Manuelle HAProxy Konfiguration: Unterschied zwischen den Versionen

Aus Xinux Wiki
Zur Navigation springen Zur Suche springen
 
(3 dazwischenliegende Versionen desselben Benutzers werden nicht angezeigt)
Zeile 1: Zeile 1:
=Schaubild=
+
*[[HAProxy mit Wildcard Zertifikaten und 2 Servern]]
*Eine Anfrage kommt beim HAProxy an
+
*[[HAProxy Round Robin mit Selbstsignierten Zertifikat]]
*Sie geht in einem Frontend ein
 
*Es wird anhand einer ACL ein passendes Backend gewählt.
 
*Dort ist die Verbindung zu realen Server hinterlegt.
 
{{#drawio:haproxy-3}}
 
 
 
=Domaine=
 
*Letscrypt Wildcard Zertifikate ist vorhanden
 
*schmeich.de
 
=Zertfikat und Key zusammenfügen=
 
*cd /etc/letsencrypt/live/schmeich.int
 
*cat fullchain.pem privkey.pem > /etc/haproxy/ssl/schmeich.pem
 
 
 
=HTTPS Proxy mit mehren Webservern=
 
<pre>
 
global
 
log /dev/log local0
 
log /dev/log local1 notice
 
chroot /var/lib/haproxy
 
stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
 
stats timeout 30s
 
user haproxy
 
group haproxy
 
daemon
 
 
 
# Default SSL material locations
 
ca-base /etc/ssl/certs
 
crt-base /etc/ssl/private
 
 
 
# See: https://ssl-config.mozilla.org/#server=haproxy&server-version=2.0.3&config=intermediate
 
        ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA
 
-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
 
        ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
 
        ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
 
 
 
defaults
 
log global
 
mode http
 
option httplog
 
option dontlognull
 
        timeout connect 5000
 
        timeout client  50000
 
        timeout server  50000
 
errorfile 400 /etc/haproxy/errors/400.http
 
errorfile 403 /etc/haproxy/errors/403.http
 
errorfile 408 /etc/haproxy/errors/408.http
 
errorfile 500 /etc/haproxy/errors/500.http
 
errorfile 502 /etc/haproxy/errors/502.http
 
errorfile 503 /etc/haproxy/errors/503.http
 
errorfile 504 /etc/haproxy/errors/504.http
 
 
 
# Frontend: Public-Service ()
 
frontend Public-Service
 
    bind 194.59.156.165:443 name 194.59.156.165:443 ssl  crt /etc/haproxy/ssl/schmeich.pem
 
    mode http
 
    option http-keep-alive
 
    option forwardfor
 
    timeout client 30s
 
    acl acl_hertha hdr_beg(host)  -i hertha
 
    acl acl_maria hdr_beg(host)  -i maria
 
    use_backend backend_hertha if acl_hertha
 
    use_backend backend_maria  if acl_maria
 
 
 
frontend Public-Service-Http
 
    bind 194.59.156.165:80 name 194.59.156.165:80
 
    mode http
 
    option http-keep-alive
 
    option forwardfor
 
    timeout client 30s
 
  acl acl_http req.proto_http
 
    http-request redirect code 301 scheme https if acl_http
 
 
 
backend backend_hertha
 
    mode http
 
    balance source
 
    stick-table type ip size 50k expire 30m
 
    stick on src
 
    timeout connect 30s
 
    timeout server 30s
 
    http-reuse safe
 
    #server hertha 10.82.228.11:443 ssl verify none
 
    server hertha 10.82.228.11:80
 
 
 
 
 
backend backend_maria
 
    mode http
 
    balance source
 
    stick-table type ip size 50k expire 30m
 
    stick on src
 
    timeout connect 30s
 
    timeout server 30s
 
    http-reuse safe
 
    #server maria 10.82.228.12:443
 
</pre>
 
 
 
=Test=
 
*haproxy -c -f  /etc/haproxy/haproxy.cfg
 
Configuration file is valid
 
 
 
=sources=
 
*https://gridscale.io/community/tutorials/haproxy-ssl/
 
*https://www.meshcloud.io/en/2017/04/18/pem-file-layout-for-haproxy/
 

Aktuelle Version vom 26. September 2022, 19:52 Uhr

Abgerufen von „http://wiki.ixheim.de/index.php?title=Manuelle_HAProxy_Konfiguration&oldid=36410