Nginx

HAProxy and Nginx SSL redirect problem

  • December 8, 2018

I have 2 websites, websitea.com and websiteb.com, hosted on two servers, 10.0.0.8 and 10.0.0.12, behind a load balancer, and I am trying to make it work with both protocols, HTTP and HTTPS, using this configuration.

HTTPS works fine for https://websitea.com, but https://websiteb.com always redirects to https://websitea.com, even though I have not configured a redirect anywhere. Please point out where I went wrong and what I should do to fix this.

global
   ...
   tune.ssl.default-dh-param 2048

defaults
   ....

listen stats :4444
   ...

frontend http-web
   bind *:80
   default_backend     http-in

#---------------------------------------------------------------------
# round robin balancing between the various backends
#---------------------------------------------------------------------
backend http-in
   redirect scheme https if !{ ssl_fc }
   cookie      SERVERID insert indirect nocache
   option      forwardfor header X-Real-IP
   option      http-server-close
   option      httplog
   balance     roundrobin
   server      web01 10.0.0.8:80 check
   server      web02 10.0.0.12:80 check

frontend https-web
   bind *:443 ssl crt /etc/haproxy/ssl/websitea.pem crt /etc/haproxy/ssl/websiteb.pem
   mode http
   default_backend https-in

backend https-in
   mode http
   balance roundrobin
   stick-table type ip size 200k expire 30m
   stick on src
   default-server inter 1s
   server  web01 10.0.0.8:443 check ssl verify none
   server  web02 10.0.0.12:443 check ssl verify none

websitea.conf

This is my NGINX websitea.conf on server 10.0.0.8. On server 10.0.0.12 the main difference is only the IP address.

server {
       listen   10.0.0.8:443 ssl http2;

       server_name websitea.com;

       # SSL
       ssl_certificate /etc/nginx/ssl/websitea-bundle-full.crt;
       ssl_certificate_key /etc/nginx/ssl/websitea-private.key;
       ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
       ssl_prefer_server_ciphers on;
       ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';

       # Improve HTTPS performance with session resumption
       ssl_session_cache shared:SSL:50m;
       ssl_session_timeout 1d;

       # DH parameters
       ssl_dhparam /etc/nginx/ssl/dhparam.pem;

       # Enable HSTS
       add_header Strict-Transport-Security "max-age=31536000" always;    


       access_log /var/log/nginx/websitea.access.log main_ext;
       error_log /var/log/nginx/websitea.errors.log warn;

       ....
   }

websiteb.conf

server {
       listen   10.0.0.8:443 ssl http2;

       server_name websiteb.com;

       # SSL
       ssl_certificate /etc/nginx/ssl/websiteb-bundle-full.crt;
       ssl_certificate_key /etc/nginx/ssl/websiteb-private.key;
       ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
       ssl_prefer_server_ciphers on;
       ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';

       # Improve HTTPS performance with session resumption
       ssl_session_cache shared:SSL:50m;
       ssl_session_timeout 1d;

       # DH parameters
       ssl_dhparam /etc/nginx/ssl/dhparam.pem;

       # Enable HSTS
       add_header Strict-Transport-Security "max-age=31536000" always;    


       access_log /var/log/nginx/websitea.access.log main_ext;
       error_log /var/log/nginx/websitea.errors.log warn;

       ....
   }

Solved, the main problem was that I defined the certificate twice. The certificate should not be defined in the Nginx configuration when it already exists in the Haproxy configuration.

For the redirect from websiteb => websitea I cannot see the real reason. Please check:

  • correct certificate: is it really the wrong content, or just the certificate? If it is only the certificate, check the haproxy logs related to loading the certificates, and also check the certificates directly - CN, SubjectAlternativeName, Validity; and the permissions of the files holding the certificates
  • content: if the content is wrong, I would expect the redirect to come from the backend/server. In that case check the nginx configuration (reduced in the question), because I guess haproxy does not do the redirect.

As I already wrote in the comments, there is some room to make it a bit smaller with the same behaviour. In particular, redirect scheme https if !{ ssl_fc } causes the redirect from http to https (to be exact, it says: redirect to https in case it is not secure / not https - SSL or TLS). When you do that in the backend for http, there is no need to "jump" to the backend, because this can be done directly in the frontend.

Next to that, you can have one frontend with more bind options, so that you have a single frontend that does the definition and enforces https. I did not check all your options and why you use them there; I just "adjusted" the necessary things to combine it:

  • use http/https in one frontend
bind *:80
bind *:443 ssl crt /etc/hapr...
  • load all certificates from the chosen folder (you do not need to list them all)
... ssl crt /etc/haproxy/ssl/ ...
  • at least a bit of security (once publicly available, you can check the settings with the ssllabs web page)
... no-sslv3 ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
  • force all traffic to be protected
redirect scheme https if !{ ssl_fc }

Your configuration with the necessary changes could be:

global
   ...
   tune.ssl.default-dh-param 2048

defaults
   ....

listen stats :4444
   ...

frontend web
   mode http
   bind *:80
   bind *:443 ssl crt /etc/haproxy/ssl/ no-sslv3 ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
   redirect scheme https if !{ ssl_fc }
   default_backend https-in

backend https-in
   mode http
   balance roundrobin
   stick-table type ip size 200k expire 30m
   stick on src
   default-server inter 1s
   server  web01 10.0.0.8:443 check ssl verify none
   server  web02 10.0.0.12:443 check ssl verify none

No other frontend or backend is needed.
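The answer's first check (look at the certificate itself: CN, SubjectAlternativeName, Validity) is easy to script so it can be repeated for every hostname behind the load balancer. The following is an added example, not code from the question or the answer: it implements the name and validity checks offline on a constructed certificate dict (in the layout that Python's `ssl.SSLSocket.getpeercert()` returns, with made-up names and dates), and includes a `fetch_cert` helper that performs the same check live against a host while sending an explicit SNI name, because a multi-certificate listener such as the `bind *:443 ssl crt ... crt ...` line in the question selects its certificate by SNI.

```python
"""Offline certificate checks of the kind suggested above (CN, SubjectAlternativeName,
validity) for name-based virtual hosts behind HAProxy.

Added example; not code from the question or the answer. SAMPLE_CERT_WEBSITEA is a
constructed dict in the layout returned by ssl.SSLSocket.getpeercert()."""
import socket
import ssl
import time
from typing import Dict, List, Optional

# Constructed sample: what a listener holding only websitea's certificate would present.
SAMPLE_CERT_WEBSITEA: Dict = {
    "subject": ((("commonName", "websitea.com"),),),
    "subjectAltName": (("DNS", "websitea.com"), ("DNS", "www.websitea.com")),
    "notBefore": "Dec  1 00:00:00 2018 GMT",
    "notAfter": "Mar  1 00:00:00 2019 GMT",
}


def name_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate DNS name against a hostname.

    A single leading '*' label matches exactly one label (RFC 6125 style):
    '*.example.com' covers 'a.example.com' but not 'example.com' or 'a.b.example.com'.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern.split(".")[1:]
    labels = hostname.split(".")
    return len(labels) == len(suffix) + 1 and labels[1:] == suffix


def cert_names(cert: Dict) -> List[str]:
    """DNS names the certificate covers: the SAN entries, or the CN if there is no SAN."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [value for rdn in cert.get("subject", ()) for kind, value in rdn if kind == "commonName"]


def cert_findings(cert: Dict, hostname: str, now: Optional[float] = None) -> List[str]:
    """Problems with serving `cert` for `hostname` at time `now` (seconds since the
    epoch, default: current time). An empty list means name and validity look fine."""
    findings = []
    names = cert_names(cert)
    if not any(name_matches(n, hostname) for n in names):
        findings.append(f"name mismatch: {hostname} is not covered by {names}")
    now = time.time() if now is None else now
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        findings.append(f"not yet valid (notBefore {cert['notBefore']})")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        findings.append(f"expired (notAfter {cert['notAfter']})")
    return findings


def fetch_cert(host: str, port: int = 443, sni: Optional[str] = None) -> Dict:
    """Live check: connect to host:port, send `sni` (default: host) in the TLS
    ClientHello and return the parsed certificate the server presents.

    The SNI name is what a listener with several certificates uses to pick one,
    so testing websiteb.com while sending the SNI of websitea.com tells you nothing.
    Chain verification stays on so that getpeercert() returns the parsed dict; only
    the hostname check is left to cert_findings(). For a private CA add
    ctx.load_verify_locations(<ca-bundle>). Not exercised in the offline run.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=sni or host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    # Offline demonstration on the constructed sample, evaluated at 2019-01-01 00:00 UTC.
    at = ssl.cert_time_to_seconds("Jan  1 00:00:00 2019 GMT")
    for host in ("websitea.com", "www.websitea.com", "websiteb.com"):
        print(host, cert_findings(SAMPLE_CERT_WEBSITEA, host, now=at) or "ok")
```

Run against the two hostnames from the question with `fetch_cert("<load balancer IP>", sni="websiteb.com")` and `fetch_cert("10.0.0.8", sni="websiteb.com")` (verification against the backend's own CA), and `cert_findings` on each result tells you at which hop a host starts receiving the other site's certificate, which narrows the problem to HAProxy's certificate selection or to the nginx server blocks.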

Quoted from: https://serverfault.com/questions/943153