ssl HAProxy returns 502 Bad Gateway

xdnvmnnf posted on 2023-11-18 in HAProxy
Follow (0) | Answers (1) | Views (179)

I want to forward traffic from https://demo2.company.com:8443 to the internal address 10.11.0.6, i.e. https://10.11.0.6:8443.
I get a 502 Bad Gateway error:

global
    log /dev/log    local0
    log /dev/log    local1 notice
    chroot /var/lib/haproxy
    stats socket /run/haproxy/admin.sock mode 660 level admin
    stats timeout 30s
    maxconn 2048
    tune.ssl.default-dh-param   2048
    tune.maxrewrite             4096
    user haproxy
    group haproxy
    # Default SSL material locations (ca-base and crt-base take a directory,
    # not a file; relative ca-file/crt paths are resolved against them)
    ca-base /etc/ssl/certs/data.company.com
    crt-base /etc/ssl/certs/data.company.com
    daemon

defaults
    log                     global
    mode                    http
    option                  forwardfor
    option                  http-server-close
    retries                 3
    timeout http-request    10s
    timeout queue           1m
    timeout connect         10s
    timeout client          1m
    timeout server          1m
    timeout http-keep-alive 10s
    timeout check           10s
    maxconn                 2048

frontend cloud.company.com
    bind *:8443 ssl crt /etc/ssl/certs/data.company.com/company.com.pem
    # header name and value are separate arguments; no colon after the name
    http-request add-header X-Forwarded-Proto https
    http-request add-header X-Forwarded-Port 8443
    http-response add-header Strict-Transport-Security max-age=15768000

    log-format "%ci:%cp [%[src,map_ip(/etc/haproxy/haproxy_geo_ip.txt)]] [%t] %ft %b/%s %Tw/%Tc/%Tt %B %ts %ac/%fc/%bc/%sc/%rc %sq/%bq"

# --- GEO Block
    acl acl_geoloc_block src,map_ip(/etc/haproxy/haproxy_geo_ip.txt) -m reg -i (CH|AT|DE|IT|FR)
    use_backend block_geo if !acl_geoloc_block
# ---
    
    acl is_demo1 ssl_fc -i demo1.company.com   #10.11.0.2
    acl is_demo2 ssl_fc -i demo2.company.com   #10.11.0.6

    use_backend demo1 if is_demo1
    use_backend demo2 if is_demo2

backend block_geo
    timeout tarpit 5s
    errorfile 404 /etc/haproxy/errors/403.http
    http-request tarpit deny_status 404

backend demo1
    mode http
    server demo1 10.11.0.2:8443 check

backend demo2
    redirect scheme https if !{ ssl_fc }
    server demo2 10.11.0.6:8443 check

I guess it is an SSL problem?
I want to use my own SSL on the frontend. It should not show the SSL from the backend server.
I tried different SSL commands, but always the same error. I want to get the http content from the backend server.

laawzig2 (answer 1)

I noticed two things:

  1. acl is_demo1 ssl_fc -i demo1.company.com #10.11.0.2: these strings look odd and probably do not match what you think. ssl_fc is a boolean that only says whether the connection came in over SSL. ssl_fc_sni can match the SNI against your domain, but the haproxy manual recommends relying on the HTTP host header instead, e.g. acl is_demo1 hdr(host) -i demo1.company.com
  2. Assuming your backends serve their content over HTTPS, their server lines are missing the ssl keyword, e.g. server demo2 10.11.0.6:8443 check ssl verify none or server demo2 10.11.0.6:8443 check ssl verify required ca-file /path/to/ca/file
     Some other SSL-related options (e.g. sni demo2.company.com) may be needed for the backend to work.
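The following is an added example, not the asker's configuration or the answerer's text: a corrected frontend/backend pair that applies both points of the answer. Routing uses ssl_fc_sni with a Host-header fallback (ssl_fc alone is a boolean), the backend server lines re-encrypt to the TLS listeners and verify the server certificate, and set-header replaces add-header so a client cannot smuggle its own X-Forwarded-Proto through the proxy. Note that the server-side sni keyword takes a sample expression, so the literal hostname is written as str(demo2.company.com). The CA file path /etc/haproxy/certs/internal-ca.pem and the no_match backend are assumptions for this illustration; the geo-block section of the original is omitted for brevity.

```haproxy
# Added example, not the original poster's config. Paths marked "assumed"
# are placeholders chosen for this illustration.
frontend cloud.company.com
    bind *:8443 ssl crt /etc/ssl/certs/data.company.com/company.com.pem
    # set-header overwrites any value the client sent, add-header would append to it
    http-request set-header X-Forwarded-Proto https
    http-request set-header X-Forwarded-Port %[dst_port]
    http-response set-header Strict-Transport-Security max-age=15768000

    # Route on the TLS SNI the client sent; fall back to the Host header
    # (port stripped) for clients that do not send SNI. Plain ssl_fc is only
    # a boolean "was this TLS?" fetch and cannot carry a hostname.
    acl is_demo1 ssl_fc_sni -i demo1.company.com
    acl is_demo1 req.hdr(host),field(1,:) -i demo1.company.com
    acl is_demo2 ssl_fc_sni -i demo2.company.com
    acl is_demo2 req.hdr(host),field(1,:) -i demo2.company.com

    use_backend demo1 if is_demo1
    use_backend demo2 if is_demo2
    # Never fall through silently: an unmatched name gets an explicit refusal
    # instead of a 503 from a missing default (backend name assumed).
    default_backend no_match

backend demo1
    mode http
    # The backend listens for TLS on 8443, so HAProxy must speak TLS to it.
    # Without "ssl" HAProxy writes plaintext HTTP into a TLS listener, gets a
    # TLS alert back, cannot parse it as HTTP and answers the client with 502.
    # verify required + ca-file pins the backend cert to the internal CA
    # (assumed path); the sni expression is also used as the verified hostname.
    server demo1 10.11.0.2:8443 check ssl verify required ca-file /etc/haproxy/certs/internal-ca.pem sni str(demo1.company.com)

backend demo2
    mode http
    server demo2 10.11.0.6:8443 check ssl verify required ca-file /etc/haproxy/certs/internal-ca.pem sni str(demo2.company.com)

backend no_match
    mode http
    http-request deny deny_status 403
```

Validate the file with `haproxy -c -f /etc/haproxy/haproxy.cfg` before reloading. If the 502 persists, the termination state in the HAProxy log line is the fastest pointer: a `PH` state means HAProxy received a response it could not parse (the typical symptom of plaintext sent to a TLS port), while a failed certificate verification shows up as the server being marked DOWN by the health check, so `verify none` can be used briefly to confirm that the problem is trust rather than connectivity, and then removed again.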
