LINUX.ORG.RU
ФорумAdmin

Load balancing c HAproxy и Nginx

 ,


0

1

HAproxy настроен с 2 load balancing серверами и 2-мя backend серверами с Nginx и удачно работает при использовании 80 порта и такой конфигурации:

haproxy.cfg

global
        log /dev/log    local0
        log /dev/log    local1 notice
        chroot /var/lib/haproxy
        stats socket /run/haproxy/admin.sock mode 660 level admin
        stats timeout 30s
        user haproxy
        group haproxy
        daemon

        # Default SSL material locations
        ca-base /etc/ssl/certs
        crt-base /etc/ssl/private

        # Default ciphers to use on SSL-enabled listening sockets.
        # For more information, see ciphers(1SSL). This list is from:
        #  https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
        ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RS
A+3DES:!aNULL:!MD5:!DSS
        ssl-default-bind-options no-sslv3

defaults
        log     global
        mode    http                                                                                                                   
        option  httplog                                                                                                                
        option  dontlognull                                                                                                            
        option forwardfor                                                                                                              
        option http-server-close
        timeout connect 5000
        timeout client  50000
        timeout server  50000
        errorfile 400 /etc/haproxy/errors/400.http
        errorfile 403 /etc/haproxy/errors/403.http
        errorfile 408 /etc/haproxy/errors/408.http
        errorfile 500 /etc/haproxy/errors/500.http
        errorfile 502 /etc/haproxy/errors/502.http
        errorfile 503 /etc/haproxy/errors/503.http
        errorfile 504 /etc/haproxy/errors/504.http

frontend http
        bind ip-address-1:80
        default_backend my_pool

backend my_pool
        server backend-1 private-ip-address-1:80 check
        server backend-2 private-ip-address-2:80 check
        balance source

Конфигурация Nginx на backend-1

server {
    listen privat-ip-address-backend-1:80;
    allow private-ip-address-load-balancer-1;
    allow private-ip-address-load-balancer-2;
    deny all;

    server_name my-server.co;
    root /var/www/my-server.co/;

    # FORGE SSL (DO NOT REMOVE!)
    ssl_certificate /etc/nginx/ssl/my-server.co/server.crt;
    ssl_certificate_key /etc/nginx/ssl/my-server.co/server.key;

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DH
E-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:EC
DHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA25
6:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA
384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-D
SS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';

    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/nginx/dhparams.pem;

    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Content-Type-Options "nosniff";

    index index.html index.htm index.php;

    charset utf-8;
    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }
                                                                                                                                       
    location = /favicon.ico { access_log off; log_not_found off; }                                                                     
    location = /robots.txt  { access_log off; log_not_found off; }
    access_log off;

    error_page 404 /index.php;

    location ~ \.php$ {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/var/run/php/php7.1-fpm.sock;
        fastcgi_index index.php;
        include fastcgi_params;
    }
                                                                                                                                       
    location ~ /\.ht {                                                                                                                 
        deny all;
    }
}                                                           

Но когда пытаюсь исп-ть 443 порт нормально в браузере открывается сайт только по http, при https появляется ошибка:

An error occurred during a connection to ip-address. SSL received a record that exceeded the maximum permissible length. Error code: SSL_ERROR_RX_RECORD_TOO_LONG

При этом конфигурация такая: haproxy.cfg

.......................................................
frontend http
        bind ip-address-1:443
        default_backend my_pool

backend my_pool
        server backend-1 private-ip-address-1:443 check
        server backend-2 private-ip-address-2:443 check
        balance source

Конфигурация Nginx на backend-1

server {
    listen privat-ip-address-backend-1:443;
    allow private-ip-address-load-balancer-1;
    allow private-ip-address-load-balancer-2;
    deny all;
................................................

Может нужно изменить ssl-default-bind-ciphers в haproxy.cfg?

Вы пытаетесь реализовать SSL-bridging? Если да, то обычно это делается так:

frontend ft_myapp
 bind 10.0.0.1:443 ssl crt myapp.pem
 mode http
 default_backend bk_myapp

backend bk_myapp
 mode http
 option forwardfor
 server app1 10.0.0.11:443 ssl verify none

vwvol
()
Вы не можете добавлять комментарии в эту тему. Тема перемещена в архив.