Setup HTTPS Forward Proxy with HAProxy
Question
In HAProxy, I've used option http_proxy to make it work like a forward proxy. This seems to be working fine, but that's not possible for HTTPS traffic.
So, is there any option in the HAProxy configuration that allows proxying HTTPS traffic just like Squid does?
I think the problem is that the option https_proxy isn't available.
This configuration works perfectly for the HTTP protocol:
frontend http_proxy
    bind :3128
    option http_proxy
    default_backend proxy_server

backend proxy_server
    option http_proxy
Note - I've used the certificate with "ssl crt" along with the bind option, but that didn't seem to proxy over the HTTPS protocol.
Recommended Answer
This is my HAProxy file configuration; it works well for the HTTP and HTTPS protocols.
Here is the code:
#-----------------------------------------------------------------------------
# global
#-----------------------------------------------------------------------------
global
    log /dev/log local0
    log /dev/log local1 notice
    chroot /var/lib/haproxy
    stats socket /run/haproxy/admin.sock mode 660 level admin
    stats timeout 30s
    user haproxy
    group haproxy
    daemon

    # Default SSL material locations
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private

    # Default ciphers to use on SSL-enabled listening sockets.
    # For more information, see ciphers(1SSL). This list is from:
    # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
    # An alternative list with additional directives can be obtained from
    # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
    ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
    ssl-default-bind-options no-sslv3

    # Tuning if required/needed
    # tune.ssl.default-dh-param 2048

#-----------------------------------------------------------------------------
# defaults
#-----------------------------------------------------------------------------
defaults
    log global
    mode http
    option httplog
    option dontlognull
    timeout connect 5000
    timeout client 50000
    timeout server 50000
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http

#-----------------------------------------------------------------------------
# http frontend
#-----------------------------------------------------------------------------
frontend http-in
    bind *:80

    # Domain redirect, force the 'www' prefix
    redirect prefix https://www.domain1.net code 301 if { hdr_beg(host) -i domain1.net }
    redirect prefix https://www.domain2.net code 301 if { hdr_beg(host) -i domain2.net }

    # Define hosts
    acl is-domain1-site hdr(host) -i www.domain1.net
    acl is-domain1-blog hdr(host) -i blog.domain1.net
    acl is-domain1-wiki hdr(host) -i wiki.domain1.net
    acl is-domain2-site hdr(host) -i www.domain2.net
    acl is-domain2-blog hdr(host) -i blog.domain2.net
    acl is-domain2-wiki hdr(host) -i wiki.domain2.net

    # Force https for domain1
    redirect scheme https if is-domain1-site !{ ssl_fc }
    redirect scheme https if is-domain1-blog !{ ssl_fc }
    redirect scheme https if is-domain1-wiki !{ ssl_fc }

    # Force https for domain2
    redirect scheme https if is-domain2-site !{ ssl_fc }
    redirect scheme https if is-domain2-blog !{ ssl_fc }
    redirect scheme https if is-domain2-wiki !{ ssl_fc }

    # Default backend (parking)
    default_backend bk-ct100

#-----------------------------------------------------------------------------
# https frontend
#-----------------------------------------------------------------------------
frontend https-in
    bind *:443 ssl crt /etc/ssl/private/

    # Domain redirect force www
    redirect prefix https://www.domain1.net code 301 if { hdr_beg(host) -i domain1.net }
    redirect prefix https://www.domain2.net code 301 if { hdr_beg(host) -i domain2.net }

    # Define hosts for domain1
    acl is-domain1-site hdr(host) -i www.domain1.net
    acl is-domain1-blog hdr(host) -i blog.domain1.net
    acl is-domain1-wiki hdr(host) -i wiki.domain1.net

    # Define hosts for domain2
    acl is-domain2-site hdr(host) -i www.domain2.net
    acl is-domain2-blog hdr(host) -i blog.domain2.net
    acl is-domain2-wiki hdr(host) -i wiki.domain2.net

    # Figure out which backend to use for domain1
    use_backend bk-ct101 if is-domain1-site
    use_backend bk-ct101 if is-domain1-blog
    use_backend bk-ct101 if is-domain1-wiki

    # Figure out which backend to use for domain2
    use_backend bk-ct102 if is-domain2-site
    use_backend bk-ct102 if is-domain2-blog
    use_backend bk-ct102 if is-domain2-wiki

    # Default backend (parking)
    default_backend bk-ct100

#-----------------------------------------------------------------------------
# ct100 backend - parking
#-----------------------------------------------------------------------------
backend bk-ct100
    mode http
    option forwardfor
    server ct100 192.168.100.100:80 check

#-----------------------------------------------------------------------------
# ct101 backend - domain1
#-----------------------------------------------------------------------------
backend bk-ct101
    mode http
    option forwardfor
    server ct101 192.168.100.101:80 check

#-----------------------------------------------------------------------------
# ct102 backend - domain2
#-----------------------------------------------------------------------------
backend bk-ct102
    mode http
    option forwardfor
    server ct102 192.168.100.102:80 check

#-----------------------------------------------------------------------------
# End-Of-File
#-----------------------------------------------------------------------------
In this configuration, I chose to redirect all traffic from HTTP to HTTPS. All of my certificates are stored inside the /etc/ssl/private directory. I generated them using CertBot.
You can adapt this file for your needs, but it should work :)
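The answer's configuration is a TLS-terminating reverse proxy for known hostnames rather than a forward proxy, and its global section only disables SSLv3, which sets no floor on TLS 1.0/1.1. The audit below is an added example, not part of the original answer: it parses a condensed copy of that configuration (constructed here) and reports the missing TLS minimum version, references to undefined backends, and ACLs used in a section that never declares them (HAProxy ACLs are scoped to the frontend or backend that declares them, which is why the answer repeats them in both frontends).

```python
import re

# Constructed sample, condensed from the answer's configuration (HAProxy ignores indentation).
ANSWER_CFG = """
global
    ssl-default-bind-options no-sslv3
frontend https-in
    bind *:443 ssl crt /etc/ssl/private/
    acl is-domain1-site hdr(host) -i www.domain1.net
    use_backend bk-ct101 if is-domain1-site
    default_backend bk-ct100
backend bk-ct100
    server ct100 192.168.100.100:80 check
backend bk-ct101
    server ct101 192.168.100.101:80 check
"""
SECTION_RE = re.compile(r"^(global|defaults|frontend|backend|listen)\b\s*(\S*)")

def parse_sections(cfg):
    """Map (kind, name) -> directive lines of that section, comments and blanks dropped."""
    sections, current = {}, None
    for raw in cfg.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = SECTION_RE.match(line) if line else None
        if m:
            current = (m.group(1), m.group(2))
            sections[current] = []
        elif line and current is not None:
            sections[current].append(line)
    return sections

def audit(cfg):
    """Return findings on TLS version policy, undefined backends and ACL scoping."""
    sections, findings = parse_sections(cfg), []
    backends = {name for kind, name in sections if kind in ("backend", "listen")}
    for (kind, name), lines in sections.items():
        acls = {l.split()[1] for l in lines if l.startswith("acl ")}  # ACL names are per section
        for w in (l.split() for l in lines):
            if w[0] == "ssl-default-bind-options":
                # no-sslv3 alone leaves TLS 1.0/1.1 enabled; require an explicit minimum version
                if not ({"no-tlsv10", "no-tlsv11"} <= set(w) or "ssl-min-ver" in w):
                    findings.append(f"{kind}: TLS 1.0/1.1 still allowed; add ssl-min-ver TLSv1.2")
            elif w[0] in ("use_backend", "default_backend"):
                if w[1] not in backends:
                    findings.append(f"{kind} {name}: undefined backend {w[1]}")
                cond = w[w.index("if") + 1].lstrip("!") if "if" in w else None
                if cond and not cond.startswith("{") and cond not in acls:
                    findings.append(f"{kind} {name}: ACL {cond} is not declared in this section")
    return findings
```

Adding `ssl-min-ver TLSv1.2` to the `ssl-default-bind-options` line of the answer's global section clears the first finding on the full configuration as well.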