haproxy - 我如何转移https流量?

时间:2015-02-14 03:21:45

标签: apache haproxy centos7

我在同一台服务器上以虚拟主机方式运行apache(端口80),另有一个TCP实时服务运行在端口8888上。

使用haproxy(配置为 bind :443 ssl crt all.pem ciphers ECDHE)我已经能让端口8888正常工作,但现在该如何将 https://www.stackoverflow.com 和 https://www.google.com 的流量转发到apache的80端口?

# Backend for the service listening on local port 8888.
backend api
    balance roundrobin
    # Single loopback server; "check" turns on health checking for it.
    server  service 127.0.0.1:8888 weight 1 maxconn 2500 check

# HTTP backend with cookie-based stickiness across two port-80 servers.
backend www_stackoverflow_com
    balance roundrobin
    # Insert a SERVERID cookie to pin a client to one server. "nocache" marks
    # responses carrying the cookie as non-cacheable; "indirect" keeps the
    # cookie from being passed on to the servers.
    # NOTE(review): neither httponly nor secure is set on this cookie; consider
    # adding them if this backend is only ever served over HTTPS.
    cookie SERVERID insert nocache indirect
    # Health-check request definition.
    # NOTE(review): neither server line below carries the "check" keyword, so
    # this health check appears not to be applied to them - confirm.
    option httpchk HEAD /check.txt HTTP/1.0
    option httpclose
    # Append the client address in an X-Forwarded-For header.
    option forwardfor
    # Both servers are reached over plain HTTP on port 80.
    server Server1 www.stackoverflow.com:80 cookie Server1
    server Server2 10.1.1.2:80 cookie Server2

# HTTP backend with cookie-based stickiness across two port-80 servers.
backend www_google_com
    balance roundrobin
    # Insert a SERVERID cookie to pin a client to one server. "nocache" marks
    # responses carrying the cookie as non-cacheable; "indirect" keeps the
    # cookie from being passed on to the servers.
    # NOTE(review): neither httponly nor secure is set on this cookie; consider
    # adding them if this backend is only ever served over HTTPS.
    cookie SERVERID insert nocache indirect
    # Health-check request definition.
    # NOTE(review): neither server line below carries the "check" keyword, so
    # this health check appears not to be applied to them - confirm.
    option httpchk HEAD /check.txt HTTP/1.0
    option httpclose
    # Append the client address in an X-Forwarded-For header.
    option forwardfor
    # Both servers are reached over plain HTTP on port 80.
    server Server1 www.google.com:80 cookie Server1
    server Server2 192.168.5.2:80 cookie Server2

1 个答案:

答案 0 :(得分:0)

您可以使用以下配置。欢迎大家对此版本进行优化。

##############################################
# Global
##############################################
# Process-wide settings: log target, connection ceiling and the account the
# process runs as.
global
    # Send logs to the syslog listener on 127.0.0.1, facility local0, with
    # "debug" as the level given on this line.
    log 127.0.0.1 local0 debug
    #log 127.0.0.1 local2 info
    maxconn 8000
    # Run under the dedicated haproxy user and group.
    # NOTE(review): no chroot directive is set in this section; consider adding
    # one to confine the process further.
    user    haproxy
    group   haproxy

##############################################
# Defaults
##############################################
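# Settings inherited by every frontend and backend below unless overridden.
defaults
    log     global
    option  httplog
    option  dontlognull
    option  http-server-close
    option  redispatch
    retries 3
    mode    http
    maxconn         5000
    timeout connect  5s
    timeout client  30s
    timeout server  30s
    # Bound the time a client may take to send complete request headers, so
    # slowly trickled requests cannot hold connection slots open.
    # 10s is a constructed starting value; tune it for your clients.
    timeout http-request 10s
    # Long timeout for tunnelled connections (e.g. after a WebSocket upgrade).
    timeout tunnel  12h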

##############################################
# Frontend - plain-HTTP listener that redirects to HTTPS
# Listens on port 8881, enables X-Forwarded-For insertion and
# redirects every request that did not arrive over TLS to the
# same location under the https scheme.
# The bind line here has no "ssl" keyword, so the ssl_fc
# condition is false for connections on this listener and the
# redirect fires for all of them.
# NOTE(review): the redirect reuses the request's host; if
# clients reach this listener with an explicit ":8881" in the
# Host header, confirm the resulting Location is what you expect.
##############################################
frontend www
    bind     :8881
    option   forwardfor
    redirect scheme https if !{ ssl_fc }

##############################################
# Frontend
##############################################
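frontend lb
##############################################
# TLS-terminating listener with Host-based routing.
#
# Ciphers (ECDHE key exchange only):
# -------------------------------------------
# ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-
# AES256-GCM-SHA384:ECDHE-ECDSA-AES256-
# SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-
# AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-
# SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-
# AES128-SHA256:ECDHE-RSA-AES256-SHA
#
# The RC4 suites and the static-ECDH suites of the earlier
# list were removed: RC4 is prohibited for TLS (RFC 7465),
# and the static-ECDH entries existed only in RC4 form.
##############################################
    # all.pem holds the private key together with the certificate; restrict
    # its permissions to the account that starts haproxy.
    # no-sslv3 refuses SSLv3 handshakes on this listener.
    bind   :443 ssl crt /root/all.pem no-sslv3 ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA
    # Appends the client address as a new X-Forwarded-For header; any value the
    # client sent itself is kept, so backends should trust only the last entry.
    option forwardfor
    # set-header replaces any client-supplied X-Forwarded-Proto, so a backend
    # never sees a forged value next to the proxy's own.
    http-request set-header X-Forwarded-Proto https
    # Requests whose Host matches none of the rules below go to "api".
    default_backend  api

    #acl is_websocket     hdr(Upgrade)  -i WebSocket
    # hdr_beg matches ANY Host that starts with "api", not one exact name.
    acl is_api            hdr_beg(Host) -i api
    acl is_freeswitch     hdr(Host)     -i ws.A.com
    acl is_turn           hdr(Host)     -i turn.A.com
    acl is_realtime       hdr(Host)     -i realtime.A.com
    # NOTE(review): is_interpretation and is_B test the same host (B.A.com).
    # The "interpretation" rule is listed first below, so backend B looks
    # unreachable from this frontend - confirm the intended host names.
    acl is_interpretation hdr(Host)     -i B.A.com
    acl is_B              hdr(Host)     -i B.A.com

    acl is_talk           hdr(Host)     -i talk.A.com
    acl is_italk          hdr(Host)     -i italk.A.com
    acl is_video          hdr(Host)     -i video.A.com

    acl is_js             hdr(Host)     -i js.A.com
    acl is_sip            hdr(Host)     -i sip.A.com
    acl is_demo           hdr(Host)     -i demo.A.com
    acl is_chat           hdr(Host)     -i chat.A.com
    acl is_vnc            hdr(Host)     -i vnc.A.com

    # Routing rules are evaluated in order; the first matching rule wins.
    use_backend           turn            if is_turn
    use_backend           api             if is_api
    use_backend           realtime        if is_realtime
    use_backend           interpretation  if is_interpretation
    use_backend           B               if is_B
    use_backend           freeswitch      if is_freeswitch

    # talk, italk and video hosts share the "talk" backend.
    use_backend           talk            if is_talk
    use_backend           talk            if is_italk
    use_backend           talk            if is_video
    # js, sip and demo hosts share the "js" backend.
    use_backend           js              if is_js
    use_backend           js              if is_sip
    use_backend           js              if is_demo
    use_backend           chat            if is_chat
    use_backend           vnc             if is_vnc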

##############################################
# Backend - TCP PORTS
# 8888 = signal master
# 3000 = realtime
# 3001 = interpretation
# 3002 = ??
# 3003 = B
# 5066 = freeswitch
##############################################
# Default backend of frontend lb: the service on local port 8888.
backend api
    balance roundrobin
    # Single loopback server; "check" turns on health checking for it.
    server  service 127.0.0.1:8888 weight 1 maxconn 2500 check

# Backend for turn.A.com; it targets the same local port 8888 as backend api.
backend turn
    balance roundrobin
    server  service 127.0.0.1:8888 weight 1 maxconn 2500 check

# Backend for realtime.A.com: local service on port 3000.
backend realtime
    balance roundrobin
    server  service 127.0.0.1:3000 weight 1 maxconn 2500 check

# Backend for the interpretation service on local port 3001.
backend interpretation
    balance roundrobin
    server  service 127.0.0.1:3001 weight 1 maxconn 2500 check

# Backend for the B service on local port 3003.
# NOTE(review): frontend lb's is_B ACL tests the same host as
# is_interpretation, whose rule is listed first - confirm this backend is
# actually reachable.
backend B
    balance roundrobin
    server  service 127.0.0.1:3003 weight 1 maxconn 2500 check

# Backend for ws.A.com: freeswitch service on local port 5066.
backend freeswitch
    balance roundrobin
    server  service 127.0.0.1:5066 weight 1 maxconn 2500 check

# HTTP backend shared by the talk, italk and video hosts.
backend talk
    mode http
    balance roundrobin    
    #option httpclose
    option forceclose
    # NOTE(review): the server is addressed by hostname on port 80 without TLS,
    # so traffic decrypted at the frontend travels in clear text to wherever
    # talk.A.com resolves - confirm it stays on a trusted host or network.
    server  service talk.A.com:80 weight 1 maxconn 2500 check

# HTTP backend shared by the js, sip and demo hosts.
backend js
    balance roundrobin
    mode http
    #option httpclose
    option forceclose
    # NOTE(review): the server is addressed by hostname on port 80 without TLS,
    # so traffic decrypted at the frontend travels in clear text to wherever
    # js.A.com resolves - confirm it stays on a trusted host or network.
    server  service js.A.com:80 weight 1 maxconn 2500 check

# HTTP backend for chat.A.com.
backend chat
    balance roundrobin
    mode http
    #option httpclose
    option forceclose
    # NOTE(review): the server is addressed by hostname on port 80 without TLS,
    # so traffic decrypted at the frontend travels in clear text to wherever
    # chat.A.com resolves - confirm it stays on a trusted host or network.
    server  service chat.A.com:80 weight 1 maxconn 2500 check

# HTTP backend for vnc.A.com.
backend vnc
    balance roundrobin
    mode http
    #option httpclose
    option forceclose
    # NOTE(review): the server is addressed by hostname on port 80 without TLS,
    # so traffic decrypted at the frontend travels in clear text to wherever
    # vnc.A.com resolves - confirm it stays on a trusted host or network.
    server  service vnc.A.com:80 weight 1 maxconn 2500 check