使用HAProxy设置HTTPs转发代理

2018-07-04 15:11:22

在HAProxy中，我使用了选项http-proxy来使它像转发代理一样工作。这似乎工作正常，但对于HTTPS流量是不可能的。

那么，HAProxy配置中是否有任何选项可以像Squid那样代理HTTPS流量呢？

我认为问题在于option https_proxy不可用。

该配置对HTTP协议完美适用：

frontend http_proxy
   bind :3128
   option http_proxy
   default_backend proxy_server

backend proxy_server
   option http_proxy

注 - 我使用带有“ssl crt”的证书以及绑定选项，但似乎没有通过HTTPS协议进行代理

这是我的Haproxy文件配置，适用于HTTP和HTTPS协议。

代码如下：

#-----------------------------------------------------------------------------
# global
#-----------------------------------------------------------------------------

global
    log /dev/log    local0
    log /dev/log    local1 notice
    chroot /var/lib/haproxy
    stats socket /run/haproxy/admin.sock mode 660 level admin
    stats timeout 30s
    user haproxy
    group haproxy
    daemon

    # Default SSL material locations
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private

    # Default ciphers to use on SSL-enabled listening sockets.
    # For more information, see ciphers(1SSL). This list is from:
    #  https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
    # An alternative list with additional directives can be obtained from
    #  https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
    ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
    ssl-default-bind-options no-sslv3

    # Tuning if required/needed
    # tune.ssl.default-dh-param 2048

#-----------------------------------------------------------------------------
# defaults
#-----------------------------------------------------------------------------

defaults
    log global
    mode    http
    option  httplog
    option  dontlognull
    timeout connect 5000
    timeout client  50000
    timeout server  50000
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http

#-----------------------------------------------------------------------------
# http frontend
#-----------------------------------------------------------------------------

frontend http-in
    bind *:80
    # Domain redirect, force the 'www' prefix
    redirect prefix https://www.domain1.net code 301 if { hdr_beg(host) -i domain1.net }
    redirect prefix https://www.domain2.net code 301 if { hdr_beg(host) -i domain2.net }
    # Define hosts
    acl is-domain1-site hdr(host) -i www.domain1.net
    acl is-domain1-blog hdr(host) -i blog.domain1.net
    acl is-domain1-wiki hdr(host) -i wiki.domain1.net
    acl is-domain2-site hdr(host) -i www.domain2.net
    acl is-domain2-blog hdr(host) -i blog.domain2.net
    acl is-domain2-wiki hdr(host) -i wiki.domain2.net
    # Force https for domain1
    redirect scheme https if is-domain1-site !{ ssl_fc }
    redirect scheme https if is-domain1-blog !{ ssl_fc }
    redirect scheme https if is-domain1-wiki !{ ssl_fc }
    # Force https for domain2
    redirect scheme https if is-domain2-site !{ ssl_fc }
    redirect scheme https if is-domain2-blog !{ ssl_fc }
    redirect scheme https if is-domain2-wiki !{ ssl_fc }
    # Default backend (parking)
    default_backend bk-ct100

#-----------------------------------------------------------------------------
# https frontend
#-----------------------------------------------------------------------------

frontend https-in
    bind *:443 ssl crt /etc/ssl/private/
    # Domain redirect force www
    redirect prefix https://www.domain1.net code 301 if { hdr_beg(host) -i domain1.net }
    redirect prefix https://www.domain2.net code 301 if { hdr_beg(host) -i domain2.net }
    # Define hosts for domain1
    acl is-domain1-site hdr(host) -i www.domain1.net
    acl is-domain1-blog hdr(host) -i blog.domain1.net
    acl is-domain1-wiki hdr(host) -i wiki.domain1.net
    # Define hosts for domain2
    acl is-domain2-site hdr(host) -i www.domain2.net
    acl is-domain2-blog hdr(host) -i blog.domain2.net
    acl is-domain2-wiki hdr(host) -i wiki.domain2.net
    # Figure out which backend to use for domain1
    use_backend bk-ct101 if is-domain1-site
    use_backend bk-ct101 if is-domain1-blog
    use_backend bk-ct101 if is-domain1-wiki
    # Figure out which backend to use for domain2
    use_backend bk-ct102 if is-domain2-site
    use_backend bk-ct102 if is-domain2-blog
    use_backend bk-ct102 if is-domain2-wiki
    # Default backend (parking)
    default_backend bk-ct100

#-----------------------------------------------------------------------------
# ct100 backend - parking
#-----------------------------------------------------------------------------

backend bk-ct100
    mode   http
    option forwardfor
    server ct100 192.168.100.100:80 check

#-----------------------------------------------------------------------------
# ct101 backend - domain1
#-----------------------------------------------------------------------------

backend bk-ct101
    mode   http
    option forwardfor
    server ct101 192.168.100.101:80 check

#-----------------------------------------------------------------------------
# ct102 backend - domain2
#-----------------------------------------------------------------------------

backend bk-ct102
    mode   http
    option forwardfor
    server ct102 192.168.100.102:80 check

#-----------------------------------------------------------------------------
# End-Of-File
#-----------------------------------------------------------------------------

在这种配置中，我选择将所有流量从HTTP重定向到HTTPS。我所有的证书都存储在/ etc / ssl / private目录中。我使用CertBot生成它们。

你可以根据你的需要修改这个文件，但它应该工作:)

链接地址: http://www.djcxy.com/p/96429.html

上一篇: Setup HTTPs Forward Proxy with HAProxy

下一篇: Docker as a Proxy server for a web service