I want to forward traffic from https://demo2.company.com:8443 to the internal address 10.11.0.6, i.e. https://10.11.0.6:8443
But I get a 502 Bad Gateway error:
global
    log /dev/log local0
    log /dev/log local1 notice
    chroot /var/lib/haproxy
    stats socket /run/haproxy/admin.sock mode 660 level admin
    stats timeout 30s
    maxconn 2048
    tune.ssl.default-dh-param 2048
    tune.maxrewrite 4096
    user haproxy
    group haproxy
    # Default SSL material locations
    # (ca-base / crt-base are directory prefixes for relative ca-file / crt paths, not file names)
    ca-base /etc/ssl/certs/data.company.com/company.com.crt
    crt-base /etc/ssl/certs/data.company.com/company.com.key
    daemon

defaults
    log global
    mode http
    option forwardfor
    option http-server-close
    retries 3
    timeout http-request 10s
    timeout queue 1m
    timeout connect 10s
    timeout client 1m
    timeout server 1m
    timeout http-keep-alive 10s
    timeout check 10s
    maxconn 2048

frontend cloud.company.com
    bind *:8443 ssl crt /etc/ssl/certs/data.company.com/company.com.pem
    # header name and value are separate arguments; a trailing colon would become part of the name
    http-request add-header X-forwarded-Proto https
    http-request add-header X-forwarded-Port 8443
    http-response add-header Strict-Transport-Security max-age=15768000
    log-format "%ci:%cp [%[src,map_ip(/etc/haproxy/haproxy_geo_ip.txt)]] [%t] %ft %b/%s %Tw/%Tc/%Tt %B %ts %ac/%fc/%bc/%sc/%rc %sq/%bq"
    # --- GEO Block
    acl acl_geoloc_block src,map_ip(/etc/haproxy/haproxy_geo_ip.txt) -m reg -i (CH|AT|DE|IT|FR)
    use_backend block_geo if !acl_geoloc_block
    # ---
    acl is_demo1 ssl_fc -i demo1.company.com #10.11.0.2
    acl is_demo2 ssl_fc -i demo2.company.com #10.11.0.6
    use_backend demo1 if is_demo1
    use_backend demo2 if is_demo2

backend block_geo
    timeout tarpit 5s
    errorfile 404 /etc/haproxy/errors/403.http
    http-request tarpit deny_status 404

backend demo1
    mode http
    server demo1 10.11.0.2:8443 check

backend demo2
    redirect scheme https if !{ ssl_fc }
    server demo2 10.11.0.6:8443 check
I guess there is a problem with SSL?
I want to use my own SSL certificate on the frontend. It should not present the SSL certificate from the backend server.
I have tried different SSL options, but I always get the same error. I want to fetch the http content from the backend server.
I noticed two things:

1. acl is_demo1 ssl_fc -i demo1.company.com #10.11.0.2
   These ACLs look odd and probably do not match what you think. ssl_fc is a boolean that only indicates whether the connection came in over SSL. ssl_fc_sni could match the SNI against your domain, but the haproxy manual recommends relying on the HTTP host header instead, e.g. acl is_demo1 hdr(host) -i demo1.company.com

2. The server line is missing the ssl keyword, e.g. server demo2 10.11.0.6:8443 check ssl verify none or server demo2 10.11.0.6:8443 check ssl verify required ca-file /path/to/ca/file (sni demo2.company.com) in order for it to work.
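As an added example (not part of the question or the answer above), here are the frontend and backend demo2 sections with both fixes applied: routing on the Host header, with the :8443 port that browsers send for a non-default port stripped before comparison, and a re-encrypted backend hop whose certificate is verified against an internal CA. The CA file path /etc/haproxy/internal-ca.pem and the assumption that the backend certificate is issued for demo2.company.com are mine; the geo block and log-format are unchanged from the question and omitted here.

```haproxy
frontend cloud.company.com
    bind *:8443 ssl crt /etc/ssl/certs/data.company.com/company.com.pem
    # set-header overwrites any client-supplied value, so the backend
    # cannot be fed a forged X-Forwarded-Proto; name and value are
    # separate arguments (no colon after the header name).
    http-request set-header X-Forwarded-Proto https
    http-request set-header X-Forwarded-Port 8443
    http-response set-header Strict-Transport-Security max-age=15768000

    # Clients connecting to a non-default port send
    # "Host: demo2.company.com:8443", so an exact match against the
    # bare name would fail; field(1,:) keeps everything before the ':'.
    acl is_demo1 req.hdr(host),field(1,:) -i demo1.company.com
    acl is_demo2 req.hdr(host),field(1,:) -i demo2.company.com
    use_backend demo1 if is_demo1
    use_backend demo2 if is_demo2

backend demo2
    mode http
    # ssl: talk TLS to 10.11.0.6, which is what cleared the 502.
    # verify required + ca-file: the backend certificate must chain to
    # the internal CA; "verify none" also works but accepts any
    # certificate on the internal hop.
    # sni takes a sample expression, hence str(...); with verify
    # required the SNI value is also used for hostname verification.
    # check-sni sends the same name during health checks.
    server demo2 10.11.0.6:8443 ssl verify required ca-file /etc/haproxy/internal-ca.pem sni str(demo2.company.com) check check-sni demo2.company.com
```

Run haproxy -c -f /etc/haproxy/haproxy.cfg after editing; a wrong ca-file path or a backend certificate that does not name demo2.company.com shows up in the health-check failure reason on the stats socket rather than as a 502.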