我在使用HAProxy和OpenSSL时遇到了一些问题..
由于我尝试使用处理HTTPS的负载均衡器创建云服务器,因此我想使用特定版本的HAProxy和OpenSSL。
我的问题是,当我用Openssl编译OpenSSL和HAProxy时,HAProxy不会识别SSL函数。你会发现我在下面使用的不同命令。
编译OpenSSL 1.0.2d
sudo apt-get -y install libssl-dev libpcre3 make
wget https://www.openssl.org/source/openssl-1.0.2d.tar.gz
tar xzvf openssl-1.0.2d.tar.gz
rm openssl-1.0.2d.tar.gz
cd openssl-1.0.2d
./config --prefic=/usr/local --openssldir=/usr/local/ssl --libdir=lib shared
make && make install
编译HAProxy
sudo apt-get install build-essential libpcre3-dev
wget www.haproxy.org/download/1.5/src/haproxy-1.5.14.tar.gz
tar xzvf haproxy-1.5.14.tar.gz
rm haproxy-1.5.14.tar.gz
cd haproxy-1.5.14
make TARGET=linux26 CPU=generic USE_OPENSSL=1 USE_PCRE=1
make install
(apt-get install haproxy) <--- To get HAProxy as a service
然后,当我使用命令haproxy -vv时,我得到:
HA-Proxy version 1.5.14 2015/07/02
Copyright 2000-2015 Willy Tarreau <willy@haproxy.org>
Build options :
TARGET = linux26
CPU = generic
CC = gcc
CFLAGS = -O2 -g -fno-strict-aliasing
OPTIONS = USE_OPENSSL=1 USE_PCRE=1
Default settings :
maxconn = 2000, bufsize = 16384, maxrewrite = 8192, maxpollevents = 200
Encrypted password support via crypt(3): yes
Built without zlib support (USE_ZLIB not set)
Compression algorithms supported : identity
Built with OpenSSL version : OpenSSL 1.0.1f 6 Jan 2014
Running on OpenSSL version : OpenSSL 1.0.1f 6 Jan 2014
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports prefer-server-ciphers : yes
Built with PCRE version : 8.31 2012-07-06
PCRE library supports JIT : no (USE_PCRE_JIT not set)
Built with transparent proxy support using: IP_TRANSPARENT IP_FREEBIND
Available polling systems :
epoll : pref=300, test result OK
poll : pref=200, test result OK
select : pref=150, test result OK
Total: 3 (3 usable), will use epoll.
在这里,我们看到HAProxy正在使用OpenSSL运行,但是当我使用我的haproxy.cfg文件时:
global
log localhost local0 notice
maxconn 2048
user haproxy
group haproxy
tune.ssl.default-dh-param 2048
defaults
log global
mode http
option forwardfor
option http-server-close
retries 3
option redispatch
timeout connect 5000ms
timeout client 50000ms
timeout server 50000ms
frontend http-in
bind *:80
maxconn 2048
redirect scheme https code 301 if !{ ssl_fc }
frontend https-in
bind *:443 ssl crt /etc/ssl/private/certif.pem
maxconn 2048
reqadd X-Forwarded-Proto:\ https
default_backend internalProxy
# Internal Proxys
backend internalProxy
balance roundrobin
# internal proxys
# Test
backend testExternalProxy
errorfile 503 /root/haproxy/code202.http
# Statistics
listen stats *:8010
mode http
log global
maxconn 10
timeout connect 100s
timeout client 100s
timeout server 100s
timeout queue 100s
# Stat page, http://example.com:8010/stats
stats enable
stats hide-version
stats refresh 10s
stats show-node
stats uri /stats
stats realm Strictly\ Private
stats auth username:password
我收到这些错误:
* Starting haproxy haproxy
[ALERT] 218/022327 (1780) : parsing [/etc/haproxy/haproxy.cfg:6] : unknown keyword 'tune.ssl.default-dh-param' in 'global' section
[ALERT] 218/022327 (1780) : parsing [/etc/haproxy/haproxy.cfg:22] : 'redirect' expects 'code', 'prefix', 'location', 'set-cookie', 'clear-cookie', 'drop-query' or 'append-slash' (was 'scheme').
[ALERT] 218/022327 (1780) : parsing [/etc/haproxy/haproxy.cfg:25] : 'bind' only supports the 'transparent', 'defer-accept', 'name', 'id', 'mss' and 'interface' options.
[ALERT] 218/022327 (1780) : Error(s) found in configuration file : /etc/haproxy/haproxy.cfg
[ALERT] 218/022327 (1780) : Fatal errors found in configuration.
它似乎无法识别OpenSSL功能..没有人知道为什么???
提前致谢
答案 0 :(得分:0)
我刚发现问题..我必须修改启动脚本/etc/init.d/haproxy,告诉它新编译的haproxy二进制文件的位置。
我必须将此行HAPROXY=/usr/sbin/haproxy更改为此HAPROXY=/usr/local/sbin/haproxy。
现在可行.. =)