I have an HAProxy in front of two HTTPS web servers.
https://domain1 is proxied to backend A.
https://domain2 is proxied to backend B.
This is the configuration:
    global
        log 127.0.0.1 local2
        chroot /var/lib/haproxy
        pidfile /var/run/haproxy.pid
        maxconn 4000
        user haproxy
        group haproxy
        daemon
        # turn on stats unix socket
        stats socket /var/lib/haproxy/stats

    defaults
        mode http
        log global
        option dontlognull
        option http-server-close
        option redispatch
        retries 3
        timeout http-request 10s
        timeout queue 1m
        timeout connect 10s
        timeout check 10s
        maxconn 3000

    frontend http-in
        bind *:80
        redirect scheme https code 301 if { hdr_end(host) -i domain1 } !{ ssl_fc }

    frontend www-https
        mode tcp
        bind *:443
        reqadd X-Forwarded-Proto:\ https
        tcp-request inspect-delay 5s
        tcp-request content accept if { req_ssl_hello_type 1 }
        use_backend perseo_cluster if { req_ssl_sni -i domain1 }
        use_backend octopus_cluster if { req_ssl_sni -i domain2 }
        acl is_websocket hdr(Upgrade) -i WebSocket
        use_backend wsServers if is_websocket
        default_backend perseo_cluster

    backend wsServers
        mode tcp
        server main 10.7.246.12:8884 check

    backend octopus_cluster
        mode tcp
        stick-table type binary len 32 size 30k expire 30m
        acl clienthello req_ssl_hello_type 1
        acl serverhello rep_ssl_hello_type 2
        # use tcp content accepts to detects ssl client and server hello.
        tcp-request inspect-delay 5s
        tcp-request content accept if clienthello
        # no timeout on response inspect delay by default.
        tcp-response content accept if serverhello
        stick on payload_lv(43,1) if clienthello
        # Learn on response if server hello.
        stick store-response payload_lv(43,1) if serverhello
        option ssl-hello-chk
        server main 10.7.246.12:443 check

    #---------------------------------------------------------------------
    # round robin balancing between the various backends
    #---------------------------------------------------------------------
    backend perseo_cluster
        mode tcp
        stick-table type binary len 32 size 30k expire 30m
        acl clienthello req_ssl_hello_type 1
        acl serverhello rep_ssl_hello_type 2
        # use tcp content accepts to detects ssl client and server hello.
        tcp-request inspect-delay 5s
        tcp-request content accept if clienthello
        # no timeout on response inspect delay by default.
        tcp-response content accept if serverhello
        stick on payload_lv(43,1) if clienthello
        # Learn on response if server hello.
        stick store-response payload_lv(43,1) if serverhello
        option ssl-hello-chk
        server stn_perseo 10.0.0.15:443
However, sometimes, at random, although the URL points to B, the result is A's response, which is obviously a "not found". My HAProxy version is:

    # haproxy -v
    HA-Proxy version 1.5.4 2014/09/02

Maybe the timeout is too low?

EDIT

After investigating the web server + modsecurity:
    --81e40f67-C--
    hgmid=bzM5WGYxVHFSbTZ1Z3JHZG1zdlVCZ0VscHdVSWxQV1VEejd3RkxmbitMWT0%2C&newstate=on
    --81e40f67-F--
    HTTP/1.1 403 **Forbidden**
    X-Powered-By: PHP/7.0.14
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    X-DEBUGKIT-ID: 2b28f668-aae6-4a1a-98e6-59e093644458
    Content-Length: 0
    Keep-Alive: timeout=5, max=100
    Connection: Keep-Alive
    Content-Type: text/html; charset=UTF-8
    --81e40f67-H--
    Apache-Handler: php7-script
    Stopwatch: 1486483558346278 201154 (- - -)
    Stopwatch2: 1486483558346278 201154; combined=30, p1=15, p2=10, p3=0, p4=0, p5=4, sr=0, sw=1, l=0, gc=0
    Producer: ModSecurity for Apache/2.7.3 (http://www.modsecurity.org/).
    Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.1e-fips PHP/7.0.14
    Engine-Mode: "ENABLED"
    --81e40f67-Z--
    --eb53bd50-A--
    [07/Feb/2017:17:37:44 +0100] WJn32OG1ZPR@AD3VIR9bqQAAAAA 10.7.246.11 43635 10.7.246.12 443
    --eb53bd50-B--
    POST /test123/admin/hgms/updatehgmstate HTTP/1.1
    Host: iot.mysite.com
    Connection: keep-alive
    Content-Length: 80
    Accept: application/json, text/javascript, */*; q=0.01
    Origin: https://iot.mysite.com
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 9_1 like Mac OS X) AppleWebKit/601.1.46 (KHTML, like Gecko) Version/9.0 Mobile/13B143 Safari/601.1
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    Referer: https://iot.mysite.com/test123/admin/hgms/index-home
    Accept-Encoding: gzip, deflate, br
    Accept-Language: it-IT,it;q=0.8,en-US;q=0.6,en;q=0.4
    Cookie: CAKEPHP=p0nim3vv0f230tiug77jop65t5
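The routing in the `www-https` frontend above only works if HAProxy can read a complete TLS ClientHello within `tcp-request inspect-delay`. When `req_ssl_sni` yields nothing (the hello is not yet complete when the delay expires, or the client sent no SNI at all), neither `use_backend` rule matches and `default_backend perseo_cluster` (backend A) is chosen. The following Python script is an added illustration, not code from the question, from the answers, or from HAProxy itself: it builds a minimal, constructed ClientHello record, extracts the SNI the way `req_ssl_sni` does, applies the frontend's rules in their configured order, and shows what `stick on payload_lv(43,1)` actually keys on (the session ID whose length byte sits at offset 43). The hostnames `domain1`/`domain2` and the backend names are taken from the posted config; the record builder, its single cipher suite and its zeroed random bytes are assumptions for the demo.

```python
import struct

# Hostnames and backend names from the posted HAProxy config
DOMAIN1 = "domain1"
DOMAIN2 = "domain2"
DEFAULT_BACKEND = "perseo_cluster"


def build_client_hello(sni=None, session_id=b""):
    """Build a minimal TLS 1.2 ClientHello record (constructed sample input).

    Layout: 5-byte record header, 4-byte handshake header, 2-byte version,
    32-byte random, session ID, cipher suites, compression, extensions.
    The random is zeroed and a single cipher suite is used (demo assumption).
    """
    extensions = b""
    if sni is not None:
        name = sni.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name      # host_name
        server_name_list = struct.pack("!H", len(entry)) + entry
        extensions += struct.pack("!HH", 0x0000, len(server_name_list)) + server_name_list
    body = (
        b"\x03\x03"                                  # client_version TLS 1.2
        + bytes(32)                                  # random (zeroed)
        + bytes([len(session_id)]) + session_id      # session_id
        + struct.pack("!H", 2) + b"\xc0\x2f"         # one cipher suite
        + b"\x01\x00"                                # compression: null only
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body     # type=ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(data):
    """Return {'session_id', 'sni'} for a complete ClientHello, else None.

    Returning None for an incomplete buffer mirrors req_ssl_hello_type /
    req_ssl_sni yielding nothing while HAProxy is still waiting for data.
    """
    if len(data) < 5 or data[0] != 0x16:
        return None
    rec_len = struct.unpack("!H", data[3:5])[0]
    if len(data) < 5 + rec_len:
        return None                      # record not fully received yet
    hs = data[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        return None                      # not a ClientHello
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) < hs_len:
        return None
    pos = 2 + 32                         # skip version + random
    sid_len = body[pos]; pos += 1
    session_id = body[pos:pos + sid_len]; pos += sid_len
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2 + cs_len
    cm_len = body[pos]; pos += 1 + cm_len
    sni = None
    if pos + 2 <= len(body):
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
            if etype == 0x0000:          # server_name extension
                lp = pos + 2             # skip server_name_list length
                while lp + 3 <= pos + elen:
                    ntype = body[lp]
                    nlen = struct.unpack("!H", body[lp + 1:lp + 3])[0]
                    if ntype == 0:       # name_type host_name
                        sni = body[lp + 3:lp + 3 + nlen].decode("ascii")
                        break
                    lp += 3 + nlen
            pos += elen
    return {"session_id": session_id, "sni": sni}


def choose_backend(data):
    """Apply the www-https frontend's use_backend rules in order (-i: case-insensitive)."""
    hello = parse_client_hello(data)
    sni = hello["sni"].lower() if hello and hello["sni"] else None
    if sni == DOMAIN1:
        return "perseo_cluster"
    if sni == DOMAIN2:
        return "octopus_cluster"
    return DEFAULT_BACKEND               # no/unknown SNI: default_backend wins


def stick_key(data):
    """What 'stick on payload_lv(43,1)' keys on: the 1-byte length at offset 43
    (5 record + 4 handshake + 2 version + 32 random) and the bytes after it,
    i.e. the TLS session ID."""
    if len(data) < 44:
        return b""
    n = data[43]
    return data[44:44 + n]


if __name__ == "__main__":
    for label, hello in [("domain2", build_client_hello("domain2")),
                         ("no SNI", build_client_hello(None)),
                         ("truncated", build_client_hello("domain2")[:20])]:
        print(f"{label:>10}: backend={choose_backend(hello)}")
```

The third case in the `__main__` block is the one worth noticing: the same ClientHello for `domain2`, cut short as it would be if only the first TCP segment had arrived when the inspect delay expired, is routed to `perseo_cluster` (backend A), not to B. Checking HAProxy's logs for connections whose SNI fetch is empty is a cheap way to confirm or rule out this path before looking further at the ModSecurity 403 seen on the backend.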