Ssl

HAPROXY : <NOSRV> PR - TLS termination failure

  • October 18, 2020

I'm posting here because I'm trying to set up HAProxy as a reverse proxy with SSL/TLS termination, and I'm getting the following error in the logs:

Oct 17 12:10:03 localhost haproxy[2789]: xxx.xxx.xxx.xxx:33724 [17/Oct/2020:12:10:03.784] www-https www-https/<NOSRV> -1/-1/-1/-1/0 400 188 - - PR-- 1/1/0/0/0 0/0 "<BADREQ>"

And I don't understand why HAProxy is blocking the request.

Can you help me?

Here is my haproxy.cfg:

global
       log /dev/log    local0
       log /dev/log    local1 notice
       chroot /var/lib/haproxy
       stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
       stats timeout 5s
       user haproxy
       group haproxy
       daemon

       tune.ssl.default-dh-param 4096

defaults
       log     global
       mode    http
       option  httplog
       option  dontlognull
       option forwardfor
       option http_proxy
       timeout connect 5000
       timeout client  50000
       timeout server  5000 
       stats enable
       stats hide-version
       stats refresh 5s
       stats uri /hastats



frontend www-http
       bind *:80
       reqadd X-Forwarded-Proto:\ http
       default_backend www-backend

       # Test URI to see if its a letsencrypt request
       acl letsencrypt-acl path_beg /.well-known/acme-challenge/
       use_backend letsencrypt-backend if letsencrypt-acl


frontend www-https
       bind *:8000-9000 crt /etc/haproxy/certs/www.example.com.pem
       bind *:443 crt /etc/haproxy/certs/www.example.com.pem
       reqadd X-Forwarded-Proto:\ https
       default_backend www-backend


backend www-backend
       mode http
       http-request set-header X-Forwarded-For %[src]
       reqadd X-Forwarded-Proto:\ https
       option http-server-close
       balance roundrobin
       redirect scheme https if !{ ssl_fc }
       server web1 xxx.xxx.xxx.101:80 check
       server web2 xxx.xxx.xxx.102:80 check

backend letsencrypt-backend
       server letsencrypt 127.0.0.1:8080

On the bind line in the www-https frontend, add ssl before crt. Without ssl, it works like plain HTTP. So:

bind *:443 ssl crt /etc/haproxy/certs/www.example.com.pem

Quoted from: https://serverfault.com/questions/1039077
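
A way to catch this misconfiguration before deployment, as an added example that is not part of the original question or answer: a small Python check that scans a haproxy.cfg for bind lines carrying crt or crt-list without the ssl keyword. The function name find_plaintext_tls_binds is hypothetical, and the sample config is constructed from the frontends shown in the question.

```python
# Added example (not from the original post): lint haproxy.cfg for bind
# lines that name a certificate but never enable TLS with "ssl".

# Constructed sample: the two frontends from the question's haproxy.cfg.
SAMPLE_CFG = """\
frontend www-http
       bind *:80
       default_backend www-backend

frontend www-https
       bind *:8000-9000 crt /etc/haproxy/certs/www.example.com.pem
       bind *:443 crt /etc/haproxy/certs/www.example.com.pem
       default_backend www-backend
"""

SECTIONS = {"global", "defaults", "frontend", "backend", "listen"}
TLS_ONLY_OPTIONS = {"crt", "crt-list"}  # bind options that need "ssl"


def find_plaintext_tls_binds(cfg_text):
    """Return (section, line_no, address) for every bind line that has a
    certificate option but no "ssl" keyword, i.e. a listener that still
    speaks plain HTTP even though a certificate is configured."""
    findings = []
    section = None
    for line_no, raw in enumerate(cfg_text.splitlines(), start=1):
        # Simplification: treat everything after '#' as a comment.
        tokens = raw.split("#", 1)[0].split()
        if not tokens:
            continue
        if tokens[0] in SECTIONS:
            # Remember the section name for reporting.
            section = tokens[1] if len(tokens) > 1 else tokens[0]
            continue
        if tokens[0] != "bind" or len(tokens) < 2:
            continue
        options = set(tokens[2:])
        if options & TLS_ONLY_OPTIONS and "ssl" not in options:
            findings.append((section, line_no, tokens[1]))
    return findings


if __name__ == "__main__":
    for section, line_no, addr in find_plaintext_tls_binds(SAMPLE_CFG):
        print(f"line {line_no}: [{section}] bind {addr} has crt but no ssl")
```

Running it against a config where every certificate-bearing bind line includes ssl produces no findings, so it can gate a config reload in a deployment script.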