HAproxy 综合配置http https ws wss

大家好！ 最近因公司业务需求。使用HAproxy充当网关功能，并支持https协议及wss协议（后端服务不再需要做证书处理）。网上找了一些资料，可惜很难找到一个全面的haproxy.cnf模板。经过1天的沉淀，最终将http https ws wss 整合同一个配置文件，同时对外提供服务。现跟大家分享

1 证书生成

#前提条件 先查看haproxy是否支持openssl。如果没有重新编译安装
haproxy -vv
make TARGET=linux26 USE_OPENSSL=1 ADDLIB=-lz
ldd haproxy | grep ssl

#1 生成.csr .key .crt 文件
sudo openssl x509 -req -days 365 -in /etc/ssl/xip.io/xip.io.csr -signkey /etc/ssl/xip.io/xip.io.key -out /etc/ssl/xip.io/xip.io.crt

#2 创建servername.pem 证书文件
vi /etc/ssl/certs/servername.pem
#内容=/etc/ssl/xip.io/xip.io.crt内容 + /etc/ssl/xip.io/xip.io.key内容
-----BEGIN CERTIFICATE-----
MIIB+zCCAWQCCQCEkx8gEiAJ5DANBgkqhkiG9w0BAQsFADBCMQswCQYDVQQGEwJY
WDEVMBMGA1UEBwwMRGVmYXVsdCBDaXR5MRwwGgYDVQQKDBNEZWZhdWx0IENvbXBh
bnkgTHRkMB4XDTE5MTEyNTA5MjYzOVoXDTIwMTEyNDA5MjYzOVowQjELMAkGA1UE
BhMCWFgxFTATBgNVBAcMDERlZmF1bHQgQ2l0eTEcMBoGA1UECgwTRGVmYXVsdCBD
b21wYW55IEx0ZDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEArx1Vkq6+G/i1
AvWoEWSiepBt/OigypnFiq9XJkswrl30eP+6Tg+clHaIc3oR2Cf+zVvEa7t0dxLJ
Gi3i5DdM2sAdR0ATvnND2sy9Ktp+RUokg7Wql2LdVe0Qx1ZyBW3Tt8FSyvVIdRjG
CYb5P82ItQCU8ZC9zra4SASkj//b3AsCAwEAATANBgkqhkiG9w0BAQsFAAOBgQCj
PJe01Wsldx3idq4S8VkJ2aJwPVSof5VofOuFOzb9Y18nIguRzJJsQQeaUAf45LvF
a16AO0isRvor389U3rm6HI//4Wjzeoe0rG2890naQBK1kV7RWyywHvP+ijN2UMA0
ve6COpThkTUDR1As7YXmjOhONeT35hG70TXEHbKIBw==
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
MIICXQIBAAKBgQCvHVWSrr4b+LUC9agRZKJ6kG386KDKmcWKr1cmSzCuXfR4/7pO
D5yUdohzehHYJ/7NW8Rru3R3EskaLeLkN0zawB1HQBO+c0PazL0q2n5FSiSDtaqX
Yt1V7RDHVnIFbdO3wVLK9Uh1GMYJhvk/zYi1AJTxkL3OtrhIBKSP/9vcCwIDAQAB
AoGBAIgVArf/hYsVJg2Lu7TwgHdAn8iHOtTW1LVmdxIyIj2Ok/onuK8K4MJarsUW
WqGgyxjpNGYIAYS7G351pDl3ZAfb9VhGnOJOXgh+4Fp7Lkm4I7e3iN3DExZeUUZ7
9zbu1IM/prF4CUqvyQ8DBouIojhY045gjk3Zb/To5jbHcbnJAkEA6JuSTxdf3oy7
I1xH/Uxf5aIyj0VTAU4SVP3Ogkjrixa7iaMg11JicBt++f65jXPnzjW/16NF3ob0
VbVeYDCOVwJBAMC5ndbbUecN8FoHey6+IPnRMK/YXWYYKVKtt4/lTsunYB2O5T3H
5RUNFr4Hy/+kM14Ij0XMyTdtf6bbIRaAJ20CQDS5Zq2Ex9dDIPv/49V3ZVlAraMp
/ImUL7WSHigL7VAGpBWrozsLUoLEyMBTy61Tc1ybdFOlj6XEA0gWJ0E4YFsCQQCe
KndwMnRoFJdxu3wL43u6qkSzu/UC6cdYFDt2u7FMD+QgvfpDFr9Z5HEKqelwtzh0
7r9ugF+Ovq2pqWLhTXGNAkArvKE2HrJf4imOrPoKFoEfNgFL78dDuN+oib4tKd+t
Wd3RKLHC/CJ3N0fsl7X8ar2qd8wJOpGXUKbvdUzvpABP
-----END RSA PRIVATE KEY-----

