Haproxy-1.5.x SSL配置

2022-07-03 10:33:41 浏览数 (1)

一直使用 haproxy-1.4 版本做代理,但它不支持 ssl 配置;haproxy-1.5 版本支持,于是更新了版本进行测试。所使用的证书文件,由原 apache ssl 证书文件经简单处理后即可在 haproxy 上使用。

本来想使用 haproxy-1.4 的 ssl 穿透方式,但那样后端服务器均要配置 ssl,于是改为配置在 Haproxy-1.5 上,由 haproxy 做 ssl 终结(终端)并完成 CA 证书认证。

1. 安装

# Build dependencies: pcre (linked statically below) and the OpenSSL headers
# required by USE_OPENSSL=1.  The resulting binary links the system OpenSSL, so
# the TLS stack is only as current as that package — keep it patched.
# yum install pcre-devel openssl-devel -y

# Verify the downloaded tarball against the upstream checksum before extracting.
# tar zxvf haproxy-1.5.3.tar.gz

# cd haproxy-1.5.3

# Build for a 2.6+ Linux kernel with TLS (USE_OPENSSL=1) and compression
# (USE_ZLIB=1) support; USE_STATIC_PCRE=1 links pcre statically and
# USE_LINUX_TPROXY=1 enables transparent proxying.
# make TARGET=linux26 USE_STATIC_PCRE=1 USE_REGPARM=1 USE_LINUX_TPROXY=1 USE_OPENSSL=1 USE_ZLIB=1 ARCH=x86_64

# Install under a dedicated prefix; the config and the PEM file go into the
# "conf" directory created below.
# make install PREFIX=/usr/local/haproxy

# cd /usr/local/haproxy

# mkdir conf 

2. 准备pem证书文件

之前有配置过apache ssl CA认证配置文件,cer文件与key文件,pem文件就是将前面两个文件合并使用。

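# Concatenate the certificate and the private key into one PEM file, which is
# the form the "crt" bind parameter expects.  tee also echoes the file to the
# terminal — that is what the dump that follows shows — so prefer
# "> my-server.pem" if the session is being logged.
# cat my-server.cer my-server.key | tee my-server.pem 

# The PEM now contains the private key, and tee creates it with the default
# umask (typically world-readable).  Restrict it to its owner; HAProxy loads it
# at startup as root before dropping to uid/gid 99.  Then place it at
# /usr/local/haproxy/conf/my-server.pem, the path used by "crt" in section 3.
# chmod 600 my-server.pem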

-----BEGIN CERTIFICATE----- MIID3zCCA0igAwIBAgIPBwACIBQBFAAAAAACFUN1MA0GCSqGSIb3DQEBBQUAMIIB JDENMAsGA1UEBh4EAEMATjEbMBkGA1UECB4SAEcAdQBhAG4AZwBkAG8AbgBnMRsw GQYDVQQHHhIARwB1AGEAbgBnAHoAaABvAHUxPTA7BgNVBAoeNABHAEQAQwBBACAA QwBlAHIAdABpAGYAaQBjAGEAdABlACAAQQB1AHQAaABvAHIAaQB0AHkxRzBFBgNV BAsePgBHAHUAYQBuAGcAZABvAG4AZwAgAEMAZQByAHQAaQBmAGkAYwBhAHQAZQAg AEEAdQB0AGgAbwByAGkAdAB5MVEwTwYDVQQDHkgARwBEAEMAQQAgAEcAdQBhAG4A ZwBkAG8AbgBnACAAQwBlAHIAdABpAGYAaQBjAGEAdABlACAAQQB1AHQAaABvAHIA aQB0AHkwHhcNMTQwMTEzMTYwMDAwWhcNMTkwMTMwMTYwMDAwWjCBrjENMAsGA1UE Bh4EAEMATjEPMA0GA1UECB4GbXdTV3cBMQ8wDQYDVQQHHgZtd1PjXgIxKTAnBgNV BAoeIG0LbWZ z21OXwBT0VM6e6F0BlnUVFhPGk/hYG9OLV/DMSkwJwYDVQQLHiBt C21mfs9tTl8AU9FTOm0LbWZZJ1OmADEANAAwADFbpDElMCMGA1UEAx4cADEAOQAy AC4AMQA2ADgALgAyADMAMAAuADgANTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkC gYEAz6XQgc/UBi/LtJh1BXTGxAyuWZY0nfkzPlv8cf2bRCMKadnM iJ9PKv8mnpU TgKe6 c5zjqy sTk6KEYVMMROY4InrykZY/7tA dk lqECU fQ bNAzLh5yPp6Ni 2KzeG1V6/tF9t7syz8UWy6Bxgvdg3gu M9vcpZUaD3NjsnECAwEAAaOBhTCBgjAf BgNVHSMEGDAWgBR3QwkQ9xWLOrAR0kx7B5QE8BRURjAdBgNVHQ4EFgQUUN8BHs4A rNrjCV9uSaeMw0/Fw/8wCwYDVR0PBAQDAgQwMBYGBSpWCwcBBA0xC4AJMjAxNDAx MTQxMBsGBSpWFQEDBBIwMDcxMTIwMTQwMTE0Njg2NDkwDQYJKoZIhvcNAQEFBQAD gYEAeKrIQ0u1cmgUz8qwW07VF1s6q fKJf6OJnRDWshsG7ZRSJH2rZx7oohpZQJk DUpLOGbvplXGFgyXCeQYyJSiStis0Ef6Jr1Y3iOjIrn7zASCu9EjuUSCreyF7w8c 4e4At2IMrUUTo UZAiYRfqfMKpP7gYUY0LNmq2AEDbU4Fb0= -----END CERTIFICATE----- -----BEGIN RSA PRIVATE KEY----- MIICXQIBAAKBgQDPpdCBz9QGL8u0mHUFdMbEDK5ZljSd TM W/xx/ZtEIwpp2cz6 In08q/yaelROAp7r5znOOrL6xOTooRhUwxE5jgievKRlj/u0D52T6WoQJT59D5s0 DMuHnI no2LYrN4bVXr 0X23uzLPxRbLoHGC92DeC74z29yllRoPc2OycQIDAQAB AoGBALIBDiZJ BM5o H0E9USj1X/HPM1fXOy7gfWKSm64wBdHY8yI7KGIGADe68d kOmy 3N1K6urzESGx0jY2JfJBRiKR3QW fEL5UBhj/PC5Nj9OMxwEK0WqYlfhivx EpPycuwKhDN7aYcGJIK/J38j4Q8G383wDev1Sl9beLRoqs FAkEA LtkdOVU8hfa Xx44Tl6PxsY25LWunjuoUu6KZOWLvsAJK CGV91oZAJk QwXIZj8tDjPAGrcvHMM cENwrvFWuwJBANW3GKsHELMTzJumKUXlSPDlU5xGn7H2PQOc FaYuinK6K94E55t E7MN6Oe 
1avOTLYlRVsv2klPUkK1DlrOxsMCQBEFmgFZ9G9A7KPXyJisZgB/biBG wrV3dbR/OJ9hCig6siX7jpYSw McOtbEWgzlkF2xCZGIvqRy5yYDp4GBaKMCQQDQ 0F X7AVTE8tdYZL KjOEvG1fSloKpg jkiHLatqqrwl/ORHiP615y N/W6Smg6HM bso/eJgN/STg7MsjytnFAkAVwZMhaoIWIocbyoA3eUQVIrUDynDMq27TDFwltvaL ihOkwBYuzDujgOBLwY pLg6SqphDhgP92OCg VVqty02 -----END RSA PRIVATE KEY-----

3. 创建配置文件

# The config stores the stats password in clear text ("stats auth" below), so
# restrict this file (e.g. mode 0600, owned by root) once it is written.
# vi /usr/local/haproxy/conf/haproxy.cfg

# HAProxy 1.5 configuration: plain HTTP on :80, a TLS-terminating listener on
# :443 in front of the same two backends, and a stats/admin listener on :91.
global

# Process-level log target: local syslog over loopback, facility local0.
log 127.0.0.1 local0

maxconn 65535

# Privilege reduction after startup: chroot into the install prefix and drop to
# uid/gid 99 (on RHEL-family systems 99 is usually "nobody" — confirm against
# /etc/passwd).
chroot /usr/local/haproxy

uid 99

gid 99

# Runtime API socket at "admin" level: a client that can open this socket can
# change the live state (e.g. enable/disable servers), so it is as sensitive as
# the config file.  No "mode"/"user"/"group" parameter is given, so the socket
# gets the process's default permissions; "mode 600" plus an explicit owner
# would restrict it.  The path is inside the chroot set above.
stats socket /usr/local/haproxy/HaproxSocket level admin

daemon

nbproc 1

pidfile /usr/local/haproxy/haproxy.pid

#debug

# Size of the DH parameters used for ephemeral DH key exchange.  Section 4 of
# the write-up notes that the default value produced an error with the 2048-bit
# certificate, which is why it is set explicitly here.
tune.ssl.default-dh-param 2048

# Settings inherited by every "listen" section below unless overridden there.
defaults

log 127.0.0.1 local3

mode http

# "option httplog" followed by "option httplog clf": the second form selects the
# CLF log format, so the first line appears to be redundant.
option httplog

option httplog clf

option httpclose

# Do not log connections that close without exchanging data (probes etc.).
option dontlognull

# Insert X-Forwarded-For with the client address for the backends.
option forwardfor

# On connection failure to the chosen server, allow the session to be sent to
# another server (used together with "retries" below).
option redispatch

retries 2

maxconn 2000

# Client-IP hashing keeps a client on the same backend; round-robin is kept
# below as a commented-out alternative.
balance source

#balance roundrobin

# NOTE(review): "stats uri" / "stats refresh" placed in "defaults" apply to every
# proxy inheriting these defaults, and per the HAProxy docs "stats uri" enables
# the statistics page by itself.  With no "stats auth" here, /haproxy-stats
# would be served unauthenticated on the :80 and :443 listeners — confirm with a
# request to one of them and, if so, move these two lines into "listen stats_auth".
stats uri /haproxy-stats

stats refresh 10s

timeout client 60s

timeout connect 9s

timeout server 30s

timeout check 5s

# Plain-HTTP entry point, bound on every interface.
listen TEST_APP_Cluster

bind *:80

mode http

# Health-check request.  The "rn" between "HTTP/1.0" and "Host:" is almost
# certainly "\r\n" whose backslashes were lost when the post was rendered; the
# working line should read "HTTP/1.0\r\nHost:192.168.10.180" — verify in the
# real file.
option httpchk GET /test.html HTTP/1.0rnHost:192.168.10.180

# node01 takes traffic; node02 is "backup" and is only used when no non-backup
# server is up.  Checks run every 2000 ms: up after 2 passes, down after 1 failure.
server node01 192.168.0.100:100 weight 3 check inter 2000 rise 2 fall 1

server node02 192.168.0.101:100 weight 3 backup check inter 2000 rise 2 fall 1

# TLS is terminated here; the backends are reached over plain HTTP on port 100
# (no "ssl" keyword on the server lines).
listen TEST_APP_SSL

# The PEM file is the certificate concatenated with the private key (section 2),
# so it must stay readable only by root; HAProxy loads it before the uid/gid
# drop configured in "global".  No "ciphers" or "no-sslv3" parameter is given,
# so the linked OpenSSL's defaults decide what this listener accepts; both are
# bind-line options in 1.5 and are worth setting explicitly.
bind *:443 ssl crt /usr/local/haproxy/conf/my-server.pem

# Tell the backends the original request arrived over HTTPS (they only see
# plain HTTP from this proxy).
reqadd X-Forwarded-Proto: https

mode http

# Same health check as above; see the note there about "rn" vs "\r\n".
option httpchk GET /test.html HTTP/1.0rnHost:192.168.10.180

server node01 192.168.0.100:100 weight 3 check inter 2000 rise 2 fall 1

server node02 192.168.0.101:100 weight 3 backup check inter 2000 rise 2 fall 1

# Statistics/admin page on TCP 91, bound on every interface and without "ssl",
# so the credential below and the page itself travel in clear text.
listen stats_auth 0.0.0.0:91

stats enable

stats uri /admin

stats realm "HA_CONSOLE"

# Cleartext credential in the config file (restrict the file's permissions) and
# a trivial password: change it, and limit who can reach :91 (bind to a
# management address or firewall it) before exposing this listener.
stats auth admin:123456

stats hide-version

stats refresh 10s

# "admin if TRUE": every authenticated visitor may change server state
# (enable/disable) from the page, so this listener is a control plane for the
# cluster, not just a read-only dashboard.
stats admin if TRUE

启动端口截图

4. 配置要点

由于证书采用 2048 位长度,默认配置会报错;加上 tune.ssl.default-dh-param 2048 参数后问题解决。采用 pem 格式的证书也可以通过 haproxy-1.4 + stunnel 的方式实现 ssl 功能。
