HAproxy gives PR_END_OF_FILE_ERROR in TCP mode

Problem description

I am having trouble configuring HAproxy in tcp mode to forward SSL connections to my backends.

Here is my haproxy configuration:

global
  maxconn 10000
  user haproxy
  group haproxy

defaults
  timeout connect 10s
  timeout client 30s
  timeout server 30s
  log global
  mode tcp
  maxconn 3000

backend lamacorp_ynh_web
  mode tcp
  balance roundrobin
  server lamacorp_ynh 172.20.20.2:443

backend lamacorp_ynh
  mode tcp
  balance roundrobin
  server lamacorp_ynh 172.20.20.2

backend duck
  mode tcp
  balance roundrobin
  server duck 127.0.0.1

frontend www
  mode tcp
  option tcplog

  bind 200.200.200.200:80
  bind 200.200.200.200:443

  acl lamacorp_www1 hdr(host) -i domain.com
  acl lamacorp_www2 hdr(host) -i www.domain.com

  acl lamacorp_hub hdr(host) -i hub.domain.com
  acl lamacorp_chat hdr(host) -i chat.domain.com
  acl lamacorp_cloud hdr(host) -i cloud.domain.com
  acl lamacorp_git hdr(host) -i git.domain.com
  acl lamacorp_mail hdr(host) -i mail.domain.com
  acl lamacorp_apps hdr(host) -i apps.domain.com

  acl risson_www1 hdr(host) -i domain2.com
  acl risson_www2 hdr(host) -i www.domain2.com


  use_backend duck if lamacorp_www1
  use_backend duck if lamacorp_www2

  use_backend lamacorp_ynh_web if lamacorp_hub
  use_backend lamacorp_ynh_web if lamacorp_chat
  use_backend lamacorp_ynh_web if lamacorp_cloud
  use_backend lamacorp_ynh_web if lamacorp_git
  use_backend lamacorp_ynh_web if lamacorp_mail
  use_backend lamacorp_ynh_web if lamacorp_apps

  use_backend duck if risson_www1
  use_backend duck if risson_www2

frontend mail
  mode tcp
  option tcplog

  bind 200.200.200.200:25
  bind 200.200.200.200:587
  bind 200.200.200.200:993

  default_backend lamacorp_ynh

curl -vvvkL https://172.20.20.2:443 from behind HAproxy gives a correct answer (as does curl against the other backend). Both backends use self-signed certificates.

However, curl -vvvkL https://200.200.200.200:443 gives:

* TCP_NODELAY set
* Connected to domain.com (200.200.200.200) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to domain.com:443 
* Closing connection 0
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to domain.com443 

curl -vvvkL http://hub.lama-corp.space:80 gives:

* TCP_NODELAY set
* Connected to hub.lama-corp.space (200.200.200.200) port 80 (#0)
> GET / HTTP/1.1
> Host: domain.com
> User-Agent: curl/7.65.3
> Accept: */*
> 
* Empty reply from server
* Connection #0 to host domain.com left intact
curl: (52) Empty reply from server

Mail forwarding seems to work fine. SSL termination is expected to be done by the backend. Any hints for refactoring that configuration are also welcome.

Thanks in advance,

Tags: ssl, haproxy
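Background for the configuration above, as an added editor's note rather than part of the original post: hdr(host) is an HTTP-layer sample fetch, and a frontend in mode tcp does not parse HTTP, so ACLs built on it can never match there; with no default_backend in frontend www, a connection that matches nothing has no backend and is closed, which a client sees as an empty reply on port 80 or a TLS handshake that ends before any server data (curl's SSL_ERROR_SYSCALL, Firefox's PR_END_OF_FILE_ERROR). In tcp mode the only per-host information available before the TLS session starts is the SNI name in the ClientHello, which HAProxy exposes as req.ssl_sni once tcp-request inspect-delay has buffered the first bytes. The example below is not the asker's or HAProxy's own config: it reuses the question's host names, backend names and addresses, adds a port-80 frontend in mode http (which goes beyond the question's single frontend) and assumes the duck backend listens on 127.0.0.1:443 and 127.0.0.1:80 and the YunoHost backend on 172.20.20.2:80 for plain HTTP, none of which the post states.

```haproxy
# Added example (not from the original post): TLS passthrough routed by SNI in
# mode tcp, with plain HTTP on port 80 handled in mode http. Host names and
# addresses are the question's placeholders; backend ports marked "assumed"
# are assumptions of this example.
global
  maxconn 10000
  user haproxy
  group haproxy

defaults
  log global
  timeout connect 10s
  timeout client 30s
  timeout server 30s

# Port 443: passthrough, TLS is terminated by the backend. No HTTP headers
# are visible here, so route on the SNI name carried in the ClientHello.
frontend www_tls
  mode tcp
  option tcplog
  bind 200.200.200.200:443

  # Buffer the start of the stream (up to 5s) and release it as soon as a
  # ClientHello (hello type 1) has been seen, so req.ssl_sni is populated.
  tcp-request inspect-delay 5s
  tcp-request content accept if { req.ssl_hello_type 1 }

  acl sni_ynh  req.ssl_sni -i hub.domain.com chat.domain.com cloud.domain.com git.domain.com mail.domain.com apps.domain.com
  acl sni_duck req.ssl_sni -i domain.com www.domain.com domain2.com www.domain2.com

  use_backend lamacorp_ynh_web if sni_ynh
  use_backend duck_tls if sni_duck
  # A connection with no or an unknown SNI still gets a backend instead of
  # being closed with no reply.
  default_backend lamacorp_ynh_web

# Port 80: plain HTTP, so mode http and hdr(host) are valid here.
frontend www_http
  mode http
  option httplog
  bind 200.200.200.200:80

  acl host_ynh  hdr(host) -i hub.domain.com chat.domain.com cloud.domain.com git.domain.com mail.domain.com apps.domain.com
  acl host_duck hdr(host) -i domain.com www.domain.com domain2.com www.domain2.com

  use_backend lamacorp_ynh_http if host_ynh
  use_backend duck_http if host_duck
  default_backend lamacorp_ynh_http

backend lamacorp_ynh_web
  mode tcp
  balance roundrobin
  server lamacorp_ynh 172.20.20.2:443 check

backend duck_tls
  mode tcp
  server duck 127.0.0.1:443 check        # port assumed

backend lamacorp_ynh_http
  mode http
  server lamacorp_ynh 172.20.20.2:80 check   # port assumed

backend duck_http
  mode http
  server duck 127.0.0.1:80 check         # port assumed

# Mail: unchanged from the question. A server with no port forwards to the
# port the client connected to (25, 587 or 993).
frontend mail
  mode tcp
  option tcplog
  bind 200.200.200.200:25
  bind 200.200.200.200:587
  bind 200.200.200.200:993
  default_backend lamacorp_ynh

backend lamacorp_ynh
  mode tcp
  balance roundrobin
  server lamacorp_ynh 172.20.20.2
```

A frontend and the backends it selects must share the same mode, which is why the HTTP and TLS paths get separate backend definitions for the same servers. Running haproxy -c -f on a configuration is the quickest check: it reports ACLs that can never match in the frontend's mode before the proxy is started.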

Solution

