haproxy - HAProxy 后端第 7 层无效响应
问题描述
我正在尝试使用 HAProxy 对两台服务器进行负载平衡,v1.8
但在我的情况下,后端是域名而不是 IP 地址。
我的 HAProxy 配置如下所示:
global
log /dev/log local0
log /dev/log local1 notice
chroot /var/lib/haproxy
pidfile /var/run/rh-haproxy18-haproxy.pid
user haproxy
group haproxy
daemon
stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
spread-checks 21
# Default SSL material locations
ca-base /etc/ssl/certs
crt-base /etc/ssl/private
# Default ciphers to use on SSL-enabled listening sockets.
# For more information, see ciphers(1SSL). This list is from:
# https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
# An alternative list with additional directives can be obtained from
# https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
ssl-default-bind-options no-sslv3
defaults
mode http
log global
option httplog
option dontlognull
option http-server-close
option redispatch
retries 3
timeout http-request 10s
timeout queue 1m
timeout connect 10s
timeout client 1m
timeout server 1m
timeout http-keep-alive 10s
timeout check 10s
maxconn 10000
balance roundrobin
frontend https-443
bind *:443
mode http
option httplog
acl ACL_global.domain.com hdr(host) -i global.domain.com
use_backend www-443-app if ACL_global.domain.com
backend www-443-app
balance roundrobin
mode http
option httpchk GET /health
option forwardfor
http-check expect status 200
server backendnode1 app1.domain.com:443 check
server backendnode2 app2.domain.com:443 check
frontend health-443
bind *:8443
acl backend_dead nbsrv(www-443-app) lt 1
monitor-uri /haproxy_status
monitor fail if backend_dead
listen stats # Define a listen section called "stats"
bind :9000 # Listen on localhost:9000
mode http
stats enable # Enable stats page
stats hide-version # Hide HAProxy version
stats realm Haproxy\ Statistics # Title text for popup window
stats uri /haproxy_stats # Stats URI
stats auth haproxy:passwd # Authentication credentials
但是,健康检查没有通过。当我检查统计页面时,它说:Layer7 invalid response
。
我检查了我是否可以从我的 HAProxy 服务器连接到后端域,并且我能够成功地这样做。
curl -X GET -I https://app1.domain.com/health
HTTP/2 200
cache-control: no-cache, private, max-age=0
content-type: application/json
expires: Thu, 01 Jan 1970 00:00:00 UTC
pragma: no-cache
x-accel-expires: 0
x-content-type-options: nosniff
x-xss-protection: 1; mode=block
date: Wed, 28 Jul 2021 12:05:09 GMT
content-length: 18
x-envoy-upstream-service-time: 0
endpoint: health
version: 1.0.0
server: istio-envoy
我的配置中是否缺少某些内容或需要更改某些内容才能使其正常工作?
解决方案
您缺少行的ssl
关键字server
。您可能还想设置sni
backend foo
default-server ssl check verify none
server backendnode1 app1.domain.com:443 sni str('app1.domain.com')
server backendnode2 app2.domain.com:443 sni str('app2.domain.com')
您还应该决定是否要验证后端服务器的 SSL 证书。你能相信这种联系吗?是你的网络吗?Haproxy 鼓励您进行验证,但需要提供 CA 证书供他们验证。如果您验证证书,您还可以添加verifyhost
和设置:check-sni
backend foo
default-server ssl check verify required
server backendnode1 app1.domain.com:443 sni str('app1.domain.com') check-sni 'app1.domain.com' verifyhost 'app1.domain.com' ca-file /path/to/CA1.pem
server backendnode2 app2.domain.com:443 sni str('app2.domain.com') check-sni 'app2.domain.com' verifyhost 'app2.domain.com' ca-file /path/to/CA2.pem
推荐阅读
- angular - 如何使用 jasmine 为注销服务正确编写单元测试?
- sql - Postgres - 计数跨更多表
- python - 施工后坚持 GradientTape
- azure-active-directory - 请求访问令牌 MS Graph 时的 Invalid_grant
- php - 如何通过 COM 类将 PPTX 转换为 PDF?
- javascript - 如何设置默认元素位置 AnimeJs/ Scollmagic
- spring - Spring-MVC Thymeleaf 不提交
- android - 在 React-Native android 中使用自签名证书请求 https 服务器失败
- makefile - GNU为多个输入文件制定规则?
- json - 如何在 Angular 中读取文件之前检查文件是否存在?