Haproxy

Материал из support.qbpro.ru
  • Установка:
apt-get install haproxy
  • Пример конфигурации сайтов как с https так и без, haproxy слушает как внешний канал так и внутренний VPN:
global
        log /dev/log    local0
        log /dev/log    local1 notice
        user haproxy
        group haproxy
        daemon

        # Default SSL material locations
        ca-base /etc/ssl/certs
        crt-base /etc/ssl/private

        # Default ciphers to use on SSL-enabled listening sockets.
        # For more information, see ciphers(1SSL). This list is from:
        #  https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
        # An alternative list with additional directives can be obtained from
        #  https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
        ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
        ssl-default-bind-options no-sslv3
##
        maxconn 2048
defaults
        log     global
        option  redispatch
        option  tcp-smart-accept
        option  tcp-smart-connect
        retries 3
        maxconn 2000
        timeout connect 5000
        timeout check   3000
        timeout client  50000
        timeout server  50000
##
        errorfile 400 /etc/haproxy/errors/400.http
        errorfile 403 /etc/haproxy/errors/403.http
        errorfile 408 /etc/haproxy/errors/408.http
        errorfile 500 /etc/haproxy/errors/500.http
        errorfile 502 /etc/haproxy/errors/502.http
        errorfile 503 /etc/haproxy/errors/503.http
        errorfile 504 /etc/haproxy/errors/504.http
        
##################################################
## balanser http & https examples config
##################################################
frontend http_frontend 
        bind 92.19.132.73:80
        mode http
        option forwardfor
## -- for https web
        redirect scheme https if { hdr(Host) -i www.maindomain.ru } !{ ssl_fc }
        redirect scheme https if { hdr(Host) -i maindomain.ru } !{ ssl_fc }
        redirect scheme https if { hdr(Host) -i subdomain1.maindomain.ru } !{ ssl_fc }
        redirect scheme https if { hdr(Host) -i subdomain2.maindomain.ru } !{ ssl_fc }
#
## -- for http web
        acl host_subdomain3        hdr_beg(host) -i subdomain3.maindomain.ru
        acl host_subdomain4        hdr_beg(host) -i subdomain4.maindomain.ru
#
## -- for http rules web backens
        use_backend web_server1 if host_subdomain3
        use_backend web_server0 if host_subdomain4
#
## -- for http web backens
backend web_server0
        mode http
        reqadd X-Forwarded-Proto:\ http
        server subdomain3.maindomain.ru 10.5.1.7:8080 check
#
backend web_server1
        mode http
        reqadd X-Forwarded-Proto:\ http
        server subdomain4.maindomain.ru 10.5.1.11:80 check
#
## -- for https frontend
frontend https_frontend_ssl_pass
        bind 92.19.132.73:443
        mode tcp
        default_backend web_server_tcp
#
## -- for https web backens
backend web_server_tcp
        mode tcp
        balance roundrobin
        server maindomain.ru 10.5.1.7:443 send-proxy
        server subdomain1.maindomain.ru 10.5.1.7:443 send-proxy
        server subdomain2.maindomain.ru 10.5.1.7:443 send-proxy
#
## -- vpn fronted
frontend http_frontend_vpn 
        bind 10.0.8.1:80
        mode http
        option forwardfor
#
## -- for http vpn web
        acl host_devhost       hdr_beg(host) -i devhost.ldomain.local
        acl host_libarh        hdr_beg(host) -i libarh.ldomain.local
#
## -- for http rules web backens
        use_backend web_server_vpn1 if host_devhost
        use_backend web_server_vpn0 if host_libarh
## -- for http vpn  web backens
backend web_server_vpn0
        mode http
        reqadd X-Forwarded-Proto:\ http
        server libarh.ldomain.local 10.5.1.7:80 check
backend web_server_vpn1
        mode http
        reqadd X-Forwarded-Proto:\ http
        server devhost.ldomain.local 10.5.1.9:80 check
  • После изменений перезапуск haproxy...

ИСТОЧНИКИ: