HAProxy https实现

Posted y_zilong



HAProxy can terminate HTTPS with its own certificate: the connection from the user to HAProxy is HTTPS, while HAProxy talks to the backend servers over plain HTTP. For performance reasons, though, in production the certificate is usually deployed on the backend servers themselves, for example on nginx.

Making the certificate

#Method 1 for generating the certificate:
[root@cen7_17 ~]# mkdir /etc/haproxy/certs
[root@cen7_17 ~]# cd /etc/haproxy/certs/
[root@cen7_17 certs]# openssl req -x509 -newkey rsa:2048 -subj "/CN=www.yzl.org" -keyout haproxy.key -nodes -days 365 -out haproxy.crt
Generating a 2048 bit RSA private key
..+++
........................+++
writing new private key to 'haproxy.key'
-----
[root@cen7_17 certs]# ls
haproxy.crt  haproxy.key
[root@cen7_17 certs]# cat haproxy.key haproxy.crt > haproxy.pem
[root@cen7_17 certs]# openssl x509 -in haproxy.pem -noout -text     #view the certificate
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            f0:ab:1e:b6:d3:bb:30:02
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=www.yzl.org
        Validity
            Not Before: Jun 24 02:01:53 2021 GMT
            Not After : Jun 24 02:01:53 2022 GMT
        Subject: CN=www.yzl.org
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:c9:8d:de:bc:1c:6a:05:33:8f:30:2c:ff:b2:37:
                    a5:63:15:22:e9:38:57:5c:14:78:af:7b:b0:a8:8c:
                    02:f4:89:a0:9c:e7:a2:77:df:3f:a4:92:10:75:24:
                    69:9c:cb:b9:c1:27:fd:ee:a5:03:e2:df:02:e2:ea:
                    29:87:00:d3:cc:a7:ee:54:27:ed:48:d9:5a:4e:93:
                    11:8e:d7:bf:8d:db:c2:3e:11:29:eb:a5:ca:c3:4a:
                    ec:8b:a3:f6:4d:a5:3f:de:61:40:8c:0c:dc:13:75:
                    cb:88:2f:5d:ab:e4:0a:9e:6d:72:cc:0c:ac:54:2b:
                    a0:bd:83:9c:63:e3:7b:49:b3:2a:eb:f7:bb:7d:b2:
                    0e:ae:f1:81:02:47:c2:b2:ca:83:72:08:7f:aa:52:
                    f6:78:82:2f:bf:55:33:27:00:b7:3e:56:cf:1f:c3:
                    b4:08:60:e1:cb:d2:bd:a0:9a:cc:47:ce:d9:2a:9d:
                    7c:8e:6e:bb:6a:4c:ae:87:71:67:54:0d:e5:cc:9e:
                    53:4b:66:c1:6b:f1:45:c3:16:95:e8:f6:e1:3d:39:
                    07:d8:1a:93:86:2f:e9:48:bb:53:5b:8d:81:a5:58:
                    9a:e4:10:9b:6e:0c:1e:c5:1c:69:02:7a:f1:99:c2:
                    df:6a:b7:f5:49:8a:b2:5c:a9:e6:9b:cc:d7:31:df:
                    5b:2f
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                51:8D:A3:0B:1F:58:89:DE:D5:6F:94:8A:F5:9B:05:0A:43:94:26:C5
            X509v3 Authority Key Identifier: 
                keyid:51:8D:A3:0B:1F:58:89:DE:D5:6F:94:8A:F5:9B:05:0A:43:94:26:C5

            X509v3 Basic Constraints: 
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption
         9f:b4:ac:5c:bc:60:43:4a:34:df:e4:b3:2d:8d:b1:7c:6f:6b:
         cf:a5:16:2b:b1:05:77:1e:9b:42:3d:51:cd:8e:30:14:a6:79:
         b2:31:59:f4:05:6a:60:42:38:91:fe:5d:7f:3b:7a:c7:10:51:
         7f:84:de:d4:33:2c:fc:85:92:1a:3d:e0:a9:e7:7d:58:77:12:
         42:30:c5:cb:e6:85:6a:04:c5:0d:61:c1:f8:c4:4c:ba:1f:5a:
         d5:a9:cc:35:fd:8f:dc:3d:62:4a:a9:79:99:89:d6:8f:d1:1d:
         d8:6f:43:1a:e3:f3:c2:8c:ea:c3:6c:be:63:52:f0:64:2d:a8:
         a7:94:06:51:fc:e4:5d:67:ec:01:d4:72:e7:99:1e:bc:c0:08:
         7b:39:33:74:6d:85:78:76:ef:a4:c3:a7:6d:96:fc:32:5d:04:
         58:7e:28:8b:df:19:6e:f9:da:d0:e6:20:e9:1d:85:43:a0:ff:
         ba:6e:85:39:12:d8:21:9b:9d:72:fb:37:53:7a:9b:f4:a9:3e:
         f1:c5:33:6e:5d:11:34:c6:55:a8:82:e2:74:59:0b:bc:33:3b:
         86:bd:46:40:5e:80:21:e0:9f:eb:7d:4e:d9:89:77:05:74:0e:
         29:59:19:6b:6e:47:8f:f5:1b:5c:e9:71:aa:cd:39:4f:f4:b6:
         75:64:5a:d5
[root@cen7_17 certs]# 
#Method 2 for generating the certificate:
[root@cen7_17 ~]# mkdir /etc/haproxy/certs
[root@cen7_17 ~]# cd /etc/pki/tls/certs/
[root@cen7_17 certs]# vim Makefile 

%.key:
        umask 77 ; \
        /usr/bin/openssl genrsa $(KEYLEN) > $@     #remove -aes128 so the key has no passphrase

[root@cen7_17 certs]# make /etc/haproxy/certs/haproxy.crt
umask 77 ; \
        /usr/bin/openssl genrsa 2048 > /etc/haproxy/certs/haproxy.key
Generating RSA private key, 2048 bit long modulus
..+++
..........+++
e is 65537 (0x10001)
umask 77 ; \
/usr/bin/openssl req -utf8 -new -key /etc/haproxy/certs/haproxy.key -x509 -days 365 -out /etc/haproxy/cert
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:yy
Organizational Unit Name (eg, section) []:it
Common Name (eg, your name or your server's hostname) []:www.yy.com
Email Address []:
[root@cen7_17 certs]# 

[root@cen7_17 certs]# cd /etc/haproxy/certs/
[root@cen7_17 certs]# ls
haproxy.crt  haproxy.key
[root@cen7_17 certs]# cat haproxy.key haproxy.crt > haproxy.pem
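Both methods end with `cat haproxy.key haproxy.crt > haproxy.pem`, and HAProxy's `crt` directive expects exactly that layout: the unencrypted private key and the certificate (plus any chain) in one PEM file. The following script is an added example, not part of the original post: it checks that a bundle has one private key block and a certificate block, that the key is not passphrase-protected (HAProxy cannot prompt for one at startup, which is why method 2 drops `-aes128`), and that the file is not group/world-readable (`cat ... >` creates the bundle with the current umask, not the 0600 mode openssl gave the key file). The bundle path and the sample PEM texts are assumptions; the PEM bodies are placeholders, not real key material.

```python
"""Sanity checks for a HAProxy certificate bundle (haproxy.pem built with cat).

Added example, not part of the original post. It assumes the bundle layout
HAProxy's `crt` directive expects (private key + certificate, optionally a
chain, concatenated as PEM) and constructed sample bundles; the PEM bodies
below are placeholders, not real key material.
"""
import os
import re
import stat
import sys

# One PEM block: the label in the BEGIN line must match the END line.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\n(.*?)-----END \1-----", re.DOTALL)

# Constructed sample bundles (placeholder bodies).
SAMPLE_OK = (
    "-----BEGIN PRIVATE KEY-----\nMIIE...placeholder...\n-----END PRIVATE KEY-----\n"
    "-----BEGIN CERTIFICATE-----\nMIID...placeholder...\n-----END CERTIFICATE-----\n"
)
SAMPLE_CERT_ONLY = "-----BEGIN CERTIFICATE-----\nMIID...placeholder...\n-----END CERTIFICATE-----\n"


def pem_block_types(text):
    """Return the PEM block labels in the order they appear."""
    return [m.group(1) for m in PEM_BLOCK.finditer(text)]


def check_bundle_text(text):
    """Return a list of problems with the bundle contents (empty list means OK)."""
    problems = []
    types = pem_block_types(text)
    keys = [t for t in types if t.endswith("PRIVATE KEY")]
    if len(keys) != 1:
        problems.append("expected exactly one private key block, found %d" % len(keys))
    if "CERTIFICATE" not in types:
        problems.append("no CERTIFICATE block found")
    # HAProxy cannot prompt for a passphrase at startup, so the key must be unencrypted
    # (method 2 above drops -aes128 from the Makefile for exactly this reason).
    if "ENCRYPTED PRIVATE KEY" in types or "Proc-Type: 4,ENCRYPTED" in text:
        problems.append("private key is passphrase-protected")
    return problems


def check_bundle_file(path):
    """Check contents plus file mode: the bundle holds the private key, so only
    the owner should be able to read it. `cat a b > c` creates c with the
    current umask (usually 0644), not the 0600 openssl gave the key file."""
    with open(path) as fh:
        problems = check_bundle_text(fh.read())
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("mode %s allows group/other access; chmod 600 the bundle" % oct(mode))
    return problems


if __name__ == "__main__":
    # Assumed default path, matching the directory created in the post.
    target = sys.argv[1] if len(sys.argv) > 1 else "/etc/haproxy/certs/haproxy.pem"
    found = check_bundle_file(target)
    print("OK" if not found else "\n".join(found))
```

Run it as `python3 check_bundle.py /etc/haproxy/certs/haproxy.pem` after building the bundle; an empty result means the file is in the shape HAProxy will load.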

HTTP configuration

[root@cen7_17 ~]# cat /etc/haproxy/conf.d/tt.cfg 
frontend web_80
    bind 10.0.0.17:80
    bind 10.0.0.17:443 ssl crt /etc/haproxy/certs/haproxy.pem
    redirect scheme https if !{ ssl_fc }    #note the spaces inside { }
    use_backend web_web1

backend web_web1
    balance roundrobin
    server 10.0.0.40 10.0.0.40:80 check
    server 10.0.0.50 10.0.0.50:80 check

backend web_web2
    server 10.0.0.50 10.0.0.50:80 check

[root@cen7_17 ~]# 

Testing

[root@cen7_17 ~]# curl -k https://10.0.0.17
10.0.0.40
web1
[root@cen7_17 ~]# curl -k https://10.0.0.17
10.0.0.50
web2
[root@cen7_17 ~]# 

[root@cen7_17 ~]# curl  http://10.0.0.17 -I
HTTP/1.1 302 Found
content-length: 0
location: https://10.0.0.17/
cache-control: no-cache

[root@cen7_17 ~]#

Modifying the log format of the httpd backend servers

#log format configuration on the backend server
[root@cent8_yzl_40 ~]# vim /etc/httpd/conf/httpd.conf

LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" \"%{X-Forwarded-For}i\" " combined

[root@cent8_yzl_40 ~]# tail /var/log/httpd/access_log -f
10.0.0.17 - - [24/Jun/2021:17:48:35 +0800] "GET / HTTP/1.1" 200 10 "-" "curl/7.29.0" "10.0.0.27"
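With this format the `%h` field is always the HAProxy address (10.0.0.17) and the real client only appears in the trailing X-Forwarded-For column. The script below is an added example, not part of the original post: it parses lines in this format and picks the client address, trusting the header only when the TCP peer is the HAProxy node, since anything that reaches httpd directly can carry an arbitrary header. It assumes 10.0.0.17 is the only trusted proxy and that HAProxy is configured with `option forwardfor` (the directive that sets the header; it is not shown in the post's config); the log lines other than the first are constructed samples.

```python
"""Extract the real client address from backend httpd logs written with the
LogFormat above (combined + "%{X-Forwarded-For}i").

Added example, not part of the original post. Assumes HAProxy at 10.0.0.17
is the only trusted proxy and that it is configured with `option forwardfor`
(otherwise the header is never set); the log lines are constructed samples.
"""
import ipaddress
import re
from collections import Counter

LOG_RE = re.compile(
    r'^(?P<peer>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)" "(?P<xff>[^"]*)"\s*$'
)

# Addresses whose X-Forwarded-For header we trust (the HAProxy node from the post).
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.17")}

# Constructed sample lines: the first is the one shown in the post.
SAMPLE_LINES = [
    '10.0.0.17 - - [24/Jun/2021:17:48:35 +0800] "GET / HTTP/1.1" 200 10 "-" "curl/7.29.0" "10.0.0.27"',
    # A request that reached httpd directly, bypassing HAProxy, carrying its own header.
    '10.0.0.99 - - [24/Jun/2021:17:50:01 +0800] "GET / HTTP/1.1" 200 10 "-" "curl/7.29.0" "203.0.113.5"',
    # A request that passed another proxy first; HAProxy appended the peer it saw.
    '10.0.0.17 - - [24/Jun/2021:17:51:12 +0800] "GET /a HTTP/1.1" 404 196 "-" "Mozilla/5.0" "198.51.100.7, 203.0.113.9"',
]


def parse_line(line):
    """Split one access_log line into its fields; None if it does not match the format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def client_ip(entry, trusted=TRUSTED_PROXIES):
    """Return the client address as a string.

    The header is only meaningful when the TCP peer is one of our proxies;
    a direct connection can write whatever it likes into it. When the peer is
    trusted, walk X-Forwarded-For from the right and return the first hop that
    is not one of our own proxies (the address HAProxy itself saw).
    """
    peer = ipaddress.ip_address(entry["peer"])
    if peer not in trusted:
        return str(peer)
    hops = [h.strip() for h in entry["xff"].split(",") if h.strip() and h.strip() != "-"]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return None  # malformed header: do not guess
        if addr not in trusted:
            return str(addr)
    return str(peer)  # header empty or only our proxies: fall back to the peer


def client_counts(lines, trusted=TRUSTED_PROXIES):
    """Requests per real client, skipping lines that do not parse."""
    counts = Counter()
    for line in lines:
        entry = parse_line(line)
        if entry:
            counts[client_ip(entry, trusted)] += 1
    return counts


if __name__ == "__main__":
    for ip, n in client_counts(SAMPLE_LINES).most_common():
        print(ip, n)
```

For a live log, feed `open("/var/log/httpd/access_log")` to `client_counts` instead of `SAMPLE_LINES`. Adding the backend's own HAProxy peers to `TRUSTED_PROXIES` is the only change needed for a setup with more than one proxy.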
