Haproxy-1.5.x SSL Configuration

Source: Internet
Author: User

We had been using haproxy-1.4 as the proxy, but it does not support SSL configuration. haproxy-1.5 does, so we upgraded to that version for testing. The existing Apache SSL certificate files can be used on HAProxy after some simple processing.

The original plan was to pass SSL traffic straight through haproxy-1.4, but that requires configuring SSL on the back-end servers, so SSL is instead terminated on haproxy-1.5 using the CA-issued certificate.

1. Install

    # yum install pcre-devel openssl-devel -y
    # tar zxvf haproxy-1.5.3.tar.gz
    # cd haproxy-1.5.3
    # make TARGET=linux26 USE_STATIC_PCRE=1 USE_REGPARM=1 USE_LINUX_TPROXY=1 USE_OPENSSL=1 USE_ZLIB=1 ARCH=x86_64
    # make install PREFIX=/usr/local/haproxy
    # cd /usr/local/haproxy
    # mkdir conf

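2. Prepare the PEM certificate file

The Apache SSL setup configured earlier already provides the CA-issued certificate (.cer) file and the private key (.key) file. HAProxy uses a single PEM file that combines the two, certificate first and private key second. Because the resulting file contains the private key, keep it readable only by root.

    # cat my-server.cer my-server.key | tee my-server.pem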


3. Create a configuration file

    # vi /usr/local/haproxy/conf/haproxy.cfg

    global
        log 127.0.0.1 local0
        maxconn 65535
        chroot /usr/local/haproxy
        uid 99
        gid 99
        stats socket /usr/local/haproxy/HaproxSocket level admin
        daemon
        nbproc 1
        pidfile /usr/local/haproxy.pid
        # debug
        tune.ssl.default-dh-param 2048

    defaults
        log 127.0.0.1 local3
        mode http
        option httplog
        option httplog clf
        option httpclose
        option dontlognull
        option forwardfor
        option redispatch
        retries 2
        maxconn 2000
        balance source
        # balance roundrobin
        stats uri /haproxy-stats
        stats refresh 10s
        timeout client 60s
        timeout connect 9s
        timeout server 30s
        timeout check 5s

    listen TEST_APP_Cluster
        bind *:80
        mode http
        option httpchk GET /test.html HTTP/1.0\r\nHost:192.168.10.180
        server node01 192.168.0.100:100 weight 3 check inter 2000 rise 2 fall 1
        server node02 192.168.0.101:100 weight 3 backup check inter 2000 rise 2 fall 1

    listen TEST_APP_SSL
        bind *:443 ssl crt /usr/local/haproxy/conf/my-server.pem
        reqadd X-Forwarded-Proto:\ https
        mode http
        option httpchk GET /test.html HTTP/1.0\r\nHost:192.168.10.180
        server node01 192.168.0.100:100 weight 3 check inter 2000 rise 2 fall 1
        server node02 192.168.0.101:100 weight 3 backup check inter 2000 rise 2 fall 1

    listen stats_auth 0.0.0.0:91
        stats enable
        stats uri /admin
        stats realm "HA_CONSOLE"
        stats auth admin:123456
        stats hide-version
        stats refresh 10s
        stats admin if TRUE
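
The same listeners with the settings a reviewer would tighten before exposing them, as an added example that is not part of the original article. The SSLv3 and cipher restrictions, the loopback-only stats bind (assuming administrators reach it through an SSH tunnel) and the password placeholder are assumptions; global and defaults lines not shown stay as above.

```haproxy
# Added example: lines changed from the article are marked "was:".
global
    # was: no explicit socket mode; restrict the admin socket to its owner
    stats socket /usr/local/haproxy/HaproxSocket mode 600 level admin
    tune.ssl.default-dh-param 2048

listen TEST_APP_Cluster
    bind *:80
    mode http
    # Overwrite any client-supplied copy so the back end can trust the header
    http-request set-header X-Forwarded-Proto http
    option httpchk GET /test.html HTTP/1.0\r\nHost:192.168.10.180
    server node01 192.168.0.100:100 weight 3 check inter 2000 rise 2 fall 1
    server node02 192.168.0.101:100 weight 3 backup check inter 2000 rise 2 fall 1

listen TEST_APP_SSL
    # was: bind *:443 ssl crt ... (no protocol or cipher restriction)
    # Assumption: the cipher string is a sample, tune it to your clients
    bind *:443 ssl crt /usr/local/haproxy/conf/my-server.pem no-sslv3 ciphers HIGH:!aNULL:!eNULL:!MD5:!RC4:!3DES
    mode http
    # was: reqadd X-Forwarded-Proto:\ https (appends; a client-sent copy is kept)
    http-request set-header X-Forwarded-Proto https
    option httpchk GET /test.html HTTP/1.0\r\nHost:192.168.10.180
    server node01 192.168.0.100:100 weight 3 check inter 2000 rise 2 fall 1
    server node02 192.168.0.101:100 weight 3 backup check inter 2000 rise 2 fall 1

listen stats_auth
    # was: 0.0.0.0:91 (assumption: admins connect through an SSH tunnel)
    bind 127.0.0.1:91
    stats enable
    stats uri /admin
    stats realm "HA_CONSOLE"
    # was: admin:123456; placeholder below, substitute a long random secret
    stats auth admin:REPLACE_WITH_LONG_RANDOM_SECRET
    stats hide-version
    stats refresh 10s
    # was: stats admin if TRUE; LOCALHOST is the predefined ACL for 127.0.0.1/8
    stats admin if LOCALHOST
```

Check the edited file with `haproxy -c -f /usr/local/haproxy/conf/haproxy.cfg` before restarting the service.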


Start port

4. Configuration highlights

Because the certificate length is 2048, HAProxy reports an error with the default configuration. After adding the tune.ssl.default-dh-param 2048 parameter, the problem is solved. Certificates in PEM format can also be used to provide SSL with haproxy-1.4 + stunnel.
