
Gitlab behind Haproxy (SSL)

  • December 12, 2016

We have a virtualized server (esxi) with a typical setup:

Client --https--> pfsense -> haproxy --http--> vm

Now I'm trying to configure a new virtual server with gitlab, but I can't find the right configuration. Inside the private network gitlab works fine, but when I try to access it from outside, haproxy responds with a 503 error. After reading and trying several configurations I can't make it work. I'm sure it's an nginx problem (or so I think), because if on the same server I install apache (just to test), that server works fine from outside.

The goal is this:

Client --https--> pfsense -> haproxy --http--> gitlab

Pfsense has ports 80 and 443 open (I'm not sure whether we need to open another one for ssh or unicorn).

Some configuration:

gitlab.rc
external_url 'https://mydomain.extension'

Haproxy (works for the other VMs)

global
    maxconn 10000
    stats socket /tmp/haproxy.socket level admin
    uid 80
    gid 80
    nbproc 1
    chroot /tmp/haproxy_chroot
    daemon
    tune.ssl.default-dh-param 2048
    server-state-file /tmp/haproxy_server_state
    ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK

frontend http_redirectTo_https
    bind publicIP:80 name publicIP:80
    mode http
    log global
    option httpclose
    option forwardfor
    acl https ssl_fc
    http-request set-header X-Forwarded-Proto http if !https
    http-request set-header X-Forwarded-Proto https if https
    timeout client 30000
    redirect scheme https code 301 if !{ ssl_fc }

frontend https_input
    bind publicIP:443 name publicIP:443 ssl crt /certs/certific.pem no-sslv3 crt /var/etc/haproxy/https_frontend.pem
    mode http
    log global
    option http-keep-alive
    timeout client 30000
    acl aclAdm hdr(host) -i adm.domain.ext
    acl aclOne hdr(host) -i one.domain.ext
    acl aclTwo hdr(host) -i two.domain.ext
    acl aclGit hdr(host) -i git.domain.ext
    use_backend adm_backend_http_ipvANY if aclAdm
    use_backend one_backend_http_ipvANY if aclOne
    use_backend two_backend_http_ipvANY if aclTwo
    use_backend git_backend_http_ipvANY if aclGit

I removed the other backends.

backend git_backend_http_ipvANY
    mode http
    log global
    balance leastconn
    timeout connect 30000
    timeout server 30000
    retries 3
    option httpchk OPTIONS /
    option forwardfor
    option http-server-close
    http-request set-header X-Forwarded-Port %[dst_port]
    http-request set-header X-Forwarded-Proto https if { ssl_fc }
    server gitServer private_ip:80 check inter 1000

I guess it's an nginx problem, thanks!

The problem was that haproxy wasn't detecting the server, so we suspected the health check configuration was wrong:

    option httpchk OPTIONS /

I just changed it to a basic check and haproxy detects the server correctly; in fact, it works fine.

Source: https://serverfault.com/questions/820114
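The answer above explains the 503 by the health check rather than by nginx. The Python helper below is an added example, not code from the question or the answer, that models HAProxy's documented check semantics so the symptom can be reasoned about offline: with `option httpchk`, only a 2xx or 3xx reply marks a server UP, any other reply marks it DOWN; a plain `check` without httpchk is a layer-4 TCP connect that passes as soon as the port accepts connections; and once every server in a backend is DOWN, HAProxy itself answers 503. It also reads server state from the CSV that `show stat` prints on the stats socket configured in the global section (`/tmp/haproxy.socket`). The `show stat` sample, the 405 answer to `OPTIONS /` and the 302 answer to `GET /` are constructed for the example; what GitLab's nginx really returned to the author is not known from the page.

```python
# Added example, not part of the original question or answer.
# Models HAProxy's documented health-check semantics:
#   - "option httpchk": only a 2xx/3xx reply marks the server UP; 4xx/5xx,
#     a malformed reply or a connect failure marks it DOWN.
#   - plain "check" without httpchk: a layer-4 TCP connect is enough.
#   - when no server in a backend is UP, HAProxy answers 503 itself.
# The `show stat` sample is constructed and trimmed to a few columns; real
# output (echo "show stat" | socat stdio /tmp/haproxy.socket) has many more,
# which is why the parser is header-driven.
import csv
import io
import re


def httpchk_passes(status_code: int) -> bool:
    """HAProxy 'option httpchk' verdict for an HTTP status code."""
    return 200 <= status_code < 400


_STATUS_LINE = re.compile(r"^HTTP/\d\.\d (\d{3})\b")


def l7_verdict(raw_response: str) -> str:
    """'UP' or 'DOWN' for a raw HTTP reply, as the layer-7 check judges it."""
    m = _STATUS_LINE.match(raw_response)
    if not m:
        return "DOWN"  # unparseable reply (HAProxy reports this as L7RSP)
    return "UP" if httpchk_passes(int(m.group(1))) else "DOWN"


def l4_verdict(port_accepts_connections: bool) -> str:
    """Plain 'check' without httpchk: a successful TCP connect is enough."""
    return "UP" if port_accepts_connections else "DOWN"


def server_states(show_stat_csv: str) -> dict:
    """Parse `show stat` CSV into {(proxy, server): {status, check_status, check_code}}."""
    text = show_stat_csv.lstrip("# ")  # the header row is prefixed with '# '
    reader = csv.DictReader(io.StringIO(text))
    states = {}
    for row in reader:
        states[(row["pxname"], row["svname"])] = {
            "status": row["status"],
            "check_status": row.get("check_status", ""),
            "check_code": row.get("check_code", ""),
        }
    return states


def backend_can_serve(states: dict, backend: str) -> bool:
    """False when no real server in the backend is UP, i.e. clients get 503."""
    return any(
        info["status"].startswith("UP")
        for (px, sv), info in states.items()
        if px == backend and sv not in ("FRONTEND", "BACKEND")
    )


# Constructed sample: the git backend from the question with a hypothetical
# 4xx answer to "OPTIONS /" (L7STS = layer-7 wrong status in HAProxy's terms).
SAMPLE_SHOW_STAT = (
    "# pxname,svname,status,check_status,check_code,\n"
    "git_backend_http_ipvANY,gitServer,DOWN,L7STS,405,\n"
    "git_backend_http_ipvANY,BACKEND,DOWN,,,\n"
)

# Constructed replies, not captured from the author's server.
HYPOTHETICAL_OPTIONS_REPLY = "HTTP/1.1 405 Not Allowed\r\nServer: nginx\r\n\r\n"
HYPOTHETICAL_GET_REPLY = "HTTP/1.1 302 Found\r\nLocation: /users/sign_in\r\n\r\n"

if __name__ == "__main__":
    print("httpchk OPTIONS / ->", l7_verdict(HYPOTHETICAL_OPTIONS_REPLY))
    print("httpchk GET / ->", l7_verdict(HYPOTHETICAL_GET_REPLY))
    print("basic tcp check ->", l4_verdict(True))
    states = server_states(SAMPLE_SHOW_STAT)
    print("git backend can serve:", backend_can_serve(states, "git_backend_http_ipvANY"))
```

On a live host the two inputs come from `curl -i -X OPTIONS http://private_ip/` run from the haproxy box (to see what the backend really answers to the probe) and from `echo "show stat" | socat stdio /tmp/haproxy.socket` (to see the `status`, `check_status` and `check_code` columns for `gitServer`). Note that the fix in the answer widens the check from "the application answers sanely" to "the port is open", so a backend that accepts TCP connections but returns errors will now count as UP.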