Ssl
GitLab behind HAProxy (SSL)
We have a virtualized server (ESXi) with a typical setup:

    Client --https--> pfSense -> HAProxy --http--> vm

Now I am trying to set up a new virtual server with GitLab, but I can't find the right configuration. Inside the private network GitLab works fine, but when I try to access it from outside, HAProxy responds with a 503 error. After reading and trying several configurations I can't get it to work. I'm sure it is an nginx problem (or so I think), because if I install Apache on the same server (just for testing), that server works fine from outside.
The goal is this:

    Client --https--> pfSense -> HAProxy --http--> gitlab

pfSense has ports 80 and 443 open (I'm not sure whether we need to open another one for ssh or unicorn).
Some configuration:
gitlab.rb: external_url 'https://mydomain.extension'
HAProxy (works for the other VMs):
    global
        maxconn 10000
        stats socket /tmp/haproxy.socket level admin
        uid 80
        gid 80
        nbproc 1
        chroot /tmp/haproxy_chroot
        daemon
        tune.ssl.default-dh-param 2048
        server-state-file /tmp/haproxy_server_state
        ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK

    # Plain-HTTP listener: only job is to redirect everything to HTTPS
    frontend http_redirectTo_https
        bind publicIP:80 name publicIP:80
        mode http
        log global
        option httpclose
        option forwardfor
        acl https ssl_fc
        http-request set-header X-Forwarded-Proto http if !https
        http-request set-header X-Forwarded-Proto https if https
        timeout client 30000
        redirect scheme https code 301 if !{ ssl_fc }

    # TLS is terminated here; backends are chosen by the Host header
    frontend https_input
        bind publicIP:443 name publicIP:443 ssl crt /certs/certific.pem no-sslv3 crt /var/etc/haproxy/https_frontend.pem
        mode http
        log global
        option http-keep-alive
        timeout client 30000
        acl aclAdm hdr(host) -i adm.domain.ext
        acl aclOne hdr(host) -i one.domain.ext
        acl aclTwo hdr(host) -i two.domain.ext
        acl aclGit hdr(host) -i git.domain.ext
        use_backend adm_backend_http_ipvANY if aclAdm
        use_backend one_backend_http_ipvANY if aclOne
        use_backend two_backend_http_ipvANY if aclTwo
        use_backend git_backend_http_ipvANY if aclGit
I removed the other backends.

    backend git_backend_http_ipvANY
        mode http
        log global
        balance leastconn
        timeout connect 30000
        timeout server 30000
        retries 3
        # layer-7 health check: an OPTIONS request to /
        option httpchk OPTIONS /
        option forwardfor
        option http-server-close
        # tell GitLab the original port and scheme seen at the proxy
        http-request set-header X-Forwarded-Port %[dst_port]
        http-request set-header X-Forwarded-Proto https if { ssl_fc }
        server gitServer private_ip:80 check inter 1000

I guess it is an nginx problem. Thanks!
The problem was that HAProxy was not detecting the server, so we suspected the health-check configuration was wrong:

    option httpchk OPTIONS /

I just changed it to the basic check and HAProxy detects the server correctly; in fact, it works fine.
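To see why that line produced a 503, it helps to reproduce HAProxy's decision yourself: a layer-7 check (`option httpchk`) passes only when the backend answers the probe with a 2xx or 3xx status, while the basic `check` only needs a successful TCP connect. The following script is an added example, not code from the question or the answer above; `http_check` and `tcp_check` are hypothetical helper names, and the embedded server is a constructed stand-in for GitLab's bundled nginx (it is assumed, for the demonstration, to answer `GET /` with a 302 to the sign-in page and `OPTIONS /` with a 404). Pointing `http_check` at a real backend host and port shows what the real nginx returns for the probe HAProxy is configured to send.

```python
"""Probe a backend the way HAProxy's `option httpchk` does and report
whether HAProxy would mark the server UP.

Added example (not from the original question or answer). HAProxy treats
a check response with status 2xx or 3xx as a pass and anything else
(4xx, 5xx, connection failure) as a fail; a backend whose only server
fails its check answers clients with 503. The embedded server below is
a constructed stand-in for GitLab's nginx, not real GitLab behaviour.
"""
import http.client
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


def http_check(host, port, method="OPTIONS", path="/", timeout=2.0):
    """Send one probe; return (passed, status) using HAProxy's 2xx/3xx rule."""
    try:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        conn.request(method, path)
        status = conn.getresponse().status
        conn.close()
    except OSError:
        return False, None          # refused / timed out: check fails
    return 200 <= status < 400, status


def tcp_check(host, port, timeout=2.0):
    """HAProxy's plain `check` (no httpchk): a TCP connect is enough."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


class _FakeGitlabNginx(BaseHTTPRequestHandler):
    """Constructed stand-in: 302 on GET /, 404 on OPTIONS (assumption)."""

    def do_GET(self):
        self.send_response(302)
        self.send_header("Location", "/users/sign_in")
        self.end_headers()

    def do_OPTIONS(self):
        self.send_response(404)
        self.end_headers()

    def log_message(self, *args):   # keep the demo quiet
        pass


def start_fake_backend():
    """Serve the stand-in on an ephemeral loopback port; return (server, port)."""
    srv = HTTPServer(("127.0.0.1", 0), _FakeGitlabNginx)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def compare_checks(host, port):
    """Return how HAProxy would judge this backend under each check style."""
    return {
        "httpchk OPTIONS /": http_check(host, port, "OPTIONS", "/"),
        "httpchk GET /": http_check(host, port, "GET", "/"),
        "tcp check": (tcp_check(host, port), None),
    }


if __name__ == "__main__":
    srv, port = start_fake_backend()
    try:
        for name, (ok, status) in compare_checks("127.0.0.1", port).items():
            print(f"{name:20s} -> {'UP' if ok else 'DOWN'} (status {status})")
    finally:
        srv.shutdown()
        srv.server_close()
```

Dropping `option httpchk` is the fix the answer settled on, but it also drops the only signal that the application behind the port is actually serving requests. If a layer-7 check is wanted, point `option httpchk` at a method and path the backend really answers with 2xx/3xx, and remember that GitLab's health endpoints (for example `/-/health`) only respond to source addresses on its monitoring allowlist, so the proxy's address has to be on it.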