如何使用 SSL 将 haproxy 放在 socket.io 前面?获取混合内容警告
How to put haproxy in front of socket.io with SSL? Getting Mixed content warning
一直在用这个setting把haproxy放在node.js和socket.io前面。
haproxy设置中的部分代码:
frontend wwws
bind 0.0.0.0:443 ssl crt /etc/haproxy/ovee.pem
timeout client 1h
default_backend www_backend
acl is_websocket hdr(Upgrade) -i WebSocket
use_backend websocket_backend if is_websocket
tcp-request inspect-delay 500ms
tcp-request content accept if HTTP
use_backend flashsocket_backend if !HTTP
frontend flash_policy
bind 0.0.0.0:843
timeout client 5s
default_backend nodejs_flashpolicy
backend www_backend
balance roundrobin
option forwardfor
server apache2 apache-backend:3001 weight 1 maxconn 1024 check
timeout connect 5s
timeout http-request 3s
timeout server 25s
backend websocket_backend
mode http
option forwardfor
option http-server-close
option forceclose
no option httpclose
server server1 socket-backend:3000 weight 1 maxconn 16384 check
nodeServer.js
var fs = require('fs');
var express = require('express'),
app = express(),
http = require('http').createServer(app),
io = require("socket.io").listen(http),
它似乎在第一次连接时运行良好,但随后浏览器阻止了 Mixed Content 的所有套接字连接尝试。
The page at 'https://domain.com/391' was loaded over HTTPS,
but requested an insecure XMLHttpRequest endpoint
'http://domain.com:3000/socket.io/?EIO=3&transport=polling&t=1456666556035-0'.
This request has been blocked; the content must be served over HTTPS.
我知道这是因为我与 socket.io 的连接是通过 Http 而不是 Https
client.js
socket = io.connect('http://domain.com:3000', {
'force new connection': false,
'reconnection delay': 500,
'max reconnection attempts': 10
}),
我已经尝试为 nodeServer.js 使用 SSL,但是它没有连接到套接字,而且我认为没有必要,因为我正在使用 haproxy 进行所有转发:
在nodeServer.js中,我改为:
var fs = require('fs'),
sslOption = {
key: fs.readFileSync('/ssl/crt/zz.key'),
cert: fs.readFileSync('/ssl/crt/zz.crt'),
ca: fs.readFileSync('/ssl/crt/zz-ca.crt'),
requestCert: true
},
express = require('express'),
app = express(),
https = require('https').createServer(app),
io = require("socket.io").listen(https),
client.js
socket = io.connect('https://domain.com:3000', {
'force new connection': false,
'reconnection delay': 500,
'max reconnection attempts': 10
}),
有没有人把haproxy放在node.js和socket.io前面?我应该使用什么从 client.js 连接到 socket.io?
我已经以某种方式解决了这个问题。我不应该在 client.js 中使用 https:domain.com:3000。我应该让 haproxy 做 SSL 转发。这是我使 SSL 与 socket.io 一起工作的设置。我希望可能偶然发现它的人会更正任何过时或错误的内容:
frontend www
bind 0.0.0.0:80
mode http
timeout client 5s
redirect scheme https if !{ ssl_fc }
acl is_socket hdr(Upgrade) -i WebSocket
acl is_socket hdr_beg(Host) -i wss
use_backend socket if is_socket
frontend www-https
bind 0.0.0.0:443 ssl crt /ssl/domain.pem
timeout client 1h
### Set up a check to identify the connection url initated by socket.io https://domain.com/socket.io/?EIO=3&transport=polling&t=1441877956651, if matched, forward to node backend
acl is_node path_beg /socket.io/
use_backend node if is_websocket
### I'm not sure if this one is necessary for wss://domain.com
acl is_websocket2 hdr(Upgrade) -i WebSocket
acl is_websocket2 hdr_beg(Host) -i ws
use_backend socket if is_websocket2
default_backend apache2
tcp-request inspect-delay 500ms
tcp-request content accept if HTTP
use_backend flashsocket_backend if !HTTP
frontend flash_policy
bind 0.0.0.0:843
timeout client 5s
default_backend nodejs_flashpolicy
### setting for apache, skipped because it's not the focus of the question
backend apache
###
backend flashsocket_backend
server server1 ipaddress:3000 weight 1 maxconn 16384 check
backend nodejs_flashpolicy
server server1 ipaddress:10843 maxconn 16384 check
backend node
mode http
timeout server 1h
timeout connect 1s
option httpclose
option forwardfor
server server1 ipaddress:3000 weight 1 maxconn 1024 check
backend socket
balance roundrobin
option forwardfor
option httpclose
timeout queue 5000
timeout server 86400000
timeout connect 86400000
server server1 127.0.0.1:9000 weight 1 maxconn 1024 check
然后在client.js,我把连接地址改成了:
socket = io.connect('https://domain.com', {
'force new connection': false,
'reconnection delay': 500,
'max reconnection attempts': 10,
})
使用“https://domain.com' instead of 'http://domain.com:3000”以便连接首先传递给 ha-proxy。
nodeServer.js 中不需要更改任何内容。继续使用 http,Haproxy 将为您完成所有 SSL 转发。
var fs = require('fs'),
express = require('express'),
app = express(),
http = require('http').createServer(app),
io = require("socket.io").listen(http),
一直在用这个setting把haproxy放在node.js和socket.io前面。
haproxy设置中的部分代码:
frontend wwws
bind 0.0.0.0:443 ssl crt /etc/haproxy/ovee.pem
timeout client 1h
default_backend www_backend
acl is_websocket hdr(Upgrade) -i WebSocket
use_backend websocket_backend if is_websocket
tcp-request inspect-delay 500ms
tcp-request content accept if HTTP
use_backend flashsocket_backend if !HTTP
frontend flash_policy
bind 0.0.0.0:843
timeout client 5s
default_backend nodejs_flashpolicy
backend www_backend
balance roundrobin
option forwardfor
server apache2 apache-backend:3001 weight 1 maxconn 1024 check
timeout connect 5s
timeout http-request 3s
timeout server 25s
backend websocket_backend
mode http
option forwardfor
option http-server-close
option forceclose
no option httpclose
server server1 socket-backend:3000 weight 1 maxconn 16384 check
nodeServer.js
var fs = require('fs');
var express = require('express'),
app = express(),
http = require('http').createServer(app),
io = require("socket.io").listen(http),
它似乎在第一次连接时运行良好,但随后浏览器阻止了 Mixed Content 的所有套接字连接尝试。
The page at 'https://domain.com/391' was loaded over HTTPS,
but requested an insecure XMLHttpRequest endpoint
'http://domain.com:3000/socket.io/?EIO=3&transport=polling&t=1456666556035-0'.
