更新如下
________________我決定使用 HAProxy 作為 SharePoint 網站的反向代理,如果沒有 SSL,一切都正常,但使用 SSL 我無法啟動 haproxy.service。我嘗試了很多配置,但我無法弄清楚...
嘗試啟動服務:
$ sudo systemctl start haproxy.service
Job for haproxy.service failed because the control process exited with error code.
See "systemctl status haproxy.service" and "journalctl -xe" for details.
haproxy.service 的狀態:
$ sudo systemctl status haproxy.service
haproxy.service - HAProxy Load Balancer
Loaded: loaded (/lib/systemd/system/haproxy.service; enabled; vendor preset: enabled)
Active: failed (Result: exit-code) since date CEST;
Docs: man:haproxy(1)
file:/usr/share/doc/haproxy/configuration.txt.gz
Process: ExecStart=/usr/sbin/haproxy-systemd-wrapper -f $CONFIG -p $PIDFILE $EXTRAOPTS (code=exited, status=0/SUCCESS)
Process: ExecStartPre=/usr/sbin/haproxy -f $CONFIG -c -q $EXTRAOPTS (code=exited, status=1/FAILURE)
Main PID: (code=exited, status=0/SUCCESS)
systemd[1]: haproxy.service: Failed with result 'exit-code'.
systemd[1]: haproxy.service: Service hold-off time over, scheduling restart.
systemd[1]: Stopped HAProxy Load Balancer.
systemd[1]: haproxy.service: Start request repeated too quickly.
systemd[1]: Failed to start HAProxy Load Balancer.
systemd[1]: haproxy.service: Unit entered failed state.
systemd[1]: haproxy.service: Failed with result 'exit-code'.
systemd[1]: haproxy.service: Start request repeated too quickly.
systemd[1]: Failed to start HAProxy Load Balancer.
systemd[1]: haproxy.service: Failed with result 'exit-code'.
檢查設定檔問題:
$ sudo haproxy -c -f haproxy.cfg
Enter PEM pass phrase:
[ALERT]: parsing [haproxy.cfg:31] : 'bind *:443' : unable to load SSL private key from PEM file './cert.pem'.
[ALERT]: Error(s) found in configuration file : haproxy.cfg
[ALERT]: Proxy 'http_id': no SSL certificate specified for bind '*:443' at [haproxy.cfg:31] (use 'crt').
[ALERT]: Fatal errors found in configuration.
HAProxy -vv:
$ sudo haproxy -vv
HA-Proxy version 1.7.5-2
Encrypted password support via crypt(3): yes
Built with zlib version : 1.2.8
Running on zlib version : 1.2.8
Compression algorithms supported : identity("identity"), deflate("deflate"), raw-deflate("deflate"), gzip("gzip")
Built with OpenSSL version : OpenSSL 1.1.0e
Running on OpenSSL version : OpenSSL 1.1.0f
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports prefer-server-ciphers : yes
Built with PCRE version : 8.39
Running on PCRE version : 8.39
PCRE library supports JIT : no (USE_PCRE_JIT not set)
Built with Lua version : Lua 5.3.3
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND
Built with network namespace support
Available polling systems :
epoll : pref=300, test result OK
poll : pref=200, test result OK
select : pref=150, test result OK
Total: 3 (3 usable), will use epoll.
Available filters :
[COMP] compression
[TRACE] trace
[SPOE] spoe
紀錄:
haproxy: [ALERT]: parsing [/etc/haproxy/haproxy.cfg:31] : 'bind *:443' : unable to load SSL certificate file './cert.pem' file does not exist.
haproxy: [ALERT]: Error(s) found in configuration file : /etc/haproxy/.cfg
haproxy: [ALERT]: Proxy 'http_id': no SSL certificate specified for bind '*:443' at [/etc/haproxy/haproxy.cfg:31] (use 'crt').
haproxy: [ALERT]: Fatal errors found in configuration.
我在另一台伺服器上為 nginx 使用相同的憑證(但分為:憑證、金鑰、鏈)並且它有效。我使用命令為 HAProxy 創建了這個cat cert.crt priv.key certchain.crt > cert.pem,並嘗試了不同的順序,但錯誤是相同的。另外,命令haproxy -c -f haproxy.cfg伺服器詢問密碼短語,因此我認為證書沒問題(也許我錯了),但設定檔有問題。感謝您的時間和幫助。
我的 haproxy.cfg:
global
tune.ssl.default-dh-param 2048
maxconn 4096
user haproxy
group haproxy
daemon
#ssl-server-verify none
defaults
mode http
option forwardfor
log 127.0.0.1 local0 notice
maxconn 2000
option httplog
option dontlognull
timeout connect 5000
timeout client 50000
timeout server 50000
backend sharepoint
mode http
#balance roundrobin
option redispatch
cookie SERVERID insert nocache
server spsrv xxx.xxx.xxx.xxx:80
frontend http_id
#bind *:80
bind *:443 ssl crt ./cert.pem
mode http
reqadd X-Forwarded-Proto:\ https
acl hosts_sharepoint hdr_end(host) -i intranet.sharepoint.com:443
use_backend sharepoint if hosts_sharepoint
default_backend sharepoint
第一次更新
我嘗試使用直通,現在 SharePoint 要求在連接埠 80 上提供憑證(停用 IIS 角色後),然後 SharePoint 重定向到 https,並出現錯誤「504 網關逾時」。這是我目前的 haproxy.cfg:
global
maxconn 4096
user haproxy
group haproxy
daemon
defaults
mode tcp
log 127.0.0.1 local0 notice
maxconn 2000
option tcplog
option dontlognull
timeout connect 20s
timeout client 10m
timeout server 10m
frontend httpid
mode tcp
bind *:443
acl hosts_sharepoint hdr_end(host) -i intranet.sharepoint.com
use_backend sharepoint if hosts_sharepoint
default_backend sharepoint
backend sharepoint
mode tcp
balance roundrobin
option redispatch
cookie SERVERID insert indirect nocache
server st1 xxx.xxx.xxx.xxx:443
option ssl-hello-chk
另外 command:
$ curl xxx.xxx.xxx.xxx:**80** --header 'Host: sharepoint.intranet.com' -vv傳回 401 ,因此連線正常,但連接埠 443 的命令$ url xxx.xxx.xxx.xxx:**443** --header 'Host: sharepoint.intranet.com' -vv返回curl: (56) Recv failure: Connection reset by peer。我的設定檔正確嗎?或者也許我需要配置 IIS?
