haproxy: get the hostname

Time: 2017-04-27 21:10:27

Tags: http https haproxy

I am trying to get the requester's host / ip as it relates to the haproxy node. My haproxy configuration is as follows:

frontend www-http
    bind *:9000
    http-request redirect location https://%fi:9143

frontend www-https
    bind *:9143 ssl crt /root/keys.pem
    reqadd X-Forwarded-Proto:\ https
    default_backend www-backend

backend www-backend
    balance roundrobin
    cookie SERVERID insert indirect nocache
    server server1 1.1.1.1:9080 cookie server1 weight 1 maxconn 1024 check

So here, if there is any http request, I need to redirect it to https. Now the request may use a fully qualified ip address or hostname, for example

http://10.10.10.10:9000 

This needs to redirect to https://10.10.10.10:9143

Similarly, the request may come with a fully qualified hostname, for example

http://myhost.domain.com:9000

This needs to redirect to https://myhost.domain.com:9143

Basically 10.10.10.10 and myhost.domain.com are the same system.

Now with the haproxy configuration above, I cannot get the second case, because it is %fi (frontend_ip), so it redirects to https://10.10.10.10:9143

So my question is how to get the ip / host of the haproxy node on haproxy.

I tried the following options, but they had no effect:

http-request redirect location https://%f:9143
http-request redirect location https://%[req.hdr(Host)]:9143

From https://www.haproxy.com/doc/aloha/7.0/haproxy/log_format_rules.html

2 answers:

Answer 0: (score: 0)

You can get the source address via the src var. Haproxy keeps the requester IP under it, and it can be used in acls and elsewhere.

For logging, use it as follows: %[src]

See the following link: src fetching-samples (under layer 4)

Answer 1: (score: 0)

See How do I set a dynamic variable in HAProxy? for additional details, but building on that, the following should work for you:

frontend www-http
    bind *:9000

    # Redirect user from http port to https port
    http-request set-var(req.hostname) req.hdr(Host),field(1,:),lower
    http-request redirect code 301 location https://%[var(req.hostname)]:9143 if !{ ssl_fc }

frontend www-https
    bind *:9143 ssl crt /root/keys.pem
    reqadd X-Forwarded-Proto:\ https
    default_backend www-backend

backend www-backend
    balance roundrobin
    cookie SERVERID insert indirect nocache
    server server1 1.1.1.1:9080 cookie server1 weight 1 maxconn 1024 check

My situation is a bit different, since I only wanted to redirect the stats UI URL so that I would not have to update every stats URL in the internal docs. Here is what works for my situation (in case it helps someone else):

userlist stats-auth
    group admin users adminuser
    group readonly users readonlyuser

    # Passwords created via mkpasswd -m sha-512 PASSWORD_HERE
    user adminuser password NOT_REAL_PASSWORD
    user readonlyuser password NOT_REAL_PASSWORD

listen stats

    # Used just for the initial connection before we redirect the user to https
    bind *:4711

    # Combined file containing server, intermediate and root CA certs along
    # with the private key for the server cert.
    bind *:4712 ssl crt /etc/ssl/private/my-site-name_combined_cert_bundle_with_key.pem

    option dontlognull
    mode http
    option httplog

    # Redirect user from http port to https port
    http-request set-var(req.hostname) req.hdr(Host),field(1,:),lower
    http-request redirect code 301 location https://%[var(req.hostname)]:4712/ if !{ ssl_fc }

    acl AUTH            http_auth(stats-auth)
    acl AUTH_ADMIN      http_auth_group(stats-auth) admin

    stats enable

    # The only "site" for using these ports is the admin UI, so use '/' as
    # the base path instead of requiring something like '/haproxy_stats' or
    # '/stats' in order to display the UI.
    stats uri /

    # Force a login if not already authenticated
    stats http-request auth unless AUTH

    # Allow administrator functionality if user logged in using admin creds
    # (there are separate read-only username and password pairs)
    stats admin if AUTH_ADMIN

I left out the frontend and backend configurations because they are longer / more detailed.
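As an added example (not part of the question or either answer), here is a small Python model of the converter chain used in answer 1, `req.hdr(Host),field(1,:),lower`, followed by the `https://...:9143` redirect. It lets you check what Location value a given Host header produces before deploying the rule, and it adds an allow-list check, which is an assumption of this example and not part of the original configuration; the sample Host values are constructed.

```python
"""Model of the HAProxy rule from answer 1:
    http-request set-var(req.hostname) req.hdr(Host),field(1,:),lower
    http-request redirect code 301 location https://%[var(req.hostname)]:9143 if !{ ssl_fc }
Python stand-in added for illustration; it is not HAProxy's own code.
"""
from typing import Optional, Set

HTTPS_PORT = 9143  # the https frontend port from the question


def hostname_from_host_header(host_header: str) -> str:
    """Mimic field(1,:),lower: keep the text before the first ':' and
    lower-case it. Caveat worth knowing: a bracketed IPv6 literal such as
    '[::1]:9000' yields '[' here, exactly as the HAProxy converter chain does,
    because field(1,:) is a plain split on ':'."""
    return host_header.split(":", 1)[0].lower()


def redirect_location(host_header: str,
                      allowed_hosts: Optional[Set[str]] = None) -> Optional[str]:
    """Return the Location the rule would emit, or None when the Host value
    is empty or not on the allow-list. The allow-list is an assumption of
    this example; it is the check that stops a client-supplied Host header
    from steering the redirect to a host that is not this system."""
    host = hostname_from_host_header(host_header)
    if not host:
        return None
    if allowed_hosts is not None and host not in allowed_hosts:
        return None
    return f"https://{host}:{HTTPS_PORT}"


# Constructed Host headers matching the two cases in the question, plus
# variants that exercise the edge cases above.
SAMPLE_HOST_HEADERS = ["10.10.10.10:9000", "MyHost.Domain.com:9000",
                       "myhost.domain.com", "[::1]:9000", "other.example:9000"]
# Assumed allow-list: the names the question says refer to the same system.
ALLOWED_HOSTS = {"10.10.10.10", "myhost.domain.com"}

if __name__ == "__main__":
    for header in SAMPLE_HOST_HEADERS:
        print(f"{header!r:28} -> {redirect_location(header, ALLOWED_HOSTS)}")
```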