HAProxy cannot redirect to HTTPS when terminating

Time: 2018-02-22 20:26:05

Tags: reverse-proxy haproxy

I want to set up HAProxy for two servers - one passthrough and one with termination. I have no previous experience with HAProxy, and I cannot get the HTTPS redirect working for the terminated version - I get a 502. Here is the config:

#Upgrades the passthrough and check for Let's Encrypt
frontend http_front
    bind :80
    option forwardfor
    acl host_s1 hdr(host) -i s1.example.com
    acl path_le path_beg -i /.well-known/acme-challenge/
    redirect scheme https code 301 if host_s1 !path_le
    use_backend acmetool if path_le
    default_backend http-back

#Handles the passthrough and loopsback to itself for other domains
frontend passthrough
    mode tcp
    bind :443
    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }
    use_backend service1 if { req_ssl_sni -i s1.example.com }
    default_backend https-back

#Loopback to handle the termination domains
frontend https-front
    bind 127.0.0.1:8443 ssl crt s2.example.com.pem
    option forwardfor
    reqdel X-Forwarded-Proto
    reqadd X-Forwarded-Proto:\ https if { ssl_fc }
    use_backend service2 if { req_ssl_sni -i s2.example.com }
    default_backend service2

#returns for second pass from HTTP
backend http-back
    server https-front 127.0.0.1:8443

#returns for second pass from HTTPS
backend https-back
    mode tcp
    server https-front 127.0.0.1:8443

backend service1
    mode tcp
    server service1 127.0.0.1:8888

backend service2
    #redirect scheme https code 301 if !{ ssl_fc }
    server server2 server2:80

backend acmetool
    server acmetool 127.0.0.1:81

I'm not sure whether the reqdel/reqadd in https-front are needed, or whether I have to do the tcp-request again on the second pass over HTTPS.

Uncommenting the redirect in the backend doesn't help either.

1 answer:

Answer 0 (score: 0)

I was able to solve this after some trouble.

Here is the final setup with updated names to better reflect the logic behind each one:

#Upgrades to HTTPS unless it's Let's Encrypt
frontend http
    bind :80
    option forwardfor
    redirect scheme https code 301 if !{ path_beg -i /.well-known/acme-challenge/ }
    default_backend acmetool

#Handles the passthrough and loopsback for termination
frontend passthrough
    mode tcp
    bind :443
    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }
    use_backend service1 if { req_ssl_sni -i s1.example.com }
    default_backend loopback

#Handles the termination domains on second pass
frontend termination
    bind 127.0.0.1:8443 ssl crt s2.example.com.pem
    option forwardfor
    reqdel X-Forwarded-Proto
    reqadd X-Forwarded-Proto:\ https if { ssl_fc }
    use_backend service2 if { ssl_fc_sni -i s2.example.com }
    default_backend service2

#Loopback for second pass
backend loopback
    mode tcp
    server https-front 127.0.0.1:8443

backend service1
    mode tcp
    server service1 127.0.0.1:8888

backend service2
    server server2 server2:80

backend acmetool
    server acmetool 127.0.0.1:81
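The change that matters between the question's https-front and the answer's termination frontend is `req_ssl_sni` becoming `ssl_fc_sni`: `req_ssl_sni` (like `req_ssl_hello_type`) reads the raw, still-encrypted ClientHello bytes in a tcp-mode frontend and never matches on a `bind ... ssl` frontend, where HAProxy has already decrypted the stream and the SNI is only available through `ssl_fc_sni`. The script below is an added example, not code from the original question or answer. It builds a constructed minimal ClientHello (zero random, one cipher suite, test input only) and replays the passthrough frontend's routing decision as a pure function over those raw bytes, including the "not enough data yet" state that `tcp-request inspect-delay 5s` exists to cover. The names `build_client_hello`, `classify_tls_record`, `choose_backend` and `SNI_BACKENDS` are mine and correspond to nothing in HAProxy.

```python
"""Added example (not from the original post): what HAProxy's req_ssl_sni sees
in the tcp-mode passthrough frontend, and how that frontend's routing decision
falls out of the raw ClientHello bytes."""
import struct

# Mirrors "use_backend service1 if { req_ssl_sni -i s1.example.com }" and
# "default_backend loopback" from the answer's passthrough frontend.
# Assumption: lower-cased keys emulate the case-insensitive "-i" match.
SNI_BACKENDS = {"s1.example.com": "service1"}
DEFAULT_BACKEND = "loopback"


def build_client_hello(server_name=None):
    """Constructed minimal TLS 1.2 ClientHello record (test input, not a real capture)."""
    exts = b""
    if server_name is not None:
        name = server_name.encode("ascii")
        entry = b"\x00" + struct.pack(">H", len(name)) + name        # name_type 0 = host_name
        sni_list = struct.pack(">H", len(entry)) + entry
        exts += struct.pack(">HH", 0, len(sni_list)) + sni_list       # extension type 0 = server_name
    body = (
        b"\x03\x03" + bytes(32)                                       # client_version + random (zeros)
        + b"\x00"                                                     # empty session_id
        + struct.pack(">H", 2) + b"\x13\x01"                          # one cipher suite
        + b"\x01\x00"                                                 # one compression method: null
        + struct.pack(">H", len(exts)) + exts
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body         # HandshakeType client_hello = 1
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake  # ContentType handshake


def classify_tls_record(data):
    """Return (state, sni); state is 'incomplete', 'not_client_hello' or 'client_hello'."""
    if len(data) < 5:
        return "incomplete", None
    if data[0] != 0x16:
        return "not_client_hello", None   # not a TLS handshake record (e.g. plaintext HTTP)
    rec_len = struct.unpack(">H", data[3:5])[0]
    if len(data) < 5 + rec_len:
        return "incomplete", None         # keep buffering: this is what inspect-delay waits for
    hs = data[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 1:
        return "not_client_hello", None   # req_ssl_hello_type 1 would be false here
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    try:
        pos = 2 + 32                                                  # skip version + random
        pos += 1 + body[pos]                                          # session_id
        pos += 2 + struct.unpack(">H", body[pos:pos + 2])[0]          # cipher_suites
        pos += 1 + body[pos]                                          # compression_methods
        if pos + 2 > len(body):
            return "client_hello", None                               # no extensions block at all
        ext_end = pos + 2 + struct.unpack(">H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= ext_end:
            etype, elen = struct.unpack(">HH", body[pos:pos + 4])
            pos += 4
            if etype == 0:                                            # server_name extension
                list_len = struct.unpack(">H", body[pos:pos + 2])[0]
                p, list_end = pos + 2, pos + 2 + list_len
                while p + 3 <= list_end:
                    ntype = body[p]
                    nlen = struct.unpack(">H", body[p + 1:p + 3])[0]
                    p += 3
                    if ntype == 0:
                        return "client_hello", body[p:p + nlen].decode("ascii")
                    p += nlen
                return "client_hello", None
            pos += elen
    except (IndexError, struct.error, UnicodeDecodeError):
        return "not_client_hello", None                               # malformed: no usable hello
    return "client_hello", None


def choose_backend(data):
    """Simplified model of the passthrough frontend's decision for the bytes seen so far."""
    state, sni = classify_tls_record(data)
    if state == "incomplete":
        return "wait"                          # still inside tcp-request inspect-delay
    if sni is None:
        return DEFAULT_BACKEND                 # no SNI match possible: loopback to termination
    return SNI_BACKENDS.get(sni.lower(), DEFAULT_BACKEND)
```

`choose_backend(build_client_hello("s1.example.com"))` returns `service1`; a hello for any other name, a hello without SNI, or a plaintext HTTP request returns `loopback`, and a truncated record returns `wait`. Two caveats on the answer's config as posted: `reqdel`/`reqadd` are deprecated since HAProxy 2.1 in favour of `http-request del-header X-Forwarded-Proto` and `http-request set-header X-Forwarded-Proto https if { ssl_fc }`, and the delete step (or `set-header`, which overwrites) is the security-relevant part, because without it a client can send its own `X-Forwarded-Proto` header and have the backend trust it.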