Send-proxy fails on ssl-passthrough haproxy
I want to use ssl-passthrough on Haproxy to route traffic to traefik.
This works, but I want to know the IP of the person making the request. The haproxy docs say I have to use send-proxy. This works for http but not for https. Traefik has the proxy protocol enabled.
Firefox reports SSL_ERROR_RECORD_OVERFLOW_ALERT
Chrome says ERR_SSL_PROTOCOL_ERROR
The Traefik log shows:
msg="http: TLS handshake error from haproxy_ip:51206: tls: oversized record received with length 22617"
Am I missing something in the config?
My haproxy config:
global
log /dev/log local0
log /dev/log local1 notice
chroot /var/lib/haproxy
stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
stats timeout 30s
user haproxy
group haproxy
daemon
defaults
log global
option tcplog
mode tcp
timeout connect 1s
timeout client 20s
timeout server 20s
timeout client-fin 20s
timeout tunnel 1h
#option httplog
#option dontlognull
#timeout connect 5000
#timeout client 50000
#timeout server 50000
errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http
frontend http_front
bind *:80
option http-server-close
option forwardfor
default_backend http_back
backend http_back
balance roundrobin
server private_server private_ip:80 send-proxy
frontend https_front
bind *:443
mode tcp
option tcp-check
default_backend https_back
backend https_back
balance source
mode tcp
option ssl-hello-chk
server private_server private_ip:8080 send-proxy
Traefik config:
debug = false
logLevel = "DEBUG"
defaultEntryPoints = ["https","http"]
[entryPoints]
[entryPoints.http]
address = ":80"
[entryPoints.http.redirect]
entryPoint = "https"
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
[entryPoints.http.proxyProtocol]
trustedIPs = ["127.0.0.1/32", "private_ip"]
#insecure = true
[retry]
[docker]
endpoint = "unix:///var/run/docker.sock"
domain = "dartsresults.nl"
watch = true
exposedByDefault = false
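An added example, not part of the question and not code from HAProxy or Traefik, that decodes the log line quoted in the question: HAProxy's `send-proxy` puts a PROXY protocol v1 line at the front of the TCP stream, and a TLS listener that is not expecting it reads the ASCII bytes of "PROXY" as a record header. The last two bytes of that word, 'X' and 'Y' (0x58 0x59), are exactly the length 22617 that Traefik reports, far above the ciphertext record ceiling. The sample PROXY line, its addresses and the ClientHello header bytes below are constructed placeholders.

```python
"""Added example (not from the original post): decode what a TLS listener sees
when a PROXY protocol v1 line arrives where a TLS record is expected."""
import struct
from dataclasses import dataclass
from typing import Optional

# RFC 5246 ciphertext record ceiling: 2^14 + 2048 bytes. A declared length above
# this is rejected by the record layer as an oversized record.
TLS_MAX_RECORD = 16384 + 2048

# Constructed sample of what `server ... send-proxy` writes first on the stream
# (PROXY protocol v1: "PROXY <proto> <src> <dst> <sport> <dport>\r\n").
SAMPLE_PROXY_V1 = b"PROXY TCP4 203.0.113.7 198.51.100.10 51206 8080\r\n"

# Constructed 5-byte record header of a ClientHello: handshake (0x16),
# legacy version TLS 1.0 (0x0301), 200 bytes of payload.
SAMPLE_CLIENT_HELLO_HEADER = b"\x16\x03\x01\x00\xc8"


@dataclass
class ProxyV1:
    proto: str
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int


def parse_proxy_v1(data: bytes) -> Optional[ProxyV1]:
    """Parse a PROXY protocol v1 line (TCP4/TCP6 only); None if absent or malformed."""
    if not data.startswith(b"PROXY "):
        return None
    end = data.find(b"\r\n")
    if end == -1 or end + 2 > 107:  # v1 lines are at most 107 bytes including CRLF
        return None
    fields = data[:end].decode("ascii", errors="replace").split(" ")
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        return None
    _, proto, src, dst, sport, dport = fields
    if not (sport.isdigit() and dport.isdigit()):
        return None
    return ProxyV1(proto, src, dst, int(sport), int(dport))


def tls_record_view(data: bytes) -> dict:
    """Interpret the first 5 bytes as a TLS record header: type, version, length."""
    if len(data) < 5:
        raise ValueError("need at least 5 bytes for a TLS record header")
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    return {"content_type": ctype, "version": (major, minor), "length": length}


def diagnose(first_bytes: bytes) -> str:
    """Classify the first bytes a TLS listener received.

    'proxy-header-not-accepted': a PROXY v1 line reached a listener that is not
    configured for the PROXY protocol. Its bytes 'P','R','O','X','Y' parse as
    record type 80, version (82, 79) and length 0x5859 = 22617, which is the
    "oversized record" in the Traefik log.
    'tls-record': a plausible TLS record header (type 20-23, major version 3,
    length within the ceiling).
    'unknown': neither.
    """
    if parse_proxy_v1(first_bytes) is not None:
        return "proxy-header-not-accepted"
    view = tls_record_view(first_bytes)
    if (view["content_type"] in (20, 21, 22, 23) and view["version"][0] == 3
            and view["length"] <= TLS_MAX_RECORD):
        return "tls-record"
    return "unknown"


if __name__ == "__main__":
    hdr = parse_proxy_v1(SAMPLE_PROXY_V1)
    print("client seen through the PROXY header:", hdr.src_ip, hdr.src_port)
    print("the same bytes read as a TLS record:", tls_record_view(SAMPLE_PROXY_V1))
    print("verdict:", diagnose(SAMPLE_PROXY_V1))
    print("ClientHello verdict:", diagnose(SAMPLE_CLIENT_HELLO_HEADER))
```

Getting the "proxy-header-not-accepted" verdict from a packet capture of the first bytes tells you the failure is the receiving entry point not accepting the PROXY protocol, not a certificate or cipher problem, so the fix belongs on the Traefik listener rather than in the TLS settings.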
This should be "https" in [entrypoints.https.proxyProtocol], like:
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
[entryPoints.https.proxyProtocol]
trustedIPs = ["127.0.0.1/32", "private_ip"]
Information about using tables in TOML: https://github.com/toml-lang/toml#table
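An added example, not Traefik's parser and not code from the answer, that shows why the table name matters: a header such as [entryPoints.http.proxyProtocol] nests under the http entry point, so the https entry point never receives the setting. The parser handles only the TOML subset this config uses (tables, dotted table headers, strings, booleans, integers and flat arrays). The check then takes the entry points HAProxy sends PROXY traffic to (here both, since both backends in the question's haproxy config use send-proxy) and reports any that cannot safely accept it. The embedded configs are constructed copies of the question's entryPoints section and of a corrected version with the table under https.

```python
"""Added example (not Traefik's code): parse the TOML subset this config uses
and check on which entry point the proxyProtocol table actually landed."""
import re
from typing import Any, Dict, List

TABLE_RE = re.compile(r"^\[([A-Za-z0-9_.\-]+)\]$")
KV_RE = re.compile(r"^([A-Za-z0-9_\-]+)\s*=\s*(.+)$")

# Constructed copy of the question's entryPoints section; "private_ip" is the
# page's own placeholder. The defect is the [entryPoints.http.proxyProtocol] header.
BROKEN_CFG = """
defaultEntryPoints = ["https","http"]
[entryPoints]
  [entryPoints.http]
  address = ":80"
  [entryPoints.https]
  address = ":443"
  [entryPoints.https.tls]
  [entryPoints.http.proxyProtocol]
  trustedIPs = ["127.0.0.1/32", "private_ip"]
  #insecure = true
"""

# Constructed corrected version: the table added under https as the answer says,
# and kept on http because http_back in the HAProxy config also uses send-proxy.
FIXED_CFG = BROKEN_CFG + """
  [entryPoints.https.proxyProtocol]
  trustedIPs = ["127.0.0.1/32", "private_ip"]
"""


def _strip_comment(line: str) -> str:
    """Drop a trailing '# ...' comment unless the '#' sits inside a string."""
    in_str = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_str = not in_str
        elif ch == "#" and not in_str:
            return line[:i]
    return line


def _parse_value(raw: str) -> Any:
    """Strings, booleans, integers and flat arrays; enough for this config."""
    raw = raw.strip()
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1]
    if raw in ("true", "false"):
        return raw == "true"
    if raw.startswith("[") and raw.endswith("]"):
        inner = raw[1:-1].strip()
        return [_parse_value(v) for v in inner.split(",")] if inner else []
    if re.fullmatch(r"-?\d+", raw):
        return int(raw)
    raise ValueError(f"unsupported TOML value: {raw!r}")


def parse_toml_subset(text: str) -> Dict[str, Any]:
    """Nested dicts: a header [a.b.c] selects root['a']['b']['c'] for the keys
    that follow, so [entryPoints.http.proxyProtocol] configures http, not https."""
    root: Dict[str, Any] = {}
    current = root
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = _strip_comment(raw).strip()
        if not line:
            continue
        m = TABLE_RE.match(line)
        if m:
            current = root
            for part in m.group(1).split("."):
                current = current.setdefault(part, {})
            continue
        m = KV_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: cannot parse {raw!r}")
        current[m.group(1)] = _parse_value(m.group(2))
    return root


def check_proxy_protocol(cfg: Dict[str, Any], proxied: List[str]) -> List[str]:
    """One finding per entry point in `proxied` (those HAProxy sends PROXY to)
    that cannot safely accept the PROXY protocol; an empty list means consistent."""
    findings = []
    entry_points = cfg.get("entryPoints", {})
    for name in proxied:
        ep = entry_points.get(name)
        if not isinstance(ep, dict):
            findings.append(f"{name}: entry point not defined")
            continue
        pp = ep.get("proxyProtocol")
        if not isinstance(pp, dict):
            findings.append(f"{name}: no [entryPoints.{name}.proxyProtocol] table, "
                            "so the PROXY line is parsed as TLS and the handshake fails")
        elif pp.get("insecure") is True:
            findings.append(f"{name}: insecure = true trusts PROXY lines from any "
                            "source, so client IPs can be spoofed; use trustedIPs")
        elif not pp.get("trustedIPs"):
            findings.append(f"{name}: proxyProtocol table has no trustedIPs")
    return findings


if __name__ == "__main__":
    for label, text in (("question", BROKEN_CFG), ("corrected", FIXED_CFG)):
        print(label, check_proxy_protocol(parse_toml_subset(text), ["http", "https"]))
```

trustedIPs should list only the HAProxy address: an entry point that honours PROXY lines from any source (insecure = true) lets anyone who can reach it directly supply the client IP that ends up in logs and access rules, which is why the check flags that setting as well as a missing table.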