Goal:
Make haproxy do what sniproxy does. sniproxy can be configured in a few lines to forward to any https host; haproxy needs an explicit entry for every server that will be reached, but that is enough for our needs. For us the essential piece right now is haproxy's `resolvers` directive: the upstreams are given by hostname and resolved at runtime through the nameserver listed in the `resolvers` section.
Configuration 1:

```haproxy
defaults
    timeout client  30s
    timeout server  30s
    timeout connect 5s

resolvers dns
    nameserver svr1 172.16.162.194:53

listen ssl_proxy
    bind 127.0.0.1:443
    mode tcp
    # wait (up to 5s) for the ClientHello before the ACLs below are evaluated
    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }
    acl acl_baidu   req_ssl_sni -i www.baidu.com
    acl acl_beebank req_ssl_sni -i www.beebank.com
    use-server svr_baidu   if acl_baidu
    use-server svr_beebank if acl_beebank
    # upstreams by name, resolved through the "dns" resolvers section
    server svr_baidu   www.baidu.com:443   check resolvers dns
    server svr_beebank www.beebank.com:443 check resolvers dns
```
When this was first written, the two `tcp-request` lines (or either one of them) were missing, which caused occasional request failures: the `if` conditions were not taking effect, so requests were always round-robined. Without `inspect-delay`, `req_ssl_sni` is evaluated on whatever is in the request buffer at accept time, which is usually nothing yet, so neither ACL matches and haproxy falls back to balancing across both servers, sending some connections to the wrong upstream.
Configuration 2:

```haproxy
defaults
    timeout client  30s
    timeout server  30s
    timeout connect 5s

resolvers dns
    nameserver svr1 172.16.162.194:53

listen ssl_proxy
    bind 127.0.0.1:443
    mode tcp
    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }
    acl acl_baidu   req_ssl_sni -i www.baidu.com
    acl acl_beebank req_ssl_sni -i www.beebank.com
    # one backend per upstream instead of use-server inside the listen section
    use_backend baidu   if acl_baidu
    use_backend beebank if acl_beebank

backend baidu
    server svr_baidu   www.baidu.com:443   check resolvers dns

backend beebank
    server svr_beebank www.beebank.com:443 check resolvers dns
```
Here too the two `tcp-request` lines (or either one) were missing at first, so no suitable backend could be found and the client got an SSL connect error. The difference from configuration 1 is that there is no `default_backend` and the `listen` section has no servers of its own: when the ClientHello has not been buffered yet, no `use_backend` rule matches and haproxy simply closes the connection instead of round-robining.
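To see what those `tcp-request` lines are protecting, here is an added example (not from the original page or from HAProxy) that does by hand what `req_ssl_hello_type 1` and `req_ssl_sni` do in `mode tcp`: it generates a real TLS ClientHello locally with Python's `ssl.MemoryBIO` API (so nothing touches the network), pulls the SNI out of it, and applies the page's two `acl`/`use-server` rules to it. The hostnames are copied from the configs above; the route table and function names are this example's own. Feeding it only the first 40 bytes of the same hello reproduces the failure mode of both configurations: no SNI is visible yet, so no rule can match.

```python
"""SNI extraction from a raw TLS ClientHello, mirroring what HAProxy's
req_ssl_hello_type / req_ssl_sni fetches look at in `mode tcp`.

Added example for this page, not code from the page or from HAProxy. The
ClientHello is generated locally with Python's ssl MemoryBIO API, so nothing
touches the network; the route table copies the page's acl/use-server rules."""
import ssl
import struct
from typing import Optional

# The page's two ACLs: SNI (matched case-insensitively, like -i) -> server name.
ROUTES = {"www.baidu.com": "svr_baidu", "www.beebank.com": "svr_beebank"}


def build_client_hello(server_name: str) -> bytes:
    """Return the bytes a real TLS client sends first (one ClientHello record)."""
    ctx = ssl.create_default_context()
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=server_name)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: ClientHello written, client now waits for a ServerHello
    return outgoing.read()


def tls_client_hello_sni(buf: bytes) -> Optional[str]:
    """SNI host_name from a buffer starting with a TLS ClientHello, else None.

    None covers both "not TLS" and "ClientHello not fully buffered yet"; the
    latter is what req_ssl_sni sees when it is evaluated without an
    inspect-delay, before the client's first record has arrived."""
    try:
        if len(buf) < 5 or buf[0] != 0x16:              # record type 22 = handshake
            return None
        rec_len = struct.unpack("!H", buf[3:5])[0]
        if len(buf) < 5 + rec_len:                       # record still incomplete
            return None
        hs = buf[5:5 + rec_len]
        if hs[0] != 0x01:                                # handshake type 1 = ClientHello
            return None
        hs_len = int.from_bytes(hs[1:4], "big")
        body = hs[4:4 + hs_len]
        if len(body) < hs_len:
            return None
        pos = 2 + 32                                     # legacy_version + random
        pos += 1 + body[pos]                             # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]  # cipher_suites
        pos += 1 + body[pos]                             # compression_methods
        if pos + 2 > len(body):
            return None                                  # no extensions -> no SNI
        ext_end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= ext_end:
            ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
            data = body[pos + 4:pos + 4 + ext_len]
            pos += 4 + ext_len
            if ext_type != 0:                            # extension 0 = server_name
                continue
            p = 2                                        # skip ServerNameList length
            while p + 3 <= len(data):
                name_type = data[p]
                name_len = struct.unpack("!H", data[p + 1:p + 3])[0]
                p += 3
                if name_type == 0:                       # name_type 0 = host_name
                    return data[p:p + name_len].decode("ascii")
                p += name_len
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None                                      # malformed: treat as no SNI


def choose_server(buf: bytes) -> Optional[str]:
    """Apply the page's acl/use-server rules to the client's first bytes."""
    sni = tls_client_hello_sni(buf)
    return ROUTES.get(sni.lower()) if sni else None


if __name__ == "__main__":
    hello = build_client_hello("www.baidu.com")
    print(len(hello), "bytes, SNI =", tls_client_hello_sni(hello), "->", choose_server(hello))
    # Only the first 40 bytes buffered: same hello, but no decision possible yet.
    print("truncated ->", choose_server(hello[:40]))
```

Two things worth keeping in mind when routing this way. The SNI is plaintext chosen by the client, so it only selects the upstream; in `mode tcp` haproxy passes the TLS session through untouched and the client still verifies the upstream's certificate itself. And to check a live instance, `openssl s_client -connect 127.0.0.1:443 -servername www.baidu.com` shows which certificate came back, i.e. which server the rules actually picked.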
A third way to write it:

```haproxy
defaults
    timeout client  30s
    timeout server  30s
    timeout connect 5s

resolvers dns
    nameserver svr1 172.16.162.194:53

listen ssl_proxy
    bind 127.0.0.1:443
    mode tcp
    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }
    default_backend ssl_backend

backend ssl_backend
    # ACLs and server selection live in the single shared backend
    acl acl_baidu   req_ssl_sni -i www.baidu.com
    acl acl_beebank req_ssl_sni -i www.beebank.com
    use-server svr_baidu   if acl_baidu
    use-server svr_beebank if acl_beebank
    server svr_baidu   www.baidu.com:443   check resolvers dns
    server svr_beebank www.beebank.com:443 check resolvers dns
```
The `tcp-request` lines can also be placed in the backend instead, like this:

```haproxy
defaults
    timeout client  30s
    timeout server  30s
    timeout connect 5s

resolvers dns
    nameserver svr1 172.16.162.194:53

listen ssl_proxy
    bind 127.0.0.1:443
    mode tcp
    default_backend ssl_backend

backend ssl_backend
    # inspect-delay and the ClientHello check moved here from the listen section
    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }
    acl acl_baidu   req_ssl_sni -i www.baidu.com
    acl acl_beebank req_ssl_sni -i www.beebank.com
    use-server svr_baidu   if acl_baidu
    use-server svr_beebank if acl_beebank
    server svr_baidu   www.baidu.com:443   check resolvers dns
    server svr_beebank www.beebank.com:443 check resolvers dns
```
A configuration covering both 443 and 80. Plain http is routed on the `Host` header with `hdr(host)` instead of on the SNI; note that the http listener binds `*:80` (every interface) while the ssl listener is still bound to `127.0.0.1:443` only, so the two are not exposed the same way:

```haproxy
defaults
    timeout client  30s
    timeout server  30s
    timeout connect 5s

resolvers dns
    nameserver svr1 172.16.162.194:53

listen http_proxy
    bind *:80
    mode http
    default_backend http_backend

backend http_backend
    mode http
    # plain http: pick the server from the Host header
    acl acl_baidu   hdr(host) -i www.baidu.com
    acl acl_beebank hdr(host) -i www.beebank.com
    use-server svr_baidu   if acl_baidu
    use-server svr_beebank if acl_beebank
    server svr_baidu   www.baidu.com:80   check resolvers dns
    server svr_beebank www.beebank.com:80 check resolvers dns

listen ssl_proxy
    bind 127.0.0.1:443
    mode tcp
    default_backend ssl_backend

backend ssl_backend
    # https: pick the server from the SNI in the ClientHello
    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }
    acl acl_baidu   req_ssl_sni -i www.baidu.com
    acl acl_beebank req_ssl_sni -i www.beebank.com
    use-server svr_baidu   if acl_baidu
    use-server svr_beebank if acl_beebank
    server svr_baidu   www.baidu.com:443   check resolvers dns
    server svr_beebank www.beebank.com:443 check resolvers dns
```