server:haproxy [2020/04/12 11:13] – [Links] st | server:haproxy [2020/08/30 16:30] (current) – st
====== haproxy ======

haproxy is a [[server:

:!: This page refers to haproxy version 1.7.

===== Links =====

  * [[http://
  * [[https://
  * [[https://
  * [[https://
  * http://
  * http://
  * [[https://


===== Installation =====

The most recent version should be used wherever possible; an extra package repository is the usual way to get the latest stable release that is not yet included in the distribution:
For Debian, e.g. the [[https://


===== Basics =====

  * global: basic settings that apply to the whole configuration
  * defaults: predefined settings used wherever a section does not specify them explicitly
  * frontend: client -> haproxy
  * backend: haproxy -> server/node
  * acls:
+ | |||
===== Frontends =====

[[https://
[[https://

==== Statistics ====

...


===== Configuration =====

An example web app "

<
# Sample config for haproxy 1.7.x - see documentation:
global
    log /
    log /
    chroot /
    stats socket /
    stats timeout 30s
    user haproxy
    group haproxy
    daemon

    # Default SSL material locations
    ca-base /
    crt-base /

    # default ciphers client <-> haproxy
    ssl-default-bind-ciphers EECDH+ECDSA+AESGCM:
    # default ciphers haproxy <-> server
    ssl-default-server-ciphers EECDH+ECDSA+AESGCM:
    ssl-default-bind-options no-sslv3 no-tls-tickets
    # SSL DH 2048 (default is 1024 but with warning):
    tune.ssl.default-dh-param 2048


defaults
    log
    mode http
    option
    option

    timeout connect 5000ms
    retries 2
    timeout client 10000ms
    timeout server 10000ms
    timeout queue 60000ms
    timeout http-request 15000ms
    timeout http-keep-alive 15000ms
    # assign the client to another node if its current node dies:
    option redispatch
    # insert X-Forwarded-For header with the client IP:
    option forwardfor
    # close server-conn,
    option http-server-close

    errorfile 400 /
    errorfile 403 /
    errorfile 408 /
    errorfile 500 /
    errorfile 502 /
    errorfile 503 /
    errorfile 504 /

#frontend WEBAPP1-http
#    bind *:80
#    default_backend WEBAPP1
#
#frontend WEBAPP1-https
#    bind *:443 ssl crt /
#    default_backend WEBAPP1
#    # HSTS:
#    rspadd Strict-Transport-Security:

frontend WEBAPP1-http-with-redirect-to-https
    bind *:80
    bind *:443 ssl crt /
    # Redirect if HTTPS is *not* used
    redirect scheme https code 301 if !{ ssl_fc }
    # HSTS:
    rspadd Strict-Transport-Security:

    # haproxy stats:
    stats enable
    stats uri /
    stats realm haproxy
    stats auth MEIN_BENUTZER:
    # stats auth Another_User:

    default_backend WEBAPP1


backend WEBAPP1
    balance roundrobin
    # other options: static Round Robin (static-rr),
    # "
    server node1 10.0.0.1:80 check maxconn 200
    server node2 10.0.0.2:80 check maxconn 200
    server node3 10.0.0.3:80 check maxconn 200

    # Nodes with SSL and verification of SSL-Traffic (possible: none|all)
    # server node1 10.0.0.1:
    # server node2 10.0.0.2:
    # server node3 10.0.0.1:
</


==== Splitting the configuration ====

A single configuration file haproxy.conf holding all the settings is not ideal for automation. The solution is the parameter "

In the file ''/
<
# Change the config file location if needed, only *.cfg-files are loaded in lexical order!
CONFIG="/
</

Now we put the config files in /

:!: the global configuration should be read first, e.g. by naming it ''
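The example configuration above and the split into ''/etc/haproxy/conf.d/'' described in this subsection, combined into one added example that is not from this page or the haproxy project: a complete haproxy 1.7 configuration laid out as three files whose numeric prefixes fix the load order. The file names, the ''/etc/haproxy/conf.d/'' path, the cipher lists, the certificate path, the ''/healthz'' check path, the ''10.0.0.0/8'' admin network and the stats credentials are all assumptions.

```haproxy
# --- /etc/haproxy/conf.d/00-global.cfg ---  (assumed path; sorts first, so it is loaded first)
global
    log /dev/log local0
    log /dev/log local1 notice
    chroot /var/lib/haproxy
    # admin-level socket (used by hatop and "disable server"); mode 660 keeps it to root and the haproxy group
    stats socket /run/haproxy/admin.sock mode 660 level admin
    stats timeout 30s
    user haproxy
    group haproxy
    daemon

    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private
    # assumed cipher lists: forward secrecy only, no anonymous, MD5 or DSS suites
    ssl-default-bind-ciphers EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+aRSA+SHA384:!aNULL:!MD5:!DSS
    ssl-default-bind-options no-sslv3 no-tlsv10 no-tls-tickets
    ssl-default-server-ciphers EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:!aNULL:!MD5:!DSS
    ssl-default-server-options no-sslv3 no-tlsv10
    tune.ssl.default-dh-param 2048

# --- /etc/haproxy/conf.d/10-defaults.cfg ---
# "defaults" only applies to the frontends/backends that follow it, so it must sort before them
defaults
    log global
    mode http
    option httplog
    option dontlognull
    option forwardfor
    option http-server-close
    option redispatch
    retries 2
    timeout connect 5s
    timeout client 10s
    timeout server 10s
    timeout queue 60s
    timeout http-request 15s
    timeout http-keep-alive 15s
    errorfile 503 /etc/haproxy/errors/503.http

# --- /etc/haproxy/conf.d/20-webapp1.cfg ---  (one file per application)
frontend webapp1
    bind *:80
    bind *:443 ssl crt /etc/haproxy/certs/webapp1.pem
    # send plain-HTTP clients to HTTPS, then pin them there with HSTS (only on TLS responses)
    redirect scheme https code 301 if !{ ssl_fc }
    rspadd Strict-Transport-Security:\ max-age=31536000;\ includeSubDomains if { ssl_fc }
    # stats page: basic auth plus a source restriction, so the password alone is not enough
    acl stats_path path_beg /haproxy-stats
    acl admin_net  src 10.0.0.0/8
    http-request deny if stats_path !admin_net
    stats enable
    stats uri /haproxy-stats
    stats realm haproxy
    stats auth admin:CHANGE_ME
    stats hide-version
    default_backend webapp1

backend webapp1
    balance roundrobin
    # application-level health check instead of a bare TCP connect
    option httpchk GET /healthz
    http-check expect status 200
    server node1 10.0.0.1:80 check maxconn 200
    server node2 10.0.0.2:80 check maxconn 200
    server node3 10.0.0.3:80 check maxconn 200
```

Assuming the Debian init script reads ''CONFIG="/etc/haproxy/conf.d/"'' from ''/etc/default/haproxy'', ''haproxy -c -f /etc/haproxy/conf.d/'' validates the three files in the same lexical order before a reload. The ''stats auth'' password sits in clear text in the config file and is sent as HTTP basic auth, which is why the stats URI is only reachable after the redirect to HTTPS and is additionally limited to the admin network; the admin-level stats socket can stop and start servers, so its file mode matters as much as the stats password.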
==== SNI ====

FIXME test, source: https://


=== Fallback for non-SNI clients ===

[[https://


=== Wildcard specification with SNI ===

https://


=== Different SSL settings with SNI ===

https://


  * use a different IP or port for each cert (so it is a different bind line and you can therefore apply the configuration you need on a per certificate/
  * if you need everything on a single IP:port combination,
  *
Source: https://


<
acl domain_strong_SSL
acl domain_standard_SSL req_ssl_sni -i www.normal.com

use_backend strong_SSL if domain_strong_SSL
use_backend standard_SSL


frontend strong_SSL
    bind *:443 ssl crt /
    [...]
frontend standard_SSL
    bind *:443 ssl crt /
    [...]
</
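The per-certificate approach from the list above, written out as an added example that is not from this page or its source. It assumes a ''defaults'' section with timeouts earlier in the configuration, and the host names www.strong.example / www.normal.example, the certificate paths and the backend addresses are placeholders. It also covers the fallback for non-SNI clients from the earlier subsection:

```haproxy
# 1) Plain TCP listener: reads only the ClientHello and routes on the (cleartext) SNI name.
frontend tls_sni_router
    bind *:443
    mode tcp
    option tcplog
    # wait for the ClientHello (at most 5 s) before routing; hello_type 1 = ClientHello
    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }
    acl sni_strong   req_ssl_sni -i www.strong.example
    acl sni_standard req_ssl_sni -i www.normal.example
    use_backend to_strong   if sni_strong
    use_backend to_standard if sni_standard
    # no SNI at all (old clients) or an unknown name: fall back to the standard listener
    default_backend to_standard

# 2) Internal hops to the two TLS listeners over Linux abstract sockets (abns@), so nothing
#    else on the host can reach them and no filesystem path has to exist inside a chroot.
backend to_strong
    mode tcp
    server strong abns@strong_ssl send-proxy-v2

backend to_standard
    mode tcp
    server standard abns@standard_ssl send-proxy-v2

# 3a) Strict listener: TLS 1.2 only, AES-GCM with forward secrecy, no session tickets, HSTS
frontend strong_ssl
    bind abns@strong_ssl accept-proxy ssl crt /etc/haproxy/certs/strong.pem force-tlsv12 ciphers EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM no-tls-tickets
    mode http
    rspadd Strict-Transport-Security:\ max-age=31536000
    default_backend app_strong

# 3b) Relaxed listener for the site that still has to serve older clients
frontend standard_ssl
    bind abns@standard_ssl accept-proxy ssl crt /etc/haproxy/certs/normal.pem no-sslv3 no-tlsv10
    mode http
    default_backend app_standard

backend app_strong
    mode http
    server app1 10.0.0.1:80 check

backend app_standard
    mode http
    server app2 10.0.0.2:80 check
```

SNI travels unencrypted in the ClientHello, so the router only decides which listener handles the connection; nothing is authenticated until the chosen listener completes the TLS handshake with its own certificate and options. ''send-proxy-v2''/''accept-proxy'' carry the real client address across the internal hop, so ''option forwardfor'' in the HTTP listeners still sees it. ''force-tlsv12'' is the 1.7 way to pin a minimum version (later releases use ''ssl-min-ver''); the abstract sockets are Linux-only, on other systems use ''127.0.0.1:<port>'' listeners instead.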


==== Integrating letsencrypt ====

https://
===== Administration =====

...the integrated stats page (see above)


==== hatop ====

apt install hatop

in haproxy.cfg the stats socket:
and off you go:<