This shows you the differences between two versions of the page.
Next revision | Previous revision | ||
решение_haproxy [2011/12/05 12:38] val created |
решение_haproxy [2024/04/09 11:27] (current) val |
||
---|---|---|---|
Line 1: | Line 1: | ||
====== Решение HAProxy ====== | ====== Решение HAProxy ====== | ||
- | [[http://ajohnstone.com/achives/running-several-vips-on-the-same-interface-with-ucarp-and-haproxy/]] | + | * [[https://www.leaderssl.ru/articles/354-vypolnyaem-ssl-terminatsiyu-s-pomoschyu-haproxy-dlya-ubuntu-14-04|Выполняем SSL-терминацию с помощью HAProxy для Ubuntu 14.04]] |
+ | * [[https://www.haproxy.com/documentation/haproxy-configuration-tutorials/http-rewrites/|HAProxy config tutorials HTTP rewrites]] | ||
+ | * [[https://serverfault.com/questions/560978/configure-multiple-ssl-certificates-in-haproxy|Configure multiple SSL certificates in Haproxy]] | ||
+ | * [[https://youtu.be/oIczkkD-hOU|Видео урок: Доступ к приложениям в Bare-Metal Kubernetes]] | ||
+ | |||
+ | <code> | ||
+ | gate# apt install haproxy | ||
+ | |||
+ | gate# cat wild.crt wild.key > /etc/ssl/private/wild.crtkey | ||
+ | gate# ###cat gowebd.crt gowebd.key > /etc/ssl/private/gowebd.crtkey | ||
+ | gate# ###cat keycloak.crt keycloak.key > /etc/ssl/private/keycloak.crtkey | ||
+ | |||
+ | gate# cat /etc/haproxy/haproxy.cfg | ||
+ | </code><code> | ||
+ | ... | ||
+ | frontend ft-gate | ||
+ | mode http | ||
+ | |||
+ | bind *:80 | ||
+ | redirect scheme https code 301 if !{ ssl_fc } | ||
+ | |||
+ | bind *:443 ssl crt /etc/ssl/private/wild.crtkey | ||
+ | # bind *:443 ssl crt /etc/ssl/private/gowebd.crtkey crt /etc/ssl/private/keycloak.crtkey | ||
+ | |||
+ | default_backend bk-kube-ingress | ||
+ | # use_backend bk-kube-ingress if { ssl_fc_sni keycloak.corp13.un } | ||
+ | # use_backend bk-node-ingress if { ssl_fc_sni gowebd.corp13.un } | ||
+ | |||
+ | option tcplog | ||
+ | |||
+ | backend bk-kube-ingress | ||
+ | |||
+ | # http-request set-header X-Forwarded-Proto https if { ssl_fc } | ||
+ | # http-request set-header X-Forwarded-Host %[req.hdr(Host)] | ||
+ | # http-request set-header X-Forwarded-Port %[dst_port] | ||
+ | |||
+ | ## http-request add-header X-Real-Ip %[src] # Custom header with src IP | ||
+ | ## option forwardfor # X-forwarded-for | ||
+ | ## http-request set-uri https://%[req.hdr(Host)]%[path]?%[query] if { ssl_fc } | ||
+ | |||
+ | mode http | ||
+ | balance roundrobin | ||
+ | |||
+ | server kube1 kube1:80 check | ||
+ | server kube2 kube2:80 check | ||
+ | server kube3 kube3:80 check | ||
+ | |||
+ | #backend bk-node-ingress | ||
+ | # mode http | ||
+ | # balance roundrobin | ||
+ | # server node2 node2:80 check | ||
+ | # server node3 node3:80 check | ||
+ | </code><code> | ||
+ | # haproxy -f /etc/haproxy/haproxy.cfg -c | ||
+ | Configuration file is valid | ||
+ | |||
+ | # service haproxy restart | ||
+ | |||
+ | # tail -f /var/log/haproxy.log | ||
+ | # journalctl -f | grep proxy | ||
+ | |||
+ | haproxy# curl https://localhost/ -H "Host: gowebd.corpX.un" -k | ||
+ | </code> | ||