haproxy可以实现https的证书安全,从用户搭配haproxy为https,从haproxy到后端服务器通信,但基于性能考虑,生产中证书都是在后端服务器比如nginx上实现
证书制作
#生成证书方法1:
[root@cen7_17 ~]# mkdir /etc/haproxy/certs
[root@cen7_17 ~]# cd /etc/haproxy/certs/
[root@cen7_17 certs]# openssl req -x509 -newkey rsa:2048 -subj "/CN=www.yzl.org" -keyout haproxy.key -nodes -days 365 -out haproxy.crt
Generating a 2048 bit RSA private key
..+++
........................+++
writing new private key to 'haproxy.key'
-----
[root@cen7_17 certs]# ls
haproxy.crt haproxy.key
[root@cen7_17 certs]# cat haproxy.key haproxy.crt > haproxy.pem
[root@cen7_17 certs]# openssl x509 -in haproxy.pem -noout -text #查看证书
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
f0:ab:1e:b6:d3:bb:30:02
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN=www.yzl.org
Validity
Not Before: Jun 24 02:01:53 2021 GMT
Not After : Jun 24 02:01:53 2022 GMT
Subject: CN=www.yzl.org
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:c9:8d:de:bc:1c:6a:05:33:8f:30:2c:ff:b2:37:
a5:63:15:22:e9:38:57:5c:14:78:af:7b:b0:a8:8c:
02:f4:89:a0:9c:e7:a2:77:df:3f:a4:92:10:75:24:
69:9c:cb:b9:c1:27:fd:ee:a5:03:e2:df:02:e2:ea:
29:87:00:d3:cc:a7:ee:54:27:ed:48:d9:5a:4e:93:
11:8e:d7:bf:8d:db:c2:3e:11:29:eb:a5:ca:c3:4a:
ec:8b:a3:f6:4d:a5:3f:de:61:40:8c:0c:dc:13:75:
cb:88:2f:5d:ab:e4:0a:9e:6d:72:cc:0c:ac:54:2b:
a0:bd:83:9c:63:e3:7b:49:b3:2a:eb:f7:bb:7d:b2:
0e:ae:f1:81:02:47:c2:b2:ca:83:72:08:7f:aa:52:
f6:78:82:2f:bf:55:33:27:00:b7:3e:56:cf:1f:c3:
b4:08:60:e1:cb:d2:bd:a0:9a:cc:47:ce:d9:2a:9d:
7c:8e:6e:bb:6a:4c:ae:87:71:67:54:0d:e5:cc:9e:
53:4b:66:c1:6b:f1:45:c3:16:95:e8:f6:e1:3d:39:
07:d8:1a:93:86:2f:e9:48:bb:53:5b:8d:81:a5:58:
9a:e4:10:9b:6e:0c:1e:c5:1c:69:02:7a:f1:99:c2:
df:6a:b7:f5:49:8a:b2:5c:a9:e6:9b:cc:d7:31:df:
5b:2f
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
51:8D:A3:0B:1F:58:89:DE:D5:6F:94:8A:F5:9B:05:0A:43:94:26:C5
X509v3 Authority Key Identifier:
keyid:51:8D:A3:0B:1F:58:89:DE:D5:6F:94:8A:F5:9B:05:0A:43:94:26:C5
X509v3 Basic Constraints:
CA:TRUE
Signature Algorithm: sha256WithRSAEncryption
9f:b4:ac:5c:bc:60:43:4a:34:df:e4:b3:2d:8d:b1:7c:6f:6b:
cf:a5:16:2b:b1:05:77:1e:9b:42:3d:51:cd:8e:30:14:a6:79:
b2:31:59:f4:05:6a:60:42:38:91:fe:5d:7f:3b:7a:c7:10:51:
7f:84:de:d4:33:2c:fc:85:92:1a:3d:e0:a9:e7:7d:58:77:12:
42:30:c5:cb:e6:85:6a:04:c5:0d:61:c1:f8:c4:4c:ba:1f:5a:
d5:a9:cc:35:fd:8f:dc:3d:62:4a:a9:79:99:89:d6:8f:d1:1d:
d8:6f:43:1a:e3:f3:c2:8c:ea:c3:6c:be:63:52:f0:64:2d:a8:
