Haproxy acl rules for SSL

Time: 2017-11-16 18:36:52

Tags: ssl https load-balancing haproxy

I need to configure Haproxy for SSL so that when certain keywords in the URL match, it should go to the non-SSL port (8080), and for the remaining calls it should go to the SSL port 8443.

I have assigned 127.0.0.1 to example.com, so if the URL example.com is typed into the browser it points to localhost on my machine.

In the frontend ssl, the acl rules are not working, because URLs with action 'reporting' or 'account_management' do not go to the backend proxybackend. Even when the URL has action=reporting, all traffic goes through the default_backend SSLappAPI.

Is the acl not working because I am trying to use a non-SSL port for SSL traffic, or is there some problem in my haproxy configuration below?

Any help is much appreciated.

Sample URL: https://example.com/api/?uid=NrpB1vfSR01KVsxw1YI5H4&action=reporting

frontend main *:80
    acl is_api url_param(action) -i host_check
    use_backend appAPI      if is_api
    default_backend             appUI
    option             forwardfor

frontend ssl
    mode tcp
    bind *:443
    option tcplog
    acl server_ssl urlp_sub(action) -i reporting
    acl server_ssl urlp_sub(action) -i account_management
    acl server_ssl hdr(host) -i example.com
    acl server_ssl hdr_sub(host) -i example.com

    use_backend proxybackend if server_ssl
    default_backend             SSLappAPI
    option             forwardfor

backend appUI
    server      ui-server 127.0.0.1:8080 check maxconn 50#ui <- leave this format to allow for selective script replacement

backend appAPI
    server  api-server 127.0.0.1:8080 check maxconn 750#api <- leave this format to allow for selective script replacement
    timeout http-keep-alive 0s

backend SSLappAPI
    mode tcp
    server  api-server 127.0.0.1:8443 check maxconn 800#ssl <- leave this format to allow for selective script replacement

backend proxybackend
    server proxyserver 127.0.0.1:8080

1 answer:

Answer 0: (score: 0)

The rule 'req_ssl_sni' did the trick. It looks like normal ACLs do not work for SSL; here 'req_ssl_sni' comes to the rescue.

Below is the working code for 2 SSL servers using the same haproxy. The code below also works with SSL certificates without needing to install a combined .PEM certificate on the haproxy server.

frontend ssl
    mode tcp
    bind *:443
    option tcplog

    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }

    use_backend SSLappAPI if { req_ssl_sni -i anoexample.com }
    use_backend proxybackend if { req_ssl_sni -i example.com }

    default_backend             SSLappAPI

backend SSLappAPI
    mode tcp
    server  api-server 127.0.0.1:8443 check maxconn 800#ssl <- leave this format to allow for selective script replacement

backend proxybackend
    mode tcp
    #option nolinger
    option tcplog
    balance roundrobin
    hash-type consistent
    option srvtcpka

    # maximum SSL session ID length is 32 bytes.
    stick-table type binary len 32 size 30k expire 30m

    # make sure we cover type 1 (fallback)
    acl clienthello req_ssl_hello_type 1
    acl serverhello rep_ssl_hello_type 2

    # use tcp content accepts to detect ssl client and server hello.
    tcp-request inspect-delay 5s
    tcp-request content accept if clienthello

    # no timeout on response inspect delay by default.
    tcp-response content accept if serverhello

    # SSL session ID (SSLID) may be present on a client or server hello.
    # Its length is coded on 1 byte at offset 43 and its value starts
    # at offset 44.
    # Match and learn on request if client hello.
    stick on payload_lv(43,1) if clienthello

    # Learn on response if server hello.
    stick store-response payload_lv(43,1) if serverhello

    #option ssl-hello-chk

    server proxyserver 127.0.0.2:443
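As an added illustration (not code from the original question or answer), the following Python builds a constructed TLS ClientHello and parses out the two plaintext fields the answer's TCP-mode config relies on: the SNI extension that `req_ssl_sni` matches, and the session ID length byte at offset 43 that `payload_lv(43,1)` sticks on. It also makes clear why the question's `urlp()`/`hdr()` ACLs could never match in `mode tcp`: the HTTP request carrying `action=reporting` lives inside encrypted application data, not in the ClientHello. `choose_backend` mirrors the answer's `use_backend`/`default_backend` rules; the cipher suite and zeroed random are placeholder sample values.

```python
import struct

def build_client_hello(sni: str, session_id: bytes) -> bytes:
    """Build a minimal TLS 1.2 record carrying a ClientHello with an SNI extension (constructed sample)."""
    host = sni.encode()
    # server_name extension (type 0): list length, name type 0 (host_name), name length, name
    entry = b"\x00" + struct.pack("!H", len(host)) + host
    sni_ext = struct.pack("!HHH", 0, len(entry) + 2, len(entry)) + entry
    body = (
        b"\x03\x03"                                   # client_version TLS 1.2
        + bytes(32)                                   # client random (zeros, constructed)
        + bytes([len(session_id)]) + session_id       # session ID length + value
        + struct.pack("!H", 2) + b"\xc0\x2f"          # one cipher suite (placeholder)
        + b"\x01\x00"                                 # one compression method: null
        + struct.pack("!H", len(sni_ext)) + sni_ext   # extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body       # type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # record type 22

def parse_client_hello(record: bytes) -> dict:
    """Extract hello type, session ID and SNI; returns {} if this is not a ClientHello record."""
    if len(record) < 44 or record[0] != 0x16 or record[5] != 0x01:  # req_ssl_hello_type 1
        return {}
    sid_len = record[43]                         # the byte payload_lv(43,1) reads in the answer
    session_id = record[44:44 + sid_len]
    pos = 44 + sid_len
    cs_len = struct.unpack("!H", record[pos:pos + 2])[0]
    pos += 2 + cs_len                            # skip cipher suites
    pos += 1 + record[pos]                       # skip compression methods
    ext_len = struct.unpack("!H", record[pos:pos + 2])[0]
    pos += 2
    end, sni = pos + ext_len, None
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", record[pos:pos + 4])
        pos += 4
        if etype == 0:                           # server_name: what req_ssl_sni matches on
            name_len = struct.unpack("!H", record[pos + 3:pos + 5])[0]
            sni = record[pos + 5:pos + 5 + name_len].decode()
        pos += elen
    return {"hello_type": 1, "session_id": session_id.hex(), "sni": sni}

def choose_backend(record: bytes) -> str:
    """Mirror the answer's use_backend / default_backend rules on the parsed SNI."""
    sni = (parse_client_hello(record).get("sni") or "").lower()
    if sni == "anoexample.com":
        return "SSLappAPI"
    if sni == "example.com":
        return "proxybackend"
    return "SSLappAPI"                           # default_backend
```

Feeding a captured ClientHello (the first TLS record on port 443) to `parse_client_hello` shows exactly what HAProxy can see before any decryption, which is the whole basis for SNI routing without a certificate on the proxy.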