Multiplexing port 443 with HAProxy
A reposted backup of an article on port 443 multiplexing with HAProxy. The approach relies on HAProxy inspecting the TLS ClientHello (SNI), so a connection can be forwarded to the matching local port based on its protocol and domain name. Example configurations updated 2023-6-26.
Example configuration 1 [Nginx + ocserv + OpenSSH + tunnel]
```haproxy
global
    log 127.0.0.1 local3
    log 127.0.0.1 local3 info
    maxconn 65535
    chroot /usr/share/haproxy
    user nobody
    group nogroup
    daemon
    nbproc 2

defaults
    log global
    option tcplog
    option dontlognull
    #option originalto
    maxconn 65535
    timeout connect 500000
    timeout client 500000
    timeout server 500000

frontend tls-ssl
    mode tcp
    bind :443
    bind :::443
    tcp-request inspect-delay 3s
    tcp-request content accept if { req.ssl_hello_type 1 }

    # ACL configure
    acl 0_www req_ssl_sni -i abc1.def.ghi
    acl 1_ocserv req_ssl_sni -i abc2.def.ghi
    acl 2_ssh_payload payload(0,7) -m bin 5353482d322e30

    # Backend choice
    use_backend nginx if 0_www { req.ssl_hello_type 1 }
    use_backend ocserv if 1_ocserv
    use_backend ocserv if { req.ssl_hello_type 1 }
    use_backend openssh if 2_ssh_payload
    use_backend openssh if !{ req.ssl_hello_type 1 } { req.len 0 }
    use_backend tunnel if !{ req.ssl_hello_type 1 } !{ req.len 0 }

#
backend nginx
    #mode tcp
    option ssl-hello-chk
    server webserver 127.0.0.1:4443

backend ocserv
    #mode tcp
    timeout server 8h
    server sslvpn 127.0.0.1:4500

backend tunnel
    #mode tcp
    timeout server 2h
    server ss 127.0.0.1:512

backend openssh
    #mode tcp
    timeout server 3h
    server openssh 127.0.0.1:22

# origin blog:https://blog.phoenixxie.xyz/
```
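As an added example (not part of the original post, nor HAProxy's own code), the following Python script reproduces the routing decision of example configuration 1 on the first bytes of a connection: it reads the SNI out of a TLS ClientHello the way `req.ssl_hello_type 1` and `req_ssl_sni` do, checks for the 7-byte `SSH-2.0` banner that the hex `5353482d322e30` encodes, and applies the `use_backend` rules in the same order. `build_client_hello` constructs sample input; the hostnames are the placeholders from the config.

```python
import struct

def parse_client_hello_sni(data: bytes):
    """(is_client_hello, sni): mirrors req.ssl_hello_type 1 and req_ssl_sni."""
    if len(data) < 5 or data[0] != 0x16:           # 0x16 = TLS handshake record
        return False, None
    rec_len = struct.unpack("!H", data[3:5])[0]
    body = data[5:5 + rec_len]
    if len(body) < 4 or body[0] != 1:               # msg_type 1 = ClientHello
        return False, None
    p = 4 + 2 + 32                                  # hs header, version, random
    if len(body) < p + 1: return True, None
    p += 1 + body[p]                                # session id
    if len(body) < p + 2: return True, None
    p += 2 + struct.unpack("!H", body[p:p + 2])[0]  # cipher suites
    if len(body) < p + 1: return True, None
    p += 1 + body[p]                                # compression methods
    if len(body) < p + 2: return True, None
    end = min(len(body), p + 2 + struct.unpack("!H", body[p:p + 2])[0])
    p += 2
    while p + 4 <= end:                             # walk the extension list
        etype, elen = struct.unpack("!HH", body[p:p + 4]); p += 4
        if etype == 0 and elen >= 5 and p + 5 <= end:   # 0 = server_name (SNI)
            nlen = struct.unpack("!H", body[p + 3:p + 5])[0]
            return True, body[p + 5:p + 5 + nlen].decode("ascii", "replace")
        p += elen
    return True, None

def choose_backend(first_bytes: bytes) -> str:
    """Apply the use_backend rules of example configuration 1, in order."""
    is_hello, sni = parse_client_hello_sni(first_bytes)
    if is_hello and sni == "abc1.def.ghi":         # 0_www { req.ssl_hello_type 1 }
        return "nginx"
    if is_hello:                                   # 1_ocserv, or any other ClientHello
        return "ocserv"
    if first_bytes[:7] == b"SSH-2.0":              # payload(0,7) -m bin 5353482d322e30
        return "openssh"
    if len(first_bytes) == 0:                      # nothing sent within inspect-delay
        return "openssh"
    return "tunnel"                                # non-TLS bytes -> tunnel

def build_client_hello(sni: str) -> bytes:
    """Constructed sample input: a minimal ClientHello carrying one SNI name."""
    name = sni.encode()
    ext = struct.pack("!HHHBH", 0, len(name) + 5, len(name) + 3, 0, len(name)) + name
    hello = (b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\x13\x01" + b"\x01\x00"
             + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs
```

Note that in HAProxy the `tcp-request content accept if { req.ssl_hello_type 1 }` line lets TLS connections through immediately, while anything else (SSH, tunnel traffic) waits out the full 3s `inspect-delay` before the non-TLS rules fire.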
Example configuration 2 [Nginx + Nginx]
```haproxy
frontend squid-in
    bind *:443
    mode tcp
    tcp-request inspect-delay 3s
    tcp-request content accept if { req.ssl_hello_type 1 }
    acl mcu_8889 req_ssl_sni -i 31.www.cppla.com
    acl mcu_7779 req_ssl_sni -i 31.cppla.com
    use_backend cppla-out-8889 if mcu_8889 { req.ssl_hello_type 1 }
    use_backend cppla-out-7779 if mcu_7779 { req.ssl_hello_type 1 }

backend cppla-out-8889
    balance roundrobin
    mode tcp
    option ssl-hello-chk
    server cppla31-8887 127.0.0.1:8889 check maxconn 20480000

backend cppla-out-7779
    balance roundrobin
    mode tcp
    option ssl-hello-chk
    server cppla31-7779 127.0.0.1:7779 check maxconn 20480000
```
Example configuration 3 [Nginx + ocserv]
```haproxy
#/etc/haproxy/haproxy.cfg
frontend https-in
    bind *:443
    tcp-request inspect-delay 3s
    tcp-request content accept if { req.ssl_hello_type 1 }
    acl tls req.ssl_hello_type 1
    acl has_sni req.ssl_sni -m found
    use_backend ocserv if tls { req.ssl_sni -i [ocserv domain] }
    use_backend https-out if tls { req.ssl_sni -i [domain] }

backend ocserv
    mode tcp
    option ssl-hello-chk
    server server-vpn 127.0.0.1:999 send-proxy-v2    # ocserv listens on local port 999

backend https-out
    server server-web 127.0.0.1:4443 check    # https listens on local port 4443
```
```ini
#/etc/ocserv/ocserv.conf
listen-proxy-proto = true
```