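Reverse-Proxy
HAProxy reverse proxy configuration - selecting a backend based on subdomain
I am trying to make a simple reverse proxy that selects a backend based on the URL. I keep getting the error message
503 Service Unavailable. No server is available to handle this request.
when trying this. Any help would be appreciated!
I want to type nc.mydomain.com and have my request forwarded to my nextcloud server (I will add other subdomains and domains later). This is my configuration: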
`haproxy.cfg`:

```
global
    log /dev/log local0
    log /dev/log local1 notice
    daemon
    ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
    ssl-default-bind-options no-sslv3 no-tlsv10

defaults
    mode http
    log global
    option httplog
    option dontlognull
    timeout connect 5000
    timeout client 50000
    timeout server 50000
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http
    option forwardfor if-none

frontend for-letsencrypt
    bind :80
    acl isletsencrypt path_beg /.well-known/acme-challenge/
    use_backend letsencrypt-backend if isletsencrypt

backend letsencrypt-backend
    server letsencrypt 127.0.0.1:8888

frontend public-web-in
    mode http
    bind :80
    bind :443 ssl crt /etc/letsencrypt/live/nc.mydomain.com/nc-haproxy.pem alpn h2,http/1.1
    redirect scheme https if !{ ssl_fc }
    acl isnextcloud req.hdr(Host) -i -m str nc.mydomain.com
    use_backend ncserver if isnextcloud
    default_backend myrouter

backend ncserver
    description My Nextcloud server
    server nc1 192.168.1.28:80 send-proxy ssl verify none

backend myrouter
    description My default backend server
    server router 192.168.1.1:80 send-proxy
```
I set the logging level to debug, and this is from `/var/log/haproxy.log`:

```
Jan 31 10:36:58 haproxy haproxy[3706]: [WARNING] 030/103658 (3706) : Exiting Master process...
Jan 31 10:36:58 haproxy haproxy[3706]: [ALERT] 030/103658 (3706) : Current worker #1 (3707) exited with code 143 (Terminated)
Jan 31 10:36:58 haproxy haproxy[3706]: [WARNING] 030/103658 (3706) : All workers exited. Exiting... (143)
Jan 31 10:36:58 haproxy haproxy[4964]: [WARNING] 030/103658 (4964) : Setting tune.ssl.default-dh-param to 1024 by default, if your workload permits it you should set it to at least 2048. Please set a value >= 1024 to make this warning disappear.
Jan 31 10:36:58 haproxy haproxy[4964]: Proxy for-letsencrypt started.
Jan 31 10:36:58 haproxy haproxy[4964]: Proxy for-letsencrypt started.
Jan 31 10:36:58 haproxy haproxy[4964]: [NOTICE] 030/103658 (4964) : New worker #1 (4965) forked
Jan 31 10:36:58 haproxy haproxy[4964]: Proxy letsencrypt-backend started.
Jan 31 10:36:58 haproxy haproxy[4964]: Proxy letsencrypt-backend started.
Jan 31 10:36:58 haproxy haproxy[4964]: Proxy public-web-in started.
Jan 31 10:36:58 haproxy haproxy[4964]: Proxy public-web-in started.
Jan 31 10:36:58 haproxy haproxy[4964]: Proxy ncserver started.
Jan 31 10:36:58 haproxy haproxy[4964]: Proxy ncserver started.
Jan 31 10:36:58 haproxy haproxy[4964]: Proxy myrouter started.
Jan 31 10:36:58 haproxy haproxy[4964]: Proxy myrouter started.
Jan 31 10:37:42 haproxy haproxy[4965]: 123.45.67.890:45204 [31/Jan/2019:10:37:39.272] public-web-in~ ncserver/nc1 0/0/-1/-1/3007 503 213 - - SC-- 1/1/0/0/3 0/0 "GET / HTTP/1.1"
Jan 31 10:37:42 haproxy haproxy[4965]: 123.45.67.890:45204 [31/Jan/2019:10:37:39.272] public-web-in~ ncserver/nc1 0/0/-1/-1/3007 503 213 - - SC-- 1/1/0/0/3 0/0 "GET / HTTP/1.1"
Jan 31 10:37:45 haproxy haproxy[4965]: 123.45.67.890:45204 [31/Jan/2019:10:37:42.764] public-web-in~ ncserver/nc1 0/0/-1/-1/3005 503 213 - - SC-- 1/1/0/0/3 0/0 "GET /favicon.ico HTTP/1.1"
Jan 31 10:37:45 haproxy haproxy[4965]: 123.45.67.890:45204 [31/Jan/2019:10:37:42.764] public-web-in~ ncserver/nc1 0/0/-1/-1/3005 503 213 - - SC-- 1/1/0/0/3 0/0 "GET /favicon.ico HTTP/1.1"
Jan 31 10:38:42 haproxy haproxy[4964]: [WARNING] 030/103842 (4964) : Exiting Master process...
Jan 31 10:38:42 haproxy haproxy[4964]: [ALERT] 030/103842 (4964) : Current worker #1 (4965) exited with code 143 (Terminated)
Jan 31 10:38:42 haproxy haproxy[4964]: [WARNING] 030/103842 (4964) : All workers exited. Exiting... (143)
Jan 31 10:38:42 haproxy haproxy[4977]: [WARNING] 030/103842 (4977) : Setting tune.ssl.default-dh-param to 1024 by default, if your workload permits it you should set it to at least 2048. Please set a value >= 1024 to make this warning disappear.
Jan 31 10:38:42 haproxy haproxy[4977]: Proxy for-letsencrypt started.
Jan 31 10:38:42 haproxy haproxy[4977]: Proxy for-letsencrypt started.
Jan 31 10:38:42 haproxy haproxy[4977]: [NOTICE] 030/103842 (4977) : New worker #1 (4978) forked
Jan 31 10:38:42 haproxy haproxy[4977]: Proxy letsencrypt-backend started.
Jan 31 10:38:42 haproxy haproxy[4977]: Proxy letsencrypt-backend started.
Jan 31 10:38:42 haproxy haproxy[4977]: Proxy public-web-in started.
Jan 31 10:38:42 haproxy haproxy[4977]: Proxy public-web-in started.
Jan 31 10:38:42 haproxy haproxy[4977]: Proxy ncserver started.
Jan 31 10:38:42 haproxy haproxy[4977]: Proxy ncserver started.
Jan 31 10:38:42 haproxy haproxy[4977]: Proxy myrouter started.
Jan 31 10:38:42 haproxy haproxy[4977]: Proxy myrouter started.
Jan 31 10:38:50 haproxy haproxy[4978]: 123.45.67.890:46022 [31/Jan/2019:10:38:47.493] public-web-in~ ncserver/nc1 0/0/-1/-1/3006 503 213 - - SC-- 2/2/0/0/3 0/0 "GET / HTTP/1.1"
Jan 31 10:38:50 haproxy haproxy[4978]: 123.45.67.890:46022 [31/Jan/2019:10:38:47.493] public-web-in~ ncserver/nc1 0/0/-1/-1/3006 503 213 - - SC-- 2/2/0/0/3 0/0 "GET / HTTP/1.1"
Jan 31 10:38:53 haproxy haproxy[4978]: 123.45.67.890:46022 [31/Jan/2019:10:38:50.563] public-web-in~ ncserver/nc1 0/0/-1/-1/3005 503 213 - - SC-- 2/2/0/0/3 0/0 "GET /favicon.ico HTTP/1.1"
Jan 31 10:38:53 haproxy haproxy[4978]: 123.45.67.890:46022 [31/Jan/2019:10:38:50.563] public-web-in~ ncserver/nc1 0/0/-1/-1/3005 503 213 - - SC-- 2/2/0/0/3 0/0 "GET /favicon.ico HTTP/1.1"
Jan 31 10:39:33 haproxy haproxy[4978]: 123.45.67.890:46022 [31/Jan/2019:10:39:30.343] public-web-in~ ncserver/nc1 0/0/-1/-1/3005 503 213 - - SC-- 2/2/0/0/3 0/0 "GET / HTTP/1.1"
Jan 31 10:39:33 haproxy haproxy[4978]: 123.45.67.890:46022 [31/Jan/2019:10:39:30.343] public-web-in~ ncserver/nc1 0/0/-1/-1/3005 503 213 - - SC-- 2/2/0/0/3 0/0 "GET / HTTP/1.1"
Jan 31 10:39:36 haproxy haproxy[4978]: 123.45.67.890:46022 [31/Jan/2019:10:39:33.489] public-web-in~ ncserver/nc1 0/0/-1/-1/3004 503 213 - - SC-- 2/2/0/0/3 0/0 "GET /favicon.ico HTTP/1.1"
Jan 31 10:39:36 haproxy haproxy[4978]: 123.45.67.890:46022 [31/Jan/2019:10:39:33.489] public-web-in~ ncserver/nc1 0/0/-1/-1/3004 503 213 - - SC-- 2/2/0/0/3 0/0 "GET /favicon.ico HTTP/1.1"
Jan 31 10:40:04 haproxy haproxy[4978]: 123.45.67.890:49065 [31/Jan/2019:10:40:01.584] public-web-in~ ncserver/nc1 0/0/-1/-1/3006 503 213 - - SC-- 3/3/1/0/3 0/0 "GET /ocs/v2.php/apps/notifications/api/v2/notifications?format=json HTTP/1.1"
Jan 31 10:40:04 haproxy haproxy[4978]: 123.45.67.890:49065 [31/Jan/2019:10:40:01.584] public-web-in~ ncserver/nc1 0/0/-1/-1/3006 503 213 - - SC-- 3/3/1/0/3 0/0 "GET /ocs/v2.php/apps/notifications/api/v2/notifications?format=json HTTP/1.1"
Jan 31 10:40:06 haproxy haproxy[4978]: 123.45.67.890:55079 [31/Jan/2019:10:40:03.805] public-web-in~ ncserver/nc1 0/0/-1/-1/3006 503 213 - - SC-- 2/2/0/0/3 0/0 "PROPFIND /remote.php/dav/files/sarah/ HTTP/1.1"
Jan 31 10:40:06 haproxy haproxy[4978]: 123.45.67.890:55079 [31/Jan/2019:10:40:03.805] public-web-in~ ncserver/nc1 0/0/-1/-1/3006 503 213 - - SC-- 2/2/0/0/3 0/0 "PROPFIND /remote.php/dav/files/sarah/ HTTP/1.1"
Jan 31 10:40:11 haproxy haproxy[4978]: 123.45.67.890:44558 [31/Jan/2019:10:40:11.772] public-web-in/2: SSL handshake failure
Jan 31 10:40:11 haproxy haproxy[4978]: 123.45.67.890:44558 [31/Jan/2019:10:40:11.772] public-web-in/2: SSL handshake failure
Jan 31 10:40:14 haproxy haproxy[4978]: 123.45.67.890:54795 [31/Jan/2019:10:40:11.880] public-web-in~ ncserver/nc1 0/0/-1/-1/3005 503 213 - - SC-- 4/4/2/0/3 0/0 "GET /status.php HTTP/1.1"
Jan 31 10:40:14 haproxy haproxy[4978]: 123.45.67.890:54795 [31/Jan/2019:10:40:11.880] public-web-in~ ncserver/nc1 0/0/-1/-1/3005 503 213 - - SC-- 4/4/2/0/3 0/0 "GET /status.php HTTP/1.1"
Jan 31 10:40:16 haproxy haproxy[4978]: 123.45.67.890:39289 [31/Jan/2019:10:40:13.649] public-web-in~ ncserver/nc1 0/0/-1/-1/3007 503 213 - - SC-- 3/3/1/0/3 0/0 "GET /ocs/v2.php/core/navigation/apps?absolute=true&format=json HTTP/1.1"
Jan 31 10:40:16 haproxy haproxy[4978]: 123.45.67.890:39289 [31/Jan/2019:10:40:13.649] public-web-in~ ncserver/nc1 0/0/-1/-1/3007 503 213 - - SC-- 3/3/1/0/3 0/0 "GET /ocs/v2.php/core/navigation/apps?absolute=true&format=json HTTP/1.1"
Jan 31 10:40:20 haproxy haproxy[4978]: 123.45.67.890:52104 [31/Jan/2019:10:40:17.071] public-web-in~ ncserver/nc1 0/0/-1/-1/3006 503 213 - - SC-- 2/2/0/0/3 0/0 "GET /ocs/v2.php/core/navigation/apps?absolute=true&format=json HTTP/1.1"
Jan 31 10:40:20 haproxy haproxy[4978]: 123.45.67.890:52104 [31/Jan/2019:10:40:17.071] public-web-in~ ncserver/nc1 0/0/-1/-1/3006 503 213 - - SC-- 2/2/0/0/3 0/0 "GET /ocs/v2.php/core/navigation/apps?absolute=true&format=json HTTP/1.1"
```
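The SSL handshake failure appears to be on the front side of the proxy and is probably unrelated.

The most valuable piece of information here is `SC--`. This field is called the session state at disconnection, and the value of the information it provides is hard to overstate. On a successful request it is set to `----`.

The value `SC--` indicates that your back-end server is refusing the connection on the destination port, and that the problem occurred very early, before the HTTP request could be sent across the connection to the back-end (sensibly enough, since no connection was established). Note that you appear to have configured `ssl` for this back-end, so the server's address should probably be set to port 443 rather than 80. You haven't enabled any health checks on the back-end, so HAProxy doesn't know that it is down/unreachable/stopped/inaccessible/misconfigured/firewalled, and tries to send requests to it.

Those fail, of course, and HAProxy writes the contents of `/etc/haproxy/errors/503.http` to the wire to signal the failure to the client.

Unrelated: be sure you understand what `send-proxy` means. It's a great feature if you need it, but you don't need it in your configuration, since you're running the proxy in layer 7 mode. You can add `option forwardfor` instead, to set the `X-Forwarded-For` header.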
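
The log reading described in the answer, as an added example that is not part of the original post: it decodes the termination-state flags and the connect timer of `option httplog` lines and counts requests that failed before any backend connection existed. The names `triage` and `never_connected` are made up for this sketch, the flag meanings are taken from the HAProxy logging documentation, and the third sample line is constructed.

```python
import re

# First two termination-state flags, as described in the HAProxy logging documentation.
CAUSE = {"-": "normal completion", "C": "aborted by client",
         "S": "aborted or refused by server", "P": "aborted by proxy",
         "R": "proxy resource exhausted", "I": "internal error",
         "c": "client-side timeout", "s": "server-side timeout"}
PHASE = {"-": "session completed", "R": "waiting for request", "Q": "queued",
         "C": "connecting to server", "H": "waiting for response headers",
         "D": "data transfer", "L": "sending last data", "T": "tarpit"}

# httplog fields after the accept date:
# frontend backend/server timers status bytes cookies state counters queues "request"
LINE = re.compile(
    r'\] (?P<frontend>\S+) (?P<backend>[^/\s]+)/(?P<server>\S+) '
    r'(?P<timers>[+-]?\d+(?:/[+-]?\d+){4}) (?P<status>-?\d+) \S+ \S+ \S+ '
    r'(?P<state>\S{4}) \d+/\d+/\d+/\d+/\+?(?P<retries>\d+) \d+/\d+ "(?P<request>[^"]*)"')

# Lines 1-2 are copied from the log on this page; line 3 is constructed for contrast.
SAMPLE = [
    'Jan 31 10:37:42 haproxy haproxy[4965]: 123.45.67.890:45204 [31/Jan/2019:10:37:39.272] public-web-in~ ncserver/nc1 0/0/-1/-1/3007 503 213 - - SC-- 1/1/0/0/3 0/0 "GET / HTTP/1.1"',
    'Jan 31 10:40:11 haproxy haproxy[4978]: 123.45.67.890:44558 [31/Jan/2019:10:40:11.772] public-web-in/2: SSL handshake failure',
    'Jan 31 10:41:00 haproxy haproxy[4978]: 192.0.2.10:40000 [31/Jan/2019:10:41:00.000] public-web-in~ ncserver/nc1 0/0/1/12/13 200 512 - - ---- 1/1/0/0/0 0/0 "GET /status.php HTTP/1.1"',
]

def triage(line):
    """Decode one httplog line; None for lines without backend fields."""
    m = LINE.search(line)
    if m is None:
        return None  # e.g. "SSL handshake failure", logged by the frontend only
    state, timers = m["state"], [int(t) for t in m["timers"].split("/")]
    return {
        "server": f'{m["backend"]}/{m["server"]}',
        "status": int(m["status"]),
        "state": state,
        "meaning": f'{CAUSE.get(state[0], "other")}; phase: {PHASE.get(state[1], "other")}',
        "connected": timers[2] >= 0,  # third timer (Tc) is -1 if no connection was made
        "retries": int(m["retries"]),
    }

def never_connected(lines):
    """Count requests per backend/server that failed before a connection existed."""
    hits = {}
    for rec in filter(None, map(triage, lines)):
        if not rec["connected"]:
            hits[rec["server"]] = hits.get(rec["server"], 0) + 1
    return hits
```

Running `never_connected` over a whole log file separates backend reachability problems from application errors, because only the former show a connect timer of -1.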