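When the backend enforces HTTPS but is reached by IP address (https://192.168.0.2), put HAProxy in front of it and configure the certificate there. Example HAProxy configuration file: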
global
    #
    log 127.0.0.1 local2
    chroot /var/lib/haproxy
    pidfile /var/run/haproxy.pid
    maxconn 4000
    user haproxy
    group haproxy
    daemon
    tune.ssl.default-dh-param 2048
    # turn on stats unix socket
    stats socket /var/lib/haproxy/stats
#---------------------------------------------------------------------
# common defaults that all the 'listen' and 'backend' sections will
# use if not designated in their block
#---------------------------------------------------------------------
defaults
    mode http
    log global
    option httplog
    option dontlognull
    option http-server-close
    option forwardfor except 127.0.0.0/8
    option redispatch
    retries 3
    timeout http-request 10s
    timeout queue 1m
    timeout connect 10s
    timeout client 1m
    timeout server 1m
    timeout http-keep-alive 10s
    timeout check 10s
    maxconn 3000
frontend https_frontend
    mode http
    # TLS is terminated here; the .pem file holds the certificate and its private key
    bind *:443 ssl crt /etc/ssl/dh.moneyslow.com.pem
    log global
    default_backend http_servers
backend http_servers
    mode http
    # No port on the address: HAProxy connects to the port the client used (443).
    # "ssl verify none" re-encrypts to the backend without checking its certificate.
    server http_server1 192.168.0.2 check port 443 ssl verify none
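
The backend line above uses verify none, so HAProxy encrypts the connection to 192.168.0.2 but accepts any certificate the backend presents. The following is an added example (not part of the original configuration) showing that line beside a verified variant; the CA file path and the name backend.example.internal are placeholders for the CA that issued the backend's certificate and a name that certificate actually carries:

```haproxy
backend http_servers
    mode http

    # As on the page: encrypted to the backend, but the backend certificate
    # is never validated, so anything answering on 192.168.0.2:443 is trusted.
    # server http_server1 192.168.0.2:443 check ssl verify none

    # Verified variant (placeholder values, adjust to your environment):
    #   ca-file    - CA bundle that issued the backend certificate
    #   verifyhost - name the certificate must match, since we connect by IP
    #   sni        - server name sent in the TLS handshake for proxied traffic
    #   check-sni  - server name sent in the TLS handshake for health checks
    server http_server1 192.168.0.2:443 check ssl verify required ca-file /etc/haproxy/backend-ca.pem verifyhost backend.example.internal sni str(backend.example.internal) check-sni backend.example.internal
```

With verify required, health checks fail and the server is marked down if the backend certificate does not chain to the CA file or does not match the verifyhost name.
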
Check the configuration file syntax:
haproxy -f /etc/haproxy/haproxy.cfg -c
systemctl start haproxy
Make sure the service status is correct after starting it:
# systemctl status haproxy.service
● haproxy.service - HAProxy Load Balancer
Loaded: loaded (/usr/lib/systemd/system/haproxy.service; enabled; vendor preset: disabled)
Active: active (running) since Mon 2025-02-17 16:07:52 CST; 16h ago
Process: 14723 ExecStartPre=/usr/sbin/haproxy -f $CONFIG -f $CFGDIR -c -q $OPTIONS (code=exited, status=0/SUCCESS)
Main PID: 14737 (haproxy)
Tasks: 2 (limit: 23255)
Memory: 7.7M
CGroup: /system.slice/haproxy.service
├─14737 /usr/sbin/haproxy -Ws -f /etc/haproxy/haproxy.cfg -f /etc/haproxy/conf.d -p /run/haproxy.pid
└─14740 /usr/sbin/haproxy -Ws -f /etc/haproxy/haproxy.cfg -f /etc/haproxy/conf.d -p /run/haproxy.pid
Feb 17 16:07:52 bh systemd[1]: haproxy.service: Succeeded.
Feb 17 16:07:52 bh systemd[1]: Stopped HAProxy Load Balancer.
Feb 17 16:07:52 bh systemd[1]: Starting HAProxy Load Balancer...
Feb 17 16:07:52 bh systemd[1]: Started HAProxy Load Balancer.