1 Overview
TLS handshakes and record encryption cost CPU on the machine that terminates them, so enabling HTTPS directly on every web server adds load to backends that may already be busy or under-provisioned; even so, HTTPS is required on the public side for security. The usual compromise is TLS termination at the load balancer: clients on the public network reach HAProxy over HTTPS, while the hop from HAProxy to the backend servers runs over plain HTTP inside the enterprise LAN, which is treated as relatively trusted. HAProxy therefore redirects every plain-HTTP request from a client to HTTPS, terminates the TLS session itself, and forwards the decrypted request to the real servers as an ordinary HTTP request. Note the assumption this design makes: the network segment between HAProxy and the backends carries cleartext, so it must actually be isolated from untrusted hosts. If that cannot be guaranteed, re-encrypt the backend leg (server ... ssl) instead of sending plain HTTP.
2 Configuring HAProxy to support HTTPS protocol
2.1 Generate a self-signed certificate file
HAProxy expects a PEM file that contains the private key and the certificate together. On CentOS/RHEL the OpenSSL Makefile shipped in /etc/pki/tls/certs can generate a self-signed key-and-certificate pair in one step (it wraps openssl and prompts interactively for the subject fields):
cd /etc/pki/tls/certs
make /etc/haproxy/haproxy.pem
The above command writes the private key and the certificate into a single .pem file, placed directly under /etc/haproxy/. The file is only needed on the HAProxy host; the real servers (RS) need no certificate because the backend leg uses plain HTTP. Because the file contains the private key, keep it readable by root only (chmod 600 /etc/haproxy/haproxy.pem).
If instead the certificate was issued by a CA, concatenate the certificate and the private key into one file (append the intermediate chain the CA supplied as well, if any):
cat haproxy.crt haproxy.key > haproxy.pem
A self-signed certificate produces browser warnings; it is fine for testing, but use a CA-issued certificate in production.
2.2 Enabling SSL on the frontend
Point the bind line for port 443 at the certificate file and redirect port 80 to port 443.
Bind directive format
bind *:443 ssl crt /path/to/some_pem_file
Example
bind *:80
bind *:443 ssl crt /etc/haproxy/haproxy.pem
redirect scheme https if !{ ssl_fc }
The ssl_fc fetch is true only when the request arrived on an SSL/TLS-terminated connection, so the redirect line sends every request received on port 80 to the same URL under https:// on port 443. By default the redirect is a 302; append code 301 to the redirect line to make it permanent so browsers cache it. Also restrict the protocol versions and ciphers the bind accepts (for example with ssl-default-bind-options and ssl-default-bind-ciphers in the global section); the defaults are simply whatever the linked OpenSSL allows.
2.3 Logging
Because the real servers only ever see plain HTTP, their logs would otherwise not show which protocol and port the client actually used. HAProxy can pass that information to the backend in request headers so the backend log can record it; this is optional. Either of the following two directives can be used (the header names are arbitrary, but the same name must be used in the backend log format):
http-request set-header X-Forwarded-Port %[dst_port]
http-request add-header X-Forwarded-Proto https if { ssl_fc }
set-header overwrites the header if the client already sent one. dst_port is the port on which HAProxy accepted the connection (the destination port of the client's connection, not its source port), so a request that arrived on 443 is forwarded to the RS with X-Forwarded-Port: 443.
add-header appends a header regardless of what is already there, so the value https is added to every request that arrived over TLS. Note the security difference: with add-header a client can still send its own X-Forwarded-Proto header and the backend receives both values. Since applications commonly use this header to decide whether a request was secure, prefer set-header (which discards the client-supplied value) for both headers.
Log format on the RS (Apache httpd)
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" \"%{X-Forwarded-Proto}i\"" combined
This redefines the combined format with the forwarded protocol as the last field. Note that %h logs the address of the HAProxy host, not of the client; to log the client address, enable option forwardfor on HAProxy and log %{X-Forwarded-For}i as well.
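As an added example, not taken from the original post, here is a complete haproxy.cfg that ties sections 2.2 and 2.3 together: TLS is terminated on HAProxy with a permanent 80-to-443 redirect, the forwarded-protocol and port headers are set with set-header so client-supplied values are discarded, and the backend leg is plain HTTP. The names web_fe and web_rs, the server addresses 10.0.0.11 and 10.0.0.12, and the health-check path /healthz are assumptions for the example; the TLS hardening lines in global are an addition beyond what the post configures.

```haproxy
# Added example configuration (not from the original post).
# Assumed: frontend "web_fe", backend "web_rs", real servers 10.0.0.11/12,
# health-check path /healthz. Certificate file as generated in section 2.1.
global
    log /dev/log local0
    maxconn 4096
    # Refuse SSLv3 and TLS 1.0/1.1 on every ssl bind; prefer AEAD cipher suites.
    ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
    ssl-default-bind-ciphers ECDHE+AESGCM:ECDHE+CHACHA20
    tune.ssl.default-dh-param 2048

defaults
    mode http
    log global
    option httplog
    option forwardfor          # adds X-Forwarded-For with the real client IP
    timeout connect 5s
    timeout client 30s
    timeout server 30s

frontend web_fe
    bind *:80
    bind *:443 ssl crt /etc/haproxy/haproxy.pem

    # Anything that did not arrive over TLS is sent to https:// (301 so clients cache it).
    http-request redirect scheme https code 301 if !{ ssl_fc }

    # Tell the backend how the client connected. set-header overwrites any
    # X-Forwarded-Proto/Port the client itself sent, so the backend cannot be
    # fooled into treating a request as secure.
    http-request set-header X-Forwarded-Proto https if { ssl_fc }
    http-request set-header X-Forwarded-Port %[dst_port]

    # Ask browsers to stay on HTTPS for one year.
    http-response set-header Strict-Transport-Security "max-age=31536000"

    default_backend web_rs

backend web_rs
    # Plain HTTP to the real servers on the LAN (see the caveat in section 1).
    balance roundrobin
    option httpchk GET /healthz
    server rs1 10.0.0.11:80 check
    server rs2 10.0.0.12:80 check
```

Validate the file with haproxy -c -f /etc/haproxy/haproxy.cfg before reloading. A quick check of the redirect is curl -I http://your-host/, which should return 301 with a Location header starting with https://, and a request through port 443 should show up in the RS access log with https in the last field of the LogFormat above.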
This article is from the "Sunshine Ops" blog; please keep this source when reproducing it: http://ghbsunny.blog.51cto.com/7759574/1978999
HAProxy implementation of HTTPS access