Haproxy ssl redirect handshake failure


Question


I have haproxy v1.5.4 working with http & https. I am binding *:80 & *:443 to the same frontend and using the same acls.


I want to create an http -> https redirect

frontend http-in
    bind *:80
    bind *:443 ssl crt /etc/pki/tls/certs/...

    ...

    acl is_office path_beg /office
    http-request redirect scheme https if !{ ssl_fc } is_office

    use_backend office if is_office

This results in

10.XXXXX:36909 [16/Dec/2015:17:23:07.678] http-in/2: SSL handshake failure


when I access over http (expecting the redirect)


If I access via https then it correctly hits the backend and proxies through to the service over 443.

backend office
  balance roundrobin
  server backbone-daily 10.XXXXXX:443 ssl check verify none


The self-signed cert validates and works without the redirect. It feels like I'm missing something in the redirect stage.

Any help is much appreciated.

Recommended answer


Since we use the HAProxy Plugin with OPNsense, which only has a GUI, I can't give an answer containing working code. However, I can retrace the steps that finally made this work for us.

  1. Set up your mapping rules as usual
  2. Set up a rule HTTP_REDIRECT without any conditions but with the function http-request redirect scheme https
  3. Create two public services, one for port 443 and one for port 80
  4. Set up the public service for 443 with SSL Offloading and your mapping rules
  5. Set up the public service for 80 without SSL Offloading, and only your HTTP_REDIRECT rule


I suspect this would translate to code something like this:

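# TLS frontend: terminates SSL on 443 and applies the mapping rules
frontend http-in
    bind *:443 ssl crt /etc/pki/tls/certs/...
    # ACL as defined in the question; use_backend needs it in this frontend
    acl is_office path_beg /office
    use_backend office if is_office

# Plaintext frontend: no SSL offloading, only the unconditional redirect
frontend no-ssl-http-in
    bind *:80
    http-request redirect scheme https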


Hope this helps anyone who is still looking for a solution.
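
A static check for the layout the answer describes, as an added example that is not part of the original question or answer: it lists frontends that have a plaintext bind but no HTTPS redirect covering every plaintext request. The sample configs, the certificate path and the function names are constructed for illustration, and the check does not diagnose the handshake failure itself.

```python
import re

# Constructed configs modelled on the two layouts above; cert path is a placeholder.
SINGLE_FRONTEND = """
frontend http-in
    bind *:80
    bind *:443 ssl crt /etc/haproxy/certs/placeholder.pem
    acl is_office path_beg /office
    http-request redirect scheme https if !{ ssl_fc } is_office
    use_backend office if is_office
"""
SPLIT_FRONTENDS = """
frontend http-in
    bind *:443 ssl crt /etc/haproxy/certs/placeholder.pem
    acl is_office path_beg /office
    use_backend office if is_office

frontend no-ssl-http-in
    bind *:80
    http-request redirect scheme https
"""
SECTIONS = ("global", "defaults", "frontend", "backend", "listen")
REDIRECT = re.compile(r"http-request\s+redirect\s+scheme\s+https\b(?:\s+code\s+\d+)?(.*)$")
# Conditions under which the redirect still applies to every plaintext request.
COVERS_ALL = {"", "if !{ ssl_fc }", "unless { ssl_fc }"}

def parse_frontends(cfg):
    """Return {frontend name: [whitespace-normalised directive lines]}."""
    frontends, current = {}, None
    for raw in cfg.splitlines():
        words = raw.split("#", 1)[0].split()
        if not words:
            continue
        if words[0] in SECTIONS:
            is_fe = words[0] == "frontend" and len(words) > 1
            current = frontends.setdefault(words[1], []) if is_fe else None
        elif current is not None:
            current.append(" ".join(words))
    return frontends

def plaintext_gaps(cfg):
    """Frontends that have a non-TLS bind but no HTTPS redirect covering all of its traffic."""
    gaps = []
    for name, lines in parse_frontends(cfg).items():
        plain = any(l.startswith("bind ") and "ssl" not in l.split()[2:] for l in lines)
        redirects = [m.group(1).strip() for l in lines if (m := REDIRECT.match(l))]
        if plain and not any(cond in COVERS_ALL for cond in redirects):
            gaps.append(name)
    return gaps
```

On the single-frontend sample this returns `["http-in"]`, because the redirect there only fires for `/office` paths; on the split layout it returns an empty list.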
