HAProxy: connection error on 443 during the SSL handshake

Time: 2020-05-17 14:13:10

Tags: ssl haproxy

I recently set up an haproxy that routes to several backends. I have one frontend on 443 and one on 4443, with the same configuration and pointing at the same backend. However, I cannot connect to 443.

HAProxy configuration

frontend main_web
    bind *:4443 ssl crt /etc/ssl/web.net.pem
    log-format "%ci:%cp\ [%tr]\ %ft\ %b/%s\ %TR/%Tw/%Tc/%Tr/%Ta\ %ST\ %B\ %CC\ %CS\ %tsc\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq\ %hr\ %hs\ %{+Q}r"
    timeout client 60000
    option logasap
    option httplog
    log global
    mode http
    default_backend app-webserver

frontend main_https
    bind *:443 ssl crt /etc/ssl/web.net.pem
    log-format "%ci:%cp\ [%tr]\ %ft\ %b/%s\ %TR/%Tw/%Tc/%Tr/%Ta\ %ST\ %B\ %CC\ %CS\ %tsc\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq\ %hr\ %hs\ %{+Q}r"
    timeout client 60000
    option logasap
    option httplog
    log global
    mode http
    default_backend app-webserver

haproxy -vv

HA-Proxy version 2.0.13 2020/02/13 - https://haproxy.org/
Build options :
  TARGET  = linux-glibc
  CPU     = generic
  CC      = gcc
  CFLAGS  = -O2 -g -fno-strict-aliasing -Wdeclaration-after-statement -fwrapv -Wno-unused-label -Wno-sign-compare -Wno-unused-parameter -Wno-old-style-declaration -Wno-ignored-qualifiers -Wno-clobbered -Wno-missing-field-initializers -Wtype-limits
  OPTIONS = USE_OPENSSL=1

Feature list : +EPOLL -KQUEUE -MY_EPOLL -MY_SPLICE +NETFILTER -PCRE -PCRE_JIT -PCRE2 -PCRE2_JIT +POLL -PRIVATE_CACHE +THREAD -PTHREAD_PSHARED -REGPARM -STATIC_PCRE -STATIC_PCRE2 +TPROXY +LINUX_TPROXY +LINUX_SPLICE +LIBCRYPT +CRYPT_H -VSYSCALL +GETADDRINFO +OPENSSL -LUA +FUTEX +ACCEPT4 -MY_ACCEPT4 -ZLIB -SLZ +CPU_AFFINITY +TFO +NS +DL +RT -DEVICEATLAS -51DEGREES -WURFL -SYSTEMD -OBSOLETE_LINKER +PRCTL +THREAD_DUMP -EVPORTS

Default settings :
  bufsize = 16384, maxrewrite = 1024, maxpollevents = 200

Built with multi-threading support (MAX_THREADS=64, default=2).
Built with OpenSSL version : OpenSSL 1.0.2k-fips  26 Jan 2017
Running on OpenSSL version : OpenSSL 1.0.2k-fips  26 Jan 2017
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : SSLv3 TLSv1.0 TLSv1.1 TLSv1.2
Built with network namespace support.
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND
Built without compression support (neither USE_ZLIB nor USE_SLZ are set).
Compression algorithms supported : identity("identity")
Built without PCRE or PCRE2 support (using libc's regex instead)
Encrypted password support via crypt(3): yes

Available polling systems :
      epoll : pref=300,  test result OK
       poll : pref=200,  test result OK
     select : pref=150,  test result OK
Total: 3 (3 usable), will use epoll.

Available multiplexer protocols :
(protocols marked as <default> cannot be specified using 'proto' keyword)
              h2 : mode=HTX        side=FE|BE     mux=H2
              h2 : mode=HTTP       side=FE        mux=H2
       <default> : mode=HTX        side=FE|BE     mux=H1
       <default> : mode=TCP|HTTP   side=FE|BE     mux=PASS

Available services : none

Available filters :
    [SPOE] spoe
    [COMP] compression
    [CACHE] cache
    [TRACE] trace

openssl s_client -connect web.net:443 -servername web.net

CONNECTED(00000005)
write:errno=54
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: 
    Start Time: 1589722937
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---

openssl s_client -connect web.net:4443 -servername web.net

CONNECTED(00000005)
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
verify return:1
depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = Encryption Everywhere DV TLS CA - G1
verify return:1
depth=0 CN = web.net
verify return:1
---
Certificate chain
 0 s:/CN=web.net
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=Encryption Everywhere DV TLS CA - G1
 1 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=Encryption Everywhere DV TLS CA - G1
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
 2 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFmjCCBIKgAwIBAgIQD3fKJWSyq1Az+UBaqwMxdjANBgkqhkiG9w0BAQsFADBu
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
d3cuZGlnaWNlcnQuY29tMS0wKwYDVQQDEyRFbmNyeXB0aW9uIEV2ZXJ5d2hlcmUg
RFYgVExTIENBIC0gRzEwHhcNMjAwNTA2MDAwMDAwWhcNMjEwNTA2MTIwMDAwWjAZ
MRcwFQYDVQQDEw5vbmVjaGF0Lm5ldC5jbjCCASIwDQYJKoZIhvcNAQEBBQADggEP
ADCCAQoCggEBAJsCvmMYYkU+g9D4VsD+9x3uP48cThL5g6JyLfEQJuXlSuU9phej
...
-----END CERTIFICATE-----
subject=/CN=web.net
issuer=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=Encryption Everywhere DV TLS CA - G1
---
No client certificate CA names sent
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 4263 bytes and written 345 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 54BDC38DCD0A9279A171928B2D2808D87DAF54E1043D478F19F416DBD6ADBA10
    Session-ID-ctx: 
    Master-Key: BFF1322A89D44278761C283D083D6307C71A557A0FF299B158DBA4C69E7F81E87958CBAF6E5DEAB36D0799FAFD3D784F
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 36 ba 3e 06 ae 02 86 d2-fa 6c df e9 74 5c 63 2a   6.>......l..t\c*
    0010 - 73 49 1d 4e 0f 3c a5 29-46 e5 9b 1c ec 6f b8 f5   sI.N.<.)F....o..
    0020 - f9 96 2e bf 2c 03 d1 b2-d0 23 32 cf 54 f3 4f 6d   ....,....#2.T.Om

    Start Time: 1589723432
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---

I'm really lost. I also tried SSL passthrough by changing the HAProxy configuration, but that did not help either.

Any insight would be great! Thanks.
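As an added diagnostic example (not part of the original question and not HAProxy code), the following Python script does what the two `openssl s_client` runs above do and classifies the outcome per port. The point of the classification is the difference the question shows: on 443 TCP connects but the connection is torn down before the handshake moves any bytes (`write:errno=54`, 0 bytes read and written), which is not the same failure as a TLS alert from the server or a refused connection. The host `web.net`, the ports 443/4443 and the SNI name `web.net` are taken from the question; the local listener that resets the handshake and the unused port are constructed fixtures so the script runs offline.

```python
"""Probe a TLS port the way `openssl s_client` does and classify the result.

Added example, not from the original question.  Outcomes:
  tcp_refused / tcp_error:<name>   nothing listening, or the connect failed
  reset_during_handshake           TCP accepted, then RST before TLS completed
  closed_during_handshake          TCP accepted, then FIN before TLS completed
  tls_error:<reason>               TLS ran and the server rejected us (alert)
  ok:<version>/<cipher>            handshake completed
"""
import socket
import ssl
import struct
import threading


def probe_tls(host, port, servername=None, timeout=5.0):
    """Connect to host:port, start a TLS handshake with SNI=servername, classify."""
    # Verification is switched off on purpose: the question is whether the
    # handshake happens at all, not whether the certificate is valid.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "tcp_refused"
    except OSError as exc:  # timeout, unreachable network, etc.
        return "tcp_error:%s" % type(exc).__name__
    with raw:
        try:
            # wrap_socket on a connected socket performs the handshake now
            tls = ctx.wrap_socket(raw, server_hostname=servername or host)
        except (ConnectionResetError, BrokenPipeError):
            return "reset_during_handshake"
        except ssl.SSLEOFError:
            return "closed_during_handshake"
        except ssl.SSLError as exc:
            if exc.reason == "UNEXPECTED_EOF_WHILE_READING":
                return "closed_during_handshake"
            return "tls_error:%s" % (exc.reason or "unknown")
        except OSError as exc:
            return "tcp_error:%s" % type(exc).__name__
        with tls:
            return "ok:%s/%s" % (tls.version(), tls.cipher()[0])


def compare_ports(host, ports, servername=None):
    """Probe every port with the same SNI; identical frontends should agree."""
    return {port: probe_tls(host, port, servername) for port in ports}


def start_resetting_listener(host="127.0.0.1"):
    """Constructed fixture: accepts TCP, waits for the ClientHello, then aborts
    the connection with a TCP RST (SO_LINGER with zero timeout).  Returns the port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                try:
                    conn.recv(4096)  # let the ClientHello arrive first
                except OSError:
                    pass
                # linger on, timeout 0: close() sends RST instead of FIN
                conn.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER,
                                struct.pack("ii", 1, 0))

    threading.Thread(target=serve, daemon=True).start()
    return port


def unused_port(host="127.0.0.1"):
    """Constructed fixture: a loopback port with no listener."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((host, 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    # Against the question's setup you would run:
    #   compare_ports("web.net", [443, 4443], servername="web.net")
    # Offline demonstration with the constructed fixtures:
    resetting = start_resetting_listener()
    print(compare_ports("127.0.0.1", [resetting, unused_port()]))
```

When two frontends share one configuration and only one of them is reset at the TCP level before any TLS bytes flow, the cause is usually outside the frontend definition itself (another process already bound to that port, a firewall or load balancer in front of the host, or the bind not being the one that actually answers); on the HAProxy host, `ss -ltnp 'sport = :443'` shows which process owns the listening socket, and comparing it with the same query for 4443 is the first check to make.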

0 answers:

No answers