Haproxy 實現部分域名使用https，其他域名正常使用

要求：

1、Haproxy必須是需要1.5以上的版本才會支持ssl證書
2、要使用ssl模塊，必須要安裝openssl軟件，版本要注意符合要求

openssl的安裝

tar zxf openssl-0.9.8zh.tar.gz
cd openssl-0.9.8zh
./config enable-tlsext --prefix=/usr/local/openssl  no-shared
make && make install_sw
#以上安裝不影響系統中的openssl版本，主要就是打開openssl的TLS SNI功能
也可以通過yum的方式去安裝openssl

Haproxy的安裝配置

這里可以使用yum的方式安裝，也可以下載二進制包安裝：安裝方便百度就可以

Haproxy的配置文件

global
        log 127.0.0.1   local0
        log 127.0.0.1   local1 notice
        #log loghost    local0 info
        maxconn 20480
        uid 99
        gid 99
        #daemon
        tune.ssl.default-dh-param 2048
        debug
        #quiet
        #pidfile /usr/local/haproxy/run/haproxy.pid
        #nbproc 2 
defaults
        log     global
        mode    http
        option  httplog
        option  httpclose
        option  forwardfor
        option  dontlognull
        option  redispatch
        option  originalto
       #option  abortonclose
        balance roundrobin
       #balance leastconn
       #balance source

        stats refresh 30
        retries 3

        timeout connect 5000
        timeout client 2400000
        timeout server 2400000
        timeout check 5000
listen admin_status
       bind 0.0.0.0:81
       mode http
       log 127.0.0.1 local3 err
       stats refresh 30s
       stats uri /haproxy-stats
       stats realm Welcome CJWL \CJWL
       stats auth admin:wangguan
       stats hide-version
       stats admin if TRUE

 errorfile 403 /usr/local/haproxy/errorfiles/403.http
 errorfile 500 /usr/local/haproxy/errorfiles/500.http
 errorfile 502 /usr/local/haproxy/errorfiles/502.http
 errorfile 503 /usr/local/haproxy/errorfiles/503.http
 errorfile 504 /usr/local/haproxy/errorfiles/504.http
  frontend http_80_in
       bind 0.0.0.0:80,0.0.0.0:7070,0.0.0.0:7777
      #redirect scheme https if !{ ssl_fc }  把這行開啟后，就表示所有http的訪問都會自動走ssl證書，跳轉走https
      # bind 0.0.0.0:4443 ssl crt /usr/local/haproxy/etc/ssl/haproxy.pem~~
       bind 0.0.0.0:443  ssl crt /etc/haproxy/ssl/server.pem
      #reqadd X-Forwarded-Proto:\ https  
acl testcoms_p    hdr_dom(host) -i testcoms.changjiu56.com
       acl ssl  hdr_reg(host) -i ^(kesungang.changjiu56.com)$
       redirect scheme https code 301 if !{ ssl_fc }  ssl
       acl kesungang_p  hdr_dom(host) -i kesungang.xxxx.com
       acl cpstest_p     hdr_dom(host) -i ^(cpstest.xxx.com)$
       acl recapicpstest_p     hdr_dom(host) -i ^(rec.api.cpstest.xxxx.com)$
       acl g7_ip         src 121.2xx.0.0/16 117.50.xxx.0/24

       use_backend testcoms.xxxx.com       if testcoms_p
       use_backend kesungang.xxxx.com       if kesungang_p
       use_backend bmwpdatest.xxxx.com     if bmwpdatest_p
       use_backend bmwpda.xxxx.com         if bmwpda_p
       use_backend srm.xxxx.com            if srm_p
       use_backend coms.xxx.com           if coms_p
#backend wmsims.xxxxx.com
#       mode http
#       balance source
#       option httpchk GET /test/test.html
#       server 10.0.3.111:80 10.0.3.111:80 maxconn 5000 check inter 2000 rise 2 fall 3
#       http-request set-header X-Forwarded-Port %[dst-Port]
#       http-request add-header X-Forwarded-Proto https if { ssl_fc }
backend kesungang.xxxx.com
        balance source
        #redirect scheme https if !{ ssl_fc }
        server 10.0.3.78:80 10.0.3.78:80 maxconn 1024 weight 3 check inter 2000 rise 2 fall 3

backend testcoms.xxxx.com
       balance source
       #option httpchk GET /HealthCheck.html

如果只讓一個域名走ssl證書配置

1、在frontend 默認80里面把redirect scheme https if !{ ssl_fc }注釋掉
2、配置acl規則如下
`acl ssl hdr_reg(host) -i ^(kesungang.xxx.com)$
redirect scheme https code 301 if !{ ssl_fc } ssl

acl kesungang_p hdr_dom(host) -i kesungang.xxxx.com
`

多個域名，多個ssl證書配置

frontend http_server
bind :80
bind :443 ssl crt /etc/haproxy/keys/www.test.com.pem crt /etc/haproxy/keys/admin.test.com.pem crt /etc/haproxy/keys/passport.abc.com.pem
#按照如上規則如果多個站點就可以使用同樣的規則 bind :443 ssl crt $filepath crt $file2path crt $file3path

    mode http

    acl ssl  hdr_reg(host) -i ^(www.test.com|admin.test.com|passport.abc.com)$
    redirect scheme https code 301 if !{ ssl_fc }  ssl
    #對以上站點進行https跳轉
    #在某些情況下，在特定頁面需要進行跳轉，則
    acl ssl_site hdr_reg(host) -i ^(
    acl ssl_path path_beg -i /Login /Pay/Pay.aspx
    redirect scheme https code 301 if !{ ssl_fc }  ssl_site ssl_path
    redirect scheme http code 301 if { ssl_fc }  ssl_site !ssl_path
    #只在/loign /Pay/Pay.aspx頁面進行跳轉，其他頁面使用http

    acl wwwtest_com hdr_reg(host) -i ^(www.test.com)$
    use_backend www_test_com if wwwtest_com { ssl_fc_sni www.test.com }
    #這里就是證書的對應部分，如
    acl admintest_com hdr_dom(host) -i admin.test.com
    use_backend admin_test_com if admintest_com { ssl_fc_sni admin.test.com } 
    acl passportabc_com hdr_dom(host) -i passport.abc.com
    use_backend pasport_abc_com if passport_abc_com { ssl_fc_sni passport.abc.com }

    backend www_test_com
        server test2 192.168.10.2:80 check port 80 inter 5000 rise 2 fall 3 weight 1
    backend admin_test_com
        server test4 192.168.10.4:80 check port 80 inter 5000 rise 2 fall 3 weight 1
    backend passport_abc_com
        server test5 192.168.10.5:80 check port 80 inter 5000 rise 2 fall 3 weight 1