我正在尝试使用haproxy来处理REQ_SSL_SNI和SSL终止。
我遵循的指南 https://www.haproxy.com/blog/enhanced-ssl-load-balancing-with-server-name-indication-sni-tls-extension/ https://stuff-things.net/2016/11/30/haproxy-sni/
设定: HA-Proxy版本1.6.3 Ubuntu 16.04
日志生成以下内容:
HTTP-in~http-in / NOSRV-1 / -1 / 12 0 SC 0/0/0/0/0 0/0
配置:
frontend http-in
bind *:443 ssl crt /etc/haproxy/certs/
log global
reqadd X-Forwarded-Proto:\ https
mode tcp
option tcplog
# wait up to 5 seconds from the time the tcp socket opens
# until the hello packet comes in (otherwise fallthru to the default)
tcp-request inspect-delay 5s
tcp-request content accept if { req.ssl_hello_type 1 }
acl is_site1 req_ssl_sni -i foo.foobar.com
acl is_site2 req_ssl_sni -i foobar.com
use_backend www-foo-foobar if is_site1
use_backend www-foobar if is_site2
backend www-foo-foobar
log global
mode tcp
option tcplog
redirect scheme https if !{ ssl_fc }
server www-1 127.0.0.1:3030 check
backend www-foobar
log global
mode tcp
option tcplog
redirect scheme https if !{ ssl_fc }
server www-1 127.0.0.1:5000 check
我错过了什么?
有人能指出我正确的方向吗?
答案 0 :(得分:0)
使用以下ACL解决了我的问题:
acl is_site1 ssl_fc_sni foo.foobar.com