Https

haproxy not working after upgrading to version 2.2 (reqadd no longer exists)

  • February 18, 2022

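[I erroneously had posted this question on stackoverflow] On my Debian buster server I had a perfectly running haproxy (v1.8), which I use to manage the certificates for my websites.

haproxy listens on port 443 and passes the requests on to a varnish+apache system.

After upgrading to Debian Bullseye, the haproxy (v2.2) service no longer starts, and the log shows: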

haproxy[46308]: [ALERT] 048/004148 (46308) : parsing [/etc/haproxy/haproxy.cfg:46] : The 'reqadd' directive is not supported anymore since HAProxy 2.1. Use 'http-request add-header' instead.

The haproxy.cfg lines responsible for this behavior are

frontend https
# Bind 443 with the generated letsencrypt cert.
       bind *:443 ssl crt /etc/letsencrypt/live/qumran2/haproxy.pem
       # set x-forward to https
       reqadd X-Forwarded-Proto:\ https                  <-----------|
       # set X-SSL in case of ssl_fc <- explained below
       http-request set-header X-SSL %[ssl_fc]
       # Select a Challenge
       acl letsencrypt-acl path_beg /.well-known/acme-challenge/
       # Use the challenge backend if the challenge is set
       default_backend www-backend

I know I have to change the reqadd X-Forwarded-Proto:\ https line, but how?

The documentation says:

http-request add-header <name> <fmt> [ { if | unless } <condition> ]
This appends an HTTP header field whose name is specified in <name> and
whose value is defined by <fmt> which follows the log-format rules (see
Custom Log Format in section 8.2.4). This is particularly useful to pass
connection-specific information to the server (e.g. the client's SSL
certificate), or to combine several headers into one. This rule is not
final, so it is possible to add other similar rules. Note that header
addition is performed immediately, so one rule might reuse the resulting
header from a previous rule.

I don't understand how I should write the equivalent http-request add-header…

I think you can use:

http-request set-header X-Forwarded-Proto https

As discussed here:

https://stackoverflow.com/questions/51928504/x-forwarded-proto-https-in-frontend-or-backend-haproxy
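
The three forms side by side, as an added example that is not part of the original question or answer: the removed `reqadd` line, its literal `add-header` equivalent, and the `set-header` form from the answer, which also discards any `X-Forwarded-Proto` value the client sent. It assumes `mode http` is set in the `defaults` section; the bind line, certificate path and backend name are taken from the question.

```haproxy
# Constructed example for HAProxy 2.1 and later.
# Assumption: "mode http" is inherited from the defaults section,
# since http-request rules only apply in HTTP mode.
frontend https
        # Bind 443 with the generated letsencrypt cert (from the question).
        bind *:443 ssl crt /etc/letsencrypt/live/qumran2/haproxy.pem

        # HAProxy 1.8 syntax, rejected at startup since 2.1:
        #   reqadd X-Forwarded-Proto:\ https

        # Literal equivalent: appends one more header field. An
        # X-Forwarded-Proto header already present in the client request
        # is kept, so the backend can receive two values and may trust
        # the client-supplied one.
        #   http-request add-header X-Forwarded-Proto https

        # Form from the answer: any existing X-Forwarded-Proto header is
        # removed first, then the proxy's own value is set. The backend
        # only ever sees the value chosen by haproxy.
        http-request set-header X-Forwarded-Proto https

        # Unchanged from the question: set-header was already used here.
        http-request set-header X-SSL %[ssl_fc]

        default_backend www-backend
```

Before restarting the service, the edited file can be checked with `haproxy -c -f /etc/haproxy/haproxy.cfg`, which parses the configuration and reports errors without starting the proxy.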

Quoted from: https://serverfault.com/questions/1094044