
Haproxy ACL rules for SSL


I need to configure Haproxy for SSL so that if a certain keyword matches in the URL, it should go to the non-SSL port (8080), and for the rest of the calls it should go to the SSL port 8443.

I have assigned 127.0.0.1 to example.com, so if the URL example.com is entered in the browser it points to localhost on my machine.

In the frontend ssl, the acl rules are not working, because URLs with the action "reporting" or "account_management" are not going to the backend proxybackend. Even when the URL has action=reporting, all traffic goes through default_backend SSLappAPI.

Is the acl not working because I am trying to use a non-SSL port for SSL traffic, or is there any issue in the haproxy configuration below?

Any help is appreciated.

Sample URL: https://example.com/api/?uid=NrpB1vfSR01KVsxw1YI5H4&action=reporting

frontend  main *:80

    acl is_api url_param(action) -i host_check
    use_backend appAPI      if is_api
    default_backend             appUI
    option             forwardfor

frontend ssl
    mode tcp
    bind *:443
    option tcplog
    acl server_ssl urlp_sub(action) -i reporting
    acl server_ssl urlp_sub(action) -i account_management
    acl server_ssl hdr(host) -i example.com
    acl server_ssl hdr_sub(host) -i example.com

    use_backend proxybackend if server_ssl
    default_backend             SSLappAPI
    option             forwardfor

backend appUI
    server      ui-server 127.0.0.1:8080 check maxconn 50#ui <- leave this format to allow for selective script replacement

backend appAPI
    server  api-server 127.0.0.1:8080 check maxconn 750#api <- leave this format to allow for selective script replacement
    timeout http-keep-alive 0s

backend SSLappAPI
    mode tcp
    server  api-server 127.0.0.1:8443 check maxconn 800#ssl <- leave this format to allow for selective script replacement

backend proxybackend
    server proxyserver 127.0.0.1:8080

1 Answer

The rule 'req_ssl_sni' did the trick. It looks like normal ACLs do not apply to SSL; here 'req_ssl_sni' comes to the rescue.

The working code for 2 SSL servers using the same haproxy is as follows. The code below also works with SSL certificates without needing to install a combined .PEM certificate on the haproxy server.

frontend ssl
    mode tcp
    bind *:443
    option tcplog

    # wait for the TLS ClientHello so req_ssl_sni has something to inspect
    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }

    # route on the SNI hostname carried in the unencrypted ClientHello
    use_backend SSLappAPI if { req_ssl_sni -i anoexample.com }
    use_backend proxybackend if { req_ssl_sni -i example.com }

    default_backend             SSLappAPI

backend SSLappAPI
    mode tcp
    server  api-server 127.0.0.1:8443 check maxconn 800#ssl <- leave this format to allow for selective script replacement

backend proxybackend
    mode tcp
    #option nolinger
    option tcplog
    balance roundrobin
    hash-type consistent
    option srvtcpka

    # maximum SSL session ID length is 32 bytes.
    stick-table type binary len 32 size 30k expire 30m

    # make sure we cover type 1 (fallback)
    acl clienthello req_ssl_hello_type 1
    acl serverhello rep_ssl_hello_type 2

    # use tcp content accepts to detect ssl client and server hello.
    tcp-request inspect-delay 5s
    tcp-request content accept if clienthello

    # no timeout on response inspect delay by default.
    tcp-response content accept if serverhello

    # SSL session ID (SSLID) may be present on a client or server hello.
    # Its length is coded on 1 byte at offset 43 and its value starts
    # at offset 44.
    # Match and learn on request if client hello.
    stick on payload_lv(43,1) if clienthello

    # Learn on response if server hello.
    stick store-response payload_lv(43,1) if serverhello

    #option ssl-hello-chk

    server proxyserver 127.0.0.2:443
