HAProxy https on OpenShift ends in a redirect loop with a non-local gear

Time: 2016-01-12 14:52:14

Tags: redirect ssl https openshift haproxy

I have a Tomcat 7 (JBoss EWS 2.0) application with the HAProxy Web Load Balancer. Https works fine while only one server is running, but as soon as I add another server (by setting the minimum number of gears to 2) the problem appears.

I checked the GEAR cookie on connection: as long as the GEAR cookie is local-569aaabf0c1e661db1000004 (the local gear) the connection is established, but with the 569aadaa89f5cff3c9000058-petrfox GEAR cookie it goes wrong.

The problem is that every attempt to connect (redirected by the load balancer) to the newly started gear ends in a 302 redirect loop (accessing https://dftestapp-petrfox.rhcloud.com/ I get a 302 with the header Location: {{3 }}).

You can try it on the link above - if the page loads, just delete the GEAR cookie and refresh; this time it will most likely redirect to the other gear.

The generated HAProxy configuration (haproxy.cfg) is

#---------------------------------------------------------------------
# Example configuration for a possible web application.  See the
# full configuration options online.
#
#   http://haproxy.1wt.eu/download/1.4/doc/configuration.txt
#
#---------------------------------------------------------------------

#---------------------------------------------------------------------
# Global settings
#---------------------------------------------------------------------
global
# to have these messages end up in /var/log/haproxy.log you will
# need to:
#
# 1) configure syslog to accept network log events.  This is done
#    by adding the '-r' option to the SYSLOGD_OPTIONS in
#    /etc/sysconfig/syslog
#
# 2) configure local2 events to go to the /var/log/haproxy.log
#   file. A line like the following can be added to
#   /etc/sysconfig/syslog
#
#    local2.*                       /var/log/haproxy.log
#
#log         127.0.0.1 local2

maxconn     256

# turn on stats unix socket
stats socket /var/lib/openshift/569aaabf0c1e661db1000004/haproxy//run/stats level admin

#---------------------------------------------------------------------
# common defaults that all the 'listen' and 'backend' sections will
# use if not designated in their block
#---------------------------------------------------------------------
defaults
mode                    http
log                     global
option                  httplog
option                  dontlognull
option http-server-close
#option forwardfor       except 127.0.0.0/8
option                  redispatch
retries                 3
timeout http-request    10s
timeout queue           1m
timeout connect         10s
timeout client          1m
timeout server          1m
timeout http-keep-alive 10s
timeout check           10s
maxconn                 128

listen stats 127.7.244.3:8080
mode http
stats enable
stats uri /

listen express 127.7.244.2:8080

cookie GEAR insert indirect nocache
option httpchk GET /
http-check expect rstatus 2..|3..|401

balance leastconn
server gear-569aadaa89f5cff3c9000058-petrfox ex-std-node827.prod.rhcloud.com:56761 check fall 2 rise 3 inter 2000 cookie 569aadaa89f5cff3c9000058-petrfox
server local-gear 127.7.244.1:8080 check fall 2 rise 3 inter 2000 cookie local-569aaabf0c1e661db1000004

I tried turning off forced https in my app (by removing <intercept-url pattern="/**" requires-channel="https"/> from applicationContext-security.xml), using only http, and it works. So I think there must be some more https configuration. But my question is: where and what do I need to configure? I find it strange that it does not work with the generated configuration, since load balancing is the reason to choose OpenShift and https is a must in some cases. It is also strange that everything goes fine when you are redirected to the local gear.

I have not found any material that helps. Can you help me solve this?

Update: I do not know where the problem is, but it may be in the server's settings. This is the configuration file server.xml (which I never changed)

<?xml version='1.0' encoding='utf-8'?>
<!--
  Licensed to the Apache Software Foundation (ASF) under one or more
  contributor license agreements.  See the NOTICE file distributed with
  this work for additional information regarding copyright ownership.
  The ASF licenses this file to You under the Apache License, Version 2.0
  (the "License"); you may not use this file except in compliance with
  the License.  You may obtain a copy of the License at

      http://www.apache.org/licenses/LICENSE-2.0

  Unless required by applicable law or agreed to in writing, software
  distributed under the License is distributed on an "AS IS" BASIS,
  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  See the License for the specific language governing permissions and
  limitations under the License.
-->
<!-- Note:  A "Server" is not itself a "Container", so you may not
     define subcomponents such as "Valves" at this level.
     Documentation at /docs/config/server.html
 -->
<Server port="-1" shutdown="SHUTDOWN">
  <!-- Security listener. Documentation at /docs/config/listeners.html
  <Listener className="org.apache.catalina.security.SecurityListener" />
  -->
  <!--APR library loader. Documentation at /docs/apr.html -->
  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
  <!--Initialize Jasper prior to webapps are loaded. Documentation at /docs/jasper-howto.html -->
  <Listener className="org.apache.catalina.core.JasperListener" />
  <!-- Prevent memory leaks due to use of particular java/javax APIs-->
  <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
  <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
  <Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" />

  <!-- Global JNDI resources
       Documentation at /docs/jndi-resources-howto.html
  -->
  <GlobalNamingResources>
    <!-- Editable user database that can also be used by
         UserDatabaseRealm to authenticate users
    -->
    <Resource name="UserDatabase" auth="Container"
              type="org.apache.catalina.UserDatabase"
              description="User database that can be updated and saved"
              factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
              pathname="conf/tomcat-users.xml" />
  </GlobalNamingResources>

  <!-- A "Service" is a collection of one or more "Connectors" that share
       a single "Container" Note:  A "Service" is not itself a "Container",
       so you may not define subcomponents such as "Valves" at this level.
       Documentation at /docs/config/service.html
   -->
  <Service name="Catalina">

    <!--The connectors can use a shared executor, you can define one or more named thread pools-->
    <!--
    <Executor name="tomcatThreadPool" namePrefix="catalina-exec-"
        maxThreads="150" minSpareThreads="4"/>
    -->


    <!-- A "Connector" represents an endpoint by which requests are received
         and responses are returned. Documentation at :
         Java HTTP Connector: /docs/config/http.html (blocking & non-blocking)
         Java AJP  Connector: /docs/config/ajp.html
         APR (HTTP/AJP) Connector: /docs/apr.html
         Define a non-SSL HTTP/1.1 Connector on port 8080
    -->
    <Connector address="${OPENSHIFT_JBOSSEWS_IP}"
               port="${OPENSHIFT_JBOSSEWS_HTTP_PORT}"
               protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443"/>

    <!-- A "Connector" using the shared thread pool-->
    <!--
    <Connector executor="tomcatThreadPool"
               port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443" />
    -->
    <!-- Define a SSL HTTP/1.1 Connector on port 8443
         This connector uses the JSSE configuration, when using APR, the
         connector should be using the OpenSSL style configuration
         described in the APR documentation -->
    <!--
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS" />
    -->

    <!-- Define an AJP 1.3 Connector on port 8009 -->
    <!--Connector port="8009" protocol="AJP/1.3" redirectPort="8443" /-->


    <!-- An Engine represents the entry point (within Catalina) that processes
         every request.  The Engine implementation for Tomcat stand alone
         analyzes the HTTP headers included with the request, and passes them
         on to the appropriate Host (virtual host).
         Documentation at /docs/config/engine.html -->

    <!-- You should set jvmRoute to support load-balancing via AJP ie :
    <Engine name="Catalina" defaultHost="localhost" jvmRoute="jvm1">
    -->
    <Engine name="Catalina" defaultHost="localhost">

      <!--For clustering, please take a look at documentation at:
          /docs/cluster-howto.html  (simple how to)
          /docs/config/cluster.html (reference documentation) -->
      <!--
      <Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster"/>
      -->

      <!-- Use the LockOutRealm to prevent attempts to guess user passwords
           via a brute-force attack -->
      <Realm className="org.apache.catalina.realm.LockOutRealm">
        <!-- This Realm uses the UserDatabase configured in the global JNDI
             resources under the key "UserDatabase".  Any edits
             that are performed against this UserDatabase are immediately
             available for use by the Realm.  -->
        <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
               resourceName="UserDatabase"/>
      </Realm>

      <Host name="localhost"  appBase="webapps"
            unpackWARs="false" autoDeploy="true">

        <!-- SingleSignOn valve, share authentication between web applications
             Documentation at: /docs/config/valve.html -->
        <!--
        <Valve className="org.apache.catalina.authenticator.SingleSignOn" />
        -->

        <!-- RemoteIp valve, pass protocol header from proxy. -
            http://tomcat.apache.org/tomcat-7.0-doc/api/org/apache/catalina/valves/RemoteIpValve.html
        -->

        <Valve
          className="org.apache.catalina.valves.RemoteIpValve"
          protocolHeader="x-forwarded-proto"
        />

        <!-- Access log processes all example.
             Documentation at: /docs/config/valve.html
             Note: The pattern used is equivalent to using pattern="common" -->
        <!--
        <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
               prefix="localhost_access_log." suffix=".txt"
               pattern="%h %l %u %t &quot;%r&quot; %s %b" />
        -->
      </Host>
    </Engine>
  </Service>
</Server>

1 answer:

Answer 0 (score: 0)

I ran into a similar issue with Too many redirects and a scalable Tomcat gear. You can try configuring server.xml and web.xml as Tomcat's technical FAQ suggests: How do I redirect traffic to HTTPS

Unfortunately it did not work well for me. If my app had only one gear, everything worked fine - http traffic was redirected to https. But when I turned on scaling for the app and a second gear started, the too many redirects error appeared after every redeploy.

I was not able to solve this. I ended up using the default Tomcat configuration and redirecting insecure traffic to https in my application's controller (inspired by the answer to the technical FAQ for Node.js here). Now everything works fine.
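As an added example (not code from the question, the answer, OpenShift or Tomcat), the following Python model shows how a RemoteIpValve-style proxy check combined with a forced-HTTPS rule can loop: the x-forwarded-proto header is only honoured when the TCP peer matches the valve's internalProxies pattern (assumed here to be the documented default, which the question's server.xml does not override), so a 302 to https that is delivered to Tomcat again as plain HTTP from a peer outside that pattern repeats forever. The peer addresses, host name and request flow are constructed; `effective_scheme`, `handle_request` and `simulate` are hypothetical names.

```python
import re

# Assumed default internalProxies pattern of Tomcat's RemoteIpValve
# (loopback, 10/8, 192.168/16, 169.254/16). The question's server.xml sets
# only protocolHeader="x-forwarded-proto", so this default would apply.
DEFAULT_INTERNAL_PROXIES = re.compile(
    r"10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}|"
    r"169\.254\.\d{1,3}\.\d{1,3}|127\.\d{1,3}\.\d{1,3}\.\d{1,3}"
)


def effective_scheme(remote_addr, headers, socket_scheme="http",
                     internal_proxies=DEFAULT_INTERNAL_PROXIES):
    """Scheme the application sees after a RemoteIpValve-style check.

    The forwarded protocol is trusted only when the TCP peer is listed as an
    internal proxy; any other peer's header is ignored (this is what stops a
    client from spoofing 'https' on a plain connection).
    """
    proto = headers.get("x-forwarded-proto")
    if proto and internal_proxies.fullmatch(remote_addr):
        return proto.lower()
    return socket_scheme


def handle_request(remote_addr, headers, host, path):
    """Forced-HTTPS rule (requires-channel="https"): 302 unless already https."""
    if effective_scheme(remote_addr, headers) != "https":
        return 302, {"Location": "https://%s%s" % (host, path)}
    return 200, {}


def simulate(peer_addr, host="app.example.com", path="/", max_hops=5):
    """The client spoke TLS to the platform edge; every hop reaches Tomcat as
    plain HTTP from peer_addr with x-forwarded-proto: https.

    Returns (final_status, hops, looped). A constructed loopback peer models
    the local gear; a constructed public peer models a remote gear reached
    from another node.
    """
    headers = {"x-forwarded-proto": "https"}
    hops = 0
    while True:
        status, _ = handle_request(peer_addr, headers, host, path)
        hops += 1
        if status != 302:
            return status, hops, False
        if hops >= max_hops:          # give up: this is the redirect loop
            return status, hops, True
        # The Location is https://..., but the TLS terminator delivers the
        # next request exactly like the previous one, so nothing changes.
```

The practical check this suggests for a setup like the one in the question is to compare the peer address Tomcat logs on the failing gear against the valve's internalProxies, and to widen the pattern deliberately rather than trusting the header from every peer.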