# HAProxy SSL Configuration

## Enabling HTTPS

### Method 1: Terminate SSL at the frontend

```
frontend https_front
    bind *:443 ssl crt /etc/ssl/certs/server.pem
    mode http
    default_backend web_servers

frontend http_front
    bind *:80
    mode http
    # Redirect plain HTTP to HTTPS; ssl_fc is true only for TLS connections
    http-request redirect scheme https if !{ ssl_fc }
```

### Method 2: Combined certificate file (crt)
```bash
# Concatenate the certificate and the private key into one PEM file
cat server.crt server.key > /etc/ssl/certs/server.pem
# The file now contains the private key, so restrict it to its owner
chmod 600 /etc/ssl/certs/server.pem
```

## Certificate configuration parameters
```
# TLS 1.3 suite names are set with `ciphersuites`; `ciphers` only takes the TLS 1.2-and-older list
bind *:443 ssl crt /etc/ssl/certs/mycert.pem ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 no-sslv3 no-tlsv10 no-tlsv11
```

## HSTS configuration
Add the response header in the frontend or backend (max-age=31536000 is one year in seconds; browsers will then use HTTPS only for that host):

```
http-response set-header Strict-Transport-Security max-age=31536000
```

## Verifying the certificate configuration
```bash
# Check the configuration file for errors without starting HAProxy
haproxy -c -f /etc/haproxy/haproxy.cfg
# Show the validity period of the certificate HAProxy is actually serving
echo | openssl s_client -connect localhost:443 2>/dev/null | openssl x509 -noout -dates
```

## Let's Encrypt automatic renewal
Used together with certbot:

```bash
# Certificate locations as written by certbot
#   /etc/letsencrypt/live/domain/fullchain.pem
#   /etc/letsencrypt/live/domain/privkey.pem
# Merge the chain and the private key into the single PEM file HAProxy expects
# (restrict its permissions like server.pem above and reload HAProxy after each renewal)
cat /etc/letsencrypt/live/domain/fullchain.pem /etc/letsencrypt/live/domain/privkey.pem > /etc/ssl/certs/domain.pem
```

## Backend server SSL verification
If the backends are also HTTPS:

```
backend web_servers
    mode http
    # verify required: reject a backend whose certificate does not chain to ca-file
    server web1 192.168.1.10:443 ssl verify required ca-file /etc/ssl/certs/ca-bundle.crt
    server web2 192.168.1.11:443 ssl verify required ca-file /etc/ssl/certs/ca-bundle.crt
```

## Common SSL cipher suites
Disable insecure legacy protocols and cipher suites:

```
# Keep TLS 1.2 enabled: the `ciphers` list applies to TLS 1.2 and older,
# so adding no-tlsv12 would leave only TLS 1.3 and make the list unused
bind *:443 ssl crt /path/to/cert.pem \
    no-sslv3 \
    no-tlsv10 \
    no-tlsv11 \
    ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384
```
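As an added audit helper (not part of this page or of HAProxy itself), the script below joins backslash-continued lines and flags three mistakes that are easy to make with the bind options above: legacy protocols left enabled, TLS 1.3 suite names passed to `ciphers` instead of `ciphersuites`, and a `ciphers` list made unreachable by `no-tlsv12`. The sample configuration is constructed.

```python
import shlex

# TLS 1.3 suites: HAProxy takes these via `ciphersuites`; `ciphers` only
# covers TLS 1.2 and older, so OpenSSL rejects a TLS 1.3 name given there.
TLS13_SUITES = {"TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256"}
LEGACY_OFF = ("no-sslv3", "no-tlsv10", "no-tlsv11")

def audit_bind(line):
    """Return the findings for one logical `bind ... ssl ...` line."""
    toks = shlex.split(line)
    if "ssl" not in toks:
        return []
    arg = {t: toks[i + 1] for i, t in enumerate(toks[:-1])}  # keyword -> argument
    findings = []
    # Legacy protocols stay enabled unless switched off one by one or via ssl-min-ver
    missing = [k for k in LEGACY_OFF if k not in toks]
    if missing and "ssl-min-ver" not in arg:
        findings.append("legacy protocols enabled: " + ", ".join(missing))
    if set(arg.get("ciphers", "").split(":")) & TLS13_SUITES:
        findings.append("TLS 1.3 suites given to `ciphers`; use `ciphersuites`")
    if "no-tlsv12" in toks and "ciphers" in arg:
        findings.append("`ciphers` unused: no-tlsv12 leaves only TLS 1.3")
    return findings

def audit_config(text):
    """Join backslash-continued lines, then audit every bind line.
    Returns {first_line_number: findings} for bind lines with findings."""
    out, logical, start = {}, "", 0
    for no, raw in enumerate(text.splitlines(), 1):
        s = raw.strip()
        if not logical:
            start = no  # remember where a (possibly continued) line began
        if s.endswith("\\"):
            logical += s[:-1] + " "
            continue
        line, logical = logical + s, ""
        if line.startswith("bind ") and (f := audit_bind(line)):
            out[start] = f
    return out

# Constructed sample config: three flawed bind lines and one clean one.
SAMPLE = """\
bind *:443 ssl crt /etc/ssl/certs/server.pem
bind *:443 ssl crt /etc/ssl/certs/mycert.pem ciphers TLS_AES_256_GCM_SHA384 no-sslv3 no-tlsv10 no-tlsv11
bind *:443 ssl crt /path/to/cert.pem \\
    no-sslv3 no-tlsv10 no-tlsv11 no-tlsv12 \\
    ciphers ECDHE-RSA-AES128-GCM-SHA256
bind *:443 ssl crt /etc/ssl/certs/good.pem ssl-min-ver TLSv1.2 ciphersuites TLS_AES_256_GCM_SHA384
"""
```

Run `audit_config(SAMPLE)` to get the findings keyed by the line on which each bind directive starts; the clean fourth line produces no entry.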