Nginx
HAProxy 和 Nginx SSL 重定向問題
我有 2 個網站,
websitea.com
它們websiteb.com
託管在兩台伺服器上10.0.0.8
並10.0.0.12
用於負載均衡器,我嘗試HTTP,HTTPS
通過此配置使其與兩種協議一起使用。
HTTPS
工作正常https://websitea.com
,但即使我沒有在任何地方配置重定向,也https://websiteb.com
總是重定向到。https://websitea.com
請指出我哪裡錯了,我應該怎麼做才能解決這個問題。global ... tune.ssl.default-dh-param 2048 defaults .... listen stats :4444 ... frontend http-web bind *:80 default_backend http-in #--------------------------------------------------------------------- # round robin balancing between the various backends #--------------------------------------------------------------------- backend http-in redirect scheme https if !{ ssl_fc } cookie SERVERID insert indirect nocache option forwardfor header X-Real-IP option http-server-close option httplog balance roundrobin server web01 10.0.0.8:80 check server web02 10.0.0.12:80 check frontend https-web bind *:443 ssl crt /etc/haproxy/ssl/websitea.pem crt /etc/haproxy/ssl/websiteb.pem mode http default_backend https-in backend https-in mode http balance roundrobin stick-table type ip size 200k expire 30m stick on src default-server inter 1s server web01 10.0.0.8:443 check ssl verify none server web02 10.0.0.12:443 check ssl verify none
網站a.conf
這是我的 NGINX
websitea.conf
伺服器10.0.0.8
。在伺服器10.0.0.12
中,主要區別僅在於 IP 地址。server { listen 10.0.0.8:443 ssl http2; server_name websitea.com; # SSL ssl_certificate /etc/nginx/ssl/websitea-bundle-full.crt; ssl_certificate_key /etc/nginx/ssl/websitea-private.key; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_prefer_server_ciphers on; ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS'; # Improve HTTPS performance with session resumption ssl_session_cache shared:SSL:50m; ssl_session_timeout 1d; # DH parameters ssl_dhparam /etc/nginx/ssl/dhparam.pem; # Enable HSTS add_header Strict-Transport-Security "max-age=31536000" always; access_log /var/log/nginx/websitea.access.log main_ext; error_log /var/log/nginx/websitea.errors.log warn; .... }
網站b.conf
server { listen 10.0.0.8:443 ssl http2; server_name websiteb.com; # SSL ssl_certificate /etc/nginx/ssl/websiteb-bundle-full.crt; ssl_certificate_key /etc/nginx/ssl/websiteb-private.key; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_prefer_server_ciphers on; ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS'; # Improve HTTPS performance with session resumption ssl_session_cache shared:SSL:50m; ssl_session_timeout 1d; # DH parameters ssl_dhparam /etc/nginx/ssl/dhparam.pem; # Enable HSTS add_header Strict-Transport-Security "max-age=31536000" always; access_log /var/log/nginx/websitea.access.log main_ext; error_log /var/log/nginx/websitea.errors.log warn; .... }
解決了,主要問題是我連續兩次定義證書。證書不應在 Nginx 配置中定義,而它已經存在於 Haproxy 配置中。
對於與 websiteb => websitea 相關的重定向,我看不出真正的原因。請檢查:
- 正確的證書:真的是內容錯誤還是只是證書?如果僅證書檢查與載入證書相關的 haproxy 日誌,還可以直接檢查證書 - CN、SubjectAlternativeName、Validity ;以及帶有證書的文件的權限
- content :如果內容錯誤,我希望重定向來自後端/伺服器。在這種情況下,請檢查 nginx 配置(在問題中減少了),因為我猜 haproxy 沒有實現重定向。
正如我已經在評論中寫的那樣,有一個空間可以讓它在相同的行為下更小一點。特別是
redirect scheme https if !{ ssl_fc }
導致從 http 到 https 的重定向(確切地說,它表示重定向到 https,以防它不安全/不是 https - SSL 或 TLS)。當您在後端為 http 執行此操作時,不需要“跳轉”到後端,因為這可以直接在前端完成。在它旁邊,您可以擁有一個具有更多
bind
選項的前端,這樣您就可以擁有一個進行定義並強制使用 https 的前端。我沒有檢查你所有的選項以及你在那裡使用的原因我只是“調整”了必要的東西來組合它:
- 在一個前端同時使用 http/https
bind :*80 bind *:443 ssl crt /etc/hapr...
- 從所選文件夾載入所有證書(您不需要列出所有證書)
... ssl crt /etc/haproxy/ssl/ ...
- 至少有一點安全(一旦公開可用,您可以使用ssllabs網頁檢查設置)
... no-sslv3 ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
- 強制所有流量得到保護
redirect scheme https if !{ ssl_fc }
您進行必要更改的配置可能是:
global ... tune.ssl.default-dh-param 2048 defaults .... listen stats :4444 ... frontend web mode http bind *:80 bind *:443 ssl crt /etc/haproxy/ssl/ no-sslv3 ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS redirect scheme https if !{ ssl_fc } default_backend https-in backend https-in mode http balance roundrobin stick-table type ip size 200k expire 30m stick on src default-server inter 1s server web01 10.0.0.8:443 check ssl verify none server web02 10.0.0.12:443 check ssl verify none
不需要其他前端或後端。