HAProxy with ssl
- Category: Computer-related
- Last Updated: Saturday, 30 June 2018 10:48
- Published: Thursday, 28 June 2018 10:57
- Written by sam
HAProxy, which I use often (mainly because I want to pair it with Kubernetes... so I dug it out again...)
HAProxy Status
root@ubuntu137:~# uname -a
Linux ubuntu137 4.4.0-116-generic #140-Ubuntu SMP Mon Feb 12 21:23:04 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
up to your choice
root@ubuntu137:~# apt-add-repository ppa:vbernat/haproxy-1.8
root@ubuntu137:~# vi /etc/haproxy/haproxy.cfg
root@ubuntu137:~# systemctl start haproxy.service
Failed to start haproxy.service: Unit haproxy.service is masked.
root@ubuntu137:~# systemctl status haproxy.service
● haproxy.service
Loaded: masked (/dev/null; bad)
Active: inactive (dead) since Thu 2018-06-28 08:55:35 CST; 20min ago
Main PID: 2064 (code=exited, status=0/SUCCESS)
Jun 28 08:53:35 ubuntu137 systemd[1]: Starting HAProxy Load Balancer...
Jun 28 08:53:35 ubuntu137 systemd[1]: Started HAProxy Load Balancer.
Jun 28 08:53:35 ubuntu137 haproxy-systemd-wrapper[2064]: haproxy-systemd-wrapper: executing /usr/sbin/haproxy -f /etc/haproxy/ha
Jun 28 08:55:35 ubuntu137 systemd[1]: Stopping HAProxy Load Balancer...
Jun 28 08:55:35 ubuntu137 haproxy-systemd-wrapper[2064]: haproxy-systemd-wrapper: SIGINT -> 2071
Jun 28 08:55:35 ubuntu137 haproxy-systemd-wrapper[2064]: haproxy-systemd-wrapper: exit, haproxy RC=0
Jun 28 08:55:35 ubuntu137 systemd[1]: Stopped HAProxy Load Balancer.
root@ubuntu137:/etc/haproxy# systemctl list-unit-files
haproxy.service masked
root@ubuntu137:/etc/haproxy# systemctl unmask haproxy.service
Removed symlink /etc/systemd/system/haproxy.service.
root@ubuntu137:/etc/haproxy# systemctl start haproxy.service
root@ubuntu137:/etc/haproxy# systemctl status haproxy.service
● haproxy.service - LSB: fast and reliable load balancing reverse proxy
Loaded: loaded (/etc/init.d/haproxy; bad; vendor preset: enabled)
Active: active (exited) since Thu 2018-06-28 09:19:49 CST; 5s ago
Docs: man:systemd-sysv-generator(8)
Process: 2912 ExecStart=/etc/init.d/haproxy start (code=exited, status=0/SUCCESS)
Main PID: 2064 (code=exited, status=0/SUCCESS)
Jun 28 09:19:49 ubuntu137 systemd[1]: Starting LSB: fast and reliable load balancing reverse proxy...
Jun 28 09:19:49 ubuntu137 systemd[1]: Started LSB: fast and reliable load balancing reverse proxy.
Next, SSL.
HAProxy offers two approaches:
ssl termination
Like Amazon Certificate Manager: the certificate is installed on the load balancer and the backends keep serving plain HTTP (free certificate... they make their money on the LB...).
ssl passthrough
The other approach forwards the TLS connection as-is, with the certificate configured on the backend.
My config does the second one first (because the existing environment was already HTTPS with an automatic HTTP to HTTPS redirect).
frontend nginxs_proxy
bind *:80
bind *:443
mode tcp
default_backend nginx_servers
backend nginx_servers
mode tcp
balance roundrobin
stick-table type ip size 200k expire 30m
stick on src
# Note: http-request rules are ignored (HAProxy logs a warning) in a tcp-mode backend;
# they only take effect if this backend is switched to mode http
http-request set-header X-Forwarded-Port %[dst_port]
http-request add-header X-Forwarded-Proto https if { ssl_fc }
# option httpchk HEAD / HTTP/1.1\r\nHost:localhost
# Firewall not changed... the different internal subnets can't reach each other... so forward to the external address instead...
server boredom 114.32.26.139:443 check cookie s1
# server web2 172.17.0.4:80 check cookie s2
# Below is the stats setup; change auth to the user/password you want
listen stats # Define a listen section called "stats"
bind :9000 # Listen on port 9000 on all addresses (restrict the bind address if the stats page should not be reachable from outside)
mode http
stats enable # Enable stats page
stats hide-version # Hide HAProxy version
stats realm Haproxy\ Statistics # Title text for popup window
stats uri /haproxy_stats # Stats URI
stats auth b:c # Authentication credentials (placeholder user:password, replace them)
Another configuration.
Because the environment has netdata available, I set up round robin so that a single domain name rotates connections to the different hosts for viewing.
frontend boredom
mode tcp
bind :443
# Buffer the start of the connection so the TLS ClientHello (and its SNI) can be inspected;
# without an inspect-delay the content rule below is evaluated before any data has arrived
tcp-request inspect-delay 5s
tcp-request content accept if { req_ssl_hello_type 1 }
use_backend boredom-https if { req_ssl_sni -i boredom.gotdns.com }
backend boredom-https
mode tcp
server boredom 192.168.188.55:443 check
# The sections below rely on "mode http" being set in the defaults section (hdr_dom needs HTTP mode)
frontend http
bind :80
option forwardfor
acl host_stats hdr_dom(host) -i mon.stats.com
use_backend netdata if host_stats
backend netdata
balance roundrobin
server boredom 192.168.188.55:19999 check
server myla 192.168.188.66:19999 check
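The passthrough frontend above routes on `req_ssl_hello_type 1` and `req_ssl_sni`, i.e. HAProxy parses the unencrypted TLS ClientHello sitting in the connection buffer. The following added example (my own illustration, not code from the post or from HAProxy) builds a minimal ClientHello carrying an SNI extension and extracts the server name from it the way that rule does; it also shows why the buffered data must be complete, which is what `tcp-request inspect-delay` waits for.

```python
"""Minimal TLS ClientHello SNI extraction, mirroring what HAProxy's
req_ssl_hello_type / req_ssl_sni fetches inspect in a tcp-mode frontend."""
import struct

def build_client_hello(server_name: str) -> bytes:
    """Constructed test input: a minimal TLS 1.2 ClientHello record with one
    cipher suite and a server_name extension (real clients send far more)."""
    host = server_name.encode("ascii")
    # server_name extension body: list length, name type 0 (host_name), name length, name
    sni_list = struct.pack("!HBH", len(host) + 3, 0, len(host)) + host
    ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list
    exts = struct.pack("!H", len(ext)) + ext
    body = (b"\x03\x03" + b"\x00" * 32             # client_version, random
            + b"\x00"                                # session_id length 0
            + struct.pack("!H", 2) + b"\x13\x01"     # one cipher suite
            + b"\x01\x00"                            # one compression method (null)
            + exts)
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def parse_sni(data: bytes):
    """Return the SNI host from a raw TLS ClientHello record, or None if the
    bytes are not a complete ClientHello (HAProxy keeps waiting up to the
    inspect-delay, then falls through to the default backend)."""
    if len(data) < 5 or data[0] != 0x16:              # 0x16 = handshake record
        return None
    rec_len = struct.unpack("!H", data[3:5])[0]
    if len(data) < 5 + rec_len:
        return None                                   # record not fully buffered yet
    hs = data[5:5 + rec_len]
    if hs[0] != 1:                                    # req_ssl_hello_type 1
        return None
    pos = 4 + 2 + 32                                  # handshake header, version, random
    pos += 1 + hs[pos]                                # session_id
    pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]  # cipher suites
    pos += 1 + hs[pos]                                # compression methods
    if pos + 2 > len(hs):
        return None                                   # no extensions block at all
    end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
        pos += 4
        if etype == 0 and elen >= 5 and hs[pos + 2] == 0:   # server_name, host_name type
            nlen = struct.unpack("!H", hs[pos + 3:pos + 5])[0]
            return hs[pos + 5:pos + 5 + nlen].decode("ascii")
        pos += elen
    return None
```

HAProxy's `-i` flag compares the extracted name case-insensitively, so lower-case the result before matching if you reuse this logic.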
Now the first approach (termination).
Create a key (for testing purposes, just generate a self-signed one):
root@ubuntu137:/etc/haproxy# openssl req -x509 -nodes -sha256 -days 365 -newkey rsa:4096 -keyout /etc/haproxy/mon.stats.com.key -out /etc/haproxy/mon.stats.com.pem
root@ubuntu137:/etc/haproxy# cat mon.stats.com.pem mon.stats.com.key > mon.statscom.pem
root@ubuntu137:/etc/haproxy# vi haproxy.cfg
frontend www-http
bind *:80
# reqadd is deprecated in later HAProxy releases (removed in 2.1); the equivalent is
# http-request add-header X-Forwarded-Proto http
reqadd X-Forwarded-Proto:\ http
default_backend www-backend
frontend www-https
# TLS is terminated here; the crt file is the combined certificate + key created above
bind *:443 ssl crt /etc/haproxy/mon.statscom.pem
reqadd X-Forwarded-Proto:\ https
default_backend www-backend
backend www-backend
# Requests that did not arrive over TLS are redirected to https
redirect scheme https if !{ ssl_fc }
server boredom 192.168.188.55:19999 check
server myla 192.168.188.66:19999 check
Of course the red browser warning is because the certificate is self-signed.