Haproxy安裝ssl憑證,後端server使用http。
當使用者以 http 連線時會自動轉為 https,再依請求的網域名稱(TLS SNI)導向對應定義的後端 server。
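global
    # Process-wide settings: logging, privilege drop and TLS defaults.
    log 127.0.0.1 local0
    # Run inside a chroot jail as a dedicated unprivileged user and group.
    chroot /var/lib/haproxy
    pidfile /var/run/haproxy.pid
    maxconn 4000
    user haproxy
    group haproxy
    daemon
    # DH parameter size; only relevant when DHE cipher suites are enabled.
    tune.ssl.default-dh-param 2048
    # The previous list enabled DES, RC4 and 3DES plus non-forward-secret
    # CBC suites, all of which are considered broken or weak. Only
    # forward-secret AEAD suites are offered now; very old clients without
    # TLS 1.2 support will no longer connect.
    ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305
    # Refuse legacy protocol versions on every ssl bind line.
    ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11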
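# Proxy-level defaults inherited by every listen/frontend/backend below.
# They need their own "defaults" header: keywords such as "mode", "option"
# and "timeout" are not accepted inside the "global" section.
defaults
    mode http
    log global
    option httplog
    # Do not log connections that carried no data (e.g. bare health probes).
    option dontlognull
    retries 3
    # A short request timeout limits how long a slow client can hold a
    # connection open while trickling in its headers.
    timeout http-request 10s
    timeout queue 1m
    timeout connect 10s
    timeout client 1m
    timeout server 1m
    timeout http-keep-alive 10s
    timeout check 10s
    maxconn 3000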
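# Statistics / management page
listen stats
    # This listener is plain HTTP on every interface, so the Basic-auth
    # credentials below cross the network unencrypted. Prefer binding to a
    # management-only address (or a TLS bind) and firewall the port.
    bind 0.0.0.0:8181
    stats enable
    # Do not disclose the HAProxy version on the page.
    stats hide-version
    stats uri /admin
    # Placeholder password: the well-known admin:admin pair must never be
    # deployed. Replace it with a long random secret.
    stats auth admin:CHANGE_ME_STRONG_PASSWORD
    # Admin actions (enabling/disabling servers) were allowed for every
    # caller ("if TRUE"); they are now limited to requests from the local host.
    stats admin if LOCALHOST
    stats refresh 30s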
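# Redirect plain HTTP to HTTPS
frontend http
    # "bind" and "redirect" are separate directives; they were fused onto one
    # line, which is not a valid bind address.
    bind *:80
    # Permanent redirect for any request that did not arrive over TLS.
    # The first request still travels in clear text; an HSTS response header
    # on the HTTPS side tells returning browsers to skip this hop.
    redirect scheme https code 301 if !{ ssl_fc }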
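# HTTPS termination and per-site routing
frontend https_switch
    # The crt file is a PEM bundle that includes the private key; keep its
    # file permissions restricted to the account that starts HAProxy.
    bind *:443 ssl crt /etc/pki/CA/CA.pem
    mode http
    option httpclose
    option forwardfor
    # set-header replaces any X-Forwarded-Proto the client sent, whereas
    # reqadd only appended a second header (and was removed in HAProxy 2.1).
    http-request set-header X-Forwarded-Proto https
    # ACLs: choose the backend from the TLS SNI host name (case-insensitive).
    # NOTE(review): SNI comes from the TLS handshake and is not compared with
    # the HTTP Host header here; if the backends trust Host, consider matching
    # on hdr(host) instead - confirm against the deployment.
    acl url_testsite ssl_fc_sni -i testsite.com
    use_backend url_testsite if url_testsite
    acl url_portal ssl_fc_sni -i portal.com
    use_backend url_portal if url_portal
    # No default_backend is declared, so requests matching neither ACL are
    # answered by HAProxy itself with an error.
    # Headers captured for the log-format line below.
    capture request header Host len 64
    capture request header User-Agent len 128
    # Presumably the client-supplied value; treat it as untrusted in log analysis.
    capture request header X-Forwarded-For len 100
    capture request header Referer len 200
    capture response header Server len 40
    capture response header Server-ID len 40
    # Client ip:port, server ip:port, bytes read, bytes uploaded, status,
    # request line, backend, frontend, backend source ip, captured headers.
    # The dangling trailing backslash of the original line has been dropped.
    log-format %ci:%cp\ %si:%sp\ %B\ %U\ %ST\ %r\ %b\ %f\ %bi\ %hrl\ %hsl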
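# Backend pool for testsite.com. Traffic from HAProxy to these servers is
# plain HTTP, so this segment must be a trusted network.
backend url_testsite
    mode http
    balance roundrobin
    option httpclose
    option forwardfor
    # Persistence cookie. httponly keeps it away from page scripts and secure
    # keeps it off plaintext connections; clients reach this backend only
    # through the HTTPS frontend.
    cookie SRVERID insert nocache httponly secure
    # Each server needs its own cookie value, otherwise the cookie directive
    # above has nothing to insert. Opaque values avoid exposing internal names.
    server testserver1 192.168.11.11:80 cookie s1 check inter 3000 rise 3 fall 5
    # "backup" marks a standby server: it receives traffic only when
    # testserver1 is failing its health checks.
    server testserver2 192.168.11.12:80 cookie s2 check inter 3000 rise 3 fall 5 backup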
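# Backend pool for portal.com. Traffic from HAProxy to these servers is
# plain HTTP, so this segment must be a trusted network.
backend url_portal
    mode http
    balance roundrobin
    option httpclose
    option forwardfor
    # Persistence cookie. httponly keeps it away from page scripts and secure
    # keeps it off plaintext connections; clients reach this backend only
    # through the HTTPS frontend.
    cookie SRVERID insert nocache httponly secure
    # Each server needs its own cookie value, otherwise the cookie directive
    # above has nothing to insert. Opaque values avoid exposing internal names.
    server webserver1 192.168.11.21:80 cookie s1 check inter 3000 rise 3 fall 5
    # "backup" marks a standby server: it receives traffic only when
    # webserver1 is failing its health checks.
    server webserver2 192.168.11.22:80 cookie s2 check inter 3000 rise 3 fall 5 backup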
參考資料
haproxy生产环境的一个完整配置