1、Haproxy https实现
haproxy可以在前端终止TLS:从用户到haproxy为https,从haproxy到后端服务器用http通信。注意这意味着haproxy到后端这一跳是明文,只应在受信任的内网中使用;并且后端看到的来源IP是haproxy的地址,客户端的真实信息需要通过X-Forwarded-*头传递。另外基于性能考虑,生产中证书也常直接放在后端服务器比如nginx上实现。
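# Enable HTTPS on a HAProxy frontend (TLS terminates at HAProxy).
# `crt` takes a single PEM file holding the certificate, its private key and,
# if there is one, the intermediate chain. Build it e.g. with:
#   cat demo.key demo.crt > demo.pem
bind *:443 ssl crt /PATH/TO/SOME_PEM_FILE
# Redirect plaintext requests on port 80 to HTTPS.
bind *:80
redirect scheme https if !{ ssl_fc }
# Tell the backend which scheme and port the client used (valid in frontend or backend).
# Use set-header rather than add-header: set-header replaces any client-supplied
# X-Forwarded-* value, whereas add-header forwards the client's copy alongside ours.
http-request set-header X-Forwarded-Port %[dst_port]
http-request set-header X-Forwarded-Proto https if { ssl_fc }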
注意:这里的环境是基于前面几篇文章的环境,在上面稍微改动一下。
1.1、准备自签名证书
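# Create a self-signed certificate for the HAProxy frontend and bundle it as PEM.
# Run on the HAProxy host as root; the directory is referenced by the `crt` directive.
mkdir -p /etc/haproxy/certs
cd /etc/haproxy/certs/ || exit 1

# Method A: generate the key, then issue a self-signed certificate for it.
# The CN must be the name clients connect to (www.stars.org); a different CN makes
# every browser report a hostname mismatch on top of the self-signed warning.
# Validity is given explicitly because `openssl req -x509` defaults to 30 days.
openssl genrsa -out www.stars.org.key 2048
openssl req -new -x509 -key www.stars.org.key -days 365 -out www.stars.org.crt -subj "/CN=www.stars.org"

# Method B: the same result in one command (-nodes = unencrypted key, which HAProxy
# needs in order to load it without a passphrase). Running it after Method A simply
# overwrites the key and certificate produced above.
openssl req -x509 -newkey rsa:2048 -subj "/CN=www.stars.org" -keyout www.stars.org.key -nodes -days 365 -out www.stars.org.crt
# NOTE(review): modern browsers match the subjectAltName, not the CN; with OpenSSL 1.1.1
# or newer add `-addext "subjectAltName=DNS:www.stars.org"` to either command.

# HAProxy's `crt` expects one PEM file holding the private key and the certificate.
cat www.stars.org.key www.stars.org.crt > www.stars.org.pem
# The bundle contains the private key: keep it readable by root only. HAProxy normally
# loads certificates at startup before dropping privileges -- verify against the
# user/group configured in your haproxy unit.
chmod 600 www.stars.org.key www.stars.org.pem

# Inspect the resulting certificate (x509 reads the first CERTIFICATE block and ignores the key).
openssl x509 -in www.stars.org.pem -noout -text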
1.2、haproxy中的https的配置
[root@haproxy ~]# vim /etc/haproxy/conf.d/test.cfg
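frontend test_http_port
    mode http
    log global
    option httplog
    # Pass the real client address to the backends; without it the httpd access log
    # records the proxy's own address (10.0.0.7) as the client.
    option forwardfor
    bind 10.0.0.7:80
    # TLS terminates here; the hop to the backends is plain HTTP (see backend web_hosts).
    # The PEM must contain the private key and the certificate. Consider restricting
    # protocol versions (e.g. `ssl-min-ver TLSv1.2`, HAProxy 1.8+); not added here
    # because the installed HAProxy version is not known.
    bind 10.0.0.7:443 ssl crt /etc/haproxy/certs/www.stars.org.pem
    # Send every plaintext request to the HTTPS listener.
    redirect scheme https if !{ ssl_fc }
    # set-header (not add-header): a client-supplied X-Forwarded-Proto/-Port must be
    # replaced, not forwarded alongside ours, because the backend log format trusts them.
    http-request set-header X-Forwarded-Port %[dst_port]
    http-request set-header X-Forwarded-Proto https if { ssl_fc }
    # Defined but not referenced by any use_backend rule; every request currently
    # falls through to default_backend.
    acl web_domain hdr_dom(host) -i www.stars.org
    default_backend web_hosts
backend web_hosts
    mode http
    # `balance` is a backend-level keyword; placed in a frontend HAProxy ignores it
    # with a warning, so it lives here.
    balance roundrobin
    server 10.0.0.8 10.0.0.8:80 check inter 2000 fall 3 rise 5
    server 10.0.0.18 10.0.0.18:80 check inter 2000 fall 3 rise 5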
[root@haproxy ~]# systemctl restart haproxy.service
[root@haproxy ~]# ss -tnl
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 10.0.0.7:3306 *:*
LISTEN 0 128 *:6699 *:*
LISTEN 0 128 *:111 *:*
LISTEN 0 128 10.0.0.7:80 *:*
LISTEN 0 128 *:22 *:*
LISTEN 0 100 127.0.0.1:25 *:*
LISTEN 0 128 10.0.0.7:443 *:*
LISTEN 0 128 [::]:111 [::]:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 100 [::1]:25 [::]:*
1.3、准备后端服务及配置
#准备后端的服务
[root@Rs1 ~]#yum -y install httpd;echo 'Server 10.0.0.8' > /var/www/html/index.html;systemctl enable --now httpd #另外一台就把8改成18,方便访问时好分辨
#修改后端服务器的日志格式
[root@Rs1 ~]#vim /etc/httpd/conf/httpd.conf
#找到下面相对应的行修改成下面的内容。注意 x-forwarded-port / x-forwarded-proto 的值来自转发过来的请求头:只有当 HAProxy 用 set-header 覆盖客户端自带的同名头、并且后端只接受来自代理的连接时,日志中这两个字段才可信;%h 记录的是代理的地址,不是真实客户端。
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" \"%{x-forwarded-port}i\" \"%{x-forwarded-proto}i\"" combined
[root@Rs1 ~]#systemctl restart httpd #修改后需要重启一下才生效
1.4、验证https
root@ubuntu:~# curl -IkL http://www.stars.org
HTTP/1.1 302 Found
content-length: 0
location: https://www.stars.org/
cache-control: no-cache
HTTP/1.1 200 OK
date: Thu, 05 May 2022 03:40:06 GMT
server: Apache/2.4.37 (centos)
last-modified: Thu, 05 May 2022 01:50:04 GMT
etag: "10-5de39f5f30d23"
accept-ranges: bytes
content-length: 16
content-type: text/html; charset=UTF-8
root@ubuntu:~# curl -Ik https://www.stars.org
HTTP/1.1 200 OK
date: Thu, 05 May 2022 03:40:30 GMT
server: Apache/2.4.37 (centos)
last-modified: Thu, 05 May 2022 01:50:04 GMT
etag: "10-5de39f5f30d23"
accept-ranges: bytes
content-length: 16
content-type: text/html; charset=UTF-8
[root@Rs1 ~]#tail -f /var/log/httpd/access_log
10.0.0.7 - - [05/May/2022:11:40:06 +0800] "HEAD / HTTP/1.1" 200 - "-" "curl/7.58.0" "443" "https"
10.0.0.7 - - [05/May/2022:11:40:30 +0800] "HEAD / HTTP/1.1" 200 - "-" "curl/7.58.0" "443" "https"
10.0.0.7 - - [05/May/2022:11:47:11 +0800] "GET / HTTP/1.1" 200 16 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36" "443" "https"
在浏览器上访问测试时会提示证书不受信任:因为它是自签名证书,浏览器没有对应的信任根。若证书的 CN/SAN 与访问的域名(这里是 www.stars.org)不一致,浏览器还会额外报主机名不匹配;上面的 curl -k 跳过了证书校验,所以 curl 测试通过并不代表证书可信。生产一般要申请由 CA 签发的 SSL 证书,阿里云上面有免费的证书申请,一个账号可以申请20个免费的ssl证书。