HAProxy HTTPS implementation

Published 2023-10-07 15:24:16 Author: 小糊涂90

 

HAProxy can terminate HTTPS: the leg from the user to HAProxy is HTTPS, while HAProxy talks plain HTTP to the backend servers. For performance reasons, however, production deployments usually put the certificate on the backend servers themselves, for example on nginx.

1. For installing HAProxy, see the previous exercise.

2. Making the certificate: use the Makefile shipped with CentOS 7 to generate a self-signed certificate.
[root@localhost ~]# cd /etc/pki/tls/certs/
[root@localhost certs]# ls
ca-bundle.crt ca-bundle.trust.crt make-dummy-cert Makefile renew-dummy-cert

# create an ssl directory to hold the certificate
[root@localhost certs]# mkdir /etc/haproxy/conf.d/ssl

# for convenience, edit the Makefile so the private key is generated without a passphrase
[root@localhost certs]# vim Makefile
%.key:
umask 77 ; \
#/usr/bin/openssl genrsa -aes128 $(KEYLEN) > $@
/usr/bin/openssl genrsa $(KEYLEN) > $@

# generate the self-signed .crt certificate file
[root@localhost certs]# make /etc/haproxy/conf.d/ssl/www.tanliang.com.crt
umask 77 ; \
#/usr/bin/openssl genrsa -aes128 2048 > /etc/haproxy/conf.d/ssl/www.tanliang.com.key
/usr/bin/openssl genrsa 2048 > /etc/haproxy/conf.d/ssl/www.tanliang.com.key
Generating RSA private key, 2048 bit long modulus
.............................................................................................................................+++
............+++
e is 65537 (0x10001)
umask 77 ; \
/usr/bin/openssl req -utf8 -new -key /etc/haproxy/conf.d/ssl/www.tanliang.com.key -x509 -days 365 -out /etc/haproxy/conf.d/ssl/www.tanliang.com.crt
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:hubei
Locality Name (eg, city) [Default City]:hubei
Organization Name (eg, company) [Default Company Ltd]:tanliang
Organizational Unit Name (eg, section) []:it
Common Name (eg, your name or your server's hostname) []:www.tanliang.com
Email Address []:

# for HAProxy to use them, the key and the crt must be combined into a single file
[root@localhost certs]# cd /etc/haproxy/conf.d/ssl/
[root@localhost ssl]# ls
www.tanliang.com.crt www.tanliang.com.key
[root@localhost ssl]# cat www.tanliang.com.key www.tanliang.com.crt > www.tanliang.com.pem
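The bundle that HAProxy loads with "bind ... ssl crt" must contain the private key first, followed by the certificate (and any intermediate certificates after the leaf). The script below is an added example, not part of the original post: it generates the same kind of self-signed key and certificate as the CentOS Makefile but non-interactively with a single openssl command (the subject fields are the ones typed in above), assembles the bundle with restrictive permissions, and then checks both the block order and that the private key really matches the certificate. The function names make_selfsigned, build_haproxy_pem, check_pem_order and verify_key_matches_cert are chosen here; the file names mirror the post.

```shell
#!/bin/sh
# Added example, not from the original post: build and check the PEM bundle
# that HAProxy loads with "bind ... ssl crt". Function names are chosen here.

# Generate a self-signed key + certificate non-interactively. This is what the
# CentOS Makefile does, with the same subject fields the post typed in.
# -nodes leaves the key unencrypted, matching the Makefile edit above.
make_selfsigned() {
    cn="$1"; key="$2"; crt="$3"
    ( umask 077
      openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
          -subj "/C=CN/ST=hubei/L=hubei/O=tanliang/OU=it/CN=$cn" \
          -keyout "$key" -out "$crt" 2>/dev/null )
}

# Assemble the bundle HAProxy expects: private key first, then the leaf
# certificate (intermediates, if any, would follow the leaf). The bundle
# contains the private key, so it is created with mode 600.
build_haproxy_pem() {
    key="$1"; crt="$2"; out="$3"
    ( umask 077; cat "$key" "$crt" > "$out" )
    chmod 600 "$out"
}

# Textual check: the first PEM block must be a private key and a CERTIFICATE
# block must follow it. Prints "ok" on success, a reason otherwise.
check_pem_order() {
    pem="$1"
    first=$(grep -n -- '-----BEGIN' "$pem" | head -n 1)
    case "$first" in
        *"PRIVATE KEY-----"*) ;;
        *) echo "first block is not a private key"; return 1 ;;
    esac
    start=${first%%:*}
    if ! tail -n "+$start" "$pem" | grep -q -- '-----BEGIN CERTIFICATE-----'; then
        echo "no certificate after the key"; return 1
    fi
    echo ok
}

# Cryptographic check (needs openssl): the public key derived from the private
# key in the bundle must equal the public key inside the certificate.
# Returns 0 on match, 1 otherwise.
verify_key_matches_cert() {
    pem="$1"
    k=$(openssl pkey -in "$pem" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$pem" -pubkey -noout 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Stand-alone demo in a temporary directory (file names mirror the post).
main() {
    dir=$(mktemp -d)
    make_selfsigned www.tanliang.com "$dir/www.tanliang.com.key" "$dir/www.tanliang.com.crt"
    build_haproxy_pem "$dir/www.tanliang.com.key" "$dir/www.tanliang.com.crt" "$dir/www.tanliang.com.pem"
    check_pem_order "$dir/www.tanliang.com.pem"
    if verify_key_matches_cert "$dir/www.tanliang.com.pem"; then
        echo "key matches certificate"
    else
        echo "KEY/CERT MISMATCH - do not deploy"
    fi
    rm -rf "$dir"
}

if command -v openssl >/dev/null 2>&1; then main; fi
```

Because the bundle holds the private key, keep it mode 600 and owned by root; HAProxy reads it at startup before dropping privileges. With the .crt at hand you can also test without -k: curl --cacert www.tanliang.com.crt --resolve www.tanliang.com:443:10.0.0.152 https://www.tanliang.com/ verifies the connection against your own certificate and would expose a wrong or mismatched bundle that -k hides. Modern browsers additionally require a subjectAltName in the certificate, which OpenSSL 1.1.1 and later can add with -addext "subjectAltName=DNS:www.tanliang.com".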

3. Configure HAProxy
[root@localhost ssl]# cat /etc/haproxy/conf.d/tets.cfg
listen web_http_nodes
bind 10.0.0.152:80
bind 10.0.0.152:443 ssl crt /etc/haproxy/conf.d/ssl/www.tanliang.com.pem
server web1 10.0.0.150:80 check inter 2000 fall 3 rise 5
server web2 10.0.0.162:80 check inter 2000 fall 3 rise 5

# restart the haproxy service
[root@localhost ssl]# systemctl restart haproxy

# check that the ports are listening
[root@localhost ssl]# ss -ntl
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 10.0.0.152:443 *:*
LISTEN 0 128 *:9999 *:*
LISTEN 0 128 10.0.0.152:80 *:*
LISTEN 0 128 *:22 *:*
LISTEN 0 100 127.0.0.1:25 *:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 100 [::1]:25 [::]:*

4. Set up the web pages on the backend servers
# install httpd on both 10.0.0.150 and 10.0.0.162 and write page content so that HAProxy has something to balance requests across.
[root@centos8 ~]# yum install -y httpd
[root@centos8 ~]# systemctl start httpd
[root@centos8 ~]# echo 10.0.0.150 > /var/www/html/index.html
[root@centos8 ~]# curl localhost
10.0.0.150

5. Access test
# request the HAProxy server to verify access over HTTPS; the -k option skips certificate verification.
[root@localhost ssl]# curl -k https://10.0.0.152
10.0.0.150
[root@localhost ssl]# curl -k https://10.0.0.152
10.0.0.162
[root@localhost ssl]# curl -k https://10.0.0.152
10.0.0.150
[root@localhost ssl]# curl -k https://10.0.0.152
10.0.0.162

6. Real users may not know to use HTTPS, so configure HTTP requests to redirect automatically to HTTPS
[root@localhost ssl]# cat /etc/haproxy/conf.d/tets.cfg
listen web_http_nodes
bind 10.0.0.152:80
bind 10.0.0.152:443 ssl crt /etc/haproxy/conf.d/ssl/www.tanliang.com.pem
redirect scheme https if !{ ssl_fc }
# add the line above. ssl_fc is a built-in sample fetch that is true when the frontend connection is TLS, i.e. HTTPS; the ! negates it, so any request that is not HTTPS has its scheme rewritten to https
server web1 10.0.0.150:80 check inter 2000 fall 3 rise 5
server web2 10.0.0.162:80 check inter 2000 fall 3 rise 5
# after changing the configuration, restart the service for it to take effect
[root@localhost ssl]# systemctl restart haproxy
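A listener that binds both :80 and :443 but has no redirect rule keeps serving plaintext silently, which is exactly the gap step 6 closes. The script below is an added check, not part of the original post: it scans an HAProxy configuration for listen/frontend sections that mix a plain bind with an ssl bind and carry neither a "redirect scheme https" nor an "http-request redirect scheme https" rule, lists the crt bundles each bind references, and flags bundles that are missing or readable by group/others. The sample configuration it writes is constructed for this example (the post's listener from step 3 next to a frontend that already redirects); the function names are chosen here.

```shell
#!/bin/sh
# Added example, not from the original post: lint an HAProxy config for
# listeners that still accept plain HTTP next to TLS without redirecting.
# Function names and the sample config below are chosen/constructed here.

# Print the name of every listen/frontend section that has a plain bind and
# an "ssl" bind but no "redirect scheme https" rule in either syntax.
find_missing_redirects() {
    awk '
        function flush() { if (name != "" && plain && tls && !redir) print name }
        $1 == "listen" || $1 == "frontend" { flush(); name = $2; plain = tls = redir = 0; next }
        $1 == "backend" || $1 == "defaults" || $1 == "global" { flush(); name = ""; next }
        $1 == "bind" { if ($0 ~ /[ \t]ssl([ \t]|$)/) tls = 1; else plain = 1 }
        $1 == "redirect" && $2 == "scheme" && $3 == "https" { redir = 1 }
        $1 == "http-request" && $2 == "redirect" && $3 == "scheme" && $4 == "https" { redir = 1 }
        END { flush() }
    ' "$1"
}

# Print every certificate bundle path referenced by a "bind ... crt <path>".
list_crt_paths() {
    awk '$1 == "bind" { for (i = 2; i < NF; i++) if ($i == "crt") print $(i + 1) }' "$1"
}

# For each referenced bundle, report it if it is missing or if group/others
# can access it (the bundle holds the private key). Silent when all is well.
check_crt_files() {
    list_crt_paths "$1" | while read -r p; do
        if [ ! -f "$p" ]; then
            echo "missing: $p"
        elif [ "$(ls -ld "$p" | cut -c5-10)" != "------" ]; then
            echo "too open: $p"
        fi
    done
}

# Constructed sample: the post's step-3 listener (no redirect yet) next to a
# frontend that already redirects. Written to the path given as $1.
write_sample_cfg() {
    cat > "$1" <<'EOF'
global
    daemon
listen web_http_nodes
    bind 10.0.0.152:80
    bind 10.0.0.152:443 ssl crt /etc/haproxy/conf.d/ssl/www.tanliang.com.pem
    server web1 10.0.0.150:80 check inter 2000 fall 3 rise 5
frontend secure_site
    bind *:80
    bind *:443 ssl crt /etc/haproxy/ssl/site.pem
    http-request redirect scheme https unless { ssl_fc }
backend app
    server a 10.0.0.1:80
EOF
}

main() {
    cfg=$(mktemp)
    write_sample_cfg "$cfg"
    echo "sections serving plaintext without a redirect:"
    find_missing_redirects "$cfg"     # -> web_http_nodes
    echo "certificate bundle problems:"
    check_crt_files "$cfg"            # -> missing: ... (sample paths do not exist here)
    rm -f "$cfg"
}
main
```

Run it against the real file (find_missing_redirects /etc/haproxy/conf.d/tets.cfg) after every edit; an empty result for the first check and for check_crt_files is the state you want before "systemctl restart haproxy". It does not replace "haproxy -c -f", which validates syntax but says nothing about whether plaintext is still being served.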

7. Verify access
# verification: -I fetches only the response headers; 302 means a temporary redirect
[root@localhost ssl]# curl http://10.0.0.152 -I
HTTP/1.1 302 Found
content-length: 0
location: https://10.0.0.152/
cache-control: no-cache
# -L follows the redirect to the target page; -k skips certificate verification.
[root@localhost ssl]# curl http://10.0.0.152 -Lk
10.0.0.150
[root@localhost ssl]# curl http://10.0.0.152 -Lk
10.0.0.162

# Note: in practice, if HAProxy is under heavy load, do not terminate HTTPS on it; forwarding at layer 4 (TCP mode) is lighter, and HTTPS is then handled on the backend nginx servers. The advantage of terminating on HAProxy is that HTTPS only has to be configured on the single HAProxy host rather than on each of the many backend nginx servers. So if HAProxy's traffic is light, terminate HTTPS on it; if traffic is heavy, do it on the backend.