我想将流量vom:https://demo2.company.com:8443转发到内部地址10.11.0.6:https://10.11.0.6:8443
502 Bad Gateway错误:
global
log /dev/log local0
log /dev/log local1 notice
chroot /var/lib/haproxy
stats socket /run/haproxy/admin.sock mode 660 level admin
stats timeout 30s
maxconn 2048
tune.ssl.default-dh-param 2048
tune.maxrewrite 4096
user haproxy
group haproxy
# Default SSL material locations
ca-base /etc/ssl/certs/data.company.com/company.com.crt
crt-base /etc/ssl/certs/data.company.com/company.com.key
daemon
defaults
log global
mode http
option forwardfor
option http-server-close
retries 3
timeout http-request 10s
timeout queue 1m
timeout connect 10s
timeout client 1m
timeout server 1m
timeout http-keep-alive 10s
timeout check 10s
maxconn 2048
frontend cloud.company.com
bind *:8443 ssl crt /etc/ssl/certs/data.company.com/company.com.pem
http-request add-header X-forwarded-Proto: https
http-request add-header X-forwarded-Port: 8443
http-response add-header Strict-Transport-Security: max-age=15768000
log-format "%ci:%cp [%[src,map_ip(/etc/haproxy/haproxy_geo_ip.txt)]] [%t] %ft %b/%s %Tw/%Tc/%Tt %B %ts %ac/%fc/%bc/%sc/%rc %sq/%bq"
# --- GEO Block
acl acl_geoloc_block src,map_ip(/etc/haproxy/haproxy_geo_ip.txt) -m reg -i (CH|AT|DE|IT|FR)
use_backend block_geo if !acl_geoloc_block
# ---
acl is_demo1 ssl_fc -i demo1.company.com #10.11.0.2
acl is_demo2 ssl_fc -i demo2.company.com #10.11.0.6
use_backend demo1 if is_demo1
use_backend demo2 if is_demo2
backend block_geo
timeout tarpit 5s
errorfile 404 /etc/haproxy/errors/403.http
http-request tarpit deny_status 404
backend demo1
mode http
server demo1 10.11.0.2:8443 check
backend demo2
redirect scheme https if !{ ssl_fc }
server demo2 10.11.0.6:8443 check
字符串
我想是SSL的问题吧?
我想在前端使用我自己的SSL。他不应该从后端服务器显示SSL
我尝试不同的SSL命令,但总是相同的错误。我想从后端服务器获取http内容
1条答案
按热度按时间laawzig21#
我注意到两件事:
acl is_demo1 ssl_fc -i demo1.company.com #10.11.0.2
这些字符串看起来很奇怪,可能与您认为的不匹配。ssl_fc
是布尔值,仅表示连接是否通过SSL。ssl_fc_sni
可以根据您的域匹配SNI,但haproxy手册建议依赖HTTP头host
,例如acl is_demo1 hdr(host) -i demo1.company.com
1.假设您的后端通过HTTPS提供内容,它们的
server
行缺少ssl
关键字,例如server demo2 10.11.0.6:8443 check ssl verify none
或server demo2 10.11.0.6:8443 check ssl verify required ca-file /path/to/ca/file
可能需要一些其他SSL相关选项(例如
sni demo2.company.com
)才能使后端正常工作