ROTTEN: haproxy learning, https configuration
 
This article is sponsored by ilanniweb and first published on The world
 
Some time ago I wrote a few articles about learning haproxy. Today we introduce the https configuration of haproxy. We will not cover the advantages of https itself.

We will only cover how to configure https and how it is applied in a real production environment.
 
PS: All tests in this article passed on haproxy 1.5.4. Some of the configuration parameters may not be available in haproxy 1.3 and earlier versions, so pay attention to the version number.
 
The following haproxy configuration is directly used in the online production environment.
 
1. Business Requirements
 
According to the actual needs of the business, there are several different requirements. As follows:
 
1.1 Redirect http to https

Redirect all requests for http://http.ilanni.com to https://http.ilanni.com.
 
1.2 Coexistence of http and https

The server accepts access through both http://http.ilanni.com and https://http.ilanni.com at the same time.
 
1.3 https and http for different domain names on the same server

On the same server, all access to the http.ilanni.com domain name is directed to https://http.ilanni.com, and access to haproxy.ilanni.com is directed to http://haproxy.ilanni.com.
 
1.4 Multiple domain names on the same server use https

The same server uses the https protocol for access to both http.ilanni.com and haproxy.ilanni.com.
 
2. Configure haproxy and test the business requirements
 
Now we can configure haproxy to meet our business needs one by one.
 
2.1 http redirect to https configuration
 
To be honest, the https configuration of haproxy is much simpler than that of nginx. We only need to add a few lines of code to implement the https function.
 
The content of the haproxy configuration file for http redirect to https is as follows:
 
    global
        log 127.0.0.1 local0
        log 127.0.0.1 local1 notice
        maxconn 4096
        uid 188
        gid 188
        daemon
        tune.ssl.default-dh-param 2048

    defaults
        log global
        mode http
        option httplog
        option dontlognull
        option http-server-close
        option forwardfor except 127.0.0.1
        option redispatch
        retries 3
        option redispatch
        maxconn 2000
        timeout http-request 10s
        timeout queue 1m
        timeout connect 10s
        timeout client 1m
        timeout server 1m
        timeout http-keep-alive 10s
        timeout check 10s
        maxconn 3000

    # statistics page on port 1080, protected by user:password
    listen admin_stats
        bind 0.0.0.0:1080
        mode http
        option httplog
        maxconn 10
        stats refresh 30s
        stats uri /stats
        stats auth admin:admin
        stats hide-version

    frontend weblb
        bind *:80
        acl is_http hdr_beg(host) http.ilanni.com
        # send any request that did not arrive over SSL to the same URL with the https scheme
        redirect scheme https if !{ ssl_fc }
        # terminate SSL on port 443 using the PEM file that holds the certificate and key
        bind *:443 ssl crt /etc/haproxy/ilanni.com.pem
        use_backend httpserver if is_http

    backend httpserver
        balance source
        server web1 127.0.0.1:7070 maxconn 1024 weight 3 check inter 2000 rise 2 fall 3
 
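Note the following options in the preceding configuration file:

tune.ssl.default-dh-param 2048 is declared here because our SSL key uses 2048-bit encryption. The parameter sets the maximum size of the Diffie-Hellman parameters that haproxy uses for DHE key exchange.

    acl is_http hdr_beg(host) http.ilanni.com
    redirect scheme https if !{ ssl_fc }
    bind *:443 ssl crt /etc/haproxy/ilanni.com.pem

These three lines mean that all requests for the http.ilanni.com domain name are redirected to https://http.ilanni.com. The redirect rule itself only tests ssl_fc, so it applies to every request that did not arrive over SSL; the is_http acl is what use_backend uses to select the backend.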
 
2.2 Test the http redirect to https

After the http to https redirect is configured, we test it:

You will find that in the browser, whether you enter http.ilanni.com, http://http.ilanni.com or https://http.ilanni.com, you are automatically taken to https://http.ilanni.com.

In this way, all http requests are redirected to https.
 
2.3 Coexistence of http and https

Coexistence of http and https is easy to configure in haproxy. You only need to have haproxy listen on different ports. The configuration file is as follows:
 
    global
        log 127.0.0.1 local0
        log 127.0.0.1 local1 notice
        maxconn 4096
        user haproxy
        group haproxy
        daemon
        tune.ssl.default-dh-param 2048

    defaults
        log global
        mode http
        option httplog
        option dontlognull
        retries 3
        option redispatch
        maxconn 2000
        timeout connect 5000ms
        timeout client 50000ms
        timeout server 50000ms

    listen admin_stats
        bind 0.0.0.0:1080
        mode http
        option httplog
        maxconn 10
        stats refresh 30s
        stats uri /stats
        stats auth admin:admin
        stats hide-version

    # plain http on port 80, no redirect
    frontend weblb
        bind *:80
        acl is_http hdr_beg(host) http.ilanni.com
        use_backend httpserver if is_http

    backend httpserver
        balance source
        server web1 127.0.0.1:7070 maxconn 1024 weight 3 check inter 2000 rise 2 fall 3

    # https on port 443, SSL terminated by haproxy
    frontend weblb443
        bind *:443 ssl crt /etc/haproxy/ilanni.com.pem
        acl is_443 hdr_beg(host) http.ilanni.com
        use_backend httpserver443 if is_443

    backend httpserver443
        balance source
        server web1 127.0.0.1:7070 maxconn 1024 weight 3 check inter 2000 rise 2 fall 3
 
In the preceding configuration file, we define two frontends. One frontend listens on port 80, that is, the http protocol. The other frontend listens on port 443, that is, the https protocol.

haproxy then distributes requests based on the protocol requested by the client. If the client requests http, the request is handled by the frontend listening on port 80. If the client requests https, the request is handled by the frontend listening on port 443. In this way, haproxy meets the requirement that http and https coexist.

2.4 Test coexistence of http and https

After both http and https are configured, we test the behaviour:

Through the test you will find that if you enter http://http.ilanni.com or http.ilanni.com in the browser, you go directly to http://http.ilanni.com, and if you enter https://http.ilanni.com, you go only to https://http.ilanni.com.

This meets our business requirement for http and https to coexist.
 
2.5 https and http configuration for different domain names on the same server

The http and https configuration for different domain names on the same server is more complex. First, haproxy needs to listen on two ports, and then distribute the requests based on the domain name.
 
The haproxy configuration file is as follows:
 
    global
        log 127.0.0.1 local0
        log 127.0.0.1 local1 notice
        maxconn 4096
        uid 188
        gid 188
        daemon
        tune.ssl.default-dh-param 2048

    defaults
        log global
        mode http
        option httplog
        option dontlognull
        option http-server-close
        option forwardfor except 127.0.0.1
        option redispatch
        retries 3
        option redispatch
        maxconn 2000
        timeout http-request 10s
        timeout queue 1m
        timeout connect 10s
        timeout client 1m
        timeout server 1m
        timeout http-keep-alive 10s
        timeout check 10s
        maxconn 3000

    listen admin_stats
        bind 0.0.0.0:1080
        mode http
        option httplog
        maxconn 10
        stats refresh 30s
        stats uri /stats
        stats auth admin:admin
        stats hide-version

    frontend weblb
        bind *:80
        acl is_haproxy hdr_beg(host) haproxy.ilanni.com
        acl is_http hdr_beg(host) http.ilanni.com
        # requests for http.ilanni.com on port 80 are redirected to the fixed https prefix
        redirect prefix https://http.ilanni.com if is_http
        # requests for haproxy.ilanni.com stay on http
        use_backend haproxyserver if is_haproxy

    backend haproxyserver
        balance source
        server web1 127.0.0.1:9090 maxconn 1024 weight 3 check inter 2000 rise 2 fall 3

    frontend weblb443
        bind *:443 ssl crt /etc/haproxy/ilanni.com.pem
        acl is_443 hdr_beg(host) http.ilanni.com
        use_backend httpserver443 if is_443

    backend httpserver443
        balance source
        server web1 127.0.0.1:7070 maxconn 1024 weight 3 check inter 2000 rise 2 fall 3
 
For https and http between different domain names on the same server, we have configured two frontends. The first listens on port 80 and handles requests according to the domain name. Under the port 80 rules, if the client requests the http.ilanni.com domain name, haproxy redirects the request directly to https://http.ilanni.com. If the domain name is haproxy.ilanni.com, the request is distributed to the backend server.

The other frontend listens on port 443 and distributes client requests for https://http.ilanni.com.
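The routing described above, as an added example that is not part of the original article: a simplified Python model of how the two frontends from section 2.5 treat a request, given its port and Host header. The function names parse_frontends and route are hypothetical, the parser covers only the directives used in that configuration, and the embedded configuration is a constructed copy in normalized syntax.

```python
# Constructed copy of the two frontends from section 2.5, in normalized haproxy syntax.
CONFIG = """
frontend weblb
    bind *:80
    acl is_haproxy hdr_beg(host) haproxy.ilanni.com
    acl is_http hdr_beg(host) http.ilanni.com
    redirect prefix https://http.ilanni.com if is_http
    use_backend haproxyserver if is_haproxy
frontend weblb443
    bind *:443 ssl crt /etc/haproxy/ilanni.com.pem
    acl is_443 hdr_beg(host) http.ilanni.com
    use_backend httpserver443 if is_443
"""

def parse_frontends(text):
    """Map each bound port to its acls, redirect rules and use_backend rules."""
    by_port, cur = {}, None
    for line in text.splitlines():
        w = line.split()
        if not w:
            continue
        if w[0] == "frontend":
            cur = {"acls": {}, "redirects": [], "backends": []}
        elif w[0] == "bind":
            by_port[int(w[1].rsplit(":", 1)[1])] = cur
        elif w[0] == "acl" and w[2] == "hdr_beg(host)":
            cur["acls"][w[1]] = w[3]
        elif w[0] == "redirect" and w[1] == "prefix":
            cur["redirects"].append((w[2], w[4]))      # (prefix, acl name)
        elif w[0] == "use_backend":
            cur["backends"].append((w[1], w[3]))       # (backend, acl name)
    return by_port

def route(frontends, port, host, path="/"):
    """Model haproxy's order: redirect rules first, then use_backend, else 503."""
    fe = frontends[port]
    def hit(acl):
        return host.startswith(fe["acls"][acl])        # hdr_beg is a prefix match
    for prefix, acl in fe["redirects"]:
        if hit(acl):
            return ("302", prefix + path)              # 302 is haproxy's default code
    for backend, acl in fe["backends"]:
        if hit(acl):
            return ("backend", backend)
    return ("503", None)   # nothing matched and there is no default_backend

if __name__ == "__main__":
    fe = parse_frontends(CONFIG)
    for port, host in [(80, "http.ilanni.com"), (80, "haproxy.ilanni.com"),
                       (443, "http.ilanni.com"), (443, "haproxy.ilanni.com")]:
        print(port, host, route(fe, port, host))
```

The last case shows a gap the prose does not mention: https://haproxy.ilanni.com matches no rule on the 443 frontend, and with no default_backend configured haproxy answers 503.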
 
2.6 Test the https and http configuration for different domain names on the same server

After configuring https and http for different domain names on the same server, let's test it now:

Through the test, we can see that entering haproxy.ilanni.com in the browser goes to the http://haproxy.ilanni.com address, while entering http.ilanni.com or http://http.ilanni.com goes to https://http.ilanni.com.

So we have met our business requirement: on the same server, access to haproxy.ilanni.com goes directly to port 80, and access to the http.ilanni.com domain name goes to the https://http.ilanni.com address.
 
2.7 Configuration for multiple domain names on the same server using https

Making multiple domain names on the same server use https is very simple to configure. You only need to enable the https configuration for each of them in haproxy.
 
The haproxy configuration file is as follows:
 
    global
        log 127.0.0.1 local0
        log 127.0.0.1 local1 notice
        maxconn 4096
        uid 108
        gid 116
        daemon
        tune.ssl.default-dh-param 2048

    defaults
        log global
        mode http
        option httplog
        option dontlognull
        option http-server-close
        option forwardfor except 127.0.0.1
        option redispatch
        retries 3
        option redispatch
        timeout http-request 10s
        timeout queue 1m
        timeout connect 10s
        timeout client 1m
        timeout server 1m
        timeout http-keep-alive 10s
        timeout check 10s
        maxconn 3000

    listen admin_stats
        bind 0.0.0.0:1080
        mode http
        option httplog
        maxconn 10
        stats refresh 30s
        stats uri /stats
        stats auth admin:admin
        stats hide-version

    frontend web80
        bind *:80
        acl is_http hdr_beg(host) http.ilanni.com
        redirect scheme https if !{ ssl_fc }
        bind *:443 ssl crt /etc/haproxy/ilanni.com.pem
        # the same redirect and bind lines are repeated for the second domain name
        acl is_haproxy hdr_beg(host) haproxy.ilanni.com
        redirect scheme https if !{ ssl_fc }
        bind *:443 ssl crt /etc/haproxy/ilanni.com.pem
        # choose the backend by domain name
        use_backend httpserver if is_http
        use_backend haproxyserver if is_haproxy

    backend httpserver
        balance source
        server web1 127.0.0.1:6060 maxconn 1024 weight 3 check inter 2000 rise 2 fall 3

    backend haproxyserver
        balance source
        server web1 127.0.0.1:9090 maxconn 1024 weight 3 check inter 2000 rise 2 fall 3
 
The configuration file is relatively simple and will not be further explained here.
 
2.8 Test that multiple domain names on the same server use https

With https configured for multiple domain names on the same server, let's test it now.

Through the test, we can see that whether we enter http.ilanni.com, http://http.ilanni.com, haproxy.ilanni.com or http://haproxy.ilanni.com in the browser, we are taken to the corresponding https address.
 
This also meets our business requirements.