Haproxy: различия между версиями
Материал из support.qbpro.ru
imported>Vix Нет описания правки |
imported>Vix Нет описания правки |
||
| Строка 51: | Строка 51: | ||
option forwardfor | option forwardfor | ||
## -- for https web | ## -- for https web | ||
redirect scheme https if { hdr(Host) -i www. | redirect scheme https if { hdr(Host) -i www.maindomain.ru } !{ ssl_fc } | ||
redirect scheme https if { hdr(Host) -i | redirect scheme https if { hdr(Host) -i maindomain.ru } !{ ssl_fc } | ||
redirect scheme https if { hdr(Host) -i | redirect scheme https if { hdr(Host) -i subdomain1.maindomain.ru } !{ ssl_fc } | ||
redirect scheme https if { hdr(Host) -i | redirect scheme https if { hdr(Host) -i subdomain2.maindomain.ru } !{ ssl_fc } | ||
# | # | ||
## -- for http web | ## -- for http web | ||
acl | acl host_subdomain3 hdr_beg(host) -i subdomain3.maindomain.ru | ||
acl | acl host_subdomain4 hdr_beg(host) -i subdomain4.maindomain.ru | ||
# | # | ||
## -- for http rules web backens | ## -- for http rules web backens | ||
use_backend web_server1 if | use_backend web_server1 if host_subdomain3 | ||
use_backend web_server0 if | use_backend web_server0 if host_subdomain4 | ||
# | # | ||
## -- for http web backens | ## -- for http web backens | ||
| Строка 68: | Строка 68: | ||
mode http | mode http | ||
reqadd X-Forwarded-Proto:\ http | reqadd X-Forwarded-Proto:\ http | ||
server | server subdomain3.maindomain.ru 10.5.1.7:8080 check | ||
# | # | ||
backend web_server1 | backend web_server1 | ||
mode http | mode http | ||
reqadd X-Forwarded-Proto:\ http | reqadd X-Forwarded-Proto:\ http | ||
server | server subdomain4.maindomain.ru 10.5.1.11:80 check | ||
# | # | ||
## -- for https frontend | ## -- for https frontend | ||
| Строка 85: | Строка 85: | ||
mode tcp | mode tcp | ||
balance roundrobin | balance roundrobin | ||
server | server maindomain.ru 10.5.1.7:443 send-proxy | ||
server | server subdomain1.maindomain.ru 10.5.1.7:443 send-proxy | ||
server | server subdomain2.maindomain.ru 10.5.1.7:443 send-proxy | ||
# | # | ||
## -- vpn fronted | ## -- vpn fronted | ||
| Строка 96: | Строка 96: | ||
# | # | ||
## -- for http vpn web | ## -- for http vpn web | ||
acl host_devhost hdr_beg(host) -i devhost. | acl host_devhost hdr_beg(host) -i devhost.ldomain.local | ||
acl host_libarh hdr_beg(host) -i libarh. | acl host_libarh hdr_beg(host) -i libarh.ldomain.local | ||
# | # | ||
| Строка 108: | Строка 108: | ||
mode http | mode http | ||
reqadd X-Forwarded-Proto:\ http | reqadd X-Forwarded-Proto:\ http | ||
server libarh. | server libarh.ldomain.local 10.5.1.7:80 check | ||
backend web_server_vpn1 | backend web_server_vpn1 | ||
mode http | mode http | ||
reqadd X-Forwarded-Proto:\ http | reqadd X-Forwarded-Proto:\ http | ||
server devhost. | server devhost.ldomain.local 10.5.1.9:80 check | ||
* После изменений перезапуск haproxy... | * После изменений перезапуск haproxy... | ||
Версия от 01:26, 25 марта 2019
- Установка:
apt-get install haproxy
- Пример конфигурации сайтов как с https так и без, haproxy слушает как внешний канал так и внутренний VPN:
global
log /dev/log local0
log /dev/log local1 notice
user haproxy
group haproxy
daemon
# Default SSL material locations
ca-base /etc/ssl/certs
crt-base /etc/ssl/private
# Default ciphers to use on SSL-enabled listening sockets.
# For more information, see ciphers(1SSL). This list is from:
# https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
# An alternative list with additional directives can be obtained from
# https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
ssl-default-bind-options no-sslv3
##
maxconn 2048
defaults
log global
option redispatch
option tcp-smart-accept
option tcp-smart-connect
retries 3
maxconn 2000
timeout connect 5000
timeout check 3000
timeout client 50000
timeout server 50000
##
errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http
##################################################
## balanser http & https examples config
##################################################
frontend http_frontend
bind 92.19.132.73:80
mode http
option forwardfor
## -- for https web
redirect scheme https if { hdr(Host) -i www.maindomain.ru } !{ ssl_fc }
redirect scheme https if { hdr(Host) -i maindomain.ru } !{ ssl_fc }
redirect scheme https if { hdr(Host) -i subdomain1.maindomain.ru } !{ ssl_fc }
redirect scheme https if { hdr(Host) -i subdomain2.maindomain.ru } !{ ssl_fc }
#
## -- for http web
acl host_subdomain3 hdr_beg(host) -i subdomain3.maindomain.ru
acl host_subdomain4 hdr_beg(host) -i subdomain4.maindomain.ru
#
## -- for http rules web backens
use_backend web_server1 if host_subdomain3
use_backend web_server0 if host_subdomain4
#
## -- for http web backens
backend web_server0
mode http
reqadd X-Forwarded-Proto:\ http
server subdomain3.maindomain.ru 10.5.1.7:8080 check
#
backend web_server1
mode http
reqadd X-Forwarded-Proto:\ http
server subdomain4.maindomain.ru 10.5.1.11:80 check
#
## -- for https frontend
frontend https_frontend_ssl_pass
bind 92.19.132.73:443
mode tcp
default_backend web_server_tcp
#
## -- for https web backens
backend web_server_tcp
mode tcp
balance roundrobin
server maindomain.ru 10.5.1.7:443 send-proxy
server subdomain1.maindomain.ru 10.5.1.7:443 send-proxy
server subdomain2.maindomain.ru 10.5.1.7:443 send-proxy
#
## -- vpn fronted
frontend http_frontend_vpn
bind 10.0.8.1:80
mode http
option forwardfor
#
## -- for http vpn web
acl host_devhost hdr_beg(host) -i devhost.ldomain.local
acl host_libarh hdr_beg(host) -i libarh.ldomain.local
#
## -- for http rules web backens
use_backend web_server_vpn1 if host_devhost
use_backend web_server_vpn0 if host_libarh
## -- for http vpn web backens
backend web_server_vpn0
mode http
reqadd X-Forwarded-Proto:\ http
server libarh.ldomain.local 10.5.1.7:80 check
backend web_server_vpn1
mode http
reqadd X-Forwarded-Proto:\ http
server devhost.ldomain.local 10.5.1.9:80 check
- После изменений перезапуск haproxy...
ИСТОЧНИКИ:
- официальный сайт - en
- Описание конфигурационного файла HAProxy — haproxy.cfg
- haproxy+node.js
- Haproxy manual - en
- защита от взлома
- работаем с node
- еще пример с node.js
- HAProxy Configuration Manual с частичным переводом
- Получаем IP-адреса HTTPS-клиентов с HAProxy (frontend) на Nginx (backend) в режимах HTTP и TCP-балансировки
- Введение в HAProxy и принципы распределения нагрузки
- How to Use HAProxy for Load Balancing
- HAProxy перенаправляет http на https (ssl)
- Примеры настройки HaProxy
- Описание конфигурационного файла HAProxy
- Установка и настройка HAProxy на Debian/Ubuntu
