时间戳

首页 > 解决方案 > HAProxy 后端第 7 层无效响应

haproxy - HAProxy 后端第 7 层无效响应

问题描述

我正在尝试使用 HAProxy 对两台服务器进行负载平衡,v1.8但在我的情况下,后端是域名而不是 IP 地址。

我的 HAProxy 配置如下所示:

global
    log         /dev/log    local0
    log         /dev/log    local1 notice
    chroot      /var/lib/haproxy
    pidfile     /var/run/rh-haproxy18-haproxy.pid

    user        haproxy
    group       haproxy
    daemon
    stats       socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners

    spread-checks  21

    # Default SSL material locations
    ca-base     /etc/ssl/certs
    crt-base    /etc/ssl/private

    # Default ciphers to use on SSL-enabled listening sockets.
    # For more information, see ciphers(1SSL). This list is from:
    #  https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
    # An alternative list with additional directives can be obtained from
    #  https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
    ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
    ssl-default-bind-options no-sslv3

defaults
    mode                    http
    log                     global
    option                  httplog
    option                  dontlognull
    option                  http-server-close
    option                  redispatch
    retries                 3

    timeout http-request    10s
    timeout queue           1m
    timeout connect         10s
    timeout client          1m
    timeout server          1m
    timeout http-keep-alive 10s
    timeout check           10s
    maxconn                 10000
    balance                 roundrobin


frontend https-443
        bind *:443
        mode http
        option httplog
        acl ACL_global.domain.com hdr(host) -i global.domain.com
        use_backend www-443-app if ACL_global.domain.com

backend www-443-app
        balance roundrobin
        mode http
        option httpchk GET /health
        option forwardfor
        http-check expect status 200
        server backendnode1 app1.domain.com:443 check
        server backendnode2 app2.domain.com:443 check

frontend health-443
    bind *:8443
    acl backend_dead nbsrv(www-443-app) lt 1
    monitor-uri /haproxy_status
    monitor fail if backend_dead

listen stats # Define a listen section called "stats"
    bind :9000 # Listen on localhost:9000
    mode http
    stats enable  # Enable stats page
    stats hide-version  # Hide HAProxy version
    stats realm Haproxy\ Statistics  # Title text for popup window
    stats uri /haproxy_stats  # Stats URI
    stats auth haproxy:passwd  # Authentication credentials

但是,健康检查没有通过。当我检查统计页面时,它说:Layer7 invalid response

我检查了我是否可以从我的 HAProxy 服务器连接到后端域,并且我能够成功地这样做。

curl -X GET -I https://app1.domain.com/health
HTTP/2 200 
cache-control: no-cache, private, max-age=0
content-type: application/json
expires: Thu, 01 Jan 1970 00:00:00 UTC
pragma: no-cache
x-accel-expires: 0
x-content-type-options: nosniff
x-xss-protection: 1; mode=block
date: Wed, 28 Jul 2021 12:05:09 GMT
content-length: 18
x-envoy-upstream-service-time: 0
endpoint: health
version: 1.0.0
server: istio-envoy

我的配置中是否缺少某些内容或需要更改某些内容才能使其正常工作?

标签: haproxy

解决方案

您缺少行的ssl关键字server。您可能还想设置sni

backend foo
    default-server ssl check verify none
    server backendnode1 app1.domain.com:443 sni str('app1.domain.com')
    server backendnode2 app2.domain.com:443 sni str('app2.domain.com')

您还应该决定是否要验证后端服务器的 SSL 证书。你能相信这种联系吗?是你的网络吗?Haproxy 鼓励您进行验证,但需要提供 CA 证书供他们验证。如果您验证证书,您还可以添加verifyhost和设置:check-sni

backend foo
    default-server ssl check verify required 
    server backendnode1 app1.domain.com:443 sni str('app1.domain.com') check-sni 'app1.domain.com' verifyhost 'app1.domain.com' ca-file /path/to/CA1.pem
    server backendnode2 app2.domain.com:443 sni str('app2.domain.com') check-sni 'app2.domain.com' verifyhost 'app2.domain.com' ca-file /path/to/CA2.pem

推荐阅读