Unable to get HAProxy working as a forward proxy for HTTPS

Updated: 2024-10-26 20:28:11

Problem description

I am trying to use HAProxy as a forward proxy. It works for HTTP, but not for HTTPS. Here is my HTTP HAProxy configuration:

    listen forward_http_proxy
        bind *:80
        http-request do-resolve(txn.dstip,mydns) hdr(Host),lower
        http-request set-dst var(txn.dstip)
        server proxy_server *

With the configuration above I get the correct result, as shown below:

    requests.get("api.ipify?format=json", proxies={'http': 'myproxy.server:80'}).text
    '{"ip":"15.12.XX.XX"}'

My HTTPS configuration is as follows:

    listen forward_https_proxy
        bind *:5248 ssl crt /etc/ssl/my.domainbined.pem
        http-request do-resolve(txn.dstip,mydns) hdr(Host),lower
        http-request set-dst var(txn.dstip)
        http-request set-dst-port hdr(x-port)
        server proxy_https_server * ssl verify none

Now, when I try HTTPS as shown below, I get an error:

    requests.get("api.ipify?format=json", proxies={'http': 'myproxy.server:5248'}, verify=False).text

HAProxy error log:

    Jul 9 17:56:40 ip-12-2-XX-XXX haproxy[3996]: XXX.XX.XXX.XX:26306 [09/Jul/2021:17:56:40.345] forward_https_proxy/1: SSL handshake failure

The curl output is below:

    curl -X GET api.ipify --proxy myproxy.server:5248 --verbose
    Note: Unnecessary use of -X or --request, GET is already inferred.
    *   Trying XX.X.X.XX:5248...
    * TCP_NODELAY set
    * Connected to myproxy.server (XX.X.X.XX) port 5248 (#0)
    * ALPN, offering http/1.1
    * successfully set certificate verify locations:
    *   CAfile: /etc/ssl/certs/ca-certificates.crt
      CApath: /etc/ssl/certs
    * TLSv1.3 (OUT), TLS handshake, Client hello (1):
    * TLSv1.3 (IN), TLS handshake, Server hello (2):
    * TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
    * TLSv1.3 (IN), TLS handshake, Certificate (11):
    * TLSv1.3 (IN), TLS handshake, CERT verify (15):
    * TLSv1.3 (IN), TLS handshake, Finished (20):
    * TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
    * TLSv1.3 (OUT), TLS handshake, Finished (20):
    * SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
    * ALPN, server did not agree to a protocol
    * Proxy certificate:
    *  subject: OU=Domain Control Validated; CN=*.myproxy.server
    *  start date: Jun  7 07:00:34 2021 GMT
    *  expire date: Jul  7 10:24:05 2022 GMT
    *  subjectAltName: host "myproxy.server" matched cert's "*.myproxy.server"
    *  issuer: C=US; ST=Arizona; L=Scottsdale; O=GoDaddy, Inc.; OU=certs.godaddy/repository/; CN=Go Daddy Secure Certificate Authority - G2
    *  SSL certificate verify ok.
    * allocate connect buffer!
    * Establish HTTP proxy tunnel to api.ipify:443
    > CONNECT api.ipify:443 HTTP/1.1
    > Host: api.ipify:443
    > User-Agent: curl/7.68.0
    > Proxy-Connection: Keep-Alive
    >
    * TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
    * TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):

After the last line it just keeps waiting and nothing happens.

The output of haproxy -vv is as follows:

    HA-Proxy version 2.2.14-1ppa1~focal 2021/04/29 - haproxy/
    Status: long-term supported branch - will stop receiving fixes around Q2 2025.
    Known bugs: www.haproxy/bugs/bugs-2.2.14.html
    Running on: Linux 5.8.0-1038-aws #40~20.04.1-Ubuntu SMP Thu Jun 17 13:25:28 UTC 2021 x86_64
    Build options :
      TARGET  = linux-glibc
      CPU     = generic
      CC      = gcc
      CFLAGS  = -O2 -g -O2 -fdebug-prefix-map=/build/haproxy-3dgaC8/haproxy-2.2.14=. -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2 -Wall -Wextra -Wdeclaration-after-statement -fwrapv -Wno-address-of-packed-member -Wno-unused-label -Wno-sign-compare -Wno-unused-parameter -Wno-clobbered -Wno-missing-field-initializers -Wno-stringop-overflow -Wno-cast-function-type -Wtype-limits -Wshift-negative-value -Wshift-overflow=2 -Wduplicated-cond -Wnull-dereference
      OPTIONS = USE_PCRE2=1 USE_PCRE2_JIT=1 USE_OPENSSL=1 USE_LUA=1 USE_ZLIB=1 USE_SYSTEMD=1
      DEBUG   =

    Feature list : +EPOLL -KQUEUE +NETFILTER -PCRE -PCRE_JIT +PCRE2 +PCRE2_JIT +POLL -PRIVATE_CACHE +THREAD -PTHREAD_PSHARED +BACKTRACE -STATIC_PCRE -STATIC_PCRE2 +TPROXY +LINUX_TPROXY +LINUX_SPLICE +LIBCRYPT +CRYPT_H +GETADDRINFO +OPENSSL +LUA +FUTEX +ACCEPT4 -CLOSEFROM +ZLIB -SLZ +CPU_AFFINITY +TFO +NS +DL +RT -DEVICEATLAS -51DEGREES -WURFL +SYSTEMD -OBSOLETE_LINKER +PRCTL +THREAD_DUMP -EVPORTS

    Default settings :
      bufsize = 16384, maxrewrite = 1024, maxpollevents = 200

    Built with multi-threading support (MAX_THREADS=64, default=1).
    Built with OpenSSL version : OpenSSL 1.1.1f  31 Mar 2020
    Running on OpenSSL version : OpenSSL 1.1.1f  31 Mar 2020
    OpenSSL library supports TLS extensions : yes
    OpenSSL library supports SNI : yes
    OpenSSL library supports : TLSv1.0 TLSv1.1 TLSv1.2 TLSv1.3
    Built with Lua version : Lua 5.3.3
    Built with network namespace support.
    Built with zlib version : 1.2.11
    Running on zlib version : 1.2.11
    Compression algorithms supported : identity("identity"), deflate("deflate"), raw-deflate("deflate"), gzip("gzip")
    Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND
    Built with PCRE2 version : 10.34 2019-11-21
    PCRE2 library supports JIT : yes
    Encrypted password support via crypt(3): yes
    Built with gcc compiler version 9.3.0
    Built with the Prometheus exporter as a service

    Available polling systems :
          epoll : pref=300,  test result OK
           poll : pref=200,  test result OK
         select : pref=150,  test result OK
    Total: 3 (3 usable), will use epoll.

    Available multiplexer protocols :
    (protocols marked as <default> cannot be specified using 'proto' keyword)
                fcgi : mode=HTTP       side=BE        mux=FCGI
           <default> : mode=HTTP       side=FE|BE     mux=H1
                  h2 : mode=HTTP       side=FE|BE     mux=H2
           <default> : mode=TCP        side=FE|BE     mux=PASS

    Available services :
        prometheus-exporter

    Available filters :
        [SPOE] spoe
        [COMP] compression
        [TRACE] trace
        [CACHE] cache
        [FCGI] fcgi-app

I have looked at this post and a number of others, but none of them work.

I am doing this because I do not want to manage both Squid and HAProxy. If I am doing something wrong, or HAProxy is not the right tool for what I am trying to achieve, please let me know.

Update: I am going to change my approach to solve this. Quoting the HAProxy Issue reply

Recommended answer

You need to add sni to the server line. The suggestion in the documentation is to use ssl_fc_sni.

Untested:

    server proxy_https_server * ssl verify none sni ssl_fc_sni

    server proxy_https_server * ssl verify none sni %[ssl_fc_sni]
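A note on what the curl trace in the question actually shows, followed by an added illustration of the exchange that is missing from it (example code written for this page, not from the question, the answer, or HAProxy). curl negotiated TLS with the proxy, sent `CONNECT api.ipify:443 HTTP/1.1`, and then waited: an HTTP client will not start its own TLS handshake with the origin until the proxy answers the CONNECT with a 2xx status, so a proxy that never sends that reply leaves the client hanging exactly as described. Two details of the trace matter for the configuration above. First, the `Host` header of a CONNECT request is `host:port` (`Host: api.ipify:443`), so a rule that resolves `hdr(Host)` unchanged is trying to resolve a string with the port still attached. Second, because the bind line carries `ssl crt`, clients must speak TLS to port 5248 itself; a client that sends plain HTTP to that port fails that handshake, which is what an `SSL handshake failure` line on the frontend records. On the answer's `sni` suggestion: HAProxy's server-line `sni` keyword takes a sample-fetch expression, so `sni ssl_fc_sni` is the form the documentation's syntax describes, and the value it carries is the SNI the client sent to the proxy's own listener (the proxy's name in the trace, not the origin's). It only comes into play once HAProxy itself opens a TLS connection to the origin, that is, when the proxy terminates and re-encrypts rather than tunnels, and in that mode `verify none` means the origin certificate is never checked at all. The Python below is a minimal CONNECT-tunnel proxy, written for this page, that produces the missing reply and relays bytes unchanged so the client's TLS session runs end to end; the port allow-list, the loopback addresses and the `connect_via_proxy` helper are assumptions made for the demonstration.

```python
import re
import socket
import threading

# Assumption for this example: tunnels may only target port 443. A CONNECT
# proxy that relays to any host:port is an open relay, so enforce a policy.
ALLOWED_PORTS = {443}

CONNECT_LINE = re.compile(rb"^CONNECT ([^\s/]+) HTTP/1\.[01]$")


def parse_connect(head):
    """Return (host, port) from a CONNECT request head, or raise ValueError.

    With CONNECT the authority, and the Host header, is "host:port" (see
    "Host: api.ipify:443" in the question's curl trace), so the port must
    be split off before the name is resolved.
    """
    m = CONNECT_LINE.match(head.split(b"\r\n", 1)[0])
    if not m:
        raise ValueError("not a CONNECT request")
    authority = m.group(1).decode("ascii")
    if authority.startswith("["):                     # IPv6 literal
        host, sep, port = authority[1:].partition("]:")
    else:
        host, sep, port = authority.rpartition(":")
    if not (sep and host and port.isdigit() and 1 <= int(port) <= 65535):
        raise ValueError("bad CONNECT authority: %r" % authority)
    return host, int(port)


def _reply(sock, status):
    """Send a bodyless error response and close; the tunnel is never opened."""
    sock.sendall(b"HTTP/1.1 " + status + b"\r\nContent-Length: 0\r\nConnection: close\r\n\r\n")
    sock.close()


def _relay(src, dst):
    """Copy bytes src -> dst until EOF, then half-close dst."""
    try:
        while True:
            data = src.recv(65536)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    try:
        dst.shutdown(socket.SHUT_WR)
    except OSError:
        pass


def handle_client(client, allowed_ports=ALLOWED_PORTS):
    """Serve one proxy connection: parse CONNECT, reply, then relay blindly."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = client.recv(4096)
        if not chunk or len(buf) > 8192:
            client.close()
            return
        buf += chunk
    head, _, early = buf.partition(b"\r\n\r\n")
    try:
        host, port = parse_connect(head)
    except ValueError:
        return _reply(client, b"400 Bad Request")
    if port not in allowed_ports:
        return _reply(client, b"403 Forbidden")
    try:
        upstream = socket.create_connection((host, port), timeout=10)
    except OSError:                                   # DNS or TCP failure
        return _reply(client, b"502 Bad Gateway")
    # Without this reply the client waits forever; that is the state the
    # curl trace in the question is stuck in after its CONNECT headers.
    client.sendall(b"HTTP/1.1 200 Connection established\r\n\r\n")
    upstream.settimeout(None)
    if early:                          # bytes the client sent before our reply
        upstream.sendall(early)
    t = threading.Thread(target=_relay, args=(upstream, client), daemon=True)
    t.start()
    _relay(client, upstream)
    t.join()
    client.close()
    upstream.close()


def serve(listen_host="127.0.0.1", listen_port=0, allowed_ports=ALLOWED_PORTS):
    """Start the proxy in a background thread and return its bound port."""
    srv = socket.socket()
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((listen_host, listen_port))
    srv.listen(16)

    def accept_loop():
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=handle_client, args=(conn, allowed_ports), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv.getsockname()[1]


def connect_via_proxy(proxy_port, host, port, payload):
    """Client side of the exchange: send CONNECT, return (status line, reply)."""
    s = socket.create_connection(("127.0.0.1", proxy_port), timeout=5)
    s.sendall(b"CONNECT %s:%d HTTP/1.1\r\nHost: %s:%d\r\n\r\n"
              % (host.encode(), port, host.encode(), port))
    status = s.recv(4096).split(b"\r\n", 1)[0]
    reply = b""
    if status.startswith(b"HTTP/1.1 200"):          # tunnel is open: talk through it
        s.sendall(payload)
        reply = s.recv(4096)
    s.close()
    return status, reply
```

Run `serve()` and point a client at the returned port with `connect_via_proxy(port, "127.0.0.1", 443, b"...")` against a local listener, or use it as an `https://` target with curl's `--proxy`. The proxy never looks inside the tunnel, which is the property that makes the client's certificate validation of the origin meaningful; the allow-list is the one check it must keep, because a CONNECT proxy that honours any `host:port` is a relay into whatever network it sits on.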


Published: 2023-10-26 01:12:24
Link: https://www.elefans.com/category/jswz/34/1528639.html