решение_haproxy [2023/11/27 05:49] val |
решение_haproxy [2024/03/11 13:14] val |
Line 2: | Line 2: | ||
* [[https://www.leaderssl.ru/articles/354-vypolnyaem-ssl-terminatsiyu-s-pomoschyu-haproxy-dlya-ubuntu-14-04|Выполняем SSL-терминацию с помощью HAProxy для Ubuntu 14.04]] | * [[https://www.leaderssl.ru/articles/354-vypolnyaem-ssl-terminatsiyu-s-pomoschyu-haproxy-dlya-ubuntu-14-04|Выполняем SSL-терминацию с помощью HAProxy для Ubuntu 14.04]] | ||
+ | * [[https://www.haproxy.com/documentation/haproxy-configuration-tutorials/http-rewrites/|HAProxy config tutorials HTTP rewrites]] | ||
+ | * [[https://serverfault.com/questions/560978/configure-multiple-ssl-certificates-in-haproxy|Configure multiple SSL certificates in Haproxy]] | ||
<code> | <code> | ||
- | # apt install haproxy | + | gate# apt install haproxy |
- | # cat /etc/haproxy/haproxy.cfg | + | gate# cat wild.crt wild.key > /etc/ssl/private/wild.crtkey |
+ | gate# ###cat gowebd.crt gowebd.key > /etc/ssl/private/gowebd.crtkey | ||
+ | gate# ###cat keycloak.crt keycloak.key > /etc/ssl/private/keycloak.crtkey | ||
+ | |||
+ | gate# cat /etc/haproxy/haproxy.cfg | ||
</code><code> | </code><code> | ||
... | ... | ||
- | frontend kubernetes-apiserver | + | frontend ft-gate |
- | mode http | + | mode http |
- | bind *:83 | + | |
- | # bind *:443 ssl crt /etc/ssl/private/gate.crtkey | + | |
- | option tcplog | + | |
- | default_backend kubernetes-apiserver | + | |
- | backend kubernetes-apiserver | + | bind *:80 |
+ | redirect scheme https code 301 if !{ ssl_fc } | ||
+ | |||
+ | bind *:443 ssl crt /etc/ssl/private/wild.crtkey | ||
+ | # bind *:443 ssl crt /etc/ssl/private/gowebd.crtkey crt /etc/ssl/private/keycloak.crtkey | ||
+ | |||
+ | default_backend bk-kube-ingress | ||
+ | # use_backend bk-kube-ingress if { ssl_fc_sni keycloak.corp13.un } | ||
+ | # use_backend bk-node-ingress if { ssl_fc_sni gowebd.corp13.un } | ||
+ | |||
+ | option tcplog | ||
+ | |||
+ | backend bk-kube-ingress | ||
- | # http-request add-header X-Real-Ip %[src] # Custom header with src IP | ||
# http-request set-header X-Forwarded-Proto https if { ssl_fc } # For Proto | # http-request set-header X-Forwarded-Proto https if { ssl_fc } # For Proto | ||
# http-request set-header X-Forwarded-Host %[req.hdr(Host)] | # http-request set-header X-Forwarded-Host %[req.hdr(Host)] | ||
# http-request set-header X-Forwarded-Port %[dst_port] | # http-request set-header X-Forwarded-Port %[dst_port] | ||
- | # option forwardfor # X-forwarded-for | + | |
- | # http-request set-uri https://%[req.hdr(Host)]%[path]?%[query] if { ssl_fc } | + | ## http-request add-header X-Real-Ip %[src] # Custom header with src IP |
+ | ## option forwardfor # X-forwarded-for | ||
+ | ## http-request set-uri https://%[req.hdr(Host)]%[path]?%[query] if { ssl_fc } | ||
mode http | mode http | ||
balance roundrobin | balance roundrobin | ||
- | server node1 node1:30758 check | + | |
- | server node2 node2:30758 check | + | server kube1 kube2:80 check |
- | server node3 node3:30758 check | + | server kube2 kube2:80 check |
+ | server kube3 kube3:80 check | ||
+ | |||
+ | #backend bk-node-ingress | ||
+ | # mode http | ||
+ | # balance roundrobin | ||
+ | # server node2 node2:80 check | ||
+ | # server node3 node3:80 check | ||
</code><code> | </code><code> | ||
# haproxy -f /etc/haproxy/haproxy.cfg -c | # haproxy -f /etc/haproxy/haproxy.cfg -c | ||
Line 36: | Line 58: | ||
# service haproxy restart | # service haproxy restart | ||
+ | # tail -f /var/log/haproxy.log | ||
# journalctl -f | grep proxy | # journalctl -f | grep proxy | ||
- | # curl http://localhost:83/ | + | haproxy# curl https://localhost/ -H "Host: gowebd.corpX.un" -k |
</code> | </code> | ||
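Review bot: In backend bk-kube-ingress the first server line points at the wrong host — `server kube1 kube2:80 check` sends kube1's share of the round-robin to kube2 and leaves kube1 unused; it should read `server kube1 kube1:80 check`. The combined PEM produced by `cat wild.crt wild.key > /etc/ssl/private/wild.crtkey` is created with the shell's current umask, so the private key may end up readable by other local users; follow it with `chmod 600 /etc/ssl/private/wild.crtkey` (HAProxy loads certificates before dropping privileges, so root-only access is sufficient). With TLS now terminated in ft-gate while every X-Forwarded-*/forwardfor line in the backend stays commented out, the ingress only sees plain HTTP arriving from the proxy's own address, so its logs and any scheme-dependent redirects lose the client IP and original scheme; if that is not intended, at least `option forwardfor` and `http-request set-header X-Forwarded-Proto https if { ssl_fc }` should be enabled. `option tcplog` under `mode http` also logs only connection-level fields; `option httplog` would record the request line and status that make /var/log/haproxy.log useful for troubleshooting and incident review.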