Linux: implementing HTTPS with haproxy
Author: Internet
Hosts
centos7 10.0.0.27 client
centos7 10.0.0.17 haproxy server
centos8 10.0.0.8 httpd server
centos8 10.0.0.18 httpd server
haproxy can terminate HTTPS: the leg from the user to haproxy is HTTPS, while haproxy talks plain HTTP to the backend servers. For performance reasons, however, certificates in production are usually deployed on the backend servers themselves, e.g. on nginx or apache.
Certificate creation (on the haproxy server)
[root@centos7-liyj /etc/haproxy/conf.d/ssl]#openssl genrsa -out haproxy.key 2048
Generating RSA private key, 2048 bit long modulus
................+++
............+++
e is 65537 (0x10001)
[root@centos7-liyj /etc/haproxy/conf.d/ssl]#openssl req -utf8 -newkey rsa:1024 -subj "/CN=www.lyj.org" -keyout haproxy.key -nodes -x509 -out haproxy.crt
Generating a 1024 bit RSA private key
...........++++++
......................++++++
writing new private key to 'haproxy.key'
-----
[root@centos7-liyj /etc/haproxy/conf.d/ssl]#ll
total 8
-rw-r--r-- 1 root root 745 Jun 18 17:15 haproxy.crt
-rw-r--r-- 1 root root 916 Jun 18 17:15 haproxy.key
[root@centos7-liyj /etc/haproxy/conf.d/ssl]#cat haproxy.key haproxy.crt >haproxy.pem   # the file named by the crt directive must be PEM and contain the certificate together with its private key(s)
[root@centos7-liyj /etc/haproxy/conf.d/ssl]#openssl x509 -in haproxy.pem -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            cd:77:70:77:7c:c8:de:d6
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=www.lyj.org
        Validity
            Not Before: Jun 18 09:15:43 2022 GMT
            Not After : Jul 18 09:15:43 2022 GMT
        Subject: CN=www.lyj.org
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                    00:cf:d6:3c:38:df:81:f0:cc:0c:7d:8b:18:68:ba:
                    41:5f:e5:40:24:e8:b1:ea:48:ab:98:f1:da:eb:3a:
                    89:fd:8a:d4:09:a1:30:95:99:cd:70:79:14:e0:41:
                    0b:87:65:7f:c2:1e:fb:72:77:79:92:64:52:6b:2d:
                    85:1e:47:7c:62:21:cd:22:a8:fe:87:d8:12:a3:01:
                    ce:73:2e:8a:05:f5:0b:5e:48:f1:20:8d:23:07:5b:
                    e1:bd:4b:54:3d:44:ff:b8:f3:28:59:9f:a6:8d:10:
                    b7:b5:11:b1:0e:79:8c:5c:97:68:c9:ae:80:41:d6:
                    9d:f8:d7:7f:58:5f:68:dd:df
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                57:C7:5F:61:84:1A:E4:3D:76:B0:67:30:D1:AA:D9:11:BF:D7:F5:8C
            X509v3 Authority Key Identifier:
                keyid:57:C7:5F:61:84:1A:E4:3D:76:B0:67:30:D1:AA:D9:11:BF:D7:F5:8C
            X509v3 Basic Constraints:
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption
         c2:7d:b6:e7:fd:10:04:cd:ac:1e:16:8a:af:17:65:e6:0d:6b:
         40:a4:fa:d3:5e:e7:59:bd:fa:c2:d7:de:7e:8f:a7:47:3e:a5:
         37:56:b3:c8:1b:a5:1a:68:42:ab:4e:2e:13:d7:29:18:c6:5b:
         2a:53:c6:99:98:38:85:04:60:34:a1:b0:4c:13:70:6d:28:a8:
         8b:74:a2:0f:58:a4:34:b5:d1:44:29:a5:85:06:ca:10:e2:7a:
         6c:f5:48:46:bc:94:bf:bb:e8:76:65:06:66:02:ed:97:df:52:
         d7:23:3b:a7:b8:26:27:e4:f0:c5:6b:1d:4f:aa:04:7d:1f:81:
         e2:fa
[root@centos7-liyj /etc/haproxy/conf.d/ssl]#ll
total 12
-rw-r--r-- 1 root root 745 Jun 18 17:15 haproxy.crt
-rw-r--r-- 1 root root 916 Jun 18 17:15 haproxy.key
-rw-r--r-- 1 root root 1661 Jun 18 17:16 haproxy.pem
[root@centos7-liyj /etc/haproxy/conf.d/ssl]#cat haproxy.pem
[output omitted: the PRIVATE KEY block followed by the CERTIFICATE block]
Certificate contents
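Added example, not from the original post: a POSIX shell script that builds the PEM bundle with a single openssl call and then checks that the key and certificate in it actually belong together. The session above generated a 2048-bit key and then overwrote it with a 1024-bit one via -newkey rsa:1024, which is exactly the kind of slip this check catches. It assumes the openssl CLI is installed; the directory, CN and validity period are constructed sample values.

```shell
#!/bin/sh
# Build an HAProxy PEM bundle (private key + self-signed certificate) and
# verify that the two halves match before haproxy is pointed at the file.
set -u

# make_haproxy_pem DIR CN DAYS
# Key and certificate come from one openssl req call, so there is no second
# key-generation step that could silently replace the key the cert was made for.
make_haproxy_pem() {
    dir=$1; cn=$2; days=$3
    mkdir -p "$dir" || return 1
    # -nodes leaves the key unencrypted, which haproxy needs to load it at startup
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$days" \
        -subj "/CN=$cn" -keyout "$dir/haproxy.key" -out "$dir/haproxy.crt" \
        >/dev/null 2>&1 || return 1
    # the crt directive expects certificate and private key in the same PEM file
    cat "$dir/haproxy.key" "$dir/haproxy.crt" > "$dir/haproxy.pem" || return 1
    # the bundle contains the private key, so it must not be world-readable
    chmod 600 "$dir/haproxy.pem" "$dir/haproxy.key"
}

# check_haproxy_pem FILE
# Returns 0 only if FILE holds both a certificate and a private key and the
# public key embedded in the certificate equals the public half of that key.
check_haproxy_pem() {
    pem=$1
    grep -q -- '-----BEGIN CERTIFICATE-----' "$pem" || return 1
    grep -qE -- '-----BEGIN (RSA |EC )?PRIVATE KEY-----' "$pem" || return 1
    # openssl skips PEM blocks of the wrong type, so block order in the bundle does not matter
    cert_pub=$(openssl x509 -in "$pem" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$pem" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}
```

Run check_haproxy_pem against the bundle after every renewal; a non-zero exit means haproxy would either refuse to start or serve a certificate it cannot prove ownership of.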
HTTPS configuration (on the haproxy server)
frontend N65_web_https
    bind 10.0.0.17:80
    ###########################acl setting######################
    #acl acl_static path_beg -i /static /images /javascript
    #acl acl_static path_end -i .jpg .jpeg .png .gif .css .js .html .htm
    #acl acl_app path_beg -i /api
    bind 10.0.0.17:443 ssl crt /etc/haproxy/conf.d/ssl/haproxy.pem   # accept HTTPS and terminate the TLS session here
    redirect scheme https if !{ ssl_fc }                              # redirect requests arriving on port 80 to 443
    use_backend httpd_https
    ###########################acl hosts######################
    #use_backend N65_webserver
    #use_backend static_hosts if acl_static
    #default_backend app_hosts

backend httpd_https
    server 10.0.0.8 10.0.0.8:80 check
    server 10.0.0.18 10.0.0.18:80 check

#backend static_hosts
#    server 10.0.0.8 10.0.0.8:80 check
#backend app_hosts
#    server 10.0.0.18 10.0.0.18:80 check
#backend N65_webserver
#    server 10.0.0.8 10.0.0.8:80
#    server 10.0.0.18 10.0.0.18:80
Supplement
# pass the protocol and port of the user's request on to the backend (valid in a frontend or a backend)
http-request set-header X-Forwarded-Port %[dst_port]
http-request add-header X-Forwarded-Proto https if { ssl_fc }
Logging: enable client IP pass-through
Test
[root@centos7-liyj ~]#curl -k https://www.lyj.org/
10.0.0.8
[root@centos7-liyj ~]#curl -k https://www.lyj.org/
10.0.0.18
[root@centos7-liyj ~]#curl -k https://www.lyj.org/
10.0.0.8
[root@centos7-liyj ~]#curl -k https://www.lyj.org/
10.0.0.18
[root@centos7-liyj ~]#curl -k https://www.lyj.org/
10.0.0.8
Tags: haproxy, 10.0, centos7, ssl, https, Linux, root
Source: https://www.cnblogs.com/lyj1023/p/16388861.html