HAProxy SSL (HTTPS) health check without terminating SSL

Time: 2021-01-18 03:37:03

Tags: haproxy

So I can't find the right way to do an SSL check. I'm not using certificates; I just need to check an HTTPS website URL (e.g. google.com/). I have tried many combinations at once, with no success. Maybe someone has a similar configuration.

Backend using -> check-sni google.com sni ssl_fc_sni

    returns - reason: Layer7 wrong status, code: 301, info: "Moved Permanently"

check port 80 check-ssl -

    reason: Layer6 invalid response, info: "SSL handshake failure"

Everything else timed out. Here is the full config file -

global
        log /dev/log    local0
        log /dev/log    local1 notice
        chroot /var/lib/haproxy
        stats socket /run/haproxy/admin.sock mode 660 level admin
        stats timeout 30s
        user haproxy
        group haproxy
        daemon

        # Default SSL material locations
        ca-base /etc/ssl/certs
        crt-base /etc/ssl/private
        # Disables certificate verification for every server-side TLS
        # connection, health checks included
        ssl-server-verify none
        # Default ciphers to use on SSL-enabled listening sockets.
        # For more information, see ciphers(1SSL). This list is from:
        #  https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
        # An alternative list with additional directives can be obtained from
        #  https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
        ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
        ssl-default-bind-options no-sslv3

defaults
        log     global
        mode    http
        option  httplog
        option  dontlognull
        timeout connect 5000
        timeout client  50000
        timeout server  50000
        errorfile 400 /etc/haproxy/errors/400.http
        errorfile 403 /etc/haproxy/errors/403.http
        errorfile 408 /etc/haproxy/errors/408.http
        errorfile 500 /etc/haproxy/errors/500.http
        errorfile 502 /etc/haproxy/errors/502.http
        errorfile 503 /etc/haproxy/errors/503.http
        errorfile 504 /etc/haproxy/errors/504.http

frontend myfront
        bind *:8000
        mode tcp
        tcp-request inspect-delay 5s
        # The posted file said "default_backend backend1", but no backend of
        # that name is defined; the only backend below is "Backends", and
        # HAProxy refuses to start when default_backend names an unknown backend.
        default_backend Backends

listen stats
        bind :444
        stats enable
        stats uri /
        stats hide-version
        stats auth test:test

backend Backends
        balance roundrobin
        option forwardfor

        # Layer 7 check: GET / with Host google.com, expect 200
        option httpchk
        http-check send hdr host google.com meth GET uri /
        http-check expect status 200

        # Earlier attempts, left commented out
        #http-check connect
        #http-check send meth GET uri / ver HTTP/1.1 hdr host haproxy.1wt.eu
        #http-check expect status 200-399
        #http-check connect port 443 ssl sni haproxy.1wt.eu
        #http-check send meth GET uri / ver HTTP/1.1 hdr host haproxy.1wt.eu
        #http-check expect status 200-399
        #http-check connect port 443 ssl sni google.com
        #http-check send meth GET uri / ver HTTP/1.1 hdr host google.com

        default-server fall 10 rise 1

        # Each server line is one of the check variants tried
        server Node1011 192.168.0.2:1011 check inter 15s check-ssl check port 443
        server Node1012 192.168.0.2:1012 check inter 15s check-ssl check port 443
        server Node1015 192.168.0.2:1015 check inter 15s check port 443
        server Node1017 192.168.0.2:1017 check inter 15s check-ssl check-sni google.com sni ssl_fc_sni
        server Node1018 192.168.0.2:1018 check inter 15s check-ssl check-sni google.com sni ssl_fc_sni
        server Node1019 192.168.0.2:1019 check inter 15s check-sni google.com sni ssl_fc_sni
        server Node1020 192.168.0.2:1020 check inter 15s check port 443 check-ssl
        server Node1021 192.168.0.2:1021 check inter 15s check port 443 check-ssl

        server Node1027 192.168.0.2:1027 check inter 15s check port 80
        server Node1028 192.168.0.2:1028 check inter 15s check port 80
        server Node1029 192.168.0.2:1029 check inter 15s check port 80
        server Node1030 192.168.0.2:1030 check inter 15s check port 80 check-ssl
        server Node1031 192.168.0.2:1031 check inter 15s check port 80 check-ssl

        server Node1033 192.168.0.2:1033 check inter 15s check port 80 check-ssl verify none
        server Node1034 192.168.0.2:1034 check inter 15s check port 80 check-ssl verify none
        server Node1035 192.168.0.2:1035 check inter 15s check-ssl
        server Node1036 192.168.0.2:1036 check inter 15s check-ssl

        server Node1048 192.168.0.2:1048 check inter 15s check-ssl verify none
        server Node1049 192.168.0.2:1049 check inter 15s check-ssl verify none

P.S. I found a site that explains what I'm trying to do (https://hodari.be/posts/2020_09_04_configure_sni_for_haproxy_backends/), but that doesn't work either. My haproxy version is 2.2.3.

P.P.S. I really do want to check www.google.com, just to be clear. Thanks!

1 answer:

Answer 0 (score: 0)

This really isn't an error. If you curl https://google.com, it performs a 301 redirect to https://www.google.com/. I've snipped some protocol details below for brevity, but you get the idea.

Either change your expectation to 301, or use www.google.com.

paul:~ $ curl -vv https://google.com
* Rebuilt URL to: https://google.com/
*   Trying 172.217.1.206...
-[snip]-
> GET / HTTP/2
> Host: google.com
> User-Agent: curl/7.58.0
> Accept: */*
> 
-[snip]-
< HTTP/2 301 
< location: https://www.google.com/
< content-type: text/html; charset=UTF-8
< date: Mon, 18 Jan 2021 03:42:04 GMT
< expires: Wed, 17 Feb 2021 03:42:04 GMT
< cache-control: public, max-age=2592000
< server: gws
< content-length: 220
< x-xss-protection: 0
< x-frame-options: SAMEORIGIN
< alt-svc: h3-29=":443"; ma=2592000,h3-T051=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
< 
* TLSv1.3 (IN), TLS Unknown, Unknown (23):
<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>301 Moved</TITLE></HEAD><BODY>
<H1>301 Moved</H1>
The document has moved
<A HREF="https://www.google.com/">here</A>.
</BODY></HTML>

So if you want to avoid the 301, use the www.google.com value in your config, like this:

http-check send hdr host www.google.com meth GET uri /
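The following is an added example, not part of the question or the answer above. It is one complete backend that performs the check the question describes: traffic is forwarded in plain TCP to the backend port, while the health check alone opens its own TLS session to port 443 with the SNI and Host header of the origin, and expects a 200 rather than the 301 that `google.com` returns. It uses `http-check connect`, which exists from HAProxy 2.2 (the version named in the question), so no `check-ssl`/`check-sni` keywords are needed on the server line; `sni ssl_fc_sni` is not used because that fetch only carries a value when the frontend itself terminates TLS, which a plain `mode tcp` bind does not. The server address 192.168.0.2 and the port come from the question; the CA bundle path `/etc/ssl/certs/ca-certificates.crt` and the `fall`/`rise` values are assumptions to adjust for your host.

```haproxy
# Added example for the question above; not the original poster's config.
# Assumes HAProxy >= 2.2. Address/port are the question's; the CA path is an
# assumption (Debian/Ubuntu default bundle).

global
        ca-base /etc/ssl/certs
        # The question's config sets "ssl-server-verify none", which turns off
        # certificate checking for every server-side TLS connection, checks
        # included: a wrong host or an interposed box would still pass the check.
        # "required" is the default and makes a bad certificate fail the check.
        ssl-server-verify required

backend Backends
        mode http
        balance roundrobin
        option httpchk

        # Open the check connection to the server's port 443 over TLS, with
        # the SNI the origin expects. The "server" line below stays plain,
        # so only the health check is encrypted.
        http-check connect port 443 ssl sni www.google.com

        # Send the canonical Host. With "Host: google.com" the origin answers
        # 301 Moved Permanently and the check fails with "Layer7 wrong status".
        http-check send meth GET uri / ver HTTP/1.1 hdr Host www.google.com

        # Only a 200 marks the server UP. To tolerate redirects instead,
        # widen this to: http-check expect status 200-399
        http-check expect status 200

        # Assumed thresholds: three failed checks take a server down,
        # two successes bring it back.
        default-server inter 15s fall 3 rise 2

        # verifyhost pins the name the certificate must match; ca-file is the
        # trust anchor used for the check's TLS session (path is an assumption).
        server Node1011 192.168.0.2:1011 check verify required verifyhost www.google.com ca-file /etc/ssl/certs/ca-certificates.crt
```

Validate the file with `haproxy -c -f /etc/haproxy/haproxy.cfg` before reloading, then watch the check result on the stats page or with `echo "show servers state" | socat stdio /run/haproxy/admin.sock`. The equivalent without an `http-check connect` rule is the server-line form `check check-ssl check-sni www.google.com port 443 verify required verifyhost www.google.com ca-file ...`; pick one, not both. A check against port 80 with `check-ssl` can only produce "SSL handshake failure", because port 80 speaks plaintext HTTP.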