HAPROXY reqirep on the Host header does not forward

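I have a web server running behind haproxy version 1.5-dev19 2013/06/17 (in fact it matters) that only accepts requests for a certain internal domain; let's call it: internal-address. This means an HTTP request is valid only when its Host header has the suffix internal-address (e.g. Host: login.internal-address).

Users from the WAN can reach this web server by connecting to an external address that has IP forwarding to the internal server. But when a user goes to the external address, the Host header has the suffix external-address, and the web server behind haproxy rejects the request.

I added reqirep entries to the haproxy configuration: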

global
    log 127.0.0.1   syslog info
    daemon
    user vcap
    group vcap
    maxconn 64000
    spread-checks 4

defaults
    log global
    timeout connect 30000ms
    timeout client 300000ms
    timeout server 300000ms

frontend http-in
    mode http
    bind :80
    option httplog
    option forwardfor
    reqadd X-Forwarded-Proto:\ http
    default_backend http-routers


frontend https-in
    mode http
    bind :443 ssl crt /var/vcap/jobs/haproxy/config/cert.pem
    option httplog
    option forwardfor
    option http-server-close
    reqadd X-Forwarded-Proto:\ https
    default_backend http-routers

frontend ssl-in
    mode tcp
    bind :4443 ssl crt /var/vcap/jobs/haproxy/config/cert.pem
    default_backend tcp-routers


backend http-routers
    mode http
    balance roundrobin
    reqirep ^Host:\ uaa.external-address       Host:\ uaa.internal-address
    reqirep ^Host:\ api.external-address       Host:\ api.internal-address
    reqirep ^Host:\ external-address:4443      Host:\ loggregator.internal-address:4443

    server node0 172.20.0.1:8888 check inter 1000

backend tcp-routers
    mode tcp
    balance roundrobin
    reqirep ^Host:\ external-address:4443      Host:\ loggregator.internal-address:4443

    server node0 172.20.0.1:8888 check inter 1000

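And every request sent to uaa.external-address or api.external-address is indeed changed, and the web server behind haproxy receives the request as if the Host header had the suffix internal-address. But the third rule: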

reqirep ^Host:\ external-address:4443      Host:\ loggregator.internal-address:4443

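doesn't work :( The web server's access log shows that the Host header was sent as external-address:4443, which means haproxy matched the Host header correctly, and then the web server rejects the request. The request made by the client is: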

WEBSOCKET REQUEST: [2014-10-01T10:25:07+03:00]
GET /tail/?app=029a1269-67fe-46e2-85f7-e1b0b5d34193 HTTP/1.1
Host: wss://external-address:4443
Upgrade: websocket
Connection: Upgrade
Sec-WebSocket-Version: 13
Sec-WebSocket-Key: [HIDDEN]
Origin: http://localhost
Authorization: [PRIVATE DATA HIDDEN]

Does anyone know what is wrong with the rule?

EDIT:

I removed the rules from the backend and created more generic rules in the frontends; it still does not work for websockets:

frontend https-in
    mode http
    bind :443 ssl crt /var/vcap/jobs/haproxy/config/cert.pem
    option httplog
    option forwardfor
    option http-server-close
    reqadd X-Forwarded-Proto:\ https
    default_backend http-routers
    reqirep ^Host:\ (.*).external-address(.*)  Host:\ \1.internal-address\2


frontend ssl-in
    mode tcp
    bind :4443 ssl crt /var/vcap/jobs/haproxy/config/cert.pem
    default_backend tcp-routers
    reqirep ^Host:\ (.*).external-address(.*)      Host:\ \1.internal-address\2

Thanks in advance.

1 Answer

  • 1

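    Which version of HAProxy are you running? If it is 1.4, add "option http-server-close" to the "defaults" section.

    By default, 1.4 is in tunnel mode, which makes HAProxy analyze the first request and response and forward subsequent requests and responses as payload.

    In 1.5, it should work out of the box. HAProxy uses a new mode, "http-keep-alive", which lets HAProxy always analyze everything.

    Baptiste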
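An added example, not part of the original question or answer: it replays the reqirep patterns from the question against Host header lines to show which rules fire and what the backend would receive. It assumes Python's `re` behaves like HAProxy's regex engine for these simple patterns and that a matching reqirep replaces the whole header line; `apply_rules` is a hypothetical helper, and every sample line except the logged `Host: wss://external-address:4443` is constructed.

```python
import re

# Patterns from the question, with HAProxy's "\ " (escaped space) written
# as a plain space. reqirep is the case-insensitive form of reqrep.
BACKEND_RULES = [
    (r"^Host: uaa.external-address", r"Host: uaa.internal-address"),
    (r"^Host: api.external-address", r"Host: api.internal-address"),
    (r"^Host: external-address:4443", r"Host: loggregator.internal-address:4443"),
]
# The generic rule from the EDIT section of the question.
EDIT_RULES = [
    (r"^Host: (.*).external-address(.*)", r"Host: \1.internal-address\2"),
]

# Host line exactly as it appears in the request log on the page.
LOGGED = "Host: wss://external-address:4443"


def apply_rules(line, rules):
    """Apply each rule in order; a match replaces the entire header line."""
    for pattern, replacement in rules:
        match = re.search(pattern, line, flags=re.IGNORECASE)
        if match:
            line = match.expand(replacement)
    return line


if __name__ == "__main__":
    samples = [
        "Host: uaa.external-address",    # constructed
        "Host: api.external-address",    # constructed
        "Host: external-address:4443",   # constructed: bare host and port
        LOGGED,                          # from the page's request log
    ]
    for name, rules in (("backend", BACKEND_RULES), ("edit", EDIT_RULES)):
        for line in samples:
            result = apply_rules(line, rules)
            state = "rewritten" if result != line else "unchanged"
            print(f"{name:8} {state:10} {line!r} -> {result!r}")
```

Running it shows two things worth checking before looking at proxy modes: the logged Host value is not touched by the third backend rule, and the generic rule requires at least one character before `external-address`, so a bare `external-address:4443` is left unchanged.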
