send-proxy fails on SSL passthrough haproxy

Posted: 2018-08-04 10:36:06

Tags: docker ssl haproxy traefik

I want to use ssl-passthrough on Haproxy to route traffic to traefik. This works, but I want to know who is making the request. The haproxy documentation says I have to use send-proxy. This works for http, but not for https. Traefik has proxy protocol enabled.

Firefox reports SSL_ERROR_RECORD_OVERFLOW_ALERT

Chrome says ERR_SSL_PROTOCOL_ERROR

The Traefik log shows:

msg="http: TLS handshake error from haproxy_ip:51206: tls: oversized record received with length 22617"

Am I missing something in the configuration?

My haproxy configuration:

global
    log /dev/log    local0
    log /dev/log    local1 notice
    chroot /var/lib/haproxy
    stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
    stats timeout 30s
    user haproxy
    group haproxy
    daemon

defaults
    log     global
    option  tcplog
    mode    tcp

    timeout connect 1s
    timeout client  20s
    timeout server  20s
    timeout client-fin 20s
    timeout tunnel 1h
    #option httplog
    #option dontlognull
    #timeout connect 5000
    #timeout client  50000
    #timeout server  50000
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http

    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http

frontend http_front
    bind *:80
    option http-server-close
    option forwardfor
    default_backend http_back

backend http_back
    balance roundrobin
    server private_server private_ip:80 send-proxy


frontend https_front
    bind *:443
    mode tcp
    option tcp-check
    default_backend https_back

backend https_back
    balance source
    mode tcp
    option ssl-hello-chk

    server private_server private_ip:8080 send-proxy

Traefik configuration:

debug = false

logLevel = "DEBUG"
defaultEntryPoints = ["https","http"]

[entryPoints]
  [entryPoints.http]
  address = ":80"
    [entryPoints.http.redirect]
    entryPoint = "https"
  [entryPoints.https]
  address = ":443"
  [entryPoints.https.tls]
  [entryPoints.http.proxyProtocol]
    trustedIPs = ["127.0.0.1/32", "private_ip"]
    #insecure = true
[retry]

[docker]
endpoint = "unix:///var/run/docker.sock"
domain = "dartsresults.nl"
watch = true
exposedByDefault = false

1 answer:

Answer 0 (score: 0)

It should be "https" in [entrypoints.https.proxyProtocol], like:

[entryPoints.https]
  address = ":443"

  [entryPoints.https.tls]
  [entryPoints.https.proxyProtocol]
    trustedIPs = ["127.0.0.1/32", "private_ip"]

For information on using tables in TOML: https://github.com/toml-lang/toml#table
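As an added illustration (editor's example, not code from the question, the answer, HAProxy or Traefik) of why the https entrypoint logs exactly 22617: with no [proxyProtocol] table on that entrypoint, Traefik hands the raw stream to its TLS listener, which reads the ASCII bytes "PROXY" as a TLS record header. The two bytes "XY" (0x58 0x59) land in the length field and become 0x5859 = 22617, above the 18432-byte record ceiling that Go's crypto/tls enforces, so the handshake is rejected before any TLS data is seen. The Python below parses a constructed PROXY v1 line, models both entrypoint configurations, and returns the client each one sees; the 10.0.0.5 address and the trustedIPs list are assumptions standing in for the question's private_ip.

```python
import ipaddress
import struct

# Go's crypto/tls rejects any record longer than this (16384 + 2048 bytes); that
# check produces the "tls: oversized record received" line in the Traefik log.
MAX_TLS_RECORD = 16384 + 2048

# Constructed sample stream, shaped like what HAProxy's "send-proxy" emits: a
# PROXY protocol v1 line, then a TLS record header (handshake type 0x16, record
# version 3.1, 197-byte body) and a filler body. Addresses and ports are made up.
PROXY_V1_LINE = b"PROXY TCP4 203.0.113.7 192.0.2.10 51206 8080\r\n"
TLS_RECORD_HEADER = bytes([0x16, 0x03, 0x01, 0x00, 0xC5])
SAMPLE_STREAM = PROXY_V1_LINE + TLS_RECORD_HEADER + bytes(0xC5)

# Hypothetical address of the HAProxy host (the question's "private_ip").
HAPROXY_IP = "10.0.0.5"


def tls_record_header(data: bytes):
    """Read the 5-byte TLS record header as (content_type, version, length)."""
    if len(data) < 5:
        raise ValueError("short TLS record header")
    return struct.unpack("!BHH", data[:5])


def parse_proxy_v1(data: bytes):
    """Parse a PROXY protocol v1 line from the start of a stream.

    Returns (src_ip, dst_ip, src_port, dst_port, rest); the address and port
    fields are None for "PROXY UNKNOWN". Raises ValueError on a malformed line.
    """
    if not data.startswith(b"PROXY "):
        raise ValueError("stream does not start with a PROXY v1 header")
    # A v1 line is at most 107 bytes including the trailing CRLF.
    end = data.find(b"\r\n", 0, 107)
    if end == -1:
        raise ValueError("PROXY v1 header missing CRLF within 107 bytes")
    fields = data[:end].decode("ascii").split(" ")
    rest = data[end + 2:]
    if fields[1] == "UNKNOWN":
        return None, None, None, None, rest
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ValueError("malformed PROXY v1 header: %r" % data[:end])
    want_version = 4 if fields[1] == "TCP4" else 6
    src, dst = ipaddress.ip_address(fields[2]), ipaddress.ip_address(fields[3])
    if src.version != want_version or dst.version != want_version:
        raise ValueError("address family does not match %s" % fields[1])
    src_port, dst_port = int(fields[4]), int(fields[5])
    if not (0 <= src_port <= 65535 and 0 <= dst_port <= 65535):
        raise ValueError("port out of range")
    return str(src), str(dst), src_port, dst_port, rest


def is_trusted(peer_ip: str, trusted_ips) -> bool:
    """True if peer_ip falls inside any entry of a trustedIPs-style list."""
    peer = ipaddress.ip_address(peer_ip)
    return any(peer in ipaddress.ip_network(n, strict=False) for n in trusted_ips)


def accept_connection(stream: bytes, peer_ip: str, trusted_ips=None):
    """Model what an entrypoint does with the first bytes of a connection.

    trusted_ips=None stands for an entrypoint with no [proxyProtocol] table
    (the question's https entrypoint). Simplification: an entrypoint that has
    the table but does not trust the peer is treated the same way here.
    """
    client = peer_ip
    if trusted_ips is not None and is_trusted(peer_ip, trusted_ips):
        src_ip, _, src_port, _, stream = parse_proxy_v1(stream)
        if src_ip is not None:
            client = "%s:%d" % (src_ip, src_port)
    content_type, version, length = tls_record_header(stream)
    error = None
    if length > MAX_TLS_RECORD:
        error = "tls: oversized record received with length %d" % length
    return {"client": client, "content_type": content_type,
            "record_len": length, "error": error}


if __name__ == "__main__":
    trusted = ["127.0.0.1/32", HAPROXY_IP]
    print("with [entryPoints.https.proxyProtocol]:",
          accept_connection(SAMPLE_STREAM, HAPROXY_IP, trusted))
    print("without it:", accept_connection(SAMPLE_STREAM, HAPROXY_IP))
```

Running it shows the two outcomes side by side: with the table on the https entrypoint the client is reported as 203.0.113.7:51206 and the TLS record length is the real 197; without it the "client" is the HAProxy address and the record length is 22617 with the same error text the question quotes. The same reasoning applies to the HTTP side, where the PROXY line would instead show up as an invalid request method.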