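Node.js & MongoDB Installation Manual (Amazon EC2)

Configuring HAProxy to Use SSL Certificates

References:

Merging the certificate files

  • Concatenate the contents of the SSL certificate, the intermediate certificates and the root certificate, in the order shown below, into a single pem file, stored at /etc/pki/tls/private/domain1.pem and /etc/pki/tls/private/domain2.pem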
    -----BEGIN MY CERTIFICATE-----
    -----END MY CERTIFICATE-----
    -----BEGIN INTERMEDIATE CERTIFICATE-----
    -----END INTERMEDIATE CERTIFICATE-----
    -----BEGIN INTERMEDIATE CERTIFICATE-----
    -----END INTERMEDIATE CERTIFICATE-----
    -----BEGIN ROOT CERTIFICATE-----
    -----END ROOT CERTIFICATE-----
    -----BEGIN RSA PRIVATE KEY-----
    -----END RSA PRIVATE KEY-----
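
The merge step above, as an added shell example that is not part of the original manual: it builds the pem file in the order listed and then checks the block order and the file permissions, since the bundle contains the private key. The helper names build_bundle and check_bundle and the input file names in the usage comment are hypothetical.

```shell
#!/bin/sh
# Added example: helper names and input file names are hypothetical.
# Usage: build_bundle domain1.pem leaf.crt leaf.key intermediate.crt root.crt

# build_bundle OUT CERT KEY [CHAIN...]
# Writes CERT, then each CHAIN file (intermediates, root), then KEY to OUT.
build_bundle() {
    out=$1 cert=$2 key=$3
    shift 3
    (
        umask 077   # the bundle contains the private key: owner-only (0600)
        for f in "$cert" "$@" "$key"; do
            cat "$f" || exit 1
            # add a newline if the file lacks one, so PEM markers never fuse
            [ -z "$(tail -c 1 "$f")" ] || echo
        done > "$out.tmp" && mv "$out.tmp" "$out"
    )
}

# check_bundle FILE
# Returns 0 only if FILE is owner-only and holds one or more certificate
# blocks followed by exactly one private key block.
check_bundle() {
    f=$1
    [ -r "$f" ] || { echo "check_bundle: cannot read $f"; return 1; }
    # characters 5-10 of the ls mode string are the group and other bits
    if [ "$(ls -ld "$f" | cut -c5-10)" != "------" ]; then
        echo "check_bundle: $f is accessible to group or others"
        return 1
    fi
    awk '
        /^-----BEGIN / {
            if (inblk) { msg = "BEGIN inside an open block"; exit }
            inblk = 1
            if ($0 ~ /PRIVATE KEY-----$/) { keys++ }
            else if ($0 ~ /CERTIFICATE-----$/) {
                if (keys) { msg = "certificate after the private key"; exit }
                certs++
            } else { msg = "unexpected block " $0; exit }
        }
        /^-----END / { inblk = 0 }
        END {
            if (!msg && inblk)     msg = "unterminated block"
            if (!msg && certs < 1) msg = "no certificate block"
            if (!msg && keys != 1) msg = "expected exactly one private key"
            if (msg) { print "check_bundle: " msg; exit 1 }
        }
    ' "$f"
}
```

Run check_bundle on each domain's pem file before restarting HAProxy; `haproxy -c -f /etc/haproxy/haproxy.cfg` additionally validates the configuration file without starting the service.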
    

Configuration

  • Open the configuration file with sudo vim /etc/haproxy/haproxy.cfg
defaults
 log 127.0.0.1 local0
 option tcplog

frontend https
  bind *:443 ssl crt /etc/pki/tls/private/domain1.pem crt /etc/pki/tls/private/domain2.pem
  # other (self described) options are: [ciphers <suite>] [nosslv3] [notlsv1]
  use_backend bk_app1 if { ssl_fc_sni domain1 } # content switching based on SNI
  use_backend bk_app2 if { ssl_fc_sni domain2 } # content switching based on SNI
  default_backend bk_www.haproxy.com

backend bk_www.haproxy.com
  mode http
  server srvxlc 127.0.0.1:80

backend bk_app1
  mode http
  server srv1 127.0.0.1:5001

backend bk_app2
  mode http
  server srv2 127.0.0.1:5002
  • Configure automatic redirection from http to https
frontend http
    bind *:80
    mode http
    timeout client 5s
    redirect scheme https if !{ ssl_fc }

Restart

  • sudo service haproxy restart