Learning haproxy: https configuration
This article is sponsored by ilanniweb and first published on The world
For more articles, follow my ilanniweb.
Some time ago, I wrote a few articles about learning haproxy. Today we look at the https configuration of haproxy. We will not go over the advantages of https;
we will only cover how to configure https and how it is applied in an actual production environment.
PS: All tests were run on haproxy 1.5.4. Some of these configuration parameters may not be available in haproxy 1.3 and earlier versions, so check your version number.
The following haproxy configuration is directly used in the online production environment.
1. Business Requirements
The actual needs of the business give us several different requirements, as follows:
1.1 Redirect http to https
Redirect all requests for http://http.ilanni.com to https://http.ilanni.com.
1.2 Coexistence of http and https
The server accepts access through both http://http.ilanni.com and https://http.ilanni.com at the same time.
1.3 https and http for different domain names on the same server
On the same server, all access to the http.ilanni.com domain name is directed to https://http.ilanni.com, and access to haproxy.ilanni.com is directed to the http://haproxy.ilanni.com address.
1.4 Multiple domain names on the same server use https
On the same server, both http.ilanni.com and haproxy.ilanni.com are accessed over https.
2. Configure haproxy and test the business requirements
Now we can configure haproxy to meet our business needs one by one.
2.1 Configuration for redirecting http to https
To be honest, the https configuration of haproxy is much simpler than that of nginx. We only need to add a few lines to implement the https function.
The haproxy configuration file for redirecting http to https is as follows:
    global
        log 127.0.0.1 local0
        log 127.0.0.1 local1 notice
        maxconn 4096
        uid 188
        gid 188
        daemon
        tune.ssl.default-dh-param 2048

    defaults
        log global
        mode http
        option httplog
        option dontlognull
        option http-server-close
        option forwardfor except 127.0.0.1
        option redispatch
        retries 3
        option redispatch
        maxconn 2000
        timeout http-request 10s
        timeout queue 1m
        timeout connect 10s
        timeout client 1m
        timeout server 1m
        timeout http-keep-alive 10s
        timeout check 10s
        maxconn 3000

    listen admin_stats
        bind 0.0.0.0:1080
        mode http
        option httplog
        maxconn 10
        stats refresh 30s
        stats uri /stats
        stats auth admin:admin
        stats hide-version

    frontend weblb
        bind *:80
        acl is_http hdr_beg(host) http.ilanni.com
        redirect scheme https if !{ ssl_fc }
        bind *:443 ssl crt /etc/haproxy/ilanni.com.pem
        use_backend httpserver if is_http

    backend httpserver
        balance source
        server web1 127.0.0.1:7070 maxconn 1024 weight 3 check inter 2000 rise 2 fall 3
Note the following options in the preceding configuration file:
tune.ssl.default-dh-param 2048 is declared here because our SSL key uses 2048-bit encryption.
    acl is_http hdr_beg(host) http.ilanni.com
    redirect scheme https if !{ ssl_fc }
    bind *:443 ssl crt /etc/haproxy/ilanni.com.pem
These three lines mean that all requests for the http.ilanni.com domain name are redirected to https://http.ilanni.com.
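A hardened variant of the section 2.1 stats listener and frontend, added here as an example and not part of the original production configuration. It assumes haproxy 1.5; the stats password is a placeholder, and the exact Host values, the 301 status, the HSTS max-age and no-sslv3 are choices made for this example.

```haproxy
listen admin_stats
    # Listen on loopback only; the configuration above exposes the stats page
    # on 0.0.0.0:1080 with the credentials admin:admin.
    bind 127.0.0.1:1080
    mode http
    option httplog
    maxconn 10
    stats refresh 30s
    stats uri /stats
    # Placeholder: replace with a strong, unique password.
    stats auth admin:CHANGE_ME_PLACEHOLDER
    stats hide-version

frontend weblb
    bind *:80
    # crt expects the certificate chain and the private key in one PEM file,
    # so keep that file readable by root only.
    bind *:443 ssl crt /etc/haproxy/ilanni.com.pem no-sslv3

    # hdr_beg(host) is a prefix match, so it also accepts a Host such as
    # http.ilanni.com.other.example (constructed value). Match the full
    # header value instead, with and without the explicit port.
    acl is_http hdr(host) -i http.ilanni.com http.ilanni.com:443

    # Permanent redirect for every request that did not arrive over TLS.
    redirect scheme https code 301 if !{ ssl_fc }

    # Ask browsers to keep using https for this host for one year.
    http-response set-header Strict-Transport-Security max-age=31536000 if { ssl_fc }

    use_backend httpserver if is_http

backend httpserver
    balance source
    server web1 127.0.0.1:7070 maxconn 1024 weight 3 check inter 2000 rise 2 fall 3
```

Validate the file with haproxy -c -f and the path of the configuration file before reloading.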
2.2 Test the http to https redirect
After the http to https redirect is configured, we test it as follows:
In the browser, whether you enter http.ilanni.com, http://http.ilanni.com or https://http.ilanni.com, you are automatically redirected to https://http.ilanni.com.
In this way, all http requests are redirected to https.
2.3 Coexistence of http and https
Making http and https coexist is easy to configure in haproxy. You only need to have haproxy listen on different ports. The configuration file is as follows:
    global
        log 127.0.0.1 local0
        log 127.0.0.1 local1 notice
        maxconn 4096
        user haproxy
        group haproxy
        daemon
        tune.ssl.default-dh-param 2048

    defaults
        log global
        mode http
        option httplog
        option dontlognull
        retries 3
        option redispatch
        maxconn 2000
        timeout connect 5000ms
        timeout client 50000ms
        timeout server 50000ms

    listen admin_stats
        bind 0.0.0.0:1080
        mode http
        option httplog
        maxconn 10
        stats refresh 30s
        stats uri /stats
        stats auth admin:admin
        stats hide-version

    frontend weblb
        bind *:80
        acl is_http hdr_beg(host) http.ilanni.com
        use_backend httpserver if is_http

    backend httpserver
        balance source
        server web1 127.0.0.1:7070 maxconn 1024 weight 3 check inter 2000 rise 2 fall 3

    frontend weblb443
        bind *:443 ssl crt /etc/haproxy/ilanni.com.pem
        acl is_443 hdr_beg(host) http.ilanni.com
        use_backend httpserver443 if is_443

    backend httpserver443
        balance source
        server web1 127.0.0.1:7070 maxconn 1024 weight 3 check inter 2000 rise 2 fall 3
In the preceding configuration file, we define two frontends. One frontend listens on port 80, that is, the http protocol. The other frontend listens on port 443, that is, the https protocol.
haproxy then distributes requests based on the protocol requested by the client. If the client requests http, the request is handled by the frontend listening on port 80. If the client requests https, the request is handled by the frontend listening on port 443. In this way, haproxy meets the requirement that http and https coexist.
2.4 Test the coexistence of http and https
After both http and https are configured, we test the result as follows:
The test shows that entering http://http.ilanni.com or http.ilanni.com in the browser goes directly to http://http.ilanni.com, while entering https://http.ilanni.com goes only to https://http.ilanni.com.
This satisfies the business requirement that http and https coexist.
2.5 https and http configuration for different domain names on the same server
The http and https configuration for different domain names on the same server is more complex. First, you need to listen on two ports, and then distribute the requests based on the domain name.
The haproxy configuration file is as follows:
    global
        log 127.0.0.1 local0
        log 127.0.0.1 local1 notice
        maxconn 4096
        uid 188
        gid 188
        daemon
        tune.ssl.default-dh-param 2048

    defaults
        log global
        mode http
        option httplog
        option dontlognull
        option http-server-close
        option forwardfor except 127.0.0.1
        option redispatch
        retries 3
        option redispatch
        maxconn 2000
        timeout http-request 10s
        timeout queue 1m
        timeout connect 10s
        timeout client 1m
        timeout server 1m
        timeout http-keep-alive 10s
        timeout check 10s
        maxconn 3000

    listen admin_stats
        bind 0.0.0.0:1080
        mode http
        option httplog
        maxconn 10
        stats refresh 30s
        stats uri /stats
        stats auth admin:admin
        stats hide-version

    frontend weblb
        bind *:80
        acl is_haproxy hdr_beg(host) haproxy.ilanni.com
        acl is_http hdr_beg(host) http.ilanni.com
        redirect prefix https://http.ilanni.com if is_http
        use_backend haproxyserver if is_haproxy

    backend haproxyserver
        balance source
        server web1 127.0.0.1:9090 maxconn 1024 weight 3 check inter 2000 rise 2 fall 3

    frontend weblb443
        bind *:443 ssl crt /etc/haproxy/ilanni.com.pem
        acl is_443 hdr_beg(host) http.ilanni.com
        use_backend httpserver443 if is_443

    backend httpserver443
        balance source
        server web1 127.0.0.1:7070 maxconn 1024 weight 3 check inter 2000 rise 2 fall 3
For https and http between different domain names on the same server, we configured two frontends. One listens on port 80 and handles requests according to the domain name: if the client requests the http.ilanni.com domain name, haproxy redirects the request directly to https://http.ilanni.com; if the domain name is haproxy.ilanni.com, the request is distributed to the backend server.
The other frontend listens on port 443 and distributes client requests for https://http.ilanni.com.
2.6 Test the https and http configuration for different domain names on the same server
After configuring https and http for different domain names on the same server, we test it as follows:
From the test we can see that entering haproxy.ilanni.com in the browser goes to the http://haproxy.ilanni.com address, while entering http.ilanni.com or http://http.ilanni.com redirects to https://http.ilanni.com.
This meets our business requirement: on the same server, access to haproxy.ilanni.com goes directly to port 80, while access to the http.ilanni.com domain name is redirected to the https://http.ilanni.com address.
2.7 Configuration for multiple domain names on the same server using https
Enabling https for multiple domain names on the same server is very simple: you only need to enable the https configuration for each domain in haproxy.
The haproxy configuration file is as follows:
    global
        log 127.0.0.1 local0
        log 127.0.0.1 local1 notice
        maxconn 4096
        uid 108
        gid 116
        daemon
        tune.ssl.default-dh-param 2048

    defaults
        log global
        mode http
        option httplog
        option dontlognull
        option http-server-close
        option forwardfor except 127.0.0.1
        option redispatch
        retries 3
        option redispatch
        timeout http-request 10s
        timeout queue 1m
        timeout connect 10s
        timeout client 1m
        timeout server 1m
        timeout http-keep-alive 10s
        timeout check 10s
        maxconn 3000

    listen admin_stats
        bind 0.0.0.0:1080
        mode http
        option httplog
        maxconn 10
        stats refresh 30s
        stats uri /stats
        stats auth admin:admin
        stats hide-version

    frontend web80
        bind *:80
        acl is_http hdr_beg(host) http.ilanni.com
        redirect scheme https if !{ ssl_fc }
        bind *:443 ssl crt /etc/haproxy/ilanni.com.pem
        acl is_haproxy hdr_beg(host) haproxy.ilanni.com
        redirect scheme https if !{ ssl_fc }
        bind *:443 ssl crt /etc/haproxy/ilanni.com.pem
        use_backend httpserver if is_http
        use_backend haproxyserver if is_haproxy

    backend httpserver
        balance source
        server web1 127.0.0.1:6060 maxconn 1024 weight 3 check inter 2000 rise 2 fall 3

    backend haproxyserver
        balance source
        server web1 127.0.0.1:9090 maxconn 1024 weight 3 check inter 2000 rise 2 fall 3
The configuration file is relatively simple and will not be further explained here.
2.8 Test multiple domain names on the same server using https
With https configured for multiple domain names on the same server, we now test it.
From the test we can see that entering http.ilanni.com, http://http.ilanni.com, haproxy.ilanni.com or http://haproxy.ilanni.com in the browser redirects to the corresponding https address.
This also meets our business requirements.