强制haproxy到https

时间:2016-02-14 23:52:17

标签: ssl haproxy offloading

我无法让haproxy强制使用https。它适用于http和https。我希望它强制使用443端口。当我尝试使用.htaccess强制它时,它会显示“To many redirects”

这是我的haproxy.cfg:

global 
    log 127.0.0.1 local2 
    maxconn 2048 
    user haproxy 
    group haproxy 
    daemon 
    tune.ssl.default-dh-param 2048 

defaults 
    timeout server 86400000 
    timeout connect 86400000 
    timeout client 86400000 
    timeout queue 1000s 

listen premierdis 
    bind 192.168.1.200:80 
    bind 192.168.1.200:443 ssl crt /root/.ssl/website.com.pem ciphers TLSv1+HIGH:!SSLv2:RC4+MEDIUM:!aNULL:!eNULL:!3DES:@STRENGTH 
    mode http 
    rspirep ^Location:\ http://(.*):80(.*)  Location:\ https://\1:443\2   if  { ssl_fc } 
    stats enable 
    stats uri /haproxy?stats 
    stats realm STATS 
    stats auth user:pass 
    balance source 
    option http-server-close 
    timeout http-keep-alive 3000 
    reqidel ^X-Real-IP: 
    option forwardfor header X-Real-IP 
    reqadd X-Forwarded-Proto:\ https 
    server srvg-webc-11 192.168.1.21:80 check 
    server srvg-webc-12 192.168.1.22:80 check 
    server srvg-webc-13 192.168.1.23:80 check 

1 个答案:

答案 0 :(得分:2)

如果您将配置拆分为HTTP的一个部分和HTTPS的一个部分,则可以使用HTTP部分中的redirect scheme将客户端重定向为使用HTTPS。

global 
    log 127.0.0.1 local2 
    maxconn 2048 
    user haproxy 
    group haproxy 
    daemon 
    tune.ssl.default-dh-param 2048 

defaults 
    timeout server 86400000 
    timeout connect 86400000 
    timeout client 86400000 
    timeout queue 1000s 

listen premierdis-http
    bind 192.168.1.200:80 
    mode http
    redirect scheme https if !{ ssl_fc }

listen premierdis
    bind 192.168.1.200:443 ssl crt /root/.ssl/website.com.pem ciphers TLSv1+HIGH:!SSLv2:RC4+MEDIUM:!aNULL:!eNULL:!3DES:@STRENGTH 
    mode http 
    stats enable 
    stats uri /haproxy?stats 
    stats realm STATS 
    stats auth user:pass 
    balance source 
    option http-server-close 
    timeout http-keep-alive 3000 
    reqidel ^X-Real-IP: 
    option forwardfor header X-Real-IP 
    reqadd X-Forwarded-Proto:\ https 
    server srvg-webc-11 192.168.1.21:80 check 
    server srvg-webc-12 192.168.1.22:80 check 
    server srvg-webc-13 192.168.1.23:80 check 

希望有所帮助。