
Haproxy-1.5.x SSL Configuration


I had been proxying with haproxy-1.4, which does not support SSL configuration; haproxy-1.5 does, so I upgraded to test it. The certificate files are the original Apache SSL certificate files, which can be used on haproxy after some simple processing.

I originally wanted to use haproxy-1.4 pass-through, but that requires SSL to be configured on every backend server, so instead I configured it on Haproxy-1.5, which terminates SSL with the CA-issued certificate.

1. Installation

# yum install pcre-devel openssl-devel -y
# tar zxvf haproxy-1.5.3.tar.gz
# cd haproxy-1.5.3
# make TARGET=linux26 USE_STATIC_PCRE=1 USE_REGPARM=1 USE_LINUX_TPROXY=1 USE_OPENSSL=1 USE_ZLIB=1 ARCH=x86_64
# make install PREFIX=/usr/local/haproxy
# cd /usr/local/haproxy
# mkdir conf

2. Prepare the pem certificate file

An Apache SSL CA-issued certificate had been set up earlier, consisting of a cer file and a key file; the pem file is simply those two files concatenated.

# cat my-server.cer my-server.key | tee my-server.pem 

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----

3. Create the configuration file

# vi /usr/local/haproxy/conf/haproxy.cfg

global
    log 127.0.0.1 local0
    maxconn 65535
    chroot /usr/local/haproxy
    uid 99
    gid 99
    stats socket /usr/local/haproxy/HaproxSocket level admin
    daemon
    nbproc 1
    pidfile /usr/local/haproxy/haproxy.pid
    #debug
    # required for the 2048-bit certificate, see section 4
    tune.ssl.default-dh-param 2048

defaults
    log 127.0.0.1 local3
    mode http
    option httplog
    option httplog clf
    option httpclose
    option dontlognull
    option forwardfor
    option redispatch
    retries 2
    maxconn 2000
    balance source
    #balance roundrobin
    stats uri /haproxy-stats
    stats refresh 10s
    timeout client 60s
    timeout connect 9s
    timeout server 30s
    timeout check 5s

# plain HTTP front end
listen TEST_APP_Cluster
    bind *:80
    mode http
    option httpchk GET /test.html HTTP/1.0\r\nHost:192.168.10.180
    server node01 192.168.0.100:100 weight 3 check inter 2000 rise 2 fall 1
    server node02 192.168.0.101:100 weight 3 backup check inter 2000 rise 2 fall 1

# HTTPS front end: SSL is terminated here with the pem bundle from step 2,
# and the backends are reached over plain HTTP
listen TEST_APP_SSL
    bind *:443 ssl crt /usr/local/haproxy/conf/my-server.pem
    # tell the backend that the original request arrived over https
    reqadd X-Forwarded-Proto:\ https
    mode http
    option httpchk GET /test.html HTTP/1.0\r\nHost:192.168.10.180
    server node01 192.168.0.100:100 weight 3 check inter 2000 rise 2 fall 1
    server node02 192.168.0.101:100 weight 3 backup check inter 2000 rise 2 fall 1

# statistics page protected by basic auth
listen stats_auth 0.0.0.0:91
    stats enable
    stats uri /admin
    stats realm "HA_CONSOLE"
    stats auth admin:123456
    stats hide-version
    stats refresh 10s
    stats admin if TRUE

[Screenshot: listening ports after startup]

4. Configuration notes

Because the certificate uses a 2048-bit key, the default configuration reports an error; adding the tune.ssl.default-dh-param 2048 parameter resolved the problem. A pem-format certificate can also be used to provide SSL through the haproxy-1.4 + stunnel approach.
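The two points above, building the pem bundle from the Apache cer/key pair and checking the key size that drives tune.ssl.default-dh-param, as an added example that is not part of the original article: it writes the bundle only if the private key really belongs to the certificate, keeps the file readable by its owner only (it contains the private key), and reports the key size. Assumed: openssl is on PATH; the file names are passed as arguments rather than taken from the article's environment.

```shell
#!/bin/sh
# Build the HAProxy pem bundle (certificate first, then private key) from an
# Apache-style .cer and .key, the same layout the article's `cat` produces.
# Assumed usage (not from the article): ./build_pem.sh my-server.cer my-server.key my-server.pem
set -eu

# Writes cert followed by key to $3; returns 1 and writes nothing on a mismatch.
build_pem() {
  cer="$1"; key="$2"; out="$3"
  cert_pub=$(openssl x509 -in "$cer" -noout -pubkey)   # public key inside the cert
  key_pub=$(openssl pkey -in "$key" -pubout)           # public key derived from the private key
  if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
    echo "error: $key does not match $cer, bundle not written" >&2
    return 1
  fi
  # HAProxy reads the leaf certificate first, then the private key, from one file;
  # the subshell umask keeps the bundle at mode 0600 since it holds the key.
  ( umask 077 && cat "$cer" "$key" > "$out" )
}

# Prints the private key size in bits. HAProxy 1.5 sizes its ephemeral DH
# parameters to the certificate key but caps them at tune.ssl.default-dh-param
# (1024 unless set), which is why a 2048-bit certificate needs the 2048 setting.
key_bits() {
  openssl pkey -in "$1" -noout -text \
    | sed -n 's/.*Private-Key: (\([0-9][0-9]*\) bit.*/\1/p' | head -n 1
}

if [ "$#" -eq 3 ]; then
  build_pem "$1" "$2" "$3"
  echo "wrote $3 (private key: $(key_bits "$2") bits)"
fi
```

Before restarting, `haproxy -c -f /usr/local/haproxy/conf/haproxy.cfg` validates the configuration, including that the crt file loads.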


Copyright notice: original article on this site, published by 星锅 on 2022-01-20, 4521 characters in total.
Reproduction: unless otherwise stated, articles on this site are released under the CC-4.0 license; please credit the source when reposting.