername.pem

按照如上规则如果多个站点就可以使用同样的规则 bind *:443  ssl  crt  $filepath  crt $file2path  crt $file3path

通过以上配置可以看出来，frontend与其相对应的backend可以分开，但是其各自acl规则是不同的，必须放在自己所属的区域下面。

第二种方式配置

不需要重新编译支持ssl，简单方便。需要后面的web服务器配置好ssl 即可。

frontend https_frontend

bind*:443mode tcp

default_backend web_server

backend web_server

mode tcp

balance roundrobin

stick-table type ip size 200k expire 30m

stick on src

server s1192.168.250.47:443server s2192.168.250.49:443注意，这种模式下mode 必须是tcp 模式，经测试 frontend 采用mode tcp时，只认可 default_backend 这一个后端,无法使用acl

haproxy.cfg示例文件：

globalmaxconn64000log127.0.0.1local0

uid99gid99daemon

defaults

logglobalmode http

option dontlognull

retries3option redispatch

option httpclose

balance roundrobin

maxconn64000timeout connect5000timeout client50000timeout server50000frontend yidonghttps-in

bind *:443mode tcp

default_backend yidongclient_server_httpsfrontend http-inbind*:80mode http

logglobaloption httplog

option forwardfor

acl host_manager_uhouse hdr_beg(host)-i manager.u.house.com

use_backend manager_uhouse_serverifhost_manager_uhouse

backend yidongclient_server_https

mode tcp

stick-table type ip size 200k expire 30m

stick on src

option ssl-hello-chk

option httpchk OPTIONS * HTTP/1.1\r\nHost:\ ihouse.ifeng.com

server yidonghttps_168 10.0.10.168:443

backend manager_uhouse_server

balance source

option httpchk HEAD/httpchk.jsp HTTP/1.1\r\nHost:\ manager.u.house.com

server mannager_uhouse_4810.0.10.48:8081 weight 1 check inter 5000 rise 2 fall 5server mannager_uhouse_4910.0.10.49:8081 weight 1 check inter 5000 rise 2 fall 5

参考资料：https://www.trustasia.com/help/haproxy-ssl.htm