Haproxy

Материал из support.qbpro.ru

Установка:

apt-get install haproxy
  • Пример конфигурации сайтов как с https так и без, haproxy слушает как внешний канал так и внутренний VPN:
global
        log /dev/log    local0
        log /dev/log    local1 notice
        user haproxy
        group haproxy
        daemon

        # Default SSL material locations
        ca-base /etc/ssl/certs
        crt-base /etc/ssl/private

        # Default ciphers to use on SSL-enabled listening sockets.
        # For more information, see ciphers(1SSL). This list is from:
        #  https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
        # An alternative list with additional directives can be obtained from
        #  https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
  ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
  ssl-default-bind-options no-sslv3
##
        maxconn 2048
defaults
        log     global
        option  redispatch
        option  tcp-smart-accept
        option  tcp-smart-connect
        retries 3
        maxconn 2000
        timeout connect 5000
        timeout check   3000
        timeout client  50000
        timeout server  50000
##
        errorfile 400 /etc/haproxy/errors/400.http
        errorfile 403 /etc/haproxy/errors/403.http
        errorfile 408 /etc/haproxy/errors/408.http
        errorfile 500 /etc/haproxy/errors/500.http
        errorfile 502 /etc/haproxy/errors/502.http
        errorfile 503 /etc/haproxy/errors/503.http
        errorfile 504 /etc/haproxy/errors/504.http
        
##################################################
## balanser http & https examples config
##################################################
frontend http_frontend 
        bind 92.19.132.73:80
        mode http
        option forwardfor
## -- for https web
        redirect scheme https if { hdr(Host) -i www.maindomain.ru } !{ ssl_fc }
        redirect scheme https if { hdr(Host) -i maindomain.ru } !{ ssl_fc }
        redirect scheme https if { hdr(Host) -i subdomain1.maindomain.ru } !{ ssl_fc }
        redirect scheme https if { hdr(Host) -i subdomain2.maindomain.ru } !{ ssl_fc }
#
## -- for http web
        acl host_subdomain3        hdr_beg(host) -i subdomain3.maindomain.ru
        acl host_subdomain4        hdr_beg(host) -i subdomain4.maindomain.ru
#
## -- for http rules web backens
        use_backend web_server1 if host_subdomain3
        use_backend web_server0 if host_subdomain4
#
## -- for http web backens
backend web_server0
        mode http
        reqadd X-Forwarded-Proto:\ http
        server subdomain3.maindomain.ru 10.5.1.7:8080 check
#
backend web_server1
        mode http
        reqadd X-Forwarded-Proto:\ http
        server subdomain4.maindomain.ru 10.5.1.11:80 check
#
## -- for https frontend
frontend https_frontend_ssl_pass
        bind 92.19.132.73:443
        mode tcp
        default_backend web_server_tcp
#
## -- for https web backens
backend web_server_tcp
        mode tcp
        balance roundrobin
        server maindomain.ru 10.5.1.7:443 send-proxy
        server subdomain1.maindomain.ru 10.5.1.7:443 send-proxy
        server subdomain2.maindomain.ru 10.5.1.7:443 send-proxy
#
## -- vpn fronted
frontend http_frontend_vpn 
        bind 10.0.8.1:80
        mode http
        option forwardfor
#
## -- for http vpn web
        acl host_devhost       hdr_beg(host) -i devhost.ldomain.local
        acl host_libarh        hdr_beg(host) -i libarh.ldomain.local

#
## -- for http rules web backens
        use_backend web_server_vpn1 if host_devhost
        use_backend web_server_vpn0 if host_libarh

## -- for http vpn  web backens
backend web_server_vpn0
        mode http
        reqadd X-Forwarded-Proto:\ http
        server libarh.ldomain.local 10.5.1.7:80 check

backend web_server_vpn1
        mode http
        reqadd X-Forwarded-Proto:\ http
        server devhost.ldomain.local 10.5.1.9:80 check
  • После изменений перезапуск haproxy...
  • Пример конфигурации для сайтов с https для nginx:
server {
    listen  10.5.1.7:8080;
    listen 10.5.1.7:443 ssl proxy_protocol;
    set_real_ip_from 92.19.132.73;
    real_ip_header proxy_protocol;
    
    include     /etc/nginx/ssl_maindomain_ru_conf;

    if ( $scheme = "http" ) {
          rewrite ^/(.*)$       https://$host/$1 permanent;
        }
    ssi on;

    server_name maindomain.ru;
    root /home/www/maindomain.ru;
    index index.php index.html index.htm;

    error_log /var/log/nginx/maindomain_ru_error.log;
    access_log /var/log/nginx/maindomain_ru_access.log;
    
    location ~* \.(css|js|png|gif|jpg)$ {
    expires max;
    }

    location = /50x.html {
    root /usr/share/nginx/html;
    }

    location / {
     try_files $uri $uri/ /index.php;
    }

    error_page 404 /404.html;
    error_page 500 502 503 504 /50x.html;
    
    location ~ \.php$ {
        fastcgi_pass  localhost:9000;
        fastcgi_param SCRIPT_FILENAME
                      $document_root$fastcgi_script_name;
        include       fastcgi_params;
    }
    
    location ~ ^/(README|INSTALL|LICENSE|CHANGELOG|UPGRADING)$ {
    deny all;
    }
  
    location ~ ^/(bin|SQL)/ {
    deny all;
    } 
    
      location ^~ /.well-known/acme-challenge/ {
        allow all;
        default_type "text/plain";
    }

}

Пример перенапрвления с www.domain.com на domain.com

...
redirect prefix http://www.bar.com code 301 if { hdr(host) -i foo.com }
redirect prefix http://www.bar.com code 301 if { hdr(host) -i www.foo.com }
...
* источник

Установка HTTPS через Haproxy

Тюнинг Haproxy

ИСТОЧНИКИ