Https configuration for haproxy Learning

Https configuration for haproxy Learning
Some time ago, I wrote a few articles about learning haproxy. Today, we will introduce the https configuration of haproxy. We will not introduce the advantages of https. We will only introduce how to configure https and the application of https in the actual production environment. PS: All tests passed in haproxy1.5.4. The configuration parameters of haproxy1.3 and earlier haproxy versions may not be available. Note the version number. The following haproxy configuration is directly used in the online production environment. I. Business requirements currently have the following requirements based on actual business needs. 1.1 http redirect https redirects all the addresses of all request http://http.ilanni.com to https //: http.ilanni.com. 1.2 Both http and https servers enable both http://http.ilanni.com and https://http.ilanni.com access. 1.3 https between different domain names of the same server and http the same server to http.ilanni.com domain access all jump to the https://http.ilanni.com, And to haproxy.ilanni.com access to the http protocol, that is, jump to the http://haproxy.ilanni.com address. 1.4 multiple domain names on the same server Use https. The same server uses http protocol to access http.ilanni.com and haproxy.ilanni.com. 2. Configure haproxy and test the business needs. Now we can configure haproxy to meet the business needs one by one. 2.1 http jump https configuration to be honest, the https configuration of haproxy is much simpler than nginx configuration. We only need to add a few lines of code to implement the https function. The content of the haproxy configuration file for http redirect to https is as follows: global log 127.0.0.1 local0 log 127.0.0.1 local1 notice maxconn 4096 uid 188 gid 188 daemon tune. ssl. default-dh-param 2048 defaults log global mode http option httplog option dontlognull option http-server-close option forwardfor processing t 127.0.0.1 option redispatch retries 3 option redispatch maxconn 2000 timeout http-request 10 s timeout queue 1 m timeout connect 10 s ti Meout client 1 m timeout server 1 m timeout http-keep-alive 10 s timeout check 10 s maxconn 3000 listen admin_stats bind 0.0.0.0: 1080 mode http option httplog maxconn 10 stats refresh 30 s stats uri/stats auth admin: admin stats hide-version frontend weblb bind *: 80 acl is_http hdr_beg (host) http.ilanni.com redirect scheme https if! {Ssl_fc} bind *: 443 ssl crt/etc/haproxy/ilanni.com. pem use_backend httpserver if is_http backend httpserver balance source server web1 127.0.0.1: 7070 maxconn 1024 weight 3 check inter 2000 rise 2 fall 3 in the above configuration file, note the following options: tune. ssl. the default-dh-param 2048 is declared here because our SSL key uses 2048bit encryption. Acl is_http hdr_beg (host) http.ilanni.com redirect scheme https if! {Ssl_fc} bind *: 443 ssl crt/etc/haproxy/ilanni.com. pem these three lines indicate that all requests to access the http.ilanni.com domain name are forwarded to the https://http.ilanni.com connection. 2.2 After the http jump https configuration is complete, we choose to test its jump. As follows: you will find that in the browser, whether you enter http.ilanni.com, http://http.ilanni.com or https://http.ilanni.com, will automatically jump to the https://http.ilanni.com. In this way, all http requests are redirected to https. 2.3 If http and https coexist, configure haproxy to implement both http and https, and configure haproxy to monitor different ports separately. The configuration file is as follows: global log 127.0.0.1 local0 log 127.0.0.1 local1 notice maxconn 4096 user haproxy group haproxy daemon tune. ssl. default-dh-param 2048 defaults log global mode http option httplog option dontlognull retries 3 option redispatch maxconn 2000 timeout connect 5000 ms timeout client 50000 ms timeout server 50000 ms listen adm In_stats bind 0.0.0.0: 1080 mode http option httplog maxconn 10 stats refresh 30 s stats uri/stats auth admin: admin stats hide-version frontend weblb bind *: 80 acl is_http hdr_beg (host) http.ilanni.com use_backend httpserver if is_http backend httpserver balance source server web1 127.0.0.1: 7070 maxconn 1024 weight 3 check inter 2000 rise 2 fall 3 frontend weblb443 bind *: 443 ssl crt/etc/hap Roxy/ilanni.com. pem acl is_443 hdr_beg (host) http.ilanni.com use_backend httpserver443 if is_443 backend httpserver443 balance source server web1 127.0.0.1: 7070 maxconn 1024 weight 3 check inter 2000 rise 2 fall 3 in the preceding configuration file, we have defined two front ends. One front end is used to listen to port 80, that is, the http protocol. Another frontend listens to port 443, that is, the https protocol. At this time, haproxy will distribute requests based on the protocol requested by the client. If the client requests an http protocol, the request will be distributed to the front end of the listening port 80. If the client requests https, the request is distributed to the front-end of the listening port 443. In this way, the haproxy requires that http and https coexist. 