使用 HAProxy 可以将 https 的服务反向代理成 http,这样即使服务本身不好升级也能利用上 TLS 1.3 等更安全、高效的协议。

这里给出一个示例配置,server-template 中 6 为生成的 server 数量。日志输出可以按需调整。

global
  maxconn 10000
  log stderr format iso local7
  ssl-default-bind-options ssl-min-ver TLSv1.3

defaults
  timeout connect 100ms
  timeout client 30s
  timeout server 30s
  mode http
  maxconn 2000

frontend healthz
  bind *:8402
  monitor-url /healthz

frontend stats
  bind *:8404
  http-request use-service prometheus-exporter if { path /metrics }
  stats enable
  stats uri /
  stats refresh 5s

frontend http-in
  bind *:80
  log global
  option httplog

  use_backend proxy-%[req.hdr(host)],lower]

  default_backend deny

resolver defdns
  parse-resolv-conf
  accepted_payload_size 8192
  resolve_retries       3
  timeout resolve       1s
  timeout retry         2s
  hold other           1h
  hold refused         1h
  hold nx              1h
  hold timeout         1h
  hold valid           60s
  hold obsolete        30s

backend proxy-g.co
  balance roundrobin
  http-reuse always
  server-template web 6 g.co:443 ssl verify required ca-file /etc/pki/tls/cert.pem check-sni g.co sni req.hdr(host) check inter 16s fastinter 2s resolvers defdns init-addr none

backend deny
  http-request deny

标签: haproxy

添加新评论