ACL文件夹中用于主机名/域的Haproxy路由

时间:2019-07-08 11:50:54

标签: proxy devops haproxy

我的 Haproxy 配置有问题。在我的架构中,我希望只用一个 Haproxy 来处理大约 1000/2000 个域。下面是目前只在单个域上运行的配置:

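global
        # Log through the local syslog socket (local0 everything, local1 from notice up)
        log /dev/log    local0
        log /dev/log    local1 notice
        # Run chrooted and as the unprivileged haproxy user
        chroot /var/lib/haproxy
        # Runtime API socket; 'level admin' allows changing server state, so the
        # socket stays mode 660 and must not be exposed to other users
        stats socket /run/haproxy/admin.sock mode 660 level admin
        stats timeout 30s
        user haproxy
        group haproxy
        daemon

        # Default SSL material locations
        ca-base /etc/ssl/certs
        crt-base /etc/ssl/private
        # Default cipher list for 'bind ... ssl' lines that do not set their own 'ciphers'.
        # FIX: the 3DES suites (ECDH+3DES, DH+3DES, RSA+3DES) were dropped — 64-bit block
        # ciphers are vulnerable to Sweet32 and modern clients do not need them.
        # Note: the www_frontend bind carries its own 'ciphers' list, which overrides this default.
        ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
        ssl-default-bind-options no-sslv3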

defaults
    # Inherit the global log targets; all proxies below are HTTP proxies
    log     global
    mode    http
    option  httplog

    # Timeouts are in milliseconds when no unit is given
    timeout connect 5000
    timeout client  50000
    timeout server  50000

    # Static error pages returned instead of HAProxy's built-in ones
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http

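frontend www_frontend
    # Plain HTTP on port 80 and TLS on port 443, both on every interface of the container.
    # The 443 bind serves a single certificate (sitetest.domain.io).
    bind *:80
    # NOTE(review): this explicit cipher list still contains the 3DES suites
    # (ECDHE-RSA-DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, DES-CBC3-SHA); consider removing them.
    bind *:443 ssl crt /etc/ssl/sitetest.domain.io/sitetest.domain.io.pem ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4
    # NOTE(review): 'log' takes a syslog address; a path here is treated as a unix socket,
    # not as a log file — confirm this is intended (the global section uses /dev/log).
    log /var/log/proxy local0 debug

    # Request-side ACLs. Pattern files are loaded once at startup.
    acl has_domain        hdr(Host),map(/etc/haproxy/domain.map) -m found
    acl bypass-page       url_reg -i -f /etc/haproxy/path.lst
    acl useragent-enable  hdr(user-agent) -f /etc/haproxy/exact-ua.lst -i -f /etc/haproxy/generic-ua.lst test
    acl useragent-bypass  hdr_reg(user-agent) -i -f /etc/haproxy/useragent.lst
    # NOTE(review): res.hdr() is a response fetch and cannot be used in request-time rules
    # such as use_backend; this ACL is not referenced anywhere in this section.
    acl is_new_bck        res.hdr(Set-Cookie) -m sub value=cookie_1
    acl is_service_v1     hdr_sub(cookie) -i -f /etc/haproxy/cookie.lst
    # hdr_sub is a plain substring match, so the trailing '?' is matched literally
    acl has_cookie        hdr_sub(cookie) wordpress_logged_in_?
    # Inside [...] the commas are literal characters; [a-zA-Z0-9] is presumably what was meant — confirm
    acl has_cookie_1      hdr_reg(cookie) -i wordpress_logged_in_[a-z,0-9,A-Z]*.=.*

    # Route by Host: api.map is consulted with a domain-suffix match and prod_cliente is the
    # map's fallback value. Logged-in, bypass-path and bypass-UA requests skip the map.
    # FIX: the original condition referenced 'has_cookie_2', which is never defined and makes
    # the configuration fail to parse; has_cookie_1 is assumed to be the intended ACL — confirm.
    use_backend %[req.hdr(host),lower,map_dom(/etc/haproxy/api.map,prod_cliente)] if !has_cookie_1 !bypass-page !useragent-bypass
    default_backend prod_cliente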
backend cache1_cluster
    mode http
    # Close the connection after each request and pass the client address in X-Forwarded-For
    option httpclose
    option forwardfor
    # Persistence by prefixing the application's JSESSIONID cookie with the server name
    cookie JSESSIONID prefix
    # Disabled (kept for reference): balance roundrobin / option httpchk / option forwardfor
    # Single server; 'check' without httpchk means a plain TCP connect check
    server cache1 192.167.1.128:80 check


backend prod_cliente
    # Default backend of www_frontend (also the fallback value of api.map)
    mode http
    # NOTE(review): 'option httplog' is a log-format option; whether it has any effect
    # at backend level should be confirmed against the HAProxy version in use
    option httplog
    option httpclose
    option forwardfor
    # Same JSESSIONID prefix persistence as cache1_cluster
    cookie JSESSIONID prefix
    # PROD_IP is a placeholder left by the author; replace with the real origin address
    server sitetest.domain.io PROD_IP:80 check

backend not_found
    # Sink backend with no servers: requests routed here are answered with the 503 page.
    # Not referenced by any rule in this file; presumably targeted from api.map — confirm.
    errorfile 503 /etc/haproxy/errors/503.http

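listen stats
    # Statistics page. FIX: the original bound ':9000' on every interface while the comment
    # said "localhost"; binding 127.0.0.1 enforces that. If the page must be reachable from
    # outside the container, bind the container's address instead and keep authentication on.
    bind 127.0.0.1:9000
    mode http
    stats enable
    # Do not reveal the HAProxy version on the page
    stats hide-version
    stats realm Haproxy\ Statistics
    stats uri /haproxy_stats
    # FIX: the original used the default admin:admin credentials; this is a placeholder
    # that must be replaced with a real password before deployment
    stats auth admin:CHANGE_ME_STATS_PASSWORD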

我想要实现的结果是,对于每个站点,ACL都是按域评估的,例如:

acl has_cookie_1 hdr_reg(cookie) -i -f /etc/haproxy/DOMAINSITE/cookie.lst

然后我有一个脚本,可以将文件动态地写入DOMAINSITE目录。

您认为有可能吗?

1 个答案:

答案 0 :(得分:0)

没人回答吗?我在 ACL 上一直收到语法错误,也尝试了各种后端组合;但问题是否已确认出在 SSL 的多域支持上?