第二次更新
重新啟動 SharePoint 伺服器後,此設定將起作用直通:
global
maxconn 4096
user haproxy
group haproxy
daemon
defaults
mode tcp
log 127.0.0.1 local0 notice
maxconn 2000
option tcplog
option dontlognull
timeout connect 20s
timeout client 10m
timeout server 10m
frontend httpid
mode tcp
bind *:443
acl hosts_sharepoint hdr_end(host) -i intranet.sharepoint.com
use_backend sharepoint if hosts_sharepoint
default_backend sharepoint
backend sharepoint
mode tcp
balance roundrobin
option redispatch
cookie SERVERID insert indirect nocache
server st1 xxx.xxx.xxx.xxx:443
option ssl-hello-chk
答案1
您應該避免在設定檔中使用相對路徑,例如./cert.pem.請變更為絕對路徑/etc/ssl/cert.pem(調整為目前路徑)。
另外,檢查cert.pem文件本身。它應該只包含可列印文字(不是二進位),並且至少有兩個-----BEGIN CERTIFICATE-----,-----END CERTIFICATE-----區塊(您的憑證和鏈中的 CA)和一個-----BEGIN PRIVATE KEY-----,-----END PRIVATE KEY-----區塊(或可能是一個-----BEGIN RSA PRIVATE KEY-----, -----END RSA PRIVATE KEY-----)。
如果文件中有任何二進位文件cert.pem,您應該將原始文件(cert.crt、priv.key)轉換為 PEM 格式,然後cert.pem重新建立該文件。正確的串聯順序應該是最終憑證、金鑰、直接頒發者、下一個頒發者等。數較少)。
您可以使用 openssl 將二進位格式(又稱 DER)轉換為文字格式(又稱 PEM):
對於憑證(input.crt將是 DER 檔案並將output.crt是 PEM 格式的新檔案):
openssl x509 -通知 DER -in 輸入.crt -out 輸出.crt
對於金鑰(我假設它是 RSA 金鑰,這是最常見的)注意:它將要求輸入(新)密碼output.key,請參閱我稍後對此的評論。
openssl rsa -inform DER -in 輸入.key -out 輸出.key
注意:大多數伺服器假設金鑰未加密(即 contains 的下一行-----BEGIN PRIVATE KEY-----)ENCRYPTED。如果是這種情況並且您的伺服器仍然無法啟動,請嘗試將金鑰轉換為未加密的格式(注意:在此命令中,我假設檔案inputcipher.key已經是 PEM 格式):
openssl rsa -in inputcipher.key -nodes -out outputclear.key
至於帶有錯誤的傳遞504,在後面的配置中您指向,server st1 xxx.xxx.xxx.xxx:443而在攔截配置中您指向server spsrv xxx.xxx.xxx.xxx:80.請重新檢查你的後端是否在監聽80端口或443端口,但是好像沒有後端在監聽443。
答案2
也許這對某人有幫助。就我而言,我在 Linux 上配置了兩個網路適配器 - 本地網路和公共網路。在 Windows 上,我只有本機網路 - Windows 在本機網路中與 Linux 連接,然後透過 HAProxy 我可以從網路開啟 SharePoint 網站。
這是正確的配置,在我的情況下有效(對於 SSL,我使用直通 - 重定向,憑證位於 Windows IIS 上):
global
maxconn 4096
user haproxy
group haproxy
daemon
defaults
mode tcp
log 127.0.0.1 local0 notice
maxconn 2000
option tcplog
option dontlognull
timeout connect 20s
timeout client 10m
timeout server 10m
frontend httpid
mode tcp
bind *:443
acl hosts_sharepoint hdr_end(host) -i intranet.sharepoint.com
use_backend sharepoint if hosts_sharepoint
default_backend sharepoint
backend sharepoint
mode tcp
balance roundrobin
option redispatch
server st1 xxx.xxx.xxx.xxx:443 #local address of the Windows server
option ssl-hello-chk