  • Creating a self-signed certificate and enabling HTTPS on HAProxy

     

    mkdir /etc/ssl/xip.io
    [root@ha02 haproxy-1.4.26]# openssl genrsa -out /etc/ssl/xip.io/xip.io.key 1024
    Generating RSA private key, 1024 bit long modulus
    ........++++++
    ...........++++++
    e is 65537 (0x10001)
    [root@ha02 haproxy-1.4.26]# openssl req -new -key /etc/ssl/xip.io/xip.io.key -out /etc/ssl/xip.io/xip.io.csr
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:CN #country code
    State or Province Name (full name) []:china #province
    Locality Name (eg, city) [Default City]:beijing #city
    Organization Name (eg, company) [Default Company Ltd]:iseastar #company name
    Organizational Unit Name (eg, section) []:iseastar #optional
    Common Name (eg, your name or your server's hostname) []:iseastar #for a server certificate this should be the hostname clients connect to
    Email Address []:     #e-mail address, optional
    
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:123456
    An optional company name []:
    [root@ha02 haproxy-1.4.26]# openssl x509 -req -days 365 -in /etc/ssl/xip.io/xip.io.csr -signkey /etc/ssl/xip.io/xip.io.key -out /etc/ssl/xip.io/xip.io.crt
    Signature ok
    subject=/C=CN/ST=china/L=beijing/O=iseastar/OU=iseastar/CN=iseastar
    Getting Private key

    This produces the following three files:

    [root@ha02 haproxy-1.4.26]# tree /etc/ssl/xip.io/
    /etc/ssl/xip.io/
    ├── xip.io.crt
    ├── xip.io.csr
    └── xip.io.key
    
    0 directories, 3 files

    Once the certificate exists we need to build a PEM file. A PEM bundle is nothing more than the certificate, the private key and, optionally, the CA (intermediate) certificates concatenated into a single file. Here we simply concatenate the certificate and then the key, in that order, into xip.io.pem; this is the form HAProxy prefers for reading an SSL certificate. Because the file contains the private key it must be readable only by the user HAProxy starts as (it loads the bundle at startup, before dropping privileges), i.e. mode 0600.

    [root@ha02 haproxy-1.4.26]# cat /etc/ssl/xip.io/xip.io.crt /etc/ssl/xip.io/xip.io.key |tree /etc/ssl/xip.io/xip.io.pem
    /etc/ssl/xip.io/xip.io.pem [error opening dir]
    
    0 directories, 0 files
    [root@ha02 haproxy-1.4.26]# ls /etc/ssl/xip.io/
    xip.io.crt  xip.io.csr  xip.io.key
    An error was reported, and no file ending in .pem was generated.

    Looking more closely afterwards, I had misread one command: it should be tee, not tree.

    [root@ha02 haproxy-1.4.26]# cat /etc/ssl/xip.io/xip.io.crt /etc/ssl/xip.io/xip.io.key |tee /etc/ssl/xip.io/xip.io.pem
    -----BEGIN CERTIFICATE-----
    MIICRzCCAbACCQCp15MeAY6YFzANBgkqhkiG9w0BAQUFADBoMQswCQYDVQQGEwJD
    TjEOMAwGA1UECAwFY2hpbmExEDAOBgNVBAcMB2JlaWppbmcxETAPBgNVBAoMCGlz
    ZWFzdGFyMREwDwYDVQQLDAhpc2Vhc3RhcjERMA8GA1UEAwwIaXNlYXN0YXIwHhcN
    MTYxMjE2MDUxMzM5WhcNMTcxMjE2MDUxMzM5WjBoMQswCQYDVQQGEwJDTjEOMAwG
    A1UECAwFY2hpbmExEDAOBgNVBAcMB2JlaWppbmcxETAPBgNVBAoMCGlzZWFzdGFy
    MREwDwYDVQQLDAhpc2Vhc3RhcjERMA8GA1UEAwwIaXNlYXN0YXIwgZ8wDQYJKoZI
    hvcNAQEBBQADgY0AMIGJAoGBANEKpgCx8Hd0J2gZd/YJRpqjac0nZNU29pyOpXbl
    VxOy9tUR4bHX6y7IDW/G297orwc2AIGetNVSYEVKTh6pCZz6H/E+FZG7+A2ftJ8I
    823Hx7iW10Q1sP95UsYB2N0wd5AtKfywuv3Bjwe2nQj3R47+LuwABNnXS0mYp93y
    4EkxAgMBAAEwDQYJKoZIhvcNAQEFBQADgYEABd+XL1YdowVUWivoxki751bAdqpv
    L9WizV1LW0Whf4GWS10wnubXSOHqR3Ybcm9Nnq1adqoV1g8pcJMWGYk+JKjA+N+i
    tiiBSwvKw7kEC3/r2EH0vmVtv4TLcohTJrIil2WslPYcHVcWJX/HdgBD5yhSNp4D
    INwzh2GWxZ2HAE8=
    -----END CERTIFICATE-----
    -----BEGIN RSA PRIVATE KEY-----
    MIICXAIBAAKBgQDRCqYAsfB3dCdoGXf2CUaao2nNJ2TVNvacjqV25VcTsvbVEeGx
    1+suyA1vxtve6K8HNgCBnrTVUmBFSk4eqQmc+h/xPhWRu/gNn7SfCPNtx8e4ltdE
    NbD/eVLGAdjdMHeQLSn8sLr9wY8Htp0I90eO/i7sAATZ10tJmKfd8uBJMQIDAQAB
    AoGAc8J10wS2qS/FcrxH1hOk6ZV8zYL3L6tUPbYwovq1kc8VKUDRvu5W6n0WE8QH
    lhU8d73L4fvFICyR600OnaP2EdtslR0BLwR0r55PMGxm6hpE5KI8N3nrxRQSkbPs
    u8o9rS9IaWXjKk5gYcrTQTfGuaez4TzsUtQr/oVJfviZ25ECQQDxq/ZpTzbr6TFH
    V+iLFI3dwz6wH72DTFPo5FrZ+s7VTuuYi8mb1LDxXFxWKCgaD1vAZf8hFddXthjA
    20Kk7+DXAkEA3W9u7VWa6C85NbGQ6VH6AVSk9uDgzWafxWw0in3tdsV/VEZxu3PF
    iXFHVHUhy4dc7UZksl7GACtkPiMV6iJ9NwJBAJpNZYNPpI1z0pbutfc3JG1XYAsr
    +OCAN4MXajqLPMxNG3fGqO7qGh/BDOOluBULgVWSyhbhzyCdj6hzVlXhIvkCQF2k
    mVGO6TKVfekiDXlOLJ7Rb+3jjc3vP1Pa/aEvvfODc+Rs4f326KvGFvc1jbQnq3nA
    UidIgw1hTEQmzEa2jSMCQGDoM8ginUV7o33WcKLog5arhYFVOXuZi478GAhtauX9
    Dcv8CRWpfdi3LuOM8yCRWDEyPfBw+3CfIBlXjVBkD7w=
    -----END RSA PRIVATE KEY-----
    [root@ha02 haproxy-1.4.26]# tree /etc/ssl/xip.io/
    /etc/ssl/xip.io/
    ├── xip.io.crt
    ├── xip.io.csr
    ├── xip.io.key
    └── xip.io.pem
    
    0 directories, 4 files
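    The procedure above works, but a practitioner would change four things: use a 2048-bit key (1024-bit RSA has been below the accepted minimum for years), put the hostname in a subjectAltName (browsers ignore the CN on its own), write the bundle with a shell redirect rather than tee so the private key is not echoed to the terminal (the key printed above has been displayed and published, so it must be treated as compromised and never reused), and keep the files at mode 0600. The script below is an added example, not part of the original post: it runs the same generate-then-concatenate procedure with those fixes and then checks the bundle (permissions, certificate-first order, key matches certificate, SAN present) before it is handed to HAProxy. The hostname app01.example.test, the organization name iseastar and the scratch directory are assumed values; the extension config is used instead of -addext so it also works on OpenSSL 1.0.2.

```shell
#!/bin/sh
# Added example, not from the original post. Generates a self-signed server
# certificate, builds the cert+key PEM bundle HAProxy reads, and checks it.
set -eu

# make_selfsigned DIR HOST: 2048-bit RSA key + SHA-256 self-signed certificate
# whose subjectAltName carries HOST (browsers require the SAN, not just CN).
make_selfsigned() {
    dir=$1; host=$2
    mkdir -p "$dir"
    # Request/extension config (works on OpenSSL 1.0.2, which has no -addext).
    cat > "$dir/openssl.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_server
[dn]
C = CN
O = iseastar
CN = $host
[v3_server]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
EOF
    # umask 077: the key file is never world-readable, not even briefly.
    (umask 077 && openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -config "$dir/openssl.cnf" \
        -keyout "$dir/$host.key" -out "$dir/$host.crt" 2>/dev/null)
}

# bundle_pem DIR HOST: certificate first, then the key, written with a
# redirect (not tee) so the private key never reaches the terminal/scrollback.
bundle_pem() {
    dir=$1; host=$2
    (umask 077 && cat "$dir/$host.crt" "$dir/$host.key" > "$dir/$host.pem")
    chmod 600 "$dir/$host.pem"
    echo "$dir/$host.pem"
}

# check_bundle PEM HOST: returns 0 only if the bundle is mode 0600, starts with
# the certificate, the embedded key matches the certificate's public key, and
# the certificate names HOST in its SAN. Prints the reason on failure.
check_bundle() {
    pem=$1; host=$2
    mode=$(ls -ld "$pem" | cut -c1-10)
    [ "$mode" = "-rw-------" ] || { echo "bundle is not mode 0600 ($mode)"; return 1; }
    first=$(grep -m1 -e '-----BEGIN' "$pem" || true)
    [ "$first" = "-----BEGIN CERTIFICATE-----" ] \
        || { echo "certificate is not the first object in the bundle"; return 1; }
    # Pull each object out with sed so the comparison does not depend on how a
    # given OpenSSL version handles multi-object PEM input.
    cert_pub=$(sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$pem" \
        | openssl x509 -noout -pubkey 2>/dev/null || true)
    key_pub=$(sed -n '/-----BEGIN .*PRIVATE KEY-----/,/-----END .*PRIVATE KEY-----/p' "$pem" \
        | openssl pkey -pubout 2>/dev/null || true)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] \
        || { echo "private key does not match certificate"; return 1; }
    openssl x509 -in "$pem" -noout -text | grep -q "DNS:$host" \
        || { echo "certificate has no subjectAltName for $host"; return 1; }
    return 0
}

# Demo run in a scratch directory (assumed hostname, not a real site).
demo_dir=$(mktemp -d)
make_selfsigned "$demo_dir" app01.example.test
demo_pem=$(bundle_pem "$demo_dir" app01.example.test)
check_bundle "$demo_pem" app01.example.test \
    && echo "OK: use   bind *:443 ssl crt $demo_pem"
```

    The order check matters when a bought certificate arrives as separate files: concatenate the server certificate, then any intermediate certificates, then the key. Re-run check_bundle after every renewal; a bundle whose key no longer matches its certificate is the most common reason HAProxy refuses to start after a certificate swap.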

    When you buy a real certificate you will not necessarily get a ready-concatenated file. You may have to assemble it yourself, although some CAs do hand you a combined file. It may not be called .pem either: you may receive separate bundle (CA chain), cert and key files, or files with similar names for the same things. For HAProxy the safe order is the server certificate, then any intermediate certificates, then the private key.

    With the PEM file in place, HAProxy needs only a small configuration change to handle SSL/TLS connections.

    To terminate SSL in HAProxy we add a second bind on port 443 to the frontend and tell HAProxy where the certificate is. (The prompt shows a haproxy-1.4.26 build directory, but the ssl crt bind option needs HAProxy 1.5 or later compiled with USE_OPENSSL=1; 1.4 cannot terminate TLS by itself.) In the vimdiff output below the modified configuration is on the left and the original on the right:

             stats admin if TRUE                               |          stats admin if TRUE
              mode http                                         |          mode http
              #server sshd 192.168.1.104:22 check port 22 inter |          #server sshd 192.168.1.104:22 check port 22 inter
                                                                |  
      frontend app01_www.app01.com:8010                         |  frontend app01_www.app01.com:8010
              bind *:8010                                       |          bind *:8010
              bind *:443 ssl crt /etc/ssl/xip.io/xip.io.pem     |  ---------------------------------------------------------
              timeout client 8h                                 |          timeout client 8h
              mode http                                         |          mode http
              default_backend server_app01                      |          default_backend server_app01
      backend server_app01                                      |  backend server_app01
              mode http                                         |          mode http
              timeout server 8h                                 |          timeout server 8h
              cookie SERVERID insert nocache                    |          cookie SERVERID insert nocache
              server app01 10.100.0.37:8010 check port 8010 rise|          server app01 10.100.0.37:8010 check port 8010 ris
      frontend app02_www.app02.com:8020                         |  frontend app02_www.app02.com:8020
              bind *:8020                                       |          bind *:8020
              bind *:443 ssl crt /etc/ssl/xip.io/xip.io.pem     |  ---------------------------------------------------------
              timeout client 8h                                 |          timeout client 8h
              mode http                                         |          mode http
              default_backend server_app02                      |          default_backend server_app02
      backend server_app02                                      |  backend server_app02
              mode http                                         |          mode http
              timeout server 8h                                 |          timeout server 8h
    + +--  2 lines: cookie SERVERID insert nocache--------------|+ +--  2 lines: cookie SERVERID insert nocache-------------

    Looking at the change, only one line was added:

     bind *:443 ssl crt /etc/ssl/xip.io/xip.io.pem 

    With this configuration the frontend answers both HTTPS (on 443) and plain HTTP (on 8010). Note, however, that both frontends now bind *:443 with the same certificate. Two listeners cannot both own one address and port: HAProxy will either fail to bind the second one, or, where the kernel lets the port be shared, hand each incoming 443 connection to whichever frontend it picks, so app02 requests can land in app01. Terminate TLS in a single frontend on 443 and select the backend with use_backend instead.

    The next version serves HTTPS only. Compare the two configurations (left: HTTPS only; right: HTTP and HTTPS):

    + +-- 30 lines: global--------------------------------------|+ +-- 30 lines: global-------------------------------------
              mode http                                         |          mode http
              #server sshd 192.168.1.104:22 check port 22 inter |          #server sshd 192.168.1.104:22 check port 22 inter
                                                                |  
      frontend app01_www.app01.com:8010                         |  frontend app01_www.app01.com:8010
              bind *:8010                                       |          bind *:8010
              bind *:443 ssl crt /etc/ssl/xip.io/xip.io.pem     |          bind *:443 ssl crt /etc/ssl/xip.io/xip.io.pem
              redirect scheme https if !{ ssl_fc }              |  ---------------------------------------------------------
              timeout client 8h                                 |          timeout client 8h
              mode http                                         |          mode http
              default_backend server_app01                      |          default_backend server_app01
      backend server_app01                                      |  backend server_app01
              mode http                                         |          mode http
              timeout server 8h                                 |          timeout server 8h
              cookie SERVERID insert nocache                    |          cookie SERVERID insert nocache
              server app01 10.100.0.37:8010 check port 8010 rise|          server app01 10.100.0.37:8010 check port 8010 ris
      frontend app02_www.app02.com:8020                         |  frontend app02_www.app02.com:8020
              bind *:8020                                       |          bind *:8020
              redirect scheme https if !{ ssl_fc }              |  ---------------------------------------------------------
              bind *:443 ssl crt /etc/ssl/xip.io/xip.io.pem     |          bind *:443 ssl crt /etc/ssl/xip.io/xip.io.pem
              timeout client 8h                                 |          timeout client 8h
              mode http                                         |          mode http
              default_backend server_app02                      |          default_backend server_app02
      backend server_app02                                      |  backend server_app02
              mode http                                         |          mode http
    + +--  3 lines: timeout server 8h---------------------------|+ +--  3 lines: timeout server 8h--------------------------

    The left configuration serves HTTPS only: port 8010 still accepts plaintext, but redirect scheme https if !{ ssl_fc } answers every request that did not arrive over TLS (ssl_fc is false) with a redirect to the HTTPS URL. The right configuration serves both HTTPS and HTTP.
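    The following is an added example, not the configuration from the original post. It lays the same two applications out the way I would on HAProxy 1.5 or later: one plaintext listener whose only job is to redirect, one TLS frontend on 443 that routes to the existing backends by Host header, and the TLS defaults tightened in global. It goes beyond the page in two ways that are worth knowing: redirect scheme rebuilds the Location URL from the client's Host header, so a request that arrived on port 8010 with Host: www.app01.com:8010 would be sent to https://www.app01.com:8010, which is not the TLS listener; the example therefore uses the standard ports 80 and 443. And the Strict-Transport-Security header is only honoured by browsers over a trusted (CA-issued) certificate and is sticky for max-age, so leave it commented out until the self-signed certificate is replaced. Assumed values: the hostnames www.app01.com and www.app02.com (taken from the frontend names on the page), the cookie app01/app02 server tokens, the cipher list, and the app02 server address, which the page does not show.

```haproxy
global
    # Defaults for every "bind ... ssl": no SSLv3/TLS 1.0/1.1, forward-secret
    # AEAD ciphers only, 2048-bit DH for any DHE fallback. (HAProxy 1.8+ can
    # use "ssl-min-ver TLSv1.2" instead of the no-* options.)
    ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11
    ssl-default-bind-ciphers ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5
    tune.ssl.default-dh-param 2048

defaults
    mode http
    timeout connect 5s
    timeout client  8h
    timeout server  8h

# Plaintext listener that only redirects. Unconditional: nothing is served here.
frontend http_redirect
    bind *:80
    redirect scheme https code 301

# Single TLS frontend for both sites; the bundle is the cert+key PEM built above.
frontend https_in
    bind *:443 ssl crt /etc/ssl/xip.io/xip.io.pem
    # Route by Host header. The self-signed certificate covers one name only;
    # a real deployment uses per-site certificates (crt can take a directory)
    # or a SAN certificate, and may match on ssl_fc_sni instead.
    acl host_app01 req.hdr(host) -i www.app01.com
    acl host_app02 req.hdr(host) -i www.app02.com
    # Let the application know the client connection was TLS.
    http-request set-header X-Forwarded-Proto https
    # Enable only once a CA-issued certificate is in place (see lead-in).
    # http-response set-header Strict-Transport-Security max-age=31536000
    use_backend server_app01 if host_app01
    use_backend server_app02 if host_app02
    default_backend server_app01

backend server_app01
    cookie SERVERID insert nocache
    server app01 10.100.0.37:8010 check port 8010 cookie app01

backend server_app02
    cookie SERVERID insert nocache
    # Address assumed: the page does not show app02's server line.
    server app02 10.100.0.37:8020 check port 8020 cookie app02
```

    Check the file with haproxy -c -f /path/to/haproxy.cfg before reloading; a missing or unreadable PEM, or a crt option on a build without OpenSSL support, is reported at that step rather than at the first client connection.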

  • Original post: https://www.cnblogs.com/bass6/p/6186971.html