This request has been blocked; the content must be served over HTTPS.
我知道这是因为我与 socket.io 的连接是通过 Http 而不是 Https
client.js
socket = io.connect('http://domain.com:3000', {
'force new connection': false,
'reconnection delay': 500,
'max reconnection attempts': 10
}),
我已经尝试为 nodeServer.js 使用 SSL,但是它没有连接到套接字,而且我认为没有必要,因为我正在使用 haproxy 进行所有转发:
在nodeServer.js中,我改为:
var fs = require('fs'),
sslOption = {
key: fs.readFileSync('/ssl/crt/zz.key'),
cert: fs.readFileSync('/ssl/crt/zz.crt'),
ca: fs.readFileSync('/ssl/crt/zz-ca.crt'),
requestCert: true
},
express = require('express'),
app = express(),
https = require('https').createServer(app),
io = require("socket.io").listen(https),
client.js
socket = io.connect('https://domain.com:3000', {
'force new connection': false,
'reconnection delay': 500,
'max reconnection attempts': 10
}),
有没有人把haproxy放在node.js和socket.io前面?我应该使用什么从 client.js 连接到 socket.io?
我已经以某种方式解决了这个问题。我不应该在 client.js 中使用 https:domain.com:3000。我应该让 haproxy 做 SSL 转发。这是我使 SSL 与 socket.io 一起工作的设置。我希望可能偶然发现它的人会更正任何过时或错误的内容:
frontend www
bind 0.0.0.0:80
mode http
timeout client 5s
redirect scheme https if !{ ssl_fc }
acl is_socket hdr(Upgrade) -i WebSocket
acl is_socket hdr_beg(Host) -i wss
use_backend socket if is_socket
frontend www-https
bind 0.0.0.0:443 ssl crt /ssl/domain.pem
timeout client 1h
### Set up a check to identify the connection url initated by socket.io https://domain.com/socket.io/?EIO=3&transport=polling&t=1441877956651, if matched, forward to node backend
acl is_node path_beg /socket.io/
use_backend node if is_websocket
### I'm not sure if this one is necessary for wss://domain.com
acl is_websocket2 hdr(Upgrade) -i WebSocket
acl is_websocket2 hdr_beg(Host) -i ws
use_backend socket if is_websocket2
default_backend apache2
tcp-request inspect-delay 500ms
tcp-request content accept if HTTP
use_backend flashsocket_backend if !HTTP
frontend flash_policy
bind 0.0.0.0:843
timeout client 5s
default_backend nodejs_flashpolicy
### setting for apache, skipped because it's not the focus of the question
backend apache
###
backend flashsocket_backend
server server1 ipaddress:3000 weight 1 maxconn 16384 check
backend nodejs_flashpolicy
server server1 ipaddress:10843 maxconn 16384 check
backend node
mode http
timeout server 1h
timeout connect 1s
option httpclose
option forwardfor
server server1 ipaddress:3000 weight 1 maxconn 1024 check
backend socket
balance roundrobin
option forwardfor
option httpclose
timeout queue 5000
timeout server 86400000
timeout connect 86400000
server server1 127.0.0.1:9000 weight 1 maxconn 1024 check
然后在client.js,我把连接地址改成了:
socket = io.connect('https://domain.com', {
'force new connection': false,
'reconnection delay': 500,
'max reconnection attempts': 10,
})
使用“https://domain.com' instead of 'http://domain.com:3000”以便连接首先传递给 ha-proxy。
nodeServer.js 中不需要更改任何内容。继续使用 http,Haproxy 将为您完成所有 SSL 转发。
var fs = require('fs'),
express = require('express'),
app = express(),
http = require('http').createServer(app),
io = require("socket.io").listen(http),