共计 3683 个字符,预计需要花费 10 分钟才能阅读完成。
我们讲到,使用 Nginx 实现多域名证书 HTTPS(http://www.linuxidc.com/Linux/2015-12/126539.htm), 通过重新编译 Nginx 实现 TLS SNI Support 打开,那么使用 Haproxy 如何实现呢?
要求:
Haproxy 必须要 1.5 以上的版本
第一步:openssl 的安装
tar zxf openssl-0.9.8zh.tar.gz
cd openssl-0.9.8zh
./config enable-tlsext –prefix=/usr/local/openssl no-shared
make && make install_sw
# 以上安装不影响系统中的 openssl 版本,主要就是打开 openssl 的 TLS SNI 功能
第二步:Haproxy 的安装
tar zxf haproxy-1.5.15.tar.gz
cd haproxy-1.5.15
make TARGET=linux26 USE_PCRE=1 USE_OPENSSL=1 USE_ZLIB=1 ARCH=x86_64 PREFIX=/usr/local/haproxy1.5.15 SSL_INC=/usr/local/openssl/include SSL_LIB=/usr/local/openssl/lib ADDLIB=-ldl
make TARGET=linux26 USE_PCRE=1 USE_OPENSSL=1 USE_ZLIB=1 ARCH=x86_64 PREFIX=/usr/local/haproxy1.5.15 SSL_INC=/usr/local/openssl/include SSL_LIB=/usr/local/openssl/lib ADDLIB=-ldl install
# 记得上面要指定 openssl 的地址,haproxy 没有 config 这步
第三步:生成证书
[root@gz122haproxy95 ~]# mkdir ~/keys
[root@gz122haproxy95 keys]# cd ~/keys
[root@gz122haproxy95 keys]# openssl genrsa -out passport.abc.com.key 2048
[root@gz122haproxy95 keys]# openssl req -new -key passport.abc.com.key -out passport.abc.com.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.’, the field will be left blank.
—–
Country Name (2 letter code) [GB]:CN #国家
State or Province Name (full name) [Berkshire]:GuangDong #省份
Locality Name (eg, city) [Newbury]:ShenZhen #城市
Organization Name (eg, company) [My Company Ltd]:Test.Inc #公司名称
Organizational Unit Name (eg, section) []:passport.abc.com #组织名称
Common Name (eg, your name or your server’s hostname) []:passport.abc.com #域名
Email Address []:passport@abc.com
Please enter the following ‘extra’ attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@gz122haproxy95 keys]# openssl x509 -req -days 3650 -in passport.abc.com.csr -signkey passport.abc.com.key -out passport.abc.com.crt
[root@gz122haproxy95 keys]# cat passport.abc.com.crt passport.abc.com.key |tee passport.abc.com.pem
按照以上方法依次生成 www.test.com admin.abc.com 的证书文件,每个站点最后会有一个 pem 文件生成
配置 Haproxy 的配置文件:
frontend http_server
bind :80
bind :443 ssl crt /etc/haproxy/keys/www.test.com.pem crt /etc/haproxy/keys/admin.test.com.pem crt /etc/haproxy/keys/passport.abc.com.pem
#按照如上规则如果多个站点就可以使用同样的规则 bind :443 ssl crt $filepath crt $file2path crt $file3path
mode http
acl ssl hdr_reg(host) -i ^(www.test.com|admin.test.com|passport.abc.com)$
redirect scheme https code 301 if !{ssl_fc} ssl
#对以上站点进行 https 跳转
acl wwwtest_com hdr_reg(host) -i $(
use_backend www_test_com if wwwtest_com {ssl_fc_sni www.test.com}
#这里就是证书的对应部分,如
acl admintest_com hdr_dom(host) -i admin.test.com
use_backend admin_test_com if admintest_com {ssl_fc_sni admin.test.com}
acl passportabc_com hdr_dom(host) -i passport.abc.com
use_backend pasport_abc_com if passport_abc_com {ssl_fc_sni passport.abc.com}
backend www_test_com
server test2 192.168.10.2:80 check port 80 inter 5000 rise 2 fall 3 weight 1
backend admin_test_com
server test4 192.168.10.4:80 check port 80 inter 5000 rise 2 fall 3 weight 1
backend passport_abc_com
server test5 192.168.10.5:80 check port 80 inter 5000 rise 2 fall 3 weight 1
按照以上配置就可以实现多证书的 HTTPS,依次访问上面的访问会发现,相关的证书与之配对。
Haproxy+Keepalived 搭建 Weblogic 高可用负载均衡集群 http://www.linuxidc.com/Linux/2013-09/89732.htm
Keepalived+HAProxy 配置高可用负载均衡 http://www.linuxidc.com/Linux/2012-03/56748.htm
CentOS 6.3 下 Haproxy+Keepalived+Apache 配置笔记 http://www.linuxidc.com/Linux/2013-06/85598.htm
Haproxy + KeepAlived 实现 WEB 群集 on CentOS 6 http://www.linuxidc.com/Linux/2012-03/55672.htm
Haproxy+Keepalived 构建高可用负载均衡 http://www.linuxidc.com/Linux/2012-03/55880.htm
使用 HAProxy 配置 HTTP 负载均衡器 http://www.linuxidc.com/Linux/2015-01/112487.htm
HAproxy 的详细介绍 :请点这里
HAproxy 的下载地址 :请点这里
本文永久更新链接地址 :http://www.linuxidc.com/Linux/2015-12/126538.htm
