不终止 ssl 的 Haproxy SSL(https) 健康检查

Question

所以我无法找到进行 SSL 检查的正确方法，我没有使用证书，只需要检查 HTTPS 网站 url（例如 google.com/） 一次尝试多种组合，但没有成功。也许有人有类似的配置，

后端使用 - > 检查-sni google.com sni ssl_fc_sni

    returns - reason: Layer7 wrong status, code: 301, info: "Moved Permanently"

检查端口 80 check-ssl -

原因：Layer6 无效响应，信息：“SSL 握手失败”

所有其他人都只是超时。这是完整的配置文件-

global
        log /dev/log    local0
        log /dev/log    local1 notice
        chroot /var/lib/haproxy
        stats socket /run/haproxy/admin.sock mode 660 level admin
        stats timeout 30s
        user haproxy
        group haproxy
        daemon

        # Default SSL material locations
        ca-base /etc/ssl/certs
        crt-base /etc/ssl/private
        ssl-server-verify none
        # Default ciphers to use on SSL-enabled listening sockets.
        # For more information, see ciphers(1SSL). This list is from:
        #  https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
        # An alternative list with additional directives can be obtained from
        #  https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
        ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
        ssl-default-bind-options no-sslv3

defaults
        log     global
        mode    http
        option  httplog
        option  dontlognull
        timeout connect 5000
        timeout client  50000
        timeout server  50000
        errorfile 400 /etc/haproxy/errors/400.http
        errorfile 403 /etc/haproxy/errors/403.http
        errorfile 408 /etc/haproxy/errors/408.http
        errorfile 500 /etc/haproxy/errors/500.http
        errorfile 502 /etc/haproxy/errors/502.http
        errorfile 503 /etc/haproxy/errors/503.http
        errorfile 504 /etc/haproxy/errors/504.http



frontend myfront
bind *:8000
mode tcp
        tcp-request inspect-delay 5s

default_backend backend1



listen stats
bind :444
stats enable
stats uri /
stats hide-version
stats auth test:test

backend Backends
balance roundrobin
option forwardfor

option httpchk

  http-check send hdr host google.com meth GET uri /

 http-check expect status 200
#http-check connect
#http-check send meth GET uri / ver HTTP/1.1 hdr host haproxy.1wt.eu
#http-check expect status 200-399
#http-check connect port 443 ssl sni haproxy.1wt.eu
#http-check send meth GET uri / ver HTTP/1.1 hdr host haproxy.1wt.eu
#http-check expect status 200-399
#http-check connect port 443 ssl sni google.com
#http-check send meth GET uri / ver HTTP/1.1 hdr host google.com


   default-server fall 10 rise 1




 server Node1011 192.168.0.2:1011 check inter 15s check-ssl check port 443
 server Node1012 192.168.0.2:1012 check inter 15s check-ssl check port 443
 server Node1015 192.168.0.2:1015 check inter 15s check port 443
 server Node1017 192.168.0.2:1017 check inter 15s check-ssl check-sni google.com sni ssl_fc_sni
 server Node1018 192.168.0.2:1018 check inter 15s check-ssl check-sni google.com sni ssl_fc_sni
 server Node1019 192.168.0.2:1019 check inter 15s check-sni google.com sni ssl_fc_sni
 server Node1020 192.168.0.2:1020 check inter 15s check port 443 check-ssl
 server Node1021 192.168.0.2:1021 check inter 15s check port 443 check-ssl

 server Node1027 192.168.0.2:1027 check inter 15s check port 80
 server Node1028 192.168.0.2:1028 check inter 15s check port 80
 server Node1029 192.168.0.2:1029 check inter 15s check port 80
 server Node1030 192.168.0.2:1030 check inter 15s check port 80 check-ssl
 server Node1031 192.168.0.2:1031 check inter 15s check port 80 check-ssl

 server Node1033 192.168.0.2:1033 check inter 15s check port 80 check-ssl verify none
 server Node1034 192.168.0.2:1034 check inter 15s check port 80 check-ssl verify none
 server Node1035 192.168.0.2:1035 check inter 15s check-ssl
 server Node1036 192.168.0.2:1036 check inter 15s check-ssl

 server Node1048 192.168.0.2:1048 check inter 15s check-ssl verify none
 server Node1049 192.168.0.2:1049 check inter 15s check-ssl verify none

P.s 找到了一个网站，它解释了我正在尝试做的事情（https://hodari.be/posts/2020_09_04_configure_sni_for_haproxy_backends/），但这也不起作用，我的 haproxy 版本是 2.2.3

P.s.s 我实际上是在尝试检查 www.google.com ，只是为了清楚起见。 谢谢！

Answer 1

这真的不是一个错误。如果您对https://google.com 进行卷曲，它确实会进行301 重定向到https://www.google.com/。为简洁起见，我在下面剪掉了一些协议细节，但你明白了。

要么将您的期望更改为 301，要么使用 www.google.com。

paul:~ $ curl -vv https://google.com
* Rebuilt URL to: https://google.com/
*   Trying 172.217.1.206...
-[snip]-
> GET / HTTP/2
> Host: google.com
> User-Agent: curl/7.58.0
> Accept: */*
> 
-[snip]-
< HTTP/2 301 
< location: https://www.google.com/
< content-type: text/html; charset=UTF-8
< date: Mon, 18 Jan 2021 03:42:04 GMT
< expires: Wed, 17 Feb 2021 03:42:04 GMT
< cache-control: public, max-age=2592000
< server: gws
< content-length: 220
< x-xss-protection: 0
< x-frame-options: SAMEORIGIN
< alt-svc: h3-29=":443"; ma=2592000,h3-T051=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
< 
* TLSv1.3 (IN), TLS Unknown, Unknown (23):
<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>301 Moved</TITLE></HEAD><BODY>
<H1>301 Moved</H1>
The document has moved
<A HREF="https://www.google.com/">here</A>.
</BODY></HTML>

因此，如果您想避免 301，请在配置中使用 www.google.com 值，如下所示：

http-check send hdr host www.google.com meth GET uri /