
Using Haproxy to serve some domain names over https while the others continue to be used normally

2025-04-06 Update From: SLTechnology News&Howtos

Shulou(Shulou.com) 06/03

Requirements:

1. Haproxy must be a version above 1.5 to support SSL certificates.

2. To use the SSL module, openssl must be installed, and its version must meet the requirements.

Installation of openssl

```
tar zxf openssl-0.9.8zh.tar.gz
cd openssl-0.9.8zh
./config enable-tlsext --prefix=/usr/local/openssl no-shared
make && make install_sw
```

This installation does not affect the openssl version of the system. Its main purpose is to turn on the TLS SNI function of openssl. You can also install openssl through yum.

Installation and configuration of Haproxy

You can install Haproxy with yum, or download a binary package and install that; the installation steps are easy to find with a Baidu search.

Haproxy configuration file

```
global
    log 127.0.0.1 local0
    log 127.0.0.1 local1 notice
    #log loghost local0 info
    maxconn 20480
    uid 99
    gid 99
    #daemon
    tune.ssl.default-dh-param 2048
    debug                       # debug mode: stays in the foreground and dumps traffic to stdout
    #quiet
    #pidfile /usr/local/haproxy/run/haproxy.pid
    #nbproc 2

defaults
    log global
    mode http
    option httplog
    option httpclose
    option forwardfor
    option dontlognull
    option redispatch
    option originalto
    #option abortonclose
    balance roundrobin
    #balance leastconn
    #balance source
    stats refresh 30
    retries 3
    timeout connect 5000
    timeout client 2400000
    timeout server 2400000
    timeout check 5000

listen admin_status
    bind 0.0.0.0:81
    mode http
    log 127.0.0.1 local3 err
    stats refresh 30s
    stats uri /haproxy-stats
    stats realm Welcome\ CJWL\ CJWL
    stats auth admin:wangguan   # stats page credentials (user:password); set your own
    stats hide-version
    stats admin if TRUE         # allows admin actions from the stats page after login
    errorfile 403 /usr/local/haproxy/errorfiles/403.http
    errorfile 500 /usr/local/haproxy/errorfiles/500.http
    errorfile 502 /usr/local/haproxy/errorfiles/502.http
    errorfile 503 /usr/local/haproxy/errorfiles/503.http
    errorfile 504 /usr/local/haproxy/errorfiles/504.http

frontend http_80_in
    bind 0.0.0.0:80,0.0.0.0:70,0.0.0.0:7777
    #redirect scheme https if !{ ssl_fc }   # uncommenting this line redirects all http requests to https
    #bind 0.0.0.0:4443 ssl crt /usr/local/haproxy/etc/ssl/haproxy.pem
    bind 0.0.0.0:443 ssl crt /etc/haproxy/ssl/server.pem
    #reqadd X-Forwarded-Proto:\ https
    acl testcoms_p hdr_dom(host) -i testcoms.changjiu56.com
    acl ssl hdr_reg(host) -i ^(kesungang.changjiu56.com)$
    redirect scheme https code 301 if !{ ssl_fc } ssl
    acl kesungang_p hdr_dom(host) -i kesungang.xxxx.com
    acl cpstest_p hdr_dom(host) -i ^(cpstest.xxx.com)$
    acl recapicpstest_p hdr_dom(host) -i ^(rec.api.cpstest.xxxx.com)$
    acl g7_ip src 121.2xx.0.0/16 117.50.xxx.0/24
    use_backend testcoms.xxxx.com if testcoms_p
    use_backend kesungang.xxxx.com if kesungang_p
    use_backend bmwpdatest.xxxx.com if bmwpdatest_p
    use_backend bmwpda.xxxx.com if bmwpda_p
    use_backend srm.xxxx.com if srm_p
    use_backend coms.xxx.com if coms_p

#backend wmsims.xxxxx.com
#    mode http
#    balance source
#    option httpchk GET /test/test.html
#    server 10.0.3.111:80 10.0.3.111:80 maxconn 5000 check inter 2000 rise 2 fall
    http-request set-header X-Forwarded-Port %[dst_port]
    #http-request add-header X-Forwarded-Proto https if { ssl_fc }

backend kesungang.xxxx.com
    balance source
    #redirect scheme https if !{ ssl_fc }
    server 10.0.3.78:80 10.0.3.78:80 maxconn 1024 weight 3 check inter 2000 rise 2 fall 3

backend testcoms.xxxx.com
    balance source
    #option httpchk GET /HealthCheck.html
```

If only one domain name is configured with an SSL certificate

1. Comment out `redirect scheme https if !{ ssl_fc }` in the default port 80 frontend.

2. Configure the acl rules as follows:

```
acl ssl hdr_reg(host) -i ^(kesungang.xxx.com)$
redirect scheme https code 301 if !{ ssl_fc } ssl
acl kesungang_p hdr_dom(host) -i kesungang.xxxx.com
```

Multiple domain names, multiple ssl certificate configurations

```
frontend http_server
    bind :80
    bind :443 ssl crt /etc/haproxy/keys/www.test.com.pem crt /etc/haproxy/keys/admin.test.com.pem crt /etc/haproxy/keys/passport.abc.com.pem
    # following the rule above, multiple sites use the same form:
    # bind :443 ssl crt $filepath crt $file2path crt $file3path
    mode http

    acl ssl hdr_reg(host) -i ^(www.test.com|admin.test.com|passport.abc.com)$
    redirect scheme https code 301 if !{ ssl_fc } ssl   # redirect the above sites to https

    # In some cases the redirect is required only on specific pages. Then use
    # these rules in place of the two lines above:
    #acl ssl_site hdr_reg(host) -i ^(...)$
    #acl ssl_path path_beg -i /Login /Pay/Pay.aspx
    #redirect scheme https code 301 if !{ ssl_fc } ssl_site ssl_path
    #redirect scheme http code 301 if { ssl_fc } ssl_site !ssl_path
    # redirects to https only on the /Login and /Pay/Pay.aspx pages; other pages use http

    acl wwwtest_com hdr_reg(host) -i ^(www.test.com)$
    use_backend www_test_com if wwwtest_com { ssl_fc_sni www.test.com }   # matches the corresponding certificate
    acl admintest_com hdr_dom(host) -i admin.test.com
    use_backend admin_test_com if admintest_com { ssl_fc_sni admin.test.com }
    acl passportabc_com hdr_dom(host) -i passport.abc.com
    use_backend passport_abc_com if passportabc_com { ssl_fc_sni passport.abc.com }

backend www_test_com
    server test2 192.168.10.2:80 check port 80 inter 5000 rise 2 fall 3 weight 1

backend admin_test_com
    server test4 192.168.10.4:80 check port 80 inter 5000 rise 2 fall 3 weight 1

backend passport_abc_com
    server test5 192.168.10.5:80 check port 80 inter 5000 rise 2 fall 3 weight 1
```
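The redirect rules above can be checked offline before they go into the frontend. The following Python model is an added example, not part of the original article or of Haproxy: it uses Python's `re` as a stand-in for `hdr_reg(host) -i`, assumes the per-page variant covers the same three sites, and the names `decide`, `PAGE_SITES`, `STRICT_SITES` and the sample requests are constructed for illustration.

```python
import re

# Host patterns as written on the page (dots unescaped) and an escaped variant.
PAGE_SITES = re.compile(r"^(www.test.com|admin.test.com|passport.abc.com)$", re.I)
STRICT_SITES = re.compile(r"^(www\.test\.com|admin\.test\.com|passport\.abc\.com)$", re.I)
SSL_PATHS = ("/login", "/pay/pay.aspx")  # path_beg -i /Login /Pay/Pay.aspx


def decide(host, path, is_tls, per_path=False, sites=PAGE_SITES):
    """Model one request; return ('redirect', url) or ('pass', None).

    host     -- Host header exactly as sent (may include ":port")
    path     -- request path without the query string
    is_tls   -- what { ssl_fc } reports for the connection
    per_path -- False: whole-site rule; True: the login/pay-only rule pair
    """
    site = bool(sites.search(host))                  # acl ssl / ssl_site
    ssl_path = path.lower().startswith(SSL_PATHS)    # acl ssl_path
    if per_path:
        if not is_tls and site and ssl_path:
            return ("redirect", "https://" + host + path)
        if is_tls and site and not ssl_path:
            return ("redirect", "http://" + host + path)
        return ("pass", None)
    if not is_tls and site:
        return ("redirect", "https://" + host + path)
    return ("pass", None)


# Constructed sample requests: (host, path, is_tls, per_path)
SAMPLES = [
    ("www.test.com", "/", False, False),
    ("www.test.com:7777", "/", False, False),   # port in Host defeats ^...$
    ("wwwxtest.com", "/", False, False),        # "." matches any character
    ("admin.test.com", "/Login/in.aspx", False, True),
    ("admin.test.com", "/news", True, True),    # https sent back to http
]

if __name__ == "__main__":
    for host, path, tls, per_path in SAMPLES:
        print(host, path, "tls" if tls else "plain", decide(host, path, tls, per_path))
```

The last sample is the downgrade branch: under the per-page rules everything outside /Login and /Pay/Pay.aspx is sent back to plain http, so cookies issued on the https pages should carry the Secure attribute if they must not cross the network in cleartext.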
