【Question title】: HAProxy doesn't recognize SSL
【Posted】: 2015-08-07 07:24:55
【Question】:

I'm running into some problems using HAProxy together with OpenSSL.

Since I'm trying to build a cloud server with a load balancer that handles HTTPS, I want to use specific versions of HAProxy and OpenSSL.

My problem is that when I compile OpenSSL and then HAProxy against it, HAProxy doesn't recognize the SSL features. Below are the commands I used.

Compiling OpenSSL 1.0.2d

sudo apt-get -y install libssl-dev libpcre3 make
wget https://www.openssl.org/source/openssl-1.0.2d.tar.gz
tar xzvf openssl-1.0.2d.tar.gz
rm openssl-1.0.2d.tar.gz
cd openssl-1.0.2d
./config --prefix=/usr/local --openssldir=/usr/local/ssl --libdir=lib shared
make && make install

Compiling HAProxy

sudo apt-get install build-essential libpcre3-dev
wget www.haproxy.org/download/1.5/src/haproxy-1.5.14.tar.gz
tar xzvf haproxy-1.5.14.tar.gz
rm haproxy-1.5.14.tar.gz
cd haproxy-1.5.14
make TARGET=linux26 CPU=generic USE_OPENSSL=1 USE_PCRE=1
make install
(apt-get install haproxy) <--- To get HAProxy as a service

Then, when I run haproxy -vv, I get:

HA-Proxy version 1.5.14 2015/07/02
Copyright 2000-2015 Willy Tarreau <willy@haproxy.org>

Build options :
  TARGET  = linux26
  CPU     = generic
  CC      = gcc
  CFLAGS  = -O2 -g -fno-strict-aliasing
  OPTIONS = USE_OPENSSL=1 USE_PCRE=1

Default settings :
  maxconn = 2000, bufsize = 16384, maxrewrite = 8192, maxpollevents = 200

Encrypted password support via crypt(3): yes
Built without zlib support (USE_ZLIB not set)
Compression algorithms supported : identity
Built with OpenSSL version : OpenSSL 1.0.1f 6 Jan 2014
Running on OpenSSL version : OpenSSL 1.0.1f 6 Jan 2014
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports prefer-server-ciphers : yes
Built with PCRE version : 8.31 2012-07-06
PCRE library supports JIT : no (USE_PCRE_JIT not set)
Built with transparent proxy support using: IP_TRANSPARENT IP_FREEBIND

Available polling systems :
      epoll : pref=300,  test result OK
       poll : pref=200,  test result OK
     select : pref=150,  test result OK
Total: 3 (3 usable), will use epoll.

Here we can see that HAProxy is built with OpenSSL, but when I use my haproxy.cfg file:

global
    log localhost local0 notice
    maxconn 2048
    user haproxy
    group haproxy
    tune.ssl.default-dh-param 2048

defaults
    log global
    mode http
    option forwardfor
    option http-server-close
    retries 3
    option redispatch
    timeout connect     5000ms
    timeout client      50000ms
    timeout server      50000ms

frontend http-in
    bind *:80
    maxconn 2048
    redirect scheme https code 301 if !{ ssl_fc }

frontend https-in
    bind *:443 ssl crt /etc/ssl/private/certif.pem
    maxconn 2048
    reqadd X-Forwarded-Proto:\ https
    default_backend internalProxy

# Internal Proxys
backend internalProxy
    balance roundrobin
    # internal proxys

# Test
backend testExternalProxy
    errorfile 503 /root/haproxy/code202.http

# Statistics
listen stats *:8010
    mode http
    log global

    maxconn 10

    timeout connect 100s
    timeout client  100s
    timeout server  100s
    timeout queue       100s

    # Stat page, http://example.com:8010/stats
    stats enable
    stats hide-version
    stats refresh 10s
    stats show-node
    stats uri /stats
    stats realm Strictly\ Private
    stats auth username:password

I get the following errors:

 * Starting haproxy haproxy                                                     
[ALERT] 218/022327 (1780) : parsing [/etc/haproxy/haproxy.cfg:6] : unknown keyword 'tune.ssl.default-dh-param' in 'global' section
[ALERT] 218/022327 (1780) : parsing [/etc/haproxy/haproxy.cfg:22] : 'redirect' expects 'code', 'prefix', 'location', 'set-cookie', 'clear-cookie', 'drop-query' or 'append-slash' (was 'scheme').
[ALERT] 218/022327 (1780) : parsing [/etc/haproxy/haproxy.cfg:25] : 'bind' only supports the 'transparent', 'defer-accept', 'name', 'id', 'mss' and 'interface' options.
[ALERT] 218/022327 (1780) : Error(s) found in configuration file : /etc/haproxy/haproxy.cfg
[ALERT] 218/022327 (1780) : Fatal errors found in configuration.

It doesn't seem to recognize the OpenSSL features.. Does anyone know why???

Thanks in advance

【Discussion】:

    Tags: ubuntu ssl openssl haproxy


    【Solution 1】:

    I just found the problem. I had to modify the startup script /etc/init.d/haproxy to tell it where the newly compiled haproxy binary is.

    I had to change the line HAPROXY=/usr/sbin/haproxy to HAPROXY=/usr/local/sbin/haproxy

    Now it works.. =)

    【Comments】:

    • I ran into this today. For me it had nothing to do with the init script; it was because haproxy had not been compiled with openSSL support. yum install openssl-devel, then a clean rebuild of haproxy fixed it
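Both causes raised on this page (the init script starting a different binary, and a build that linked against the wrong or no OpenSSL) can be checked before restarting the service. The script below is an added example, not code from the question or the answers; it assumes a Debian-style init script that names the binary in a HAPROXY=/path line, and it feeds constructed sample data that mirrors the situation in the question instead of calling a real haproxy.

```sh
# Added example (not from the original question or answers). Assumes a Debian-style
# init script that names the binary in a line of the form HAPROXY=/path/to/haproxy.

# Print the binary path an init script will start (first HAPROXY= assignment).
init_script_binary() {
    sed -n 's/^[[:space:]]*HAPROXY=\([^[:space:]#]*\).*/\1/p' "$1" | head -n 1
}

# Read `haproxy -vv` output on stdin and print the OpenSSL version the binary was
# built against, or "none" when the build has no SSL support at all.
vv_openssl_version() {
    awk '/^Built with OpenSSL version/ { sub(/^Built with OpenSSL version *: */, ""); v = $0 }
         END { print (v == "" ? "none" : v) }'
}

# Return 0 when the init script starts the binary you built ($2), 1 otherwise.
init_uses_built_binary() {
    [ "$(init_script_binary "$1")" = "$2" ]
}

# Constructed sample data reproducing the question: the init script still points at
# the distro package, and the source build linked against the system OpenSSL 1.0.1f
# rather than the 1.0.2d that was built by hand.
TMP=$(mktemp -d)
cat > "$TMP/haproxy.init" <<'EOF'
#!/bin/sh
PIDFILE=/var/run/haproxy.pid
HAPROXY=/usr/sbin/haproxy   # distro package, not the source build
EOF
SAMPLE_VV='HA-Proxy version 1.5.14 2015/07/02
Build options :
  OPTIONS = USE_OPENSSL=1 USE_PCRE=1
Built with OpenSSL version : OpenSSL 1.0.1f 6 Jan 2014
Running on OpenSSL version : OpenSSL 1.0.1f 6 Jan 2014'

check_install() {
    built=$(printf '%s\n' "$SAMPLE_VV" | vv_openssl_version)
    printf 'init script starts: %s\n' "$(init_script_binary "$TMP/haproxy.init")"
    printf 'built against:      %s\n' "$built"
    if [ "$built" = none ]; then echo "NO SSL: rebuild with USE_OPENSSL=1 and the OpenSSL headers installed"; fi
    case $built in *1.0.2d*) ;; *) echo "NOTE: not linked against the OpenSSL 1.0.2d you built" ;; esac
    if init_uses_built_binary "$TMP/haproxy.init" /usr/local/sbin/haproxy; then
        echo "OK: init script starts the source-built binary"
    else
        echo "MISMATCH: init script starts another binary; fix its HAPROXY= line"
    fi
}
check_install
```

On a real host, replace the sample text with `haproxy -vv` output from the binary named in the init script, since that is the one the service will actually run.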