Apache LoadBalancing: SSL/TLS settings for healthchecks


Problem description

I'm trying to set up a load balancer with Apache. The communication to the backend servers is TLS-encrypted. When I enable healthchecks, this works as long as the ProxySSL* directives are set on VHost level, and not inside the Proxy section. When I move them inside the Proxy section, the SSL/TLS settings are no longer evaluated correctly (the connection to the backend uses the default SSL/TLS settings and not the ones specified). But according to the documentation, it should be possible to define SSL/TLS settings inside a Proxy section, which should allow setting different SSL/TLS settings for different load balancers.

What works:

<VirtualHost ...>
    SSLProxyEngine on
    ProxyPass "/"  "balancer://mybalancer"
    SSLProxyProtocol [a protocol]
    SSLProxyCipherSuite  [a cipher suite]
    <Proxy balancer://mybalancer>
        BalancerMember https://www.backend1.com hcinterval=1 hcmethod=get hcuri=/healthcheck1.php
        BalancerMember https://www.backend2.com hcinterval=1 hcmethod=get hcuri=/healthcheck2.php
    </Proxy>
</VirtualHost>

In the above example, healthchecks as well as ordinary requests use the Protocol and CipherSuite specified. The problem with this solution is that I cannot create a second balancer inside the same VHost with different SSL/TLS settings. Unfortunately, that's exactly what I need.

What does not work:

<VirtualHost ...>
    SSLProxyEngine on
    ProxyPass "/"  "balancer://mybalancer"
    ProxyPass "/2"  "balancer://mybalancer2"
    <Proxy balancer://mybalancer>
        SSLProxyProtocol [a protocol]
        SSLProxyCipherSuite  [a cipher suite]
        BalancerMember https://www.backend1.com hcinterval=1 hcmethod=get hcuri=/healthcheck1.php
        BalancerMember https://www.backend2.com hcinterval=1 hcmethod=get hcuri=/healthcheck2.php
    </Proxy>
    <Proxy balancer://mybalancer2>
        SSLProxyProtocol [another protocol]
        SSLProxyCipherSuite  [another cipher suite]
        BalancerMember https://www.backend3.com hcinterval=1 hcmethod=get hcuri=/healthcheck1.php
        BalancerMember https://www.backend4.com hcinterval=1 hcmethod=get hcuri=/healthcheck2.php
    </Proxy>
</VirtualHost>

Like this, the Protocol and CipherSuite specified have no effect on healthchecks; instead, healthchecks for both balancers use the default settings specified in the global scope of httpd.conf.

I think setting SSLProtocol and SSLCipherSuite for healthchecks is quite a common case, and I'm wondering if someone has a setup that works, or if someone has faced the same problems.

Thanks in advance for any help or hints where to look further.

Solution

Thanks to yann and armin for help on this. It works with the patch provided in this bug report:

https://bz.apache.org/bugzilla/show_bug.cgi?id=62556#c6

(you only need attachment 36043, the other patch is wrong/not needed!)

As discussed there, the problem is that the worker for the balancer member is not correctly initialized. This is why we have to set at least one proxy parameter.

If we extend the above Proxy balancer:// definition like below, it works (after the patch, of course):

<Proxy balancer://mybalancer2 lbmethod=byrequests> 

We can take any of the lb-parameters here, and we can easily set it to the default value. (lbmethod=byrequests is default, so nothing is changed except the worker is correctly initialized).

The complete, working example from above:

<VirtualHost ...>
    SSLProxyEngine on
    ProxyPass "/"  "balancer://mybalancer"
    ProxyPass "/2"  "balancer://mybalancer2"
    <Proxy balancer://mybalancer lbmethod=byrequests>
        SSLProxyProtocol [a protocol]
        SSLProxyCipherSuite  [a cipher suite]
        BalancerMember https://www.backend1.com hcinterval=1 hcmethod=get hcuri=/healthcheck1.php
        BalancerMember https://www.backend2.com hcinterval=1 hcmethod=get hcuri=/healthcheck2.php
    </Proxy>
    <Proxy balancer://mybalancer2 lbmethod=byrequests>
        SSLProxyProtocol [another protocol]
        SSLProxyCipherSuite  [another cipher suite]
        BalancerMember https://www.backend3.com hcinterval=1 hcmethod=get hcuri=/healthcheck1.php
        BalancerMember https://www.backend4.com hcinterval=1 hcmethod=get hcuri=/healthcheck2.php
    </Proxy>
</VirtualHost>

The patch should be included in the next release, maybe probably 2.4.35
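An added example, not part of the original question or answer: a small heuristic linter that flags `<Proxy balancer://...>` sections matching the failing layout above, that is, SSLProxy* directives plus health-checked members but no key=value parameter on the `<Proxy>` line. The function name `find_at_risk_balancers` and the sample config (including its `TLSv1.2` value) are constructed for illustration.

```python
import re

# Constructed sample: first balancer uses the failing layout from the question,
# the second carries the lbmethod=byrequests parameter from the answer.
SAMPLE = """\
<VirtualHost *:443>
    SSLProxyEngine on
    <Proxy balancer://mybalancer>
        SSLProxyProtocol TLSv1.2
        BalancerMember https://www.backend1.com hcinterval=1 hcmethod=get hcuri=/healthcheck1.php
    </Proxy>
    <Proxy balancer://mybalancer2 lbmethod=byrequests>
        SSLProxyProtocol TLSv1.2
        BalancerMember https://www.backend3.com hcinterval=1 hcmethod=get hcuri=/healthcheck1.php
    </Proxy>
</VirtualHost>
"""

OPEN = re.compile(r'^\s*<Proxy\s+"?(balancer://[^\s">]+)"?([^>]*)>', re.I)
CLOSE = re.compile(r'^\s*</Proxy>', re.I)
SSL_DIRECTIVE = re.compile(r'^\s*(SSLProxy\w+)\b', re.I)
HEALTHCHECK = re.compile(r'^\s*BalancerMember\b.*\bhc\w+=', re.I)

def find_at_risk_balancers(config_text):
    """Return [(balancer, line_no, [SSLProxy directives])] for sections whose
    per-balancer TLS settings may not reach the health checks."""
    findings, current = [], None
    for line_no, line in enumerate(config_text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue  # ignore commented-out directives
        m = OPEN.match(line)
        if m:
            current = {"name": m.group(1), "line": line_no,
                       "has_param": "=" in m.group(2), "ssl": [], "hc": False}
        elif current and CLOSE.match(line):
            if current["ssl"] and current["hc"] and not current["has_param"]:
                findings.append((current["name"], current["line"], current["ssl"]))
            current = None
        elif current:
            d = SSL_DIRECTIVE.match(line)
            if d:
                current["ssl"].append(d.group(1))
            current["hc"] = current["hc"] or bool(HEALTHCHECK.match(line))
    return findings

if __name__ == "__main__":
    for name, line_no, directives in find_at_risk_balancers(SAMPLE):
        print(f"line {line_no}: {name} sets {', '.join(directives)} without a "
              "<Proxy> parameter; health checks may use the global TLS defaults")
```

A clean result only means the layout matches the answer's workaround; per the answer, the workaround also requires the patch from the bug report.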
