HAProxy unable to redirect to HTTPS when terminating
I want to set up HAProxy for two servers - one with passthrough, the other with termination. I was able to do this without any HAProxy experience, but I can't get the HTTPS redirect to work for the terminated one - I get a 502. Here is the config:
#Upgrades the passthrough and check for Let's Encrypt
frontend http_front
bind :80
option forwardfor
acl host_s1 hdr(host) -i s1.example.com
acl path_le path_beg -i /.well-known/acme-challenge/
redirect scheme https code 301 if host_s1 !path_le
use_backend acmetool if path_le
default_backend http-back
#Handles the passthrough and loopsback to itself for other domains
frontend passthrough
mode tcp
bind :443
tcp-request inspect-delay 5s
tcp-request content accept if { req_ssl_hello_type 1 }
use_backend service1 if { req_ssl_sni -i s1.example.com }
default_backend https-back
#Loopback to handle the termination domains
frontend https-front
bind 127.0.0.1:8443 ssl crt s2.example.com.pem
option forwardfor
reqdel X-Forwarded-Proto
reqadd X-Forwarded-Proto:\ https if { ssl_fc }
use_backend service2 if { req_ssl_sni -i s2.example.com }
default_backend service2
#returns for second pass from HTTP
backend http-back
server https-front 127.0.0.1:8443
#returns for second pass from HTTPS
backend https-back
mode tcp
server https-front 127.0.0.1:8443
backend service1
mode tcp
server service1 127.0.0.1:8888
backend service2
#redirect scheme https code 301 if !{ ssl_fc }
server server2 server2:80
backend acmetool
server acmetool 127.0.0.1:81
Not sure whether those reqdel/reqadd lines are needed in https-front. Or whether I have to do the tcp-request again on the second pass through HTTPS.
Uncommenting the redirect in the backend doesn't help either.
I could use some help from the HAProxy community to solve this.
Here is the final setup, with names updated to better reflect the logic behind each setting:
#Upgrades to HTTPS unless it's Let's Encrypt
frontend http
bind :80
option forwardfor
redirect scheme https code 301 if !{ path_beg -i /.well-known/acme-challenge/ }
default_backend acmetool
#Handles the passthrough and loopsback for termination
frontend passthrough
mode tcp
bind :443
tcp-request inspect-delay 5s
tcp-request content accept if { req_ssl_hello_type 1 }
use_backend service1 if { req_ssl_sni -i s1.example.com }
default_backend loopback
#Handles the termination domains on second pass
frontend termination
bind 127.0.0.1:8443 ssl crt s2.example.com.pem
option forwardfor
reqdel X-Forwarded-Proto
reqadd X-Forwarded-Proto:\ https if { ssl_fc }
use_backend service2 if { ssl_fc_sni -i s2.example.com }
default_backend service2
#Loopback for second pass
backend loopback
mode tcp
server https-front 127.0.0.1:8443
backend service1
mode tcp
server service1 127.0.0.1:8888
backend service2
server server2 server2:80
backend acmetool
server acmetool 127.0.0.1:81
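As an added example (not code from the question or the answer above), the following Python lint reads a HAProxy config and flags the three things that matter in this loopback-termination layout: an http-mode backend that sends cleartext to an address a frontend binds with `ssl` (the original `http-back` did exactly that, which is what produces a 502), `req_ssl_sni` used in an http-mode frontend (after termination the raw ClientHello is gone, so only `ssl_fc_sni` can match), and an X-Forwarded-Proto header that is appended without first discarding a client-supplied copy. The sample inputs are abridged copies of the configs on this page; the lint assumes that sections without an explicit `mode` inherit `mode http` from a defaults section, which the question's config must have for its `hdr(host)` and `redirect` rules to work.

```python
"""Static checks for the HAProxy loopback-termination pattern in the question.

Added example, not the page author's config. Assumption: sections without a
`mode` line inherit `mode http` from a defaults section not shown on the page.
"""
import re

SECTION_RE = re.compile(r"^(global|defaults|frontend|backend|listen)\b\s*(\S*)")


def parse_sections(config_text):
    """Split a config into (kind, name, [directive lines]); comments stripped."""
    sections = []
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            sections.append((m.group(1), m.group(2), []))
        elif sections:
            sections[-1][2].append(line)
    return sections


def section_mode(lines, default="http"):
    """Explicit `mode` of a section, else the assumed inherited default."""
    for line in lines:
        parts = line.split()
        if parts[0] == "mode":
            return parts[1]
    return default


def lint(config_text, default_mode="http"):
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings = []
    sections = parse_sections(config_text)

    # Addresses on which some frontend/listen terminates TLS.
    tls_listeners = set()
    for kind, _name, lines in sections:
        if kind in ("frontend", "listen"):
            for line in lines:
                parts = line.split()
                if parts[0] == "bind" and "ssl" in parts[2:]:
                    tls_listeners.add(parts[1])

    for kind, name, lines in sections:
        if kind not in ("frontend", "backend", "listen"):
            continue
        mode = section_mode(lines, default_mode)

        # 1. Cleartext HTTP into a TLS listener: the cause of the original 502.
        if kind in ("backend", "listen") and mode == "http":
            for line in lines:
                parts = line.split()
                if parts[0] == "server" and parts[2] in tls_listeners and "ssl" not in parts[3:]:
                    findings.append(f"{kind} {name}: plain HTTP to TLS listener {parts[2]}")

        if kind in ("frontend", "listen") and mode == "http":
            cleared = False
            for line in lines:
                # 2. A TCP-layer SNI fetch never matches once TLS is terminated.
                if "req_ssl_sni" in line:
                    findings.append(f"{kind} {name}: req_ssl_sni in http mode, use ssl_fc_sni")
                # 3. The proto header must be cleared or overwritten before it is trusted.
                low = line.lower()
                if "x-forwarded-proto" not in low:
                    continue
                if low.startswith(("reqdel", "http-request del-header", "http-request set-header")):
                    cleared = True
                elif low.startswith(("reqadd", "http-request add-header")) and not cleared:
                    findings.append(f"{kind} {name}: X-Forwarded-Proto appended without deleting client copy")
    return findings


# Abridged copy of the question's original config (only the sections that matter).
ORIGINAL_CONFIG = """
frontend http_front
    bind :80
    default_backend http-back
frontend https-front
    bind 127.0.0.1:8443 ssl crt s2.example.com.pem
    reqdel X-Forwarded-Proto
    reqadd X-Forwarded-Proto:\\ https if { ssl_fc }
    use_backend service2 if { req_ssl_sni -i s2.example.com }
backend http-back
    server https-front 127.0.0.1:8443   # cleartext into the TLS loopback
backend https-back
    mode tcp
    server https-front 127.0.0.1:8443
"""

# Abridged copy of the final setup's termination frontend and loopback backend.
FIXED_CONFIG = """
frontend termination
    bind 127.0.0.1:8443 ssl crt s2.example.com.pem
    reqdel X-Forwarded-Proto
    reqadd X-Forwarded-Proto:\\ https if { ssl_fc }
    use_backend service2 if { ssl_fc_sni -i s2.example.com }
backend loopback
    mode tcp
    server https-front 127.0.0.1:8443
"""

if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, lint(cfg) or ["clean"])
```

The lint is a reading aid, not a substitute for `haproxy -c -f <file>`, which remains the authoritative syntax check. Note that `reqdel`/`reqadd` were removed in HAProxy 2.1; on current versions the equivalent of the two header lines is a single `http-request set-header X-Forwarded-Proto https if { ssl_fc }`, which overwrites any value the client sent, and the lint accepts that form as well.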