haproxy: configuring SSL

grhack 2020-09-12 22:15

yum install haproxy

yum install -y openssl openssl-devel readline-devel pcre-devel libssl-dev libpcre3

(The -devel packages are only needed if you build haproxy from source; the haproxy package from yum is already linked against OpenSSL, as the output below shows. libssl-dev and libpcre3 are Debian/Ubuntu package names, so yum reports them as not available and skips them; the CentOS/RHEL equivalents, openssl-devel and pcre-devel, are already in the list.)

haproxy -vv            // check whether haproxy was built with SSL support: the OPTIONS line must contain USE_OPENSSL=1 and a "Built with OpenSSL version" line must be present (these are the parts highlighted in red in the original post)

haproxy -vv
HA-Proxy version 1.5.18 2016/05/10
Copyright 2000-2016 Willy Tarreau <willy@haproxy.org>

Build options :
  TARGET  = linux2628
  CPU     = generic
  CC      = gcc
  CFLAGS  = -O2 -g -fno-strict-aliasing -DTCP_USER_TIMEOUT=18
  OPTIONS = USE_LINUX_TPROXY=1 USE_ZLIB=1 USE_REGPARM=1 USE_OPENSSL=1 USE_PCRE=1

Default settings :
  maxconn = 2000, bufsize = 16384, maxrewrite = 8192, maxpollevents = 200

Encrypted password support via crypt(3): yes
Built with zlib version : 1.2.7
Compression algorithms supported : identity, deflate, gzip
Built with OpenSSL version : OpenSSL 1.0.1e-fips 11 Feb 2013
Running on OpenSSL version : OpenSSL 1.0.1e-fips 11 Feb 2013
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports prefer-server-ciphers : yes
Built with PCRE version : 8.32 2012-11-30
PCRE library supports JIT : no (USE_PCRE_JIT not set)
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND

Available polling systems :
      epoll : pref=300,  test result OK
       poll : pref=200,  test result OK
     select : pref=150,  test result OK
Total: 3 (3 usable), will use epoll.


[root@dlp ~]# cd /etc/pki/tls/certs

[root@dlp certs]# openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/pki/tls/certs/haproxy.pem -out /etc/pki/tls/certs/haproxy.pem -days 365

[root@dlp certs]# chmod 600 haproxy.pem

This produces a single file, haproxy.pem, that holds both the private key and the self-signed certificate (that is why -keyout and -out point at the same path: haproxy expects key and certificate in one PEM file). -nodes leaves the key unencrypted, which haproxy needs because it cannot prompt for a passphrase at startup. The file is read while the config is parsed, before haproxy drops privileges, so it can stay root-owned with mode 600. A self-signed certificate is fine for testing, but clients will warn about it, so use a CA-issued certificate in production.


The certificate can now be referenced from the haproxy configuration file.

In the global section add:     tune.ssl.default-dh-param 2048
(without it haproxy 1.5 falls back to 1024-bit DH parameters and prints a warning at startup)

In the frontend add a bind line for port 443, for example:

        bind *:443 ssl crt /etc/ssl/certs/servername.pem

The crt argument is the PEM file containing both key and certificate; with the file generated above that is /etc/pki/tls/certs/haproxy.pem. To keep port 80 and serve 443 with SSL at the same time, leave the existing bind *:80 line in place and add the 443 bind with ssl crt and the certificate path after it.


redirect scheme https if !{ ssl_fc }

This line makes the site SSL-only: ssl_fc is true when the client's connection to the frontend was made over SSL/TLS, so any request that arrived on port 80 is redirected to the same URL on port 443 with https.

To apply it to all traffic, add this line to the frontend that carries both binds (the redirect is a 302 by default; append code 301 for a permanent one).
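The steps above, assembled into one complete /etc/haproxy/haproxy.cfg for HAProxy 1.5.x. This is an added example, not a configuration from the original post; it assumes the PEM generated above lives at /etc/pki/tls/certs/haproxy.pem and that two backend web servers (placeholder addresses 10.0.0.11 and 10.0.0.12) answer on port 80. It also goes a little beyond the walkthrough by disabling SSLv3/TLS 1.0, pinning a cipher list and passing the original scheme to the backends.

```haproxy
# Added example (not from the original post): complete haproxy.cfg for 1.5.x.
# Assumed paths/addresses: /etc/pki/tls/certs/haproxy.pem, 10.0.0.11, 10.0.0.12.
global
    log         127.0.0.1 local2
    chroot      /var/lib/haproxy
    pidfile     /var/run/haproxy.pid
    maxconn     4000
    user        haproxy
    group       haproxy
    daemon
    # Without this, 1.5 uses 1024-bit DH parameters and warns at startup.
    tune.ssl.default-dh-param 2048
    # Hardening beyond the walkthrough: refuse SSLv3 and TLS 1.0 and use a
    # forward-secret cipher list on every "bind ... ssl" line.
    ssl-default-bind-options  no-sslv3 no-tlsv10
    ssl-default-bind-ciphers  ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:!aNULL:!MD5

defaults
    mode                    http
    log                     global
    option                  httplog
    option                  forwardfor
    timeout connect         5s
    timeout client          30s
    timeout server          30s

frontend www
    # Plain HTTP stays on 80 only so it can be redirected; TLS terminates on 443.
    bind *:80
    bind *:443 ssl crt /etc/pki/tls/certs/haproxy.pem
    # ssl_fc is true only when the client connection to this frontend used
    # SSL/TLS, so every request that arrived on port 80 gets a permanent
    # redirect to the https:// version of the same URL.
    redirect scheme https code 301 if !{ ssl_fc }
    # The backends only ever see plain HTTP; tell them the original scheme.
    http-request set-header X-Forwarded-Proto https if { ssl_fc }
    # HSTS: once a browser has seen the site over TLS it stops trying port 80.
    http-response set-header Strict-Transport-Security max-age=31536000 if { ssl_fc }
    default_backend web

backend web
    balance roundrobin
    server web1 10.0.0.11:80 check
    server web2 10.0.0.12:80 check
```

Before reloading, validate the file with `haproxy -c -f /etc/haproxy/haproxy.cfg`; after reloading, confirm the handshake and the served certificate with `openssl s_client -connect <host>:443` and check that `curl -I http://<host>/` returns a 301 with a Location header starting with https://.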

