Haproxy ssl redirect handshake failure
Problem description
I have haproxy v1.5.4 working with http & https. I am binding *:80 & *:443 to the same frontend and using the same acls.
I want to create an http -> https redirect
frontend http-in
    bind *:80
    bind *:443 ssl crt /etc/pki/tls/certs/...
    ...
    acl is_office path_beg /office
    http-request redirect scheme https if !{ ssl_fc } is_office
    use_backend office if is_office
This causes
10.XXXXX:36909 [16/Dec/2015:17:23:07.678] http-in/2: SSL handshake failure
when I access over http (expecting the redirect)
If I access via https then it correctly hits the backend and proxies through to the service over 443.
backend office
    balance roundrobin
    server backbone-daily 10.XXXXXX:443 ssl check verify none
The self-signed cert validates and works without the redirect. It feels like I'm missing something in the redirect stage.
Any help is greatly appreciated.
Recommended answer
Since we use the HAProxy Plugin with OPNsense, which only has a GUI, I can't give an answer containing working code. However, I can retrace the steps that finally made this work for us.
- Set up your mapping rules as usual
- Set up a rule HTTP_REDIRECT without any conditions but with the function
    http-request redirect scheme https
- Create two public services, one for port 443 and one for port 80
- Set up the public service for 443 with SSL Offloading and your mapping rules
- Set up the public service for 80 without SSL Offloading, and only your HTTP_REDIRECT rule
I suspect this would translate to code something like this:
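# TLS listener: carries the ACLs and backend routing
frontend http-in
    bind *:443 ssl crt /etc/pki/tls/certs/...
    acl is_office path_beg /office
    use_backend office if is_office

# Plain-HTTP listener: unconditional redirect to https, nothing else
frontend no-ssl-http-in
    bind *:80
    http-request redirect scheme https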
Hope this helps anyone who is still looking for a solution.
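The two layouts on this page (one shared frontend with a conditional redirect, and the answer's split frontends) can be checked mechanically before a reload. The linter below is an added example, not code from the question or the answer; the sample configs are constructed, and the certificate path and finding labels are placeholders chosen for illustration.

```python
import re

# Constructed samples of the page's two layouts; the cert path is a placeholder.
SHARED = """\
frontend http-in
    bind *:80
    bind *:443 ssl crt /path/to/placeholder.pem
    acl is_office path_beg /office
    http-request redirect scheme https if !{ ssl_fc } is_office
    use_backend office if is_office
"""
SPLIT = """\
frontend http-in
    bind *:443 ssl crt /path/to/placeholder.pem
    acl is_office path_beg /office
    use_backend office if is_office
frontend no-ssl-http-in
    bind *:80
    http-request redirect scheme https
"""
# A redirect is "guarded" when it only fires on non-TLS connections.
GUARD = re.compile(r"!\s*\{\s*ssl_fc\s*\}|unless\s*\{\s*ssl_fc\s*\}")

def audit(cfg):
    """Map each frontend name to a list of redirect findings (hypothetical labels)."""
    fronts, cur = {}, None
    for raw in cfg.splitlines():
        words = raw.split()
        if not words or words[0].startswith("#"):
            continue
        if words[0] in ("frontend", "listen") and len(words) > 1:
            cur = fronts.setdefault(words[1], {"plain": 0, "ssl": 0, "redir": []})
        elif words[0] in ("global", "defaults", "backend"):
            cur = None
        elif cur is not None and words[0] == "bind":
            cur["ssl" if "ssl" in words[2:] else "plain"] += 1
        elif cur is not None and words[:4] == ["http-request", "redirect", "scheme", "https"]:
            cur["redir"].append(" ".join(words[4:]))
    report = {}
    for name, f in fronts.items():
        guarded = [bool(GUARD.search(c)) for c in f["redir"]]
        # Conditions left once the ssl_fc guard is removed, e.g. ["is_office"].
        extra = [[w for w in GUARD.sub("", c).split() if w not in ("if", "unless")]
                 for c in f["redir"]]
        out = []
        if f["plain"] and not f["redir"]:
            out.append("plain-no-redirect")   # HTTP is served as-is
        elif f["plain"] and all(extra):
            out.append("partial-redirect")    # only matching requests are upgraded
        if f["ssl"] and not all(guarded):
            out.append("redirect-loop")       # HTTPS requests get redirected too
        report[name] = out
    return report
```

On the shared layout as written, the linter reports `partial-redirect` because only `/office` requests are upgraded to https; the split layout reports nothing.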