a7:94:06:51:fc:e4:5d:67:ec:01:d4:72:e7:99:1e:bc:c0:08:
7b:39:33:74:6d:85:78:76:ef:a4:c3:a7:6d:96:fc:32:5d:04:
58:7e:28:8b:df:19:6e:f9:da:d0:e6:20:e9:1d:85:43:a0:ff:
ba:6e:85:39:12:d8:21:9b:9d:72:fb:37:53:7a:9b:f4:a9:3e:
f1:c5:33:6e:5d:11:34:c6:55:a8:82:e2:74:59:0b:bc:33:3b:
86:bd:46:40:5e:80:21:e0:9f:eb:7d:4e:d9:89:77:05:74:0e:
29:59:19:6b:6e:47:8f:f5:1b:5c:e9:71:aa:cd:39:4f:f4:b6:
75:64:5a:d5
[root@cen7_17 certs]# #生成证书方法2:
[root@cen7_17 ~]# mkdir /etc/haproxy/certs
[root@cen7_17 ~]# cd /etc/pki/tls/certs/
[root@cen7_17 certs]# vim Makefile
%.key:
umask 77 ; \
/usr/bin/openssl genrsa $(KEYLEN) > $@ #把-aes128去掉,免密码
[root@cen7_17 certs]# make /etc/haproxy/certs/haproxy.crt
umask 77 ; \
/usr/bin/openssl genrsa 2048 > /etc/haproxy/certs/haproxy.key
Generating RSA private key, 2048 bit long modulus
..+++
..........+++
e is 65537 (0x10001)
umask 77 ; \
/usr/bin/openssl req -utf8 -new -key /etc/haproxy/certs/haproxy.key -x509 -days 365 -out /etc/haproxy/cert
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:yy
Organizational Unit Name (eg, section) []:it
Common Name (eg, your name or your server's hostname) []:www.yy.com
Email Address []:
[root@cen7_17 certs]#
[root@cen7_17 certs]# cd /etc/haproxy/certs/
[root@cen7_17 certs]# ls
haproxy.crt haproxy.key
[root@cen7_17 certs]# cat haproxy.key haproxy.crt > haproxy.pemHTTP配置
[root@cen7_17 ~]# cat /etc/haproxy/conf.d/tt.cfg
frontend web_80
bind 10.0.0.17:80
bind 10.0.0.17:443 ssl crt /etc/haproxy/certs/haproxy.pem
redirect scheme https if !{ ssl_fc } #注意{ }内的空格
use_backend web_web1
backend web_web1
balance roundrobin
server 10.0.0.40 10.0.0.40:80 check
server 10.0.0.50 10.0.0.50:80 check
backend web_web2
server 10.0.0.50 10.0.0.50:80 check
[root@cen7_17 ~]#
测试
[root@cen7_17 ~]# curl -k https://10.0.0.17
10.0.0.40
web1
[root@cen7_17 ~]# curl -k https://10.0.0.17
10.0.0.50
web2
[root@cen7_17 ~]#
[root@cen7_17 ~]# curl http://10.0.0.17 -I
HTTP/1.1 302 Found
content-length: 0
location: https://10.0.0.17/
cache-control: no-cache
[root@cen7_17 ~]#修改httpd后端服务器的日志格式
#后端服务器的日志格式配置
[root@cent8_yzl_40 ~]# vim /etc/httpd/conf/httpd.conf
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" \"%{X-Forwarded-For}i\" " combined
[root@cent8_yzl_40 ~]# tail /var/log/httpd/access_log -f
10.0.0.17 - - [24/Jun/2021:17:48:35 +0800] "GET / HTTP/1.1" 200 10 "-" "curl/7.29.0" "10.0.0.27"
1192
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
