pfSense + HAProxy – Reverse Proxy with multiple Services on one internal IP
当前,我在服务器上使用HAProxy软件包使用pfSense,因为我可以通过GUI轻松配置它。
我将HAProxy配置为与本指南相对应的反向代理:https://blog.devita.co/pfsense-to-proxy-traffic-for-websites-using-pfsense/
SSL卸载就像一个魅力。我的问题是,当我在同一内部IP上有多个服务(开放端口)时,似乎无法正常工作。
例:
- 我为Service1配置了service1.domain.com,端口为8000(10.100.10.101:8000),它可以正常工作。
- 现在我需要同一台机器上的另一个端口(例如10.100.10.101:8082)和另一个服务。如果我配置了另一个指向相同IP但具有不同端口的后端,即使我访问service1.domain.com,我也只能访问第二个服务(service2.domain.com)。
我的用例是我正在尝试设置Seafile,它将Web GUI的端口号为8000,将文件服务器的端口号为8082。现在,我可以访问Web GUI,但不能上载,下载或共享文件。
我的配置:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 | # Automaticaly generated, dont edit manually. # Generated on: 2018-09-29 19:24 global maxconn 1000 stats socket /tmp/haproxy.socket level admin gid 80 nbproc 1 hard-stop-after 15m chroot /tmp/haproxy_chroot daemon tune.ssl.default-dh-param 8192 server-state-file /tmp/haproxy_server_state ssl-default-bind-ciphers TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:TLS13-CHACHA20-POLY1305-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256 ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets ssl-default-server-ciphers TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:TLS13-CHACHA20-POLY1305-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256 ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets listen HAProxyLocalStats bind 127.0.0.1:2200 name localstats mode http stats enable stats admin if TRUE stats show-legends stats uri /haproxy/haproxy_stats.php?haproxystats=1 timeout client 5000 timeout connect 5000 timeout server 5000 frontend shared-frontend-merged bind X.X.X.X:443 name X.X.X.X:443 ssl crt-list /var/etc/haproxy/shared-frontend.crt_list mode http log global option http-keep-alive option forwardfor acl https ssl_fc http-request set-header X-Forwarded-Proto http if !https http-request set-header X-Forwarded-Proto https if https timeout client 30000 http-response set-header Strict-Transport-Security max-age=15768000 acl aclcrt_shared-frontend var(txn.txnhost) -m reg -i ^([^\\.]*)\\.domain\\.com(:([0-9]){1,5})?$ acl ACL1 var(txn.txnhost) -m str -i test.domain.com acl ACL2 var(txn.txnhost) -m str -i service1.domain.com acl ACL3 var(txn.txnhost) -m str -i service2.domain.com http-request set-var(txn.txnhost) hdr(host) default_backend test.domain.com_ipv4 default_backend service1.domain.com_ipvANY default_backend service2.domain.com_ipvANY frontend http-to-https bind X.X.X.X:80 name X.X.X.X:80 mode http log global option http-keep-alive timeout client 30000 http-request redirect scheme https backend test.domain.com_ipv4 mode http id 10100 log global timeout connect 30000 timeout server 30000 retries 3 source ipv4@ usesrc clientip option httpchk GET / server testvm-server01 10.100.10.101:54080 id 10101 check inter 1000 backend service1.domain.com_ipvANY mode http id 102 log global timeout connect 30000 timeout server 30000 retries 3 option httpchk GET / server seafile-vm-01 10.100.10.103:8000 id 101 check inter 1000 backend service2.domain.com_ipvANY mode http id 104 log global timeout connect 30000 timeout server 30000 retries 3 option httpchk GET / server seafile-vm-02 10.100.10.103:8082 id 103 check inter 1000 |
如果有人能指出正确的方向,我将感到非常高兴,在此先感谢您,如果您需要更多信息,请告诉我。
最好的祝福,
生灵眼
我能够在reddit上一位出色的用户的帮助下解决我的问题。
第一个问题是我没有正确配置前端,因此有3个default_backends。 这就是每个服务都指向同一虚拟机的原因。 为了解决这个问题,我只需要添加与我的ACL名称相对应的if条件。
第二个问题是我的Service2在HAProxy统计信息页面上显示为DOWN。 我不得不将运行状况检查方法从HTTP更改为Basic,最终解决了所有问题。
这是工作配置:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 | # Automaticaly generated, dont edit manually. # Generated on: 2018-10-02 16:59 global maxconn 1000 stats socket /tmp/haproxy.socket level admin gid 80 nbproc 1 hard-stop-after 15m chroot /tmp/haproxy_chroot daemon tune.ssl.default-dh-param 8192 server-state-file /tmp/haproxy_server_state ssl-default-bind-ciphers TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:TLS13-CHACHA20-POLY1305-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256 ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets ssl-default-server-ciphers TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:TLS13-CHACHA20-POLY1305-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256 ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets listen HAProxyLocalStats bind 127.0.0.1:2200 name localstats mode http stats enable stats admin if TRUE stats show-legends stats uri /haproxy/haproxy_stats.php?haproxystats=1 timeout client 5000 timeout connect 5000 timeout server 5000 frontend shared-frontend-merged bind X.X.X.X:443 name X.X.X.X:443 ssl crt-list /var/etc/haproxy/shared-frontend.crt_list mode http log global option http-keep-alive option forwardfor acl https ssl_fc http-request set-header X-Forwarded-Proto http if !https http-request set-header X-Forwarded-Proto https if https timeout client 30000 http-response set-header Strict-Transport-Security max-age=15768000 acl aclcrt_shared-frontend var(txn.txnhost) -m reg -i ^([^\\.]*)\\.domain\\.com(:([0-9]){1,5})?$ acl ACL1 var(txn.txnhost) -m beg -i test.domain.com acl ACL2 var(txn.txnhost) -m beg -i service1.domain.com acl ACL3 var(txn.txnhost) -m beg -i service2.domain.com http-request set-var(txn.txnhost) hdr(host) use_backend test.domain.com_ipv4 if ACL1 use_backend service1.domain.com_ipvANY if ACL2 use_backend service2.domain.com-seafhttp_ipvANY if ACL3 frontend http-to-https bind X.X.X.X:80 name X.X.X.X:80 mode http log global option http-keep-alive timeout client 30000 http-request redirect scheme https backend test.domain.com_ipv4 mode http id 10100 log global timeout connect 30000 timeout server 30000 retries 3 source ipv4@ usesrc clientip option httpchk GET / server testvm-server01 10.100.10.101:54080 id 10101 check inter 1000 backend service1.domain.com_ipvANY mode http id 102 log global timeout connect 30000 timeout server 30000 retries 3 option httpchk GET / server seafile-vm-01 10.100.10.103:8000 id 101 check inter 1000 backend service2.domain.com-seafhttp_ipvANY mode http id 104 log global timeout connect 30000 timeout server 30000 retries 3 server seafile-vm-02 10.100.10.103:8082 id 103 check inter 1000 |
有关更多详细信息,请访问:https://www.reddit.com/r/PFSENSE/comments/9kezl3/pfsense_haproxy_reverse_proxy_with_multiple/?st=jmruoa9r&sh=26d24791
TLDR:我没有正确配置我的操作表,并进行了错误的健康检查。
问候,
生灵眼