2.4 After both http and https are tested and configured, we choose to test the redirection. As follows: through the test you will find that in the browser if you enter a http://http.ilanni.com or http.ilanni.com will jump directly to the http://http.ilanni.com, and enter a https://http.ilanni.com, will only jump to the https://http.ilanni.com. As a result, our business needs to coexist with http and https. 2.5 https and http configurations for different domain names on the same server the http and https configurations for different domain names on the same server are complicated. First, you need to listen to two ports, and second, you need to distribute the requests based on different domain names. The haproxy configuration file is as follows: global log 127.0.0.1 local0 log 127.0.0.1 local1 notice maxconn 4096 uid 188 gid 188 daemon tune. ssl. default-dh-param 2048 defaults log global mode http option httplog option dontlognull option http-server-close option forwardfor processing t 127.0.0.1 option redispatch retries 3 option redispatch maxconn 2000 timeout http-request 10 s timeout queue 1 m timeout connect 10 s timeout client 1 m Timeout server 1 m timeout http-keep-alive 10 s timeout check 10 s maxconn 3000 listen admin_stats bind 0.0.0.0: 1080 mode http option httplog maxconn 10 stats refresh 30 s stats uri/stats auth admin: admin stats hide-version frontend weblb bind *: 80 acl is_haproxy hdr_beg (host) haproxy.ilanni.com acl is_http hdr_beg (host) http.ilanni.com redirect prefix https://http.ilanni.com if is_http use_ba Ckend haproxyserver if your backend haproxyserver balance source server web1 127.0.0.1: 9090 maxconn 1024 weight 3 check inter 2000 rise 2 fall 3 frontend release bind *: 443 ssl crt/etc/haproxy/ilanni.com. pem acl is_443 hdr_beg (host) http.ilanni.com use_backend httpserver443 if is_443 backend httpserver443 balance source server web1 127.0.0.1: 7070 maxconn 1024 weight 3 check inter 2000 rise 2 fall 3 https and http configurations for different domain names on the same server. We have configured two frontend servers to listen to port 80 and redirect requests based on different domain names. In Port 80 Rules, if the client requests http.ilanni.com, the domain name, haproxy will redirect the request directly to the https://http.ilanni.com. If the domain name is haproxy.ilanni.com, it is distributed to the backend server. Another front end is used to listen to port 443 for distributing requests from the client https://http.ilanni.com. 2.6 test the configuration of https and http between different domain names of the same server and different domain names of the same server. After the configuration is complete, let's test the configuration. As follows: through, we can find in the browser input haproxy.ilanni.com will jump to the http://haproxy.ilanni.com address, and if the input is http.ilanni.com, or http://http.ilanni.com, will jump to the https://http.ilanni.com. So we met our business requirements, access to haproxy.ilanni.com on the same server directly jump to port 80, if the access is http.ilanni.com domain name, then jump to the https://http.ilanni.com address. 2.7 It is easy to configure multiple domain names on the same server using https. You only need to enable the respective https configuration in haproxy. The haproxy configuration file is as follows: global log 127.0.0.1 local0 log 127.0.0.1 local1 notice maxconn 4096 uid 108 gid 116 daemon tune. ssl. default-dh-param 2048 defaults log global mode http option httplog option dontlognull option http-server-close option forwardfor partition t 127.0.0.1 option redispatch retries 3 option redispatch timeout http-request 10 s timeout queue 1 m timeout connect 10 s timeout client 1 m timeout ser Ver 1 m timeout http-keep-alive 10 s timeout check 10 s maxconn 3000 listen admin_stats bind 0.0.0.0: 1080 mode http option httplog maxconn 10 stats refresh 30 s stats uri/stats auth admin: admin stats hide-version frontend web80 bind *: 80 acl is_http hdr_beg (host) http.ilanni.com redirect scheme https if! {Ssl_fc} bind *: 443 ssl crt/etc/haproxy/ilanni.com. pem acl is_haproxy hdr_beg (host) haproxy.ilanni.com redirect scheme https if! {Ssl_fc} bind *: 443 ssl crt/etc/haproxy/ilanni.com. pem use_backend httpserver if is_http use_backend haproxyserver if your backend httpserver balance source server web1 127.0.0.1: 6060 maxconn 1024 weight 3 check inter 2000 rise 2 fall 3 backend haproxyserver balance source server web1 balance: 9090 maxconn 1024 weight 3 check inter 2000 rise 2 fall 3 configuration file is relatively simple and will not be further explained here. 2.8 test if multiple domain names on the same server Use https and multiple domain names on the same server Use https. After the configuration is complete, let's test it now. Through, we can see in the browsing whether it is input http.ilanni.com, http://http.ilanni.com, or haproxy.ilanni.com, http://haproxy.ilanni.com, will jump to the corresponding https address. This also meets our business requirements.