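Using HAProxy to reverse-proxy an HTTPS service as HTTP
HAProxy can reverse-proxy an HTTPS service as plain HTTP, so that even when the service itself is hard to upgrade, it can still take advantage of more secure and efficient protocols such as TLS 1.3.
Below is an example configuration; the 6 in server-template is the number of servers to generate. Log output can be adjusted as needed.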
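global
    maxconn 10000
    log stderr format iso local7
    # ssl-default-bind-options only applies to TLS "bind" lines, and this
    # configuration has none; defaults for the connection to the upstream
    # server are set with ssl-default-server-options.
    ssl-default-bind-options ssl-min-ver TLSv1.3

defaults
    timeout connect 100ms
    timeout client 30s
    timeout server 30s
    mode http
    maxconn 2000

# Health check endpoint
frontend healthz
    bind *:8402
    monitor-uri /healthz

# Statistics page and Prometheus metrics
frontend stats
    bind *:8404
    http-request use-service prometheus-exporter if { path /metrics }
    stats enable
    stats uri /
    stats refresh 5s

# Plain-HTTP entry point: the backend is chosen from the lowercased Host header
frontend http-in
    bind *:80
    log global
    option httplog
    use_backend proxy-%[req.hdr(host),lower]
    default_backend deny

# DNS resolution for the upstream servers
resolvers defdns
    parse-resolv-conf
    accepted_payload_size 8192
    resolve_retries 3
    timeout resolve 1s
    timeout retry 2s
    hold other 1h
    hold refused 1h
    hold nx 1h
    hold timeout 1h
    hold valid 60s
    hold obsolete 30s

# Upstream reached over TLS with certificate verification
backend proxy-g.co
    balance roundrobin
    http-reuse always
    server-template web 6 g.co:443 ssl verify required ca-file /etc/pki/tls/cert.pem check-sni g.co sni req.hdr(host) check inter 16s fastinter 2s resolvers defdns init-addr none

# Any Host without a matching proxy-<host> backend is rejected
backend deny
    http-request deny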
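
The whole point of this setup is the TLS leg from HAProxy to the upstream, so it is worth checking the server-side settings mechanically. The following is an added example, not part of the original page: a small Python lint that flags TLS-enabled server lines lacking certificate verification, a hostname check, or a minimum TLS version. The sample config is constructed (the weak.example backend is hypothetical), and the parser is deliberately simplified: it does not follow default-server inheritance or quoted '#'.

```python
# Added example: lint the upstream (server-side) TLS settings of an HAProxy config.
SECTION_KW = {"global", "defaults", "frontend", "backend", "listen", "resolvers"}
SERVER_KW = {"server", "server-template", "default-server"}

# Constructed sample: the page's backend line plus a hypothetical weak backend.
SAMPLE_CFG = """
global
    ssl-default-bind-options ssl-min-ver TLSv1.3
backend proxy-g.co
    server-template web 6 g.co:443 ssl verify required ca-file /etc/pki/tls/cert.pem check-sni g.co sni req.hdr(host) check resolvers defdns init-addr none
backend proxy-weak.example
    server web1 weak.example:443 ssl verify none
"""

def parse_sections(text):
    """Return [(header_tokens, [line_tokens, ...])]; naive '#' comment stripping."""
    sections = []
    for raw in text.splitlines():
        tokens = raw.split("#", 1)[0].split()
        if not tokens:
            continue
        if tokens[0] in SECTION_KW:
            sections.append((tokens, []))
        elif sections:
            sections[-1][1].append(tokens)
    return sections

def audit_upstream_tls(text):
    """Return sorted (backend, finding) pairs for TLS-enabled server lines."""
    sections = parse_sections(text)
    # Only ssl-default-server-options sets defaults for connections to servers.
    global_min = any(
        line[0] == "ssl-default-server-options" and "ssl-min-ver" in line
        for hdr, lines in sections if hdr[0] == "global" for line in lines)
    findings = set()
    for hdr, lines in sections:
        if hdr[0] not in ("backend", "listen"):
            continue
        name = hdr[1] if len(hdr) > 1 else "<unnamed>"
        for opts in lines:
            if opts[0] not in SERVER_KW or "ssl" not in opts:
                continue
            verify = opts[opts.index("verify") + 1] if "verify" in opts[:-1] else None
            if verify == "none":
                findings.add((name, "verify-none"))        # certificate not checked
            elif "ca-file" not in opts:
                findings.add((name, "no-ca-file"))         # nothing to verify against
            if "sni" not in opts and "verifyhost" not in opts:
                findings.add((name, "no-hostname-check"))  # cert name never matched
            if not global_min and "ssl-min-ver" not in opts:
                findings.add((name, "no-min-tls-version"))
    return sorted(findings)
```

On the sample, proxy-g.co is reported only for the missing minimum TLS version, because ssl-default-bind-options does not cover server connections; setting ssl-min-ver on the server line or in ssl-default-server-options clears it.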