ssl - HAProxy: connection error on 443 during the SSL handshake
Problem description
I recently set up a haproxy to route to multiple backends. I have a frontend on 443 and one on 4443 with identical configuration, pointing at the same backend. However, I cannot connect to 443.
HAProxy configuration
frontend main_web
    bind *:4443 ssl crt /etc/ssl/web.net.pem
    log-format "%ci:%cp\ [%tr]\ %ft\ %b/%s\ %TR/%Tw/%Tc/%Tr/%Ta\ %ST\ %B\ %CC\ %CS\ %tsc\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq\ %hr\ %hs\ %{+Q}r"
    timeout client 60000
    option logasap
    option httplog
    log global
    mode http
    default_backend app-webserver

frontend main_https
    bind *:443 ssl crt /etc/ssl/web.net.pem
    log-format "%ci:%cp\ [%tr]\ %ft\ %b/%s\ %TR/%Tw/%Tc/%Tr/%Ta\ %ST\ %B\ %CC\ %CS\ %tsc\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq\ %hr\ %hs\ %{+Q}r"
    timeout client 60000
    option logasap
    option httplog
    log global
    mode http
    default_backend app-webserver
haproxy -vv
HA-Proxy version 2.0.13 2020/02/13 - https://haproxy.org/
Build options :
TARGET = linux-glibc
CPU = generic
CC = gcc
CFLAGS = -O2 -g -fno-strict-aliasing -Wdeclaration-after-statement -fwrapv -Wno-unused-label -Wno-sign-compare -Wno-unused-parameter -Wno-old-style-declaration -Wno-ignored-qualifiers -Wno-clobbered -Wno-missing-field-initializers -Wtype-limits
OPTIONS = USE_OPENSSL=1
Feature list : +EPOLL -KQUEUE -MY_EPOLL -MY_SPLICE +NETFILTER -PCRE -PCRE_JIT -PCRE2 -PCRE2_JIT +POLL -PRIVATE_CACHE +THREAD -PTHREAD_PSHARED -REGPARM -STATIC_PCRE -STATIC_PCRE2 +TPROXY +LINUX_TPROXY +LINUX_SPLICE +LIBCRYPT +CRYPT_H -VSYSCALL +GETADDRINFO +OPENSSL -LUA +FUTEX +ACCEPT4 -MY_ACCEPT4 -ZLIB -SLZ +CPU_AFFINITY +TFO +NS +DL +RT -DEVICEATLAS -51DEGREES -WURFL -SYSTEMD -OBSOLETE_LINKER +PRCTL +THREAD_DUMP -EVPORTS
Default settings :
bufsize = 16384, maxrewrite = 1024, maxpollevents = 200
Built with multi-threading support (MAX_THREADS=64, default=2).
Built with OpenSSL version : OpenSSL 1.0.2k-fips 26 Jan 2017
Running on OpenSSL version : OpenSSL 1.0.2k-fips 26 Jan 2017
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : SSLv3 TLSv1.0 TLSv1.1 TLSv1.2
Built with network namespace support.
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND
Built without compression support (neither USE_ZLIB nor USE_SLZ are set).
Compression algorithms supported : identity("identity")
Built without PCRE or PCRE2 support (using libc's regex instead)
Encrypted password support via crypt(3): yes
Available polling systems :
epoll : pref=300, test result OK
poll : pref=200, test result OK
select : pref=150, test result OK
Total: 3 (3 usable), will use epoll.
Available multiplexer protocols :
(protocols marked as <default> cannot be specified using 'proto' keyword)
h2 : mode=HTX side=FE|BE mux=H2
h2 : mode=HTTP side=FE mux=H2
<default> : mode=HTX side=FE|BE mux=H1
<default> : mode=TCP|HTTP side=FE|BE mux=PASS
Available services : none
Available filters :
[SPOE] spoe
[COMP] compression
[CACHE] cache
[TRACE] trace
openssl s_client -connect web.net:443 -servername web.net
CONNECTED(00000005)
write:errno=54
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Start Time: 1589722937
Timeout : 7200 (sec)
Verify return code: 0 (ok)
---
openssl s_client -connect web.net:4443 -servername web.net
CONNECTED(00000005)
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
verify return:1
depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = Encryption Everywhere DV TLS CA - G1
verify return:1
depth=0 CN = web.net
verify return:1
---
Certificate chain
0 s:/CN=web.net
i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=Encryption Everywhere DV TLS CA - G1
1 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=Encryption Everywhere DV TLS CA - G1
i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
2 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFmjCCBIKgAwIBAgIQD3fKJWSyq1Az+UBaqwMxdjANBgkqhkiG9w0BAQsFADBu
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
d3cuZGlnaWNlcnQuY29tMS0wKwYDVQQDEyRFbmNyeXB0aW9uIEV2ZXJ5d2hlcmUg
RFYgVExTIENBIC0gRzEwHhcNMjAwNTA2MDAwMDAwWhcNMjEwNTA2MTIwMDAwWjAZ
MRcwFQYDVQQDEw5vbmVjaGF0Lm5ldC5jbjCCASIwDQYJKoZIhvcNAQEBBQADggEP
ADCCAQoCggEBAJsCvmMYYkU+g9D4VsD+9x3uP48cThL5g6JyLfEQJuXlSuU9phej
...
-----END CERTIFICATE-----
subject=/CN=web.net
issuer=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=Encryption Everywhere DV TLS CA - G1
---
No client certificate CA names sent
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 4263 bytes and written 345 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 54BDC38DCD0A9279A171928B2D2808D87DAF54E1043D478F19F416DBD6ADBA10
Session-ID-ctx:
Master-Key: BFF1322A89D44278761C283D083D6307C71A557A0FF299B158DBA4C69E7F81E87958CBAF6E5DEAB36D0799FAFD3D784F
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
0000 - 36 ba 3e 06 ae 02 86 d2-fa 6c df e9 74 5c 63 2a 6.>......l..t\c*
0010 - 73 49 1d 4e 0f 3c a5 29-46 e5 9b 1c ec 6f b8 f5 sI.N.<.)F....o..
0020 - f9 96 2e bf 2c 03 d1 b2-d0 23 32 cf 54 f3 4f 6d ....,....#2.T.Om
Start Time: 1589723432
Timeout : 7200 (sec)
Verify return code: 0 (ok)
---
I'm really lost. I also tried SSL passthrough by setting mode tcp in HAProxy, but that didn't help either.
Any insight would be great! Thank you.
Solution