I have set up an HAProxy instance that should:
For the demonstration I created a shortened HAProxy configuration, shown below:
global
    log 127.0.0.1 local0
    maxconn 8000
    user nobody
    group nogroup
    daemon
    debug
    #quiet
    stats socket /var/run/haproxy.sock mode 600 level admin
    ssl-default-bind-options no-sslv3
    ssl-default-bind-ciphers ECDH+AESGCM:ECDH+CHACHA20:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
    ssl-default-server-options no-sslv3
    ssl-default-server-ciphers ECDH+AESGCM:ECDH+CHACHA20:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
    tune.ssl.default-dh-param 2048

defaults
    log global
    mode http
    balance roundrobin
    option dontlognull
    option abortonclose
    option redispatch
    retries 3
    maxconn 18000
    timeout connect 30s
    timeout client 30s
    timeout server 30s

frontend test.local
    bind 0.0.0.0:8443
    reqadd X-Forwarded-Proto:\ https
    option forwardfor
    acl api_statusio path_beg -i /status/1.0
    use_backend api_statusio if api_statusio

backend api_statusio
    option httpchk GET / HTTP/1.1\r\nHost:\ letsencrypt.status.io
    http-request set-header Host letsencrypt.status.io
    server test2 143.204.101.51:443 ssl check ca-file /etc/ssl/certs/ca-certificates.crt sni str(letsencrypt.status.io) check-ssl check-sni str(letsencrypt.status.io)
For example, this works with google.com as the upstream, but not with the status.io resource (letsencrypt.status.io is only an example here):
root@edc5cab629ae:/# haproxy -f ./haproxy.cfg
[WARNING] 274/160954 (2642) : parsing [./haproxy.cfg:37] : The 'reqadd' directive is deprecated in favor of 'http-request add-header' and will be removed in next version.
[WARNING] 274/160954 (2642) : <debug> mode incompatible with <quiet> and <daemon>. Keeping <debug> only.
Available polling systems :
epoll : pref=300, test result OK
poll : pref=200, test result OK
select : pref=150, test result FAILED
Total: 3 (2 usable), will use epoll.
Available filters :
[SPOE] spoe
[COMP] compression
[CACHE] cache
[TRACE] trace
Using epoll() as the polling mechanism.
fd[0013] OpenSSL error[0x14094410] ssl3_read_bytes: sslv3 alert handshake failure
[WARNING] 274/160955 (2642) : Server api_statusio/test2 is DOWN, reason: Socket error, info: "SSL handshake failure", check duration: 111ms. 0 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue.
[ALERT] 274/160955 (2642) : backend 'api_statusio' has no server available!
fd[0014] OpenSSL error[0x14094410] ssl3_read_bytes: sslv3 alert handshake failure
fd[0014] OpenSSL error[0x14094410] ssl3_read_bytes: sslv3 alert handshake failure
If I use openssl s_client as a quick check, this seems to work fine.
Tested this:
Any ideas?
server test2 143.204.101.51:443 ssl check ca-file /etc/ssl/certs/ca-certificates.crt sni str(letsencrypt.status.io) check-ssl check-sni str(letsencrypt.status.io)
should be
server test2 143.204.101.51:443 ssl check ca-file /etc/ssl/certs/ca-certificates.crt sni str(letsencrypt.status.io) check-ssl check-sni letsencrypt.status.io
This works. After resolving this, I ran into a similar problem with server templates that have multiple upstreams, described here: https://git.haproxy.org/?p=haproxy-2.0.git;a=commit;h=21944019cabcb46ceb95b7fd925528b9dace4e35 (but that is a different topic).
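As an added illustration (not code from the question or the answer above), a small Python linter that catches the mistake the answer corrects: `sni` takes a sample-fetch expression, but `check-sni` takes a literal host name, so `check-sni str(letsencrypt.status.io)` presents the literal text `str(...)` as the server name during the health check and the upstream answers with the handshake-failure alert seen in the log. The configuration excerpt is constructed from the backend in the question; the function names are my own.

```python
import re

# Host name per RFC 1123: dot-separated labels of letters, digits and hyphens.
HOSTNAME_RE = re.compile(
    r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$")
# A sample-fetch expression such as str(host) or req.hdr(host).
EXPR_RE = re.compile(r"^([A-Za-z_.]+)\((.*)\)$")


def lint_server_line(line):
    """Check the check-sni argument of one server/default-server directive.

    Returns (problems, fixed_line). check-sni is sent verbatim as the SNI of
    the health-check handshake, so an expression here is not evaluated.
    """
    tokens = line.split()
    problems, fixed = [], list(tokens)
    for i, tok in enumerate(tokens):
        if tok != "check-sni" or i + 1 == len(tokens):
            continue
        value = tokens[i + 1]
        expr = EXPR_RE.match(value)
        if expr:
            problems.append("check-sni takes a literal host name, not the "
                            "expression %r" % value)
            inner = expr.group(2)
            # Only str(<hostname>) has an unambiguous literal equivalent.
            if expr.group(1) == "str" and HOSTNAME_RE.match(inner):
                fixed[i + 1] = inner
        elif not HOSTNAME_RE.match(value):
            problems.append("check-sni value %r is not a valid host name" % value)
    return problems, " ".join(fixed)


def lint_config(text):
    """Run lint_server_line over every server line; return (lineno, msg, fix)."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        stripped = raw.strip()
        if stripped.split()[:1] not in (["server"], ["default-server"]):
            continue
        problems, fixed = lint_server_line(stripped)
        findings.extend((lineno, p, fixed) for p in problems)
    return findings


# Constructed excerpt reproducing the backend from the question.
SAMPLE_CFG = """\
backend api_statusio
    http-request set-header Host letsencrypt.status.io
    server test2 143.204.101.51:443 ssl check ca-file /etc/ssl/certs/ca-certificates.crt sni str(letsencrypt.status.io) check-ssl check-sni str(letsencrypt.status.io)
"""

if __name__ == "__main__":
    for lineno, msg, fixed in lint_config(SAMPLE_CFG):
        print("line %d: %s\n    suggested: %s" % (lineno, msg, fixed))
```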