HAProxy 可以自己终结 HTTPS(证书和私钥放在 haproxy 上,后端只收到明文 HTTP);也有生产环境出于性能或端到端加密的考虑,把证书放在后端服务器(比如 nginx)上,由 haproxy 只做 TCP 透传。下面两种方式分别对应这两种做法。

第一种方式:从用户到 haproxy 为 https,从 haproxy 到后端服务器用 http 通信。注意 haproxy 到后端这一段是明文,只适合在可信的内网中使用。


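# haproxy: install and create a self-signed certificate for TLS termination.
# Written against the yum-packaged HAProxy/OpenSSL on EL7 (HAProxy 1.5.x,
# OpenSSL 1.0.2 -- the "Generating RSA private key" banner in the original
# transcript is the 1.0.x format), so no OpenSSL 1.1.1-only options are used.
yum install haproxy -y
mkdir -p /etc/haproxy/certs/
cd /etc/haproxy/certs/ || exit 1

# Minimal req config.  Without it 'openssl req -x509' picks up the system
# openssl.cnf, whose x509_extensions point at v3_ca, which is why the dump
# below shows "CA:TRUE" on a server certificate.  It also lets us add a SAN:
# browsers match the hostname against subjectAltName, not CN.
cat > haproxy.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions    = v3_server
prompt             = no

[dn]
CN = www.wswj.com

[v3_server]
basicConstraints = CA:FALSE
subjectAltName   = DNS:www.wswj.com
EOF

# Key and self-signed cert in one step.
#  -days 365 : the default validity is only 30 days (compare the Not Before /
#              Not After dates in the dump below), i.e. the cert would expire
#              a month after setup.
#  -nodes    : unencrypted key; HAProxy has to read it unattended at startup.
openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
  -config haproxy.cnf \
  -keyout haproxy.key -out haproxy.crt

# HAProxy wants key + cert in a single PEM.  Both files contain the private
# key, so create them unreadable to anyone but root (the umask applies only
# inside the subshell).  HAProxy loads the PEM while still running as root,
# before dropping privileges, so root-owned 0600 is sufficient.
chmod 600 haproxy.key
(umask 077; cat haproxy.key haproxy.crt > haproxy.pem)

# Inspect the result.  NOTE: the dump that follows was produced by the
# original commands; with this config expect CA:FALSE, a Subject Alternative
# Name extension and a one-year validity instead.
openssl x509 -in haproxy.pem -noout -text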
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            a0:8f:0d:31:85:cb:fb:96
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=www.wswj.com
        Validity
            Not Before: Dec 20 12:51:28 2021 GMT
            Not After : Jan 19 12:51:28 2022 GMT
        Subject: CN=www.wswj.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:d2:86:6f:1f:a7:58:c9:ea:4e:05:95:29:62:73:
                    64:88:ca:de:00:1b:5d:3d:ab:c4:98:9d:0b:09:95:
                    a7:79:5f:7c:b5:07:00:47:cb:48:1a:10:68:29:da:
                    03:9a:ff:6f:a1:8f:9d:a9:ca:c5:c6:3c:7f:48:b7:
                    0c:8e:e4:d4:e5:2c:c9:d1:5d:d5:51:18:43:44:00:
                    4c:1a:85:8b:7d:22:b7:7a:c4:ed:b0:4f:69:20:63:
                    cd:95:54:0c:9a:be:fd:33:95:7c:25:01:f3:7a:13:
                    e4:80:b1:d3:69:60:df:f5:f9:b0:b8:b5:ee:ac:79:
                    11:19:d0:5f:36:a9:8d:7b:f1:a9:88:8b:9c:4e:7c:
                    9a:bd:ae:ac:c2:11:19:c0:de:c4:1f:cb:a9:3c:e8:
                    95:fa:0c:e8:d4:85:d1:53:f5:56:6c:fe:2e:62:b4:
                    d7:08:95:01:7a:ce:ab:61:b3:fb:63:0d:c4:ce:39:
                    f1:db:29:25:06:95:b8:4a:01:c0:70:a3:aa:92:f7:
                    7b:9a:be:54:2e:3c:ab:af:5b:b0:a1:60:06:fa:2c:
                    66:c8:2d:f5:52:f9:7a:ad:83:1a:0b:12:f7:2d:43:
                    7e:a3:2f:f9:a0:75:de:fb:65:ac:0d:fa:29:a0:41:
                    58:6c:65:16:47:17:c3:63:ad:e2:84:98:fd:94:6b:
                    11:9f
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                9E:3F:DA:AB:D9:66:71:3F:C0:51:76:D4:C7:74:F0:FC:0B:ED:05:8D
            X509v3 Authority Key Identifier:
                keyid:9E:3F:DA:AB:D9:66:71:3F:C0:51:76:D4:C7:74:F0:FC:0B:ED:05:8D

            X509v3 Basic Constraints:
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption
         8c:3b:50:c2:f9:64:82:d2:a8:0a:d7:0b:93:5a:b3:05:73:92:
         83:34:63:85:e4:16:ec:18:d6:94:05:bb:56:1a:77:13:f5:0b:
         4c:1d:7b:03:ca:6a:aa:d1:01:b3:dd:24:16:41:c4:ff:e0:63:
         73:7f:58:58:1e:c8:20:3a:a7:a5:b2:2e:d8:a1:49:89:a1:e8:
         f5:7b:46:4b:ad:e7:e5:e6:bf:97:5d:bd:38:b5:e3:7b:2b:f6:
         8e:9b:df:bc:16:d8:e1:ce:c4:15:b9:ff:1c:1c:f6:7c:0d:01:
         0b:bc:d1:e3:57:d8:8d:82:81:e0:8a:a3:db:1d:63:3b:5d:ae:
         9b:2a:c5:4c:cf:74:cb:af:22:3d:de:db:36:84:47:3f:46:e2:
         63:7b:28:e6:3e:67:df:e1:44:2d:3f:32:db:ef:1d:e3:9e:eb:
         bb:c7:b2:f4:f8:7e:fe:c3:b4:ef:13:24:6e:d8:b5:38:5a:53:
         71:b9:87:fe:c4:2d:a3:9c:f0:bd:40:87:a6:a9:ae:7f:07:ab:
         38:9c:e5:ee:c2:ba:c6:c8:0a:9e:cf:6f:18:44:66:5d:60:19:
         dd:62:19:e8:0d:08:7f:4b:0b:76:db:c6:d5:c7:ba:09:6d:a7:
         41:4d:87:a2:5e:27:09:b8:1c:c4:c6:91:58:f2:5b:c6:a2:88:
         26:ec:f9:7a
[root@localhost certs]# vim /etc/haproxy/haproxy.cfg
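frontend  wswj_http
  mode http
  bind 10.0.0.7:80
  # TLS is terminated here; the PEM holds key + certificate.  SSLv3 and
  # TLS 1.0/1.1 are disabled on the listener (these bind options exist in
  # 1.5.x).  The cipher list can be pinned with 'ciphers' on this line or
  # with ssl-default-bind-ciphers in the global section.
  bind 10.0.0.7:443 ssl crt /etc/haproxy/certs/haproxy.pem no-sslv3 no-tlsv10 no-tlsv11
  # Send plain-HTTP clients to the TLS listener.
  redirect scheme https if !{ ssl_fc }
  # Tell the backend how the client reached us.  'set-header' replaces any
  # X-Forwarded-* header the client supplied; the original 'add-header'
  # appended to it, so a client could present its own value to the backend
  # alongside ours.
  http-request set-header X-forwarded-Port  %[dst_port]
  http-request set-header X-forwarded-Proto https if { ssl_fc }
  # Pass the client address on, otherwise the backend only sees the proxy IP.
  option forwardfor
  # Optional once everything is served over TLS: ask browsers to stay on https.
  # http-response set-header Strict-Transport-Security max-age=31536000 if { ssl_fc }
  default_backend webs

backend webs
  mode http
  # 'balance' is a backend/defaults keyword; in the frontend section it is
  # ignored (HAProxy warns about it), so it belongs here.
  balance roundrobin
  # haproxy -> backend is plain HTTP: acceptable only on a trusted network.
  server ng1 172.16.1.101:80 check inter 2000 fall 3 rise 5
  server ng2 172.16.1.100:80 check inter 2000 fall 3 rise 5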

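# Validate the configuration before applying it; a syntax error would
# otherwise leave the proxy down after the restart.
haproxy -c -f /etc/haproxy/haproxy.cfg && systemctl restart haproxy.service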

第二种方式:从用户到 haproxy 走 tcp 模式,从 haproxy 到后端服务器也走 tcp 通信。此时 haproxy 只转发加密的 TCP 流、不解析 HTTP,证书和私钥配置在后端服务器上;代价是 haproxy 无法添加 X-Forwarded-* 头,后端默认只能看到代理的 IP。


#配置文件
[root@localhost  ]# vim /etc/haproxy/haproxy.cfg

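frontend  wswj_http
  # TCP passthrough: TLS is not terminated here, the encrypted stream is
  # forwarded unchanged, so the backends hold the certificate and key.
  mode tcp
  # Listens on every address.  The first variant bound 10.0.0.7 only; narrow
  # this unless listening on all interfaces is intended.
  bind *:443
  default_backend webs

backend webs
  mode tcp
  # 'balance' only takes effect in a backend/defaults section; placed in the
  # frontend (as originally) it is ignored with a warning.
  balance roundrobin
  # 'check' is a plain TCP connect check and does not prove the backend can
  # complete a TLS handshake.  'check-ssl' does, but with self-signed backend
  # certificates it additionally needs 'verify none' or a 'ca-file'.
  # TLS is opaque here, so no X-Forwarded-* header can be injected; the
  # backend sees the proxy's address unless the PROXY protocol is enabled on
  # both sides ('send-proxy' here, 'proxy_protocol' on nginx's listen).
  server web1 172.16.1.100:443 check inter 2000 fall 3 rise 5
  server web2 172.16.1.101:443 check inter 2000 fall 3 rise 5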