HAProxy does not recognize SSL

Time: 2015-08-07 07:24:56

Tags: ubuntu ssl openssl haproxy

I ran into some problems using HAProxy with OpenSSL.

Since I am trying to set up a cloud server with a load balancer that handles HTTPS, I want to use specific versions of HAProxy and OpenSSL.

My problem is that when I compile OpenSSL and then HAProxy with OpenSSL, HAProxy does not recognize the SSL functions. You will find the different commands I used below.

Compiling OpenSSL 1.0.2d

sudo apt-get -y install libssl-dev libpcre3 make
wget https://www.openssl.org/source/openssl-1.0.2d.tar.gz
tar xzvf openssl-1.0.2d.tar.gz
rm openssl-1.0.2d.tar.gz
cd openssl-1.0.2d
./config --prefix=/usr/local --openssldir=/usr/local/ssl --libdir=lib shared
make && make install

Compiling HAProxy

sudo apt-get install build-essential libpcre3-dev
wget www.haproxy.org/download/1.5/src/haproxy-1.5.14.tar.gz
tar xzvf haproxy-1.5.14.tar.gz
rm haproxy-1.5.14.tar.gz
cd haproxy-1.5.14
make TARGET=linux26 CPU=generic USE_OPENSSL=1 USE_PCRE=1
make install
(apt-get install haproxy) <--- To get HAProxy as a service

Then, when I run the command haproxy -vv, I get:

HA-Proxy version 1.5.14 2015/07/02
Copyright 2000-2015 Willy Tarreau <willy@haproxy.org>

Build options :
  TARGET  = linux26
  CPU     = generic
  CC      = gcc
  CFLAGS  = -O2 -g -fno-strict-aliasing
  OPTIONS = USE_OPENSSL=1 USE_PCRE=1

Default settings :
  maxconn = 2000, bufsize = 16384, maxrewrite = 8192, maxpollevents = 200

Encrypted password support via crypt(3): yes
Built without zlib support (USE_ZLIB not set)
Compression algorithms supported : identity
Built with OpenSSL version : OpenSSL 1.0.1f 6 Jan 2014
Running on OpenSSL version : OpenSSL 1.0.1f 6 Jan 2014
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports prefer-server-ciphers : yes
Built with PCRE version : 8.31 2012-07-06
PCRE library supports JIT : no (USE_PCRE_JIT not set)
Built with transparent proxy support using: IP_TRANSPARENT IP_FREEBIND

Available polling systems :
      epoll : pref=300,  test result OK
       poll : pref=200,  test result OK
     select : pref=150,  test result OK
Total: 3 (3 usable), will use epoll.

Here we see that HAProxy is running with OpenSSL, but when I use my haproxy.cfg file:

global
    log localhost local0 notice
    maxconn 2048
    user haproxy
    group haproxy
    tune.ssl.default-dh-param 2048

defaults
    log global
    mode http
    option forwardfor
    option http-server-close
    retries 3
    option redispatch
    timeout connect     5000ms
    timeout client      50000ms
    timeout server      50000ms

frontend http-in
    bind *:80
    maxconn 2048
    redirect scheme https code 301 if !{ ssl_fc }

frontend https-in
    bind *:443 ssl crt /etc/ssl/private/certif.pem
    maxconn 2048
    reqadd X-Forwarded-Proto:\ https
    default_backend internalProxy

# Internal Proxys
backend internalProxy
    balance roundrobin
    # internal proxys

# Test
backend testExternalProxy
    errorfile 503 /root/haproxy/code202.http

# Statistics
listen stats *:8010
    mode http
    log global

    maxconn 10

    timeout connect 100s
    timeout client  100s
    timeout server  100s
    timeout queue       100s

    # Stat page, http://example.com:8010/stats
    stats enable
    stats hide-version
    stats refresh 10s
    stats show-node
    stats uri /stats
    stats realm Strictly\ Private
    stats auth username:password

I get these errors:

 * Starting haproxy haproxy                                                     
[ALERT] 218/022327 (1780) : parsing [/etc/haproxy/haproxy.cfg:6] : unknown keyword 'tune.ssl.default-dh-param' in 'global' section
[ALERT] 218/022327 (1780) : parsing [/etc/haproxy/haproxy.cfg:22] : 'redirect' expects 'code', 'prefix', 'location', 'set-cookie', 'clear-cookie', 'drop-query' or 'append-slash' (was 'scheme').
[ALERT] 218/022327 (1780) : parsing [/etc/haproxy/haproxy.cfg:25] : 'bind' only supports the 'transparent', 'defer-accept', 'name', 'id', 'mss' and 'interface' options.
[ALERT] 218/022327 (1780) : Error(s) found in configuration file : /etc/haproxy/haproxy.cfg
[ALERT] 218/022327 (1780) : Fatal errors found in configuration.

It seems not to recognize the OpenSSL features. Does anyone know why?

Thanks in advance

1 answer:

Answer 0 (score: 0)

I just found the problem. I had to edit the startup script /etc/init.d/haproxy to tell it where the newly compiled haproxy binary is.

I had to change this line HAPROXY=/usr/sbin/haproxy to HAPROXY=/usr/local/sbin/haproxy

Now it works. =)
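As an added example (not part of the question or the answer above), the following POSIX shell script automates the two checks this thread turns on. Two things are visible on the page: "apt-get install haproxy" installs the distribution's haproxy at /usr/sbin/haproxy, which is where the stock init script points, while "make install" puts the self-built binary under /usr/local/sbin; and the "haproxy -vv" output reports "Built with OpenSSL version : OpenSSL 1.0.1f", the version the distribution's libssl-dev package supplies, not the 1.0.2d that was compiled first, because the HAProxy build was never told where the self-built library lives. The script reads an init script, a haproxy.cfg and captured "-vv" text and reports whether the service will start with the SSL features the config needs. The temporary file paths, the 1.4-style "-vv" sample and the build command in the comment (using the SSL_INC, SSL_LIB and ADDLIB variables that the HAProxy Makefile accepts) are assumptions for illustration, not commands from the poster.

```sh
#!/bin/sh
# Added example, not code from the question or the answer. It checks (1) which
# haproxy binary the sysvinit script will start and (2) which OpenSSL that
# binary was built against. It only reads files and captured `haproxy -vv`
# text; nothing is started. Files under $tmp are constructed for illustration.

# `haproxy -vv` output quoted in the question (trimmed). It reports OpenSSL
# 1.0.1f, the distribution's libssl-dev, not the 1.0.2d compiled into
# /usr/local. To build against the self-built library instead (and have the
# binary also run against it), point the HAProxy Makefile at it, e.g.:
#   make TARGET=linux26 CPU=generic USE_OPENSSL=1 USE_PCRE=1 \
#        SSL_INC=/usr/local/include SSL_LIB=/usr/local/lib \
#        ADDLIB="-Wl,-rpath,/usr/local/lib"
SAMPLE_VV_154='HA-Proxy version 1.5.14 2015/07/02
Built with OpenSSL version : OpenSSL 1.0.1f 6 Jan 2014
Running on OpenSSL version : OpenSSL 1.0.1f 6 Jan 2014
OpenSSL library supports SNI : yes'

# Constructed stand-in for a distribution haproxy package built without
# OpenSSL: such a binary prints no "Built with OpenSSL" line at all.
SAMPLE_VV_NOSSL='HA-Proxy version 1.4.24
Built with PCRE version : 8.31 2012-07-06'

# Print the OpenSSL version HAProxy was compiled against, reading -vv output
# from stdin; "none" means the binary has no SSL support.
built_openssl() {
    v=$(sed -n 's/^Built with OpenSSL version : OpenSSL \([^ ]*\).*/\1/p')
    if [ -n "$v" ]; then echo "$v"; else echo none; fi
}

# Same for the shared library actually loaded at runtime ("Running on").
running_openssl() {
    v=$(sed -n 's/^Running on OpenSSL version : OpenSSL \([^ ]*\).*/\1/p')
    if [ -n "$v" ]; then echo "$v"; else echo none; fi
}

# Print the binary an init script will exec: the last HAPROXY=... assignment,
# which is the line the answer above edits.
init_script_binary() {
    sed -n 's/^HAPROXY=\(.*\)$/\1/p' "$1" | tail -n 1
}

# True when the config uses keywords only an SSL-enabled build understands
# (the three the ALERTs in the question complain about).
config_needs_ssl() {
    grep -Eq 'bind .* ssl |tune\.ssl\.|ssl_fc' "$1"
}

# Verdict for one service: $1 = file holding `<binary> -vv` output,
# $2 = init script, $3 = haproxy.cfg. Returns 0 when the binary the init
# script starts has the SSL support the config needs, 1 otherwise.
check_service() {
    bin=$(init_script_binary "$2")
    built=$(built_openssl < "$1")
    running=$(running_openssl < "$1")
    if config_needs_ssl "$3" && [ "$built" = none ]; then
        echo "FAIL: $bin has no OpenSSL support but $3 uses SSL keywords"
        return 1
    fi
    if [ "$built" != "$running" ]; then
        echo "WARN: $bin built with OpenSSL $built but runs on $running"
    fi
    echo "OK: $bin built with OpenSSL $built"
    return 0
}

# Stand-alone run over constructed files: the stock init script pointing at the
# distribution binary (the bug) and the edited one from the answer.
tmp=$(mktemp -d)
printf '%s\n' "$SAMPLE_VV_NOSSL" > "$tmp/vv.stock"
printf '%s\n' "$SAMPLE_VV_154"   > "$tmp/vv.local"
printf 'HAPROXY=/usr/sbin/haproxy\n'       > "$tmp/init.stock"
printf 'HAPROXY=/usr/local/sbin/haproxy\n' > "$tmp/init.fixed"
printf 'global\n    tune.ssl.default-dh-param 2048\nfrontend https-in\n    bind *:443 ssl crt /etc/ssl/private/certif.pem\n' > "$tmp/haproxy.cfg"
check_service "$tmp/vv.stock" "$tmp/init.stock" "$tmp/haproxy.cfg" || true
check_service "$tmp/vv.local" "$tmp/init.fixed" "$tmp/haproxy.cfg"
rm -rf "$tmp"
```

On a real host, replace the captured text with the output of "$(init_script_binary /etc/init.d/haproxy) -vv", so the check is run against the binary the service will actually exec rather than whichever haproxy is first in PATH. A "WARN" line (built-with and running-on versions differ) means the binary was compiled against one libssl and is loading another, which is what an rpath or LD_LIBRARY_PATH mismatch looks like.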