HAProxy HTTPS strange behaviour

Time: 2017-02-03 13:43:20

Tags: https haproxy

I have an HAProxy in front of two HTTPS web servers.

https://domain1 is proxied to backend A.
https://domain2 is proxied to backend B.

This is the configuration:

global
    log         127.0.0.1 local2
    chroot      /var/lib/haproxy
    pidfile     /var/run/haproxy.pid
    maxconn     4000
    user        haproxy
    group       haproxy
    daemon

    # turn on stats unix socket
    stats socket /var/lib/haproxy/stats

defaults
    mode                    http
    log                     global
    option                  dontlognull
    option http-server-close
    option                  redispatch
    retries                 3
    timeout http-request    10s
    timeout queue           1m
    timeout connect         10s
    timeout check           10s
    maxconn                 3000

frontend http-in
    bind *:80
    redirect scheme https code 301 if { hdr_end(host) -i domain1 } !{ ssl_fc }

frontend www-https
    mode tcp
    bind *:443
    reqadd X-Forwarded-Proto:\ https
    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }
    use_backend perseo_cluster if { req_ssl_sni -i domain1 }
    use_backend octopus_cluster if { req_ssl_sni -i domain2 }
    acl is_websocket hdr(Upgrade) -i WebSocket
    use_backend wsServers if is_websocket
    default_backend             perseo_cluster

backend wsServers
    mode tcp
    server  main  10.7.246.12:8884 check

backend octopus_cluster
    mode tcp
    stick-table type binary len 32 size 30k expire 30m
    acl clienthello req_ssl_hello_type 1
    acl serverhello rep_ssl_hello_type 2
    # use tcp content accepts to detects ssl client and server hello.
    tcp-request inspect-delay 5s
    tcp-request content accept if clienthello
    # no timeout on response inspect delay by default.
    tcp-response content accept if serverhello
    stick on payload_lv(43,1) if clienthello
    # Learn on response if server hello.
    stick store-response payload_lv(43,1) if serverhello
    option ssl-hello-chk
    server  main  10.7.246.12:443 check

#---------------------------------------------------------------------
# round robin balancing between the various backends
#---------------------------------------------------------------------
backend perseo_cluster
    mode tcp
    stick-table type binary len 32 size 30k expire 30m
    acl clienthello req_ssl_hello_type 1
    acl serverhello rep_ssl_hello_type 2
    # use tcp content accepts to detects ssl client and server hello.
    tcp-request inspect-delay 5s
    tcp-request content accept if clienthello
    # no timeout on response inspect delay by default.
    tcp-response content accept if serverhello
    stick on payload_lv(43,1) if clienthello
    # Learn on response if server hello.
    stick store-response payload_lv(43,1) if serverhello
    option ssl-hello-chk
    server stn_perseo 10.0.0.15:443

However, sometimes, at random, even though the URL points to B, the result is A's response, which is obviously "not found". My HAProxy version is:

# haproxy -v
HA-Proxy version 1.5.4 2014/09/02

Maybe the timeouts are too low?

EDIT

After investigating the web server + modsecurity:

--81e40f67-C--
hgmid=bzM5WGYxVHFSbTZ1Z3JHZG1zdlVCZ0VscHdVSWxQV1VEejd3RkxmbitMWT0%2C&newstate=on
--81e40f67-F--
HTTP/1.1 403 **Forbidden**
X-Powered-By: PHP/7.0.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-DEBUGKIT-ID: 2b28f668-aae6-4a1a-98e6-59e093644458
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

--81e40f67-H--
Apache-Handler: php7-script
Stopwatch: 1486483558346278 201154 (- - -)
Stopwatch2: 1486483558346278 201154; combined=30, p1=15, p2=10, p3=0, p4=0, p5=4, sr=0, sw=1, l=0, gc=0
Producer: ModSecurity for Apache/2.7.3 (http://www.modsecurity.org/).
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.1e-fips PHP/7.0.14
Engine-Mode: "ENABLED"

--81e40f67-Z--

--eb53bd50-A--
[07/Feb/2017:17:37:44 +0100] WJn32OG1ZPR@AD3VIR9bqQAAAAA 10.7.246.11 43635 10.7.246.12 443
--eb53bd50-B--
POST /test123/admin/hgms/updatehgmstate HTTP/1.1
Host: iot.mysite.com
Connection: keep-alive
Content-Length: 80
Accept: application/json, text/javascript, */*; q=0.01
Origin: https://iot.mysite.com
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 9_1 like Mac OS X) AppleWebKit/601.1.46 (KHTML, like Gecko) Version/9.0 Mobile/13B143 Safari/601.1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: https://iot.mysite.com/test123/admin/hgms/index-home
Accept-Encoding: gzip, deflate, br
Accept-Language: it-IT,it;q=0.8,en-US;q=0.6,en;q=0.4
Cookie: CAKEPHP=p0nim3vv0f230tiug77jop65t5
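As an added example (not part of the question or of the asker's setup), the Python below decodes a constructed TLS ClientHello the way the www-https frontend's sample fetches do: req_ssl_hello_type reads the handshake message type, payload_lv(43,1) reads the length-prefixed session ID at offset 43, and req_ssl_sni reads the server_name extension; choose_backend mirrors the use_backend rules, including the case where no complete ClientHello is available, which leaves the SNI fetch empty so that default_backend is chosen. The names domain1/domain2 and the backend names come from the configuration above; build_client_hello only produces constructed sample input.

```python
import struct

HANDSHAKE, CLIENT_HELLO = 0x16, 0x01          # TLS record type, handshake msg type

def build_client_hello(sni: str, session_id: bytes = b"") -> bytes:
    """Constructed sample input: a minimal TLS 1.2 ClientHello record with an SNI extension."""
    name = sni.encode("ascii")
    # extension type 0 (server_name): ext_len, list_len, name_type=0, name_len, name
    sni_ext = struct.pack("!HHHBH", 0, len(name) + 5, len(name) + 3, 0, len(name)) + name
    body = (b"\x03\x03" + b"\x00" * 32                 # client_version + 32-byte random
            + bytes([len(session_id)]) + session_id     # this is what payload_lv(43,1) reads
            + b"\x00\x02\xc0\x2f"                       # one cipher suite
            + b"\x01\x00"                               # null compression only
            + struct.pack("!H", len(sni_ext)) + sni_ext)
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE, 3, 1]) + struct.pack("!H", len(handshake)) + handshake

def parse_client_hello(record: bytes) -> dict:
    """Decode the fields req_ssl_hello_type, payload_lv(43,1) and req_ssl_sni look at.
    Returns {} for a missing or incomplete ClientHello: in that case HAProxy's
    fetches yield nothing and no SNI-based use_backend rule can match."""
    if len(record) < 44 or record[0] != HANDSHAKE:
        return {}
    rec_end = 5 + struct.unpack("!H", record[3:5])[0]
    if len(record) < rec_end or record[5] != CLIENT_HELLO:
        return {}
    # offset 43 = 5 (record hdr) + 4 (handshake hdr) + 2 (version) + 32 (random)
    sid_len = record[43]
    session_id = record[44:44 + sid_len]
    pos = 44 + sid_len
    pos += 2 + struct.unpack("!H", record[pos:pos + 2])[0]   # skip cipher_suites
    pos += 1 + record[pos]                                   # skip compression_methods
    sni = None
    if pos + 2 <= rec_end:                                   # extensions are optional
        ext_end = pos + 2 + struct.unpack("!H", record[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= ext_end:
            etype, elen = struct.unpack("!HH", record[pos:pos + 4])
            pos += 4
            if etype == 0:                                   # server_name extension
                name_len = struct.unpack("!H", record[pos + 3:pos + 5])[0]
                sni = record[pos + 5:pos + 5 + name_len].decode("ascii")
            pos += elen
    return {"hello_type": CLIENT_HELLO, "session_id": session_id.hex(), "sni": sni}

def choose_backend(record: bytes) -> str:
    """Mirror the www-https frontend: case-insensitive SNI match, else default_backend."""
    sni = (parse_client_hello(record).get("sni") or "").lower()
    return {"domain1": "perseo_cluster", "domain2": "octopus_cluster"}.get(sni, "perseo_cluster")
```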

0 answers:

No answers