Amazon-Web-Services

503 ALB 健康檢查 HAProxy

  • April 26, 2018

我在 Amazon ALB(應用程序負載均衡器)後面有一個 HAProxy,http/80 執行狀況檢查正常,但 https/443 給了我 503,即使該站點可用且正常

這是我在 HAProxy 日誌中看到的內容:

4/26/2018 3:19:47 AMApr 26 00:19:47 localhost haproxy[4494]: 172.30.139.183:31696 [26/Apr/2018:00:19:47.961] 443~ 443/<NOSRV> -1/-1/-1/-1/4 503 213 - - SC-- 2/0/0/0/0 0/0 "GET / HTTP/1.1"

這是我的 HAProxy 配置:

# Process-wide settings: syslog targets, privilege drop (chroot/user/group),
# connection limits, TLS defaults and the runtime stats socket.
global
     # NOTE(review): only SSLv3 is disabled here; TLS 1.0/1.1 stay enabled unless
     # the HAProxy/OpenSSL build turns them off -- confirm the intended minimum.
     ssl-default-bind-options no-sslv3
     log 10.42.74.144:5000 local0
     log 127.0.0.1:8514 local0
   chroot /var/lib/haproxy
   daemon
   group haproxy
   maxconn 4096
   maxpipes 1024
   # NOTE(review): both cipher lists end with plain-RSA key-exchange suites
   # (AES128-GCM-SHA256 ... AES256-SHA), which provide no forward secrecy, and
   # include CBC/SHA-1 suites -- confirm these are still needed by clients.
   ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA
   ssl-default-server-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA
   # Runtime API socket at admin level; mode 600 limits access to the socket's owner.
   stats socket /var/run/haproxy.sock mode 600 level admin
   stats timeout 2m
   user haproxy

# Settings inherited by the listen/frontend/backend sections that follow.
defaults
     log global
     option httplog
     mode http
     # Timeouts without a unit are in milliseconds.
     # NOTE(review): no "timeout http-request" is set, so only the 160 s client
     # inactivity timeout bounds a client that sends its request slowly.
     timeout connect 5000
     timeout server 160000
     timeout client 160000
     # NOTE(review): httpclose, forceclose and http-server-close (further down)
     # each select a connection-handling mode and overlap -- confirm which is intended.
     option httpclose
     option forceclose
   # Custom response bodies for HAProxy-generated errors, including the 503.
   errorfile 400 /etc/haproxy/errors/400.http
   errorfile 403 /etc/haproxy/errors/403.http
   errorfile 408 /etc/haproxy/errors/408.http
   errorfile 500 /etc/haproxy/errors/500.http
   errorfile 502 /etc/haproxy/errors/502.http
   errorfile 503 /etc/haproxy/errors/503.http
   errorfile 504 /etc/haproxy/errors/504.http
   maxconn 4096
   # Adds an X-Forwarded-For header carrying the client address to forwarded requests.
   option forwardfor
   option http-server-close
   option redispatch
   retries 3

# DNS resolver group "rancher" with a single nameserver on a link-local address.
# No server line in the visible config references it with "resolvers".
resolvers rancher
nameserver dnsmasq 169.254.169.250:53

# Listener on port 42 on all addresses; this section defines no servers or rules.
listen default
bind *:42

# TLS frontend on port 9765: routes Host test.example.com (with or without the
# port suffix) to its backend.
# NOTE(review): there is no default_backend, so a request matching no acl has
# no backend to go to.
frontend 9765
# "ssl" appears twice on the bind line; the second "crt" adds a certificate directory.
bind *:9765 ssl crt /etc/haproxy/certs/current/example.com.pem ssl crt /etc/haproxy/certs/current
mode http
acl 9765_test_example_com__host hdr(host) -i test.example.com
acl 9765_test_example_com__host hdr(host) -i test.example.com:9765
use_backend 9765_test_example_com_ if 9765_test_example_com__host
# Plain-HTTP frontend on port 80: every request goes to backend 80_ regardless
# of its Host header, because only a default_backend is defined.
frontend 80
bind *:80
mode http
default_backend 80_
# TLS frontend on port 5600: routes Host elk.test.example.com (with or without
# the port suffix) to its backend.
# NOTE(review): there is no default_backend, so a request matching no acl has
# no backend to go to.
frontend 5600
bind *:5600 ssl crt /etc/haproxy/certs/current/example.com.pem ssl crt /etc/haproxy/certs/current
mode http
acl 5600_elk_test_example_com__host hdr(host) -i elk.test.example.com
acl 5600_elk_test_example_com__host hdr(host) -i elk.test.example.com:5600
use_backend 5600_elk_test_example_com_ if 5600_elk_test_example_com__host
# TLS frontend on port 443: picks a backend by Host header and, for some hosts,
# by path prefix. use_backend rules are evaluated in order, so the path-specific
# rules for a host come before that host's catch-all rule.
# NOTE(review): there is no default_backend. A request whose Host matches none
# of the acls below (for example a health check addressed by IP) has no backend
# and is answered with 503, logged as <NOSRV>.
frontend 443
bind *:443 ssl crt /etc/haproxy/certs/current/example.com.pem ssl crt /etc/haproxy/certs/current
     # NOTE(review): both rules overwrite the connection's source address with a
     # value taken from a request header. X-Forwarded-For is set by the load
     # balancer in front, but X-Real-IP is presumably neither set nor stripped
     # there, so a client could supply its own -- verify before relying on the
     # source address in logs, ACLs or rate limits.
     http-request set-src hdr(x-forwarded-for)
     http-request set-src hdr(x-real-ip)
mode http
# xyz.test.example.com: /api/v3, /demo, /guard and /docs each have a backend,
# followed by the host-wide fallback.
acl 443_xyz_test_example_com_api_v3_host hdr(host) -i xyz.test.example.com
acl 443_xyz_test_example_com_api_v3_host hdr(host) -i xyz.test.example.com:443
acl 443_xyz_test_example_com_api_v3_path path_beg -i /api/v3
use_backend 443_xyz_test_example_com_api_v3 if 443_xyz_test_example_com_api_v3_host 443_xyz_test_example_com_api_v3_path
acl 443_xyz_test_example_com_demo_host hdr(host) -i xyz.test.example.com
acl 443_xyz_test_example_com_demo_host hdr(host) -i xyz.test.example.com:443
acl 443_xyz_test_example_com_demo_path path_beg -i /demo
use_backend 443_xyz_test_example_com_demo if 443_xyz_test_example_com_demo_host 443_xyz_test_example_com_demo_path
acl 443_xyz_test_example_com_guard_host hdr(host) -i xyz.test.example.com
acl 443_xyz_test_example_com_guard_host hdr(host) -i xyz.test.example.com:443
acl 443_xyz_test_example_com_guard_path path_beg -i /guard
use_backend 443_xyz_test_example_com_guard if 443_xyz_test_example_com_guard_host 443_xyz_test_example_com_guard_path
acl 443_xyz_test_example_com_docs_host hdr(host) -i xyz.test.example.com
acl 443_xyz_test_example_com_docs_host hdr(host) -i xyz.test.example.com:443
acl 443_xyz_test_example_com_docs_path path_beg -i /docs
use_backend 443_xyz_test_example_com_docs if 443_xyz_test_example_com_docs_host 443_xyz_test_example_com_docs_path
acl 443_xyz_test_example_com__host hdr(host) -i xyz.test.example.com
acl 443_xyz_test_example_com__host hdr(host) -i xyz.test.example.com:443
use_backend 443_xyz_test_example_com_ if 443_xyz_test_example_com__host
# abc.test.example.com: /settings first, then the host-wide fallback.
acl 443_abc_test_example_com_settings_host hdr(host) -i abc.test.example.com
acl 443_abc_test_example_com_settings_host hdr(host) -i abc.test.example.com:443
acl 443_abc_test_example_com_settings_path path_beg -i /settings
use_backend 443_abc_test_example_com_settings if 443_abc_test_example_com_settings_host 443_abc_test_example_com_settings_path
acl 443_abc_test_example_com__host hdr(host) -i abc.test.example.com
acl 443_abc_test_example_com__host hdr(host) -i abc.test.example.com:443
use_backend 443_abc_test_example_com_ if 443_abc_test_example_com__host
# Remaining hosts are routed on Host alone.
acl 443_mb_test_example_com__host hdr(host) -i mb.test.example.com
acl 443_mb_test_example_com__host hdr(host) -i mb.test.example.com:443
use_backend 443_mb_test_example_com_ if 443_mb_test_example_com__host
acl 443_fgh_test_example_com__host hdr(host) -i fgh.test.example.com
acl 443_fgh_test_example_com__host hdr(host) -i fgh.test.example.com:443
use_backend 443_fgh_test_example_com_ if 443_fgh_test_example_com__host
acl 443_test_example_com__host hdr(host) -i test.example.com
acl 443_test_example_com__host hdr(host) -i test.example.com:443
use_backend 443_test_example_com_ if 443_test_example_com__host
acl 443_www_test_example_com__host hdr(host) -i www.test.example.com
acl 443_www_test_example_com__host hdr(host) -i www.test.example.com:443
use_backend 443_www_test_example_com_ if 443_www_test_example_com__host

# Backend for test.example.com on port 9765: one server, cookie-based persistence.
backend 9765_test_example_com_
# True when the request carries no X-Forwarded-Proto / X-Forwarded-Port header.
acl forwarded_proto hdr_cnt(X-Forwarded-Proto) eq 0
acl forwarded_port hdr_cnt(X-Forwarded-Port) eq 0
   # The headers are added only when absent; a value already present on the
   # request is forwarded unchanged.
   http-request add-header X-Forwarded-Port %[dst_port] if forwarded_port
   http-request add-header X-Forwarded-Proto https if { ssl_fc } forwarded_proto
   # NOTE(review): the persistence cookie is inserted without the "secure" or
   # "httponly" keywords -- confirm that is intended for a TLS-only frontend.
   cookie idsession insert domain test.example.com
mode http
# No "check" on the server line, so this server is not health-checked.
server c0abff8ff53e7eb0c2871da1d52fc51d0efc5065 10.42.31.29:80  cookie c0abff8ff53e7eb0c2871da1d52fc51d0efc5065

# Default backend of the plain-HTTP frontend on port 80: one server, no health check.
backend 80_
# True when the request carries no X-Forwarded-Proto / X-Forwarded-Port header.
acl forwarded_proto hdr_cnt(X-Forwarded-Proto) eq 0
acl forwarded_port hdr_cnt(X-Forwarded-Port) eq 0
   # X-Forwarded-Proto is added only for TLS connections ({ ssl_fc }); the
   # frontend that selects this backend binds port 80 without "ssl".
   http-request add-header X-Forwarded-Port %[dst_port] if forwarded_port
   http-request add-header X-Forwarded-Proto https if { ssl_fc } forwarded_proto
   cookie idsession insert domain test.example.com
mode http
# The cookie value differs from the server name here, unlike the other backends.
server 4492af01cd1d23a2c4e3d9243cb4e50d09162edf 10.42.55.231:80  cookie 2dd1d23a291dfc49201c2e4afb4e50d033ce6449

# Backend for elk.test.example.com on port 5600: one health-checked server.
backend 5600_elk_test_example_com_
# True when the request carries no X-Forwarded-Proto / X-Forwarded-Port header.
acl forwarded_proto hdr_cnt(X-Forwarded-Proto) eq 0
acl forwarded_port hdr_cnt(X-Forwarded-Port) eq 0
   # Added only when absent; an existing value on the request is forwarded unchanged.
   http-request add-header X-Forwarded-Port %[dst_port] if forwarded_port
   http-request add-header X-Forwarded-Proto https if { ssl_fc } forwarded_proto
   timeout check 2000
   # NOTE(review): persistence cookie has no "secure"/"httponly" keywords.
   cookie idsession insert domain test.example.com
mode http
# No "option httpchk" in this section, so the check is a plain connection check
# on port 5600: every 2000 ms, up after 2 successes, down after 3 failures.
server 23ff4a32aec3cafa9d1fdc8a6591cfc83c8b45cd 10.42.211.19:5600  check port 5600 inter 2000 rise 2 fall 3 cookie 23ff4a32aec3cafa9d1fdc8a6591cfc83c8b45cd

# Backend for xyz.test.example.com paths under /api/v3: one server on port 3000.
backend 443_xyz_test_example_com_api_v3
# True when the request carries no X-Forwarded-Proto / X-Forwarded-Port header.
acl forwarded_proto hdr_cnt(X-Forwarded-Proto) eq 0
acl forwarded_port hdr_cnt(X-Forwarded-Port) eq 0
   # Added only when absent; an existing value on the request is forwarded unchanged.
   http-request add-header X-Forwarded-Port %[dst_port] if forwarded_port
   http-request add-header X-Forwarded-Proto https if { ssl_fc } forwarded_proto
   # NOTE(review): persistence cookie has no "secure"/"httponly" keywords.
   cookie idsession insert domain test.example.com
mode http
# No "check" on the server line, so this server is not health-checked.
server 5f9f2d6d447d598916598880d9389e0170e7e3aa 10.42.68.211:3000  cookie 5f9f2d6d447d598916598880d9389e0170e7e3aa

# Backend for xyz.test.example.com paths under /demo: one server, no health check.
backend 443_xyz_test_example_com_demo
# True when the request carries no X-Forwarded-Proto / X-Forwarded-Port header.
acl forwarded_proto hdr_cnt(X-Forwarded-Proto) eq 0
acl forwarded_port hdr_cnt(X-Forwarded-Port) eq 0
   # Added only when absent; an existing value on the request is forwarded unchanged.
   http-request add-header X-Forwarded-Port %[dst_port] if forwarded_port
   http-request add-header X-Forwarded-Proto https if { ssl_fc } forwarded_proto
   # NOTE(review): persistence cookie has no "secure"/"httponly" keywords.
   cookie idsession insert domain test.example.com
mode http
server fa74d3cf56e66212ec875e0b92c2b670fb99754f 10.42.0.89:80  cookie fa74d3cf56e66212ec875e0b92c2b670fb99754f

# Backend for xyz.test.example.com paths under /guard: one HTTP-health-checked server.
backend 443_xyz_test_example_com_guard
# True when the request carries no X-Forwarded-Proto / X-Forwarded-Port header.
acl forwarded_proto hdr_cnt(X-Forwarded-Proto) eq 0
acl forwarded_port hdr_cnt(X-Forwarded-Port) eq 0
   # Added only when absent; an existing value on the request is forwarded unchanged.
   http-request add-header X-Forwarded-Port %[dst_port] if forwarded_port
   http-request add-header X-Forwarded-Proto https if { ssl_fc } forwarded_proto
   timeout check 60000
   # Health check: GET /guard/health over HTTP/1.1 with an explicit Host header.
   option httpchk GET "/guard/health" "HTTP/1.1\r\nHost: xyz.test.example.com"
   # NOTE(review): persistence cookie has no "secure"/"httponly" keywords.
   cookie idsession insert domain test.example.com
mode http
# Checked on port 80 every 2000 ms; up after 2 successes, down after 3 failures.
server e0c95be63cd81c7671748b7ff8d96e86e3d0b0a8 10.42.208.41:80  check port 80 inter 2000 rise 2 fall 3 cookie e0c95be63cd81c7671748b7ff8d96e86e3d0b0a8

# Backend for xyz.test.example.com paths under /docs: one server, no health check.
backend 443_xyz_test_example_com_docs
# True when the request carries no X-Forwarded-Proto / X-Forwarded-Port header.
acl forwarded_proto hdr_cnt(X-Forwarded-Proto) eq 0
acl forwarded_port hdr_cnt(X-Forwarded-Port) eq 0
   # Added only when absent; an existing value on the request is forwarded unchanged.
   http-request add-header X-Forwarded-Port %[dst_port] if forwarded_port
   http-request add-header X-Forwarded-Proto https if { ssl_fc } forwarded_proto
   # NOTE(review): persistence cookie has no "secure"/"httponly" keywords.
   cookie idsession insert domain test.example.com
mode http
server b40feb86b28112d96aa8af75544dfea594ef32c1 10.42.21.153:80  cookie b40feb86b28112d96aa8af75544dfea594ef32c1

# Host-wide backend for xyz.test.example.com: one HTTP-health-checked server.
backend 443_xyz_test_example_com_
# True when the request carries no X-Forwarded-Proto / X-Forwarded-Port header.
acl forwarded_proto hdr_cnt(X-Forwarded-Proto) eq 0
acl forwarded_port hdr_cnt(X-Forwarded-Port) eq 0
   # Added only when absent; an existing value on the request is forwarded unchanged.
   http-request add-header X-Forwarded-Port %[dst_port] if forwarded_port
   http-request add-header X-Forwarded-Proto https if { ssl_fc } forwarded_proto
   timeout check 60000
   # Health check: GET /health over HTTP/1.1 with an explicit Host header.
   option httpchk GET "/health" "HTTP/1.1\r\nHost: xyz.test.example.com"
   # NOTE(review): persistence cookie has no "secure"/"httponly" keywords.
   cookie idsession insert domain test.example.com
mode http
# Checked on port 80 every 2000 ms; up after 2 successes, down after 3 failures.
server 002c117a2eab4ec0accf6343fc48c16896f301f3 10.42.5.159:80  check port 80 inter 2000 rise 2 fall 3 cookie 002c117a2eab4ec0accf6343fc48c16896f301f3

# Backend for abc.test.example.com paths under /settings: one HTTP-health-checked server.
backend 443_abc_test_example_com_settings
# True when the request carries no X-Forwarded-Proto / X-Forwarded-Port header.
acl forwarded_proto hdr_cnt(X-Forwarded-Proto) eq 0
acl forwarded_port hdr_cnt(X-Forwarded-Port) eq 0
   # Added only when absent; an existing value on the request is forwarded unchanged.
   http-request add-header X-Forwarded-Port %[dst_port] if forwarded_port
   http-request add-header X-Forwarded-Proto https if { ssl_fc } forwarded_proto
   timeout check 60000
   # Health check: GET /settings/health over HTTP/1.1 with an explicit Host header.
   option httpchk GET "/settings/health" "HTTP/1.1\r\nHost: abc.test.example.com"
   # NOTE(review): persistence cookie has no "secure"/"httponly" keywords.
   cookie idsession insert domain test.example.com
mode http
# Checked on port 80 every 2000 ms; up after 2 successes, down after 3 failures.
server c702bff8af5259921616ccaab19cf87b78490fbc 10.42.84.238:80  check port 80 inter 2000 rise 2 fall 3 cookie c702bff8af5259921616ccaab19cf87b78490fbc

# Host-wide backend for abc.test.example.com: one HTTP-health-checked server.
backend 443_abc_test_example_com_
# True when the request carries no X-Forwarded-Proto / X-Forwarded-Port header.
acl forwarded_proto hdr_cnt(X-Forwarded-Proto) eq 0
acl forwarded_port hdr_cnt(X-Forwarded-Port) eq 0
   # Added only when absent; an existing value on the request is forwarded unchanged.
   http-request add-header X-Forwarded-Port %[dst_port] if forwarded_port
   http-request add-header X-Forwarded-Proto https if { ssl_fc } forwarded_proto
   timeout check 60000
   # Health check: GET /health over HTTP/1.1 with an explicit Host header.
   option httpchk GET "/health" "HTTP/1.1\r\nHost: abc.test.example.com"
   # NOTE(review): persistence cookie has no "secure"/"httponly" keywords.
   cookie idsession insert domain test.example.com
mode http
# Checked on port 80 every 2000 ms; up after 2 successes, down after 3 failures.
server 871fdd922c10878663616084dca6df63574c0103 10.42.249.170:80  check port 80 inter 2000 rise 2 fall 3 cookie 871fdd922c10878663616084dca6df63574c0103

# Backend for mb.test.example.com: one server on port 8080, no health check.
backend 443_mb_test_example_com_
# True when the request carries no X-Forwarded-Proto / X-Forwarded-Port header.
acl forwarded_proto hdr_cnt(X-Forwarded-Proto) eq 0
acl forwarded_port hdr_cnt(X-Forwarded-Port) eq 0
   # Added only when absent; an existing value on the request is forwarded unchanged.
   http-request add-header X-Forwarded-Port %[dst_port] if forwarded_port
   http-request add-header X-Forwarded-Proto https if { ssl_fc } forwarded_proto
   # NOTE(review): persistence cookie has no "secure"/"httponly" keywords.
   cookie idsession insert domain test.example.com
mode http
server 928e481473de26ee572194a9885ed29281cc50ca 10.42.223.173:8080  cookie 928e481473de26ee572194a9885ed29281cc50ca

# Backend for fgh.test.example.com: one HTTP-health-checked server.
backend 443_fgh_test_example_com_
# True when the request carries no X-Forwarded-Proto / X-Forwarded-Port header.
acl forwarded_proto hdr_cnt(X-Forwarded-Proto) eq 0
acl forwarded_port hdr_cnt(X-Forwarded-Port) eq 0
   # Added only when absent; an existing value on the request is forwarded unchanged.
   http-request add-header X-Forwarded-Port %[dst_port] if forwarded_port
   http-request add-header X-Forwarded-Proto https if { ssl_fc } forwarded_proto
   timeout check 60000
   # Health check: GET /health over HTTP/1.1 with an explicit Host header.
   option httpchk GET "/health" "HTTP/1.1\r\nHost: fgh.test.example.com"
   # NOTE(review): persistence cookie has no "secure"/"httponly" keywords.
   cookie idsession insert domain test.example.com
mode http
# Checked on port 80 every 2000 ms; up after 2 successes, down after 3 failures.
server 6d9f03cdd2515fbe025d0d688d043e34ec45ffcc 10.42.248.45:80  check port 80 inter 2000 rise 2 fall 3 cookie 6d9f03cdd2515fbe025d0d688d043e34ec45ffcc

# Backend for test.example.com on port 443: one server, no health check.
backend 443_test_example_com_
# True when the request carries no X-Forwarded-Proto / X-Forwarded-Port header.
acl forwarded_proto hdr_cnt(X-Forwarded-Proto) eq 0
acl forwarded_port hdr_cnt(X-Forwarded-Port) eq 0
   # Added only when absent; an existing value on the request is forwarded unchanged.
   http-request add-header X-Forwarded-Port %[dst_port] if forwarded_port
   http-request add-header X-Forwarded-Proto https if { ssl_fc } forwarded_proto
   # NOTE(review): persistence cookie has no "secure"/"httponly" keywords.
   cookie idsession insert domain test.example.com
mode http
server 1ea4383c9540dfd7b8e913fbf26f86aeee952c3e 10.42.137.206:80  cookie 1ea4383c9540dfd7b8e913fbf26f86aeee952c3e

# Backend for www.test.example.com: one server, no health check. The server
# address and name are the same as in backend 443_test_example_com_.
backend 443_www_test_example_com_
# True when the request carries no X-Forwarded-Proto / X-Forwarded-Port header.
acl forwarded_proto hdr_cnt(X-Forwarded-Proto) eq 0
acl forwarded_port hdr_cnt(X-Forwarded-Port) eq 0
   # Added only when absent; an existing value on the request is forwarded unchanged.
   http-request add-header X-Forwarded-Port %[dst_port] if forwarded_port
   http-request add-header X-Forwarded-Proto https if { ssl_fc } forwarded_proto
   # NOTE(review): persistence cookie has no "secure"/"httponly" keywords.
   cookie idsession insert domain test.example.com
mode http
server 1ea4383c9540dfd7b8e913fbf26f86aeee952c3e 10.42.137.206:80  cookie 1ea4383c9540dfd7b8e913fbf26f86aeee952c3e

謝謝!

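您需要為 frontend 443 設定 default_backend。日誌中的 443/<NOSRV> 表示該請求沒有匹配到任何後端:frontend 443 只有依 Host 標頭匹配的 use_backend 規則,而 ALB 健康檢查請求的 Host 標頭通常是目標的 IP 位址,不符合任何 acl,於是 HAProxy 直接回傳 503。frontend 80 有 default_backend 80_,所以 http/80 的健康檢查正常。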

引用自:https://serverfault.com/questions/909495