Haproxy实现443端口的复用

2020-02-15

转载备份一篇，443端口的复用，Haproxy实现443端口的复用。主要是利用了haproxy 的sni协议分析，可以根据协议和域名转发到对应的端口。

详细配置如下。

global
  log 127.0.0.1   local3 
  log 127.0.0.1   local3 info
  maxconn 65535
  chroot /usr/share/haproxy
  user nobody
  group nogroup
  daemon
  nbproc 2
defaults  
  log global
  option tcplog  
  option dontlognull
  #option originalto
  maxconn  65535
  timeout connect 500000
  timeout client 500000
  timeout server 500000


frontend tls-ssl  
  mode tcp
  bind :443
  bind :::443
  tcp-request inspect-delay 3s
  tcp-request content accept if { req.ssl_hello_type 1 }
  # ACL configure
  acl 0_www req_ssl_sni -i abc1.def.ghi
  acl 1_ocserv req_ssl_sni -i abc2.def.ghi
  acl 2_ssh_payload payload(0,7) -m bin 5353482d322e30
  # Backend choice
  use_backend nginx if 0_www { req.ssl_hello_type 1 }
  use_backend ocserv if 1_ocserv
  use_backend ocserv if { req.ssl_hello_type 1 }
  use_backend openssh if 2_ssh_payload
  use_backend openssh if !{ req.ssl_hello_type 1 } { req.len 0 }
  use_backend tunnel if !{ req.ssl_hello_type 1 } !{ req.len 0 }
  #
backend nginx  
  #mode tcp
  option ssl-hello-chk
  server webserver 127.0.0.1:4443
backend ocserv  
  #mode tcp
  timeout server 8h
  server sslvpn 127.0.0.1:4500
backend tunnel  
  #mode tcp
  timeout server 2h
  server ss 127.0.0.1:512
backend openssh  
  #mode tcp
  timeout server 3h
  server openssh 127.0.0.1:22
# origin blog：https://blog.phoenixxie.xyz/

global

log 127.0.0.1 local3

log 127.0.0.1 local3 info

maxconn 65535

chroot /usr/share/haproxy

user nobody

group nogroup

daemon

nbproc 2

defaults

log global

option tcplog

option dontlognull

#option originalto

maxconn 65535

timeout connect 500000

timeout client 500000

timeout server 500000

frontend tls-ssl

mode tcp

bind :443

bind :::443

tcp-request inspect-delay 3s

tcp-request content accept if { req.ssl_hello_type 1 }

# ACL configure

acl 0_www req_ssl_sni -i abc1.def.ghi

acl 1_ocserv req_ssl_sni -i abc2.def.ghi

acl 2_ssh_payload payload(0,7) -m bin 5353482d322e30

# Backend choice

use_backend nginx if 0_www { req.ssl_hello_type 1 }

use_backend ocserv if 1_ocserv

use_backend ocserv if { req.ssl_hello_type 1 }

use_backend openssh if 2_ssh_payload

use_backend openssh if !{ req.ssl_hello_type 1 } { req.len 0 }

use_backend tunnel if !{ req.ssl_hello_type 1 } !{ req.len 0 }

backend nginx

#mode tcp

option ssl-hello-chk

server webserver 127.0.0.1:4443

backend ocserv

#mode tcp

timeout server 8h

server sslvpn 127.0.0.1:4500

backend tunnel

#mode tcp

timeout server 2h

server ss 127.0.0.1:512

backend openssh

#mode tcp

timeout server 3h

server openssh 127.0.0.1:22

# origin blog：https://blog.phoenixxie.xyz/

Haproxy实现443端口的复用

2020-02-15

发表回复取消回复

声明

业务

标签

发表回复 取消回复

声明

业务

标签

发表回复取消回复