2 haproxy.cnf

global
	log 127.0.0.1 local3
	maxconn 20480
	chroot /usr/local/haproxy
	uid 1004 #1004为haproxy 用户的uid ,haproxy用户需要自己手动创建
	gid 1004
	daemon
	quiet
	nbproc 1
	pidfile /var/run/haproxy.pid

defaults
	log global
	mode http
	maxconn 20480
	option httplog
	option httpclose
	option http-pretend-keepalive			
	option forwardfor
	option dontlognull
	option redispatch
	retries 3
	balance roundrobin
	# 	balance url_param userid	 
	stats	uri	 /haproxy-stats	 
	contimeout 5000
	clitimeout 50000
	srvtimeout 50000
	
listen http_queue 
	bind *:10535
	mode http
	http-request set-header http_req yes
	balance roundrobin
	option httplog
	option dontlognull
	option logasap
	option forwardfor
	option httpclose
	option http-pretend-keepalive
server http_queue1 192.168.15.56:10535 cookie 1 check inter 2000 rise 3 fall 3
server http_queue2 192.168.10.139:10535 cookie 1 check inter 2000 rise 3 fall 3

frontend https_queueservice 
	bind *:20535 ssl crt /etc/ssl/certs/servername.pem
	mode http
	option httpclose
	option forceclose
	option http-server-close
	option forwardfor except 127.0.0.1
	reqadd X-Forwarded-Proto:\ https
	default_backend https_queueservice
	option httpclose
	#option http-pretend-keepalive
	#option httpchk GET /TLS/healthcheck HTTP/1.1\r\nHost:\
	#http-check expect status 200
	#option httpchk GET /index.html

backend https_queueservice
	mode http
	balance roundrobin
	option httpclose
	option forceclose
	option http-server-close
	option forwardfor except 127.0.0.1
	cookie SERVERID insert indirect nocache
server queueservice_1 192.168.15.56:10535 cookie 1 check inter 2000 rise 3 fall 3

listen http_smagent 
	bind *:11802
	mode http
	balance roundrobin
	option httplog
	option dontlognull
	option logasap
	option forwardfor
	option httpclose
	option http-pretend-keepalive
server http_smagent1 192.168.8.151:11802 cookie 1 check inter 2000 rise 3 fall 3

frontend https_smagent
	bind *:21802 ssl crt /etc/ssl/certs/servername.pem
	mode http
	option httpclose
	option forceclose
	option http-server-close
	option forwardfor except 127.0.0.1
	reqadd X-Forwarded-Proto:\ https
	default_backend https_smagent
	option httpclose
	#option http-pretend-keepalive
	#option httpchk GET /TLS/healthcheck HTTP/1.1\r\nHost:\
	#http-check expect status 200
	#option httpchk GET /index.html

backend https_smagent
	mode http
	balance roundrobin
	option httpclose
	option forceclose
	option http-server-close
	option forwardfor except 127.0.0.1
	cookie SERVERID insert indirect nocache
server queueservice_1 192.168.8.151:11802 cookie 1 check inter 2000 rise 3 fall 3

listen socket-signa-ws
	 mode tcp
	 bind *:10538
	 balance roundrobin
	 #timeout queue 5000
	 timeout server 86400000
	 timeout connect 86400000
server server1 192.168.15.57:10538 check
server server2 192.168.10.139:10538 check

frontend socket-signa-wss
	bind *:20538 ssl crt /etc/ssl/certs/servername.pem
	mode http
	maxconn 60000
	acl host_ws hdr_beg(Host) -i ws.
	use_backend socket-signa-wss if host_ws
	acl hdr_connection_upgrade hdr(Connection)	-i upgrade
	acl hdr_upgrade_websocket	hdr(Upgrade)	-i websocket
	use_backend socket-signa-wss if hdr_connection_upgrade hdr_upgrade_websocket
	#default_backend bk_web
backend socket-signa-wss																	 
	balance roundrobin	
	server websrv1 192.168.15.57:10538 maxconn 30000 weight 10 cookie websrv1 check
	server websrv2 192.168.10.139:10538 maxconn 30000 weight 10 cookie websrv2 check