前面讲到,使用Nginx实现多域名证书HTTPS(http://fengwan.blog.51cto.com/508652/1719708),通过重新编译Nginx实现TLS SNI Support打开,那么使用Haproxy如何实现呢?
要求:
Haproxy必须要1.5以上的版本
第一步:openssl的安装
1
2
3
4
5
|
tar
zxf openssl-0.9.8zh.
tar
.gz
cd
openssl-0.9.8zh
.
/config
enable
-tlsext --prefix=
/usr/local/openssl
no-shared
make
&&
make
install_sw
#以上安装不影响系统中的openssl版本,主要就是打开openssl的TLS SNI功能
|
第二步:Haproxy的安装
1
2
3
4
5
|
tar
zxf haproxy-1.5.15.
tar
.gz
cd
haproxy-1.5.15
make
TARGET=linux26 USE_PCRE=1 USE_OPENSSL=1 USE_ZLIB=1 ARCH=x86_64 PREFIX=
/usr/local/haproxy1
.5.15 SSL_INC=
/usr/local/openssl/include
SSL_LIB=
/usr/local/openssl/lib
ADDLIB=-ldl
make
TARGET=linux26 USE_PCRE=1 USE_OPENSSL=1 USE_ZLIB=1 ARCH=x86_64 PREFIX=
/usr/local/haproxy1
.5.15 SSL_INC=
/usr/local/openssl/include
SSL_LIB=
/usr/local/openssl/lib
ADDLIB=-ldl
install
#记得上面要指定openssl的地址,haproxy没有config这步
|
第三步:生成证书
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
|
[root@gz122haproxy95 ~]
# mkdir ~/keys
[root@gz122haproxy95 keys]
# cd ~/keys
[root@gz122haproxy95 keys]
# openssl genrsa -out passport.abc.com.key 2048
[root@gz122haproxy95 keys]
# openssl req -new -key passport.abc.com.key -out passport.abc.com.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter
'.'
, the field will be left blank.
-----
Country Name (2 letter code) [GB]:CN
#国家
State or Province Name (full name) [Berkshire]:GuangDong
#省份
Locality Name (eg, city) [Newbury]:ShenZhen
#城市
Organization Name (eg, company) [My Company Ltd]:Test.Inc
#公司名称
Organizational Unit Name (eg, section) []:passport.abc.com
#组织名称
Common Name (eg, your name or your server's
hostname
) []:passport.abc.com
#域名
Email Address []:passport@abc.com
Please enter the following
'extra'
attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@gz122haproxy95 keys]
# openssl x509 -req -days 3650 -in passport.abc.com.csr -signkey passport.abc.com.key -out passport.abc.com.crt
[root@gz122haproxy95 keys]
# cat passport.abc.com.crt passport.abc.com.key |tee passport.abc.com.pem
|
按照以上方法依次生成www.test.com admin.abc.com的证书文件,每个站点最后会有一个pem文件生成
配置Haproxy的配置文件:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
|
frontend http_server
bind :80
bind :443 ssl crt
/etc/haproxy/keys/www
.
test
.com.pem crt
/etc/haproxy/keys/admin
.
test
.com.pem crt
/etc/haproxy/keys/passport
.abc.com.pem
#按照如上规则如果多个站点就可以使用同样的规则 bind :443 ssl crt $filepath crt $file2path crt $file3path
mode http
acl ssl hdr_reg(host) -i ^(www.
test
.com|admin.
test
.com|passport.abc.com)$
redirect scheme https code 301
if
!{ ssl_fc } ssl
#对以上站点进行https跳转
#在某些情况下,在特定页面需要进行跳转,则
acl ssl_site hdr_reg(host) -i ^(
acl ssl_path path_beg -i
/Login
/Pay/Pay
.aspx
redirect scheme https code 301
if
!{ ssl_fc } ssl_site ssl_path
redirect scheme http code 301
if
{ ssl_fc } ssl_site !ssl_path
#只在/loign /Pay/Pay.aspx页面进行跳转,其他页面使用http
acl wwwtest_com hdr_reg(host) -i ^(www.
test
.com)$
use_backend www_test_com
if
wwwtest_com { ssl_fc_sni www.
test
.com }
#这里就是证书的对应部分,如
acl admintest_com hdr_dom(host) -i admin.
test
.com
use_backend admin_test_com
if
admintest_com { ssl_fc_sni admin.
test
.com }
acl passportabc_com hdr_dom(host) -i passport.abc.com
use_backend pasport_abc_com
if
passport_abc_com { ssl_fc_sni passport.abc.com }
backend www_test_com
server test2 192.168.10.2:80 check port 80 inter 5000 rise 2 fall 3 weight 1
backend admin_test_com
server test4 192.168.10.4:80 check port 80 inter 5000 rise 2 fall 3 weight 1
backend passport_abc_com
server test5 192.168.10.5:80 check port 80 inter 5000 rise 2 fall 3 weight 1
|
按照以上配置就可以实现多证书的HTTPS,依次访问上面的访问会发现,相关的证书与之配对。
本文转自 rong341233 51CTO博客,原文链接:http://blog.51cto.com/fengwan/1719863