Updated below.

I decided to use HAProxy as a reverse proxy for a SharePoint site. Without SSL everything works fine, but with SSL I cannot start haproxy.service. I have tried many configurations, but I can't figure it out...
Trying to start the service:
$ sudo systemctl start haproxy.service
Job for haproxy.service failed because the control process exited with error code.
See "systemctl status haproxy.service" and "journalctl -xe" for details.
Status of haproxy.service:
$ sudo systemctl status haproxy.service
haproxy.service - HAProxy Load Balancer
Loaded: loaded (/lib/systemd/system/haproxy.service; enabled; vendor preset: enabled)
Active: failed (Result: exit-code) since date CEST;
Docs: man:haproxy(1)
file:/usr/share/doc/haproxy/configuration.txt.gz
Process: ExecStart=/usr/sbin/haproxy-systemd-wrapper -f $CONFIG -p $PIDFILE $EXTRAOPTS (code=exited, status=0/SUCCESS)
Process: ExecStartPre=/usr/sbin/haproxy -f $CONFIG -c -q $EXTRAOPTS (code=exited, status=1/FAILURE)
Main PID: (code=exited, status=0/SUCCESS)
systemd[1]: haproxy.service: Failed with result 'exit-code'.
systemd[1]: haproxy.service: Service hold-off time over, scheduling restart.
systemd[1]: Stopped HAProxy Load Balancer.
systemd[1]: haproxy.service: Start request repeated too quickly.
systemd[1]: Failed to start HAProxy Load Balancer.
systemd[1]: haproxy.service: Unit entered failed state.
systemd[1]: haproxy.service: Failed with result 'exit-code'.
systemd[1]: haproxy.service: Start request repeated too quickly.
systemd[1]: Failed to start HAProxy Load Balancer.
systemd[1]: haproxy.service: Failed with result 'exit-code'.
Checking the configuration file for problems:
$ sudo haproxy -c -f haproxy.cfg
Enter PEM pass phrase:
[ALERT]: parsing [haproxy.cfg:31] : 'bind *:443' : unable to load SSL private key from PEM file './cert.pem'.
[ALERT]: Error(s) found in configuration file : haproxy.cfg
[ALERT]: Proxy 'http_id': no SSL certificate specified for bind '*:443' at [haproxy.cfg:31] (use 'crt').
[ALERT]: Fatal errors found in configuration.
HAProxy -vv:
$ sudo haproxy -vv
HA-Proxy version 1.7.5-2
Encrypted password support via crypt(3): yes
Built with zlib version : 1.2.8
Running on zlib version : 1.2.8
Compression algorithms supported : identity("identity"), deflate("deflate"), raw-deflate("deflate"), gzip("gzip")
Built with OpenSSL version : OpenSSL 1.1.0e
Running on OpenSSL version : OpenSSL 1.1.0f
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports prefer-server-ciphers : yes
Built with PCRE version : 8.39
Running on PCRE version : 8.39
PCRE library supports JIT : no (USE_PCRE_JIT not set)
Built with Lua version : Lua 5.3.3
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND
Built with network namespace support
Available polling systems :
epoll : pref=300, test result OK
poll : pref=200, test result OK
select : pref=150, test result OK
Total: 3 (3 usable), will use epoll.
Available filters :
[COMP] compression
[TRACE] trace
[SPOE] spoe
Logs:
haproxy: [ALERT]: parsing [/etc/haproxy/haproxy.cfg:31] : 'bind *:443' : unable to load SSL certificate file './cert.pem' file does not exist.
haproxy: [ALERT]: Error(s) found in configuration file : /etc/haproxy/.cfg
haproxy: [ALERT]: Proxy 'http_id': no SSL certificate specified for bind '*:443' at [/etc/haproxy/haproxy.cfg:31] (use 'crt').
haproxy: [ALERT]: Fatal errors found in configuration.
I use the same certificate on another server for nginx (but split into certificate, key and chain), and there it works. I created the one for HAProxy with the command cat cert.crt priv.key certchain.crt > cert.pem; I tried different orders, but the error is the same. The command haproxy -c -f haproxy.cfg on the server also asks for the password, so I think the certificate is fine (maybe I'm wrong) and the problem is in the configuration file. Thank you for your time and help.
My haproxy.cfg:
global
    tune.ssl.default-dh-param 2048
    maxconn 4096
    user haproxy
    group haproxy
    daemon
    #ssl-server-verify none

defaults
    mode http
    option forwardfor
    log 127.0.0.1 local0 notice
    maxconn 2000
    option httplog
    option dontlognull
    timeout connect 5000
    timeout client 50000
    timeout server 50000

backend sharepoint
    mode http
    #balance roundrobin
    option redispatch
    cookie SERVERID insert nocache
    server spsrv xxx.xxx.xxx.xxx:80

frontend http_id
    #bind *:80
    bind *:443 ssl crt ./cert.pem
    mode http
    reqadd X-Forwarded-Proto:\ https
    acl hosts_sharepoint hdr_end(host) -i intranet.sharepoint.com:443
    use_backend sharepoint if hosts_sharepoint
    default_backend sharepoint
First update

I tried pass-through, and now SharePoint asks for credentials on port 80 (after disabling the IIS role); SharePoint then redirects to https and I get the error "504 Gateway Timeout". This is my current haproxy.cfg:
global
    maxconn 4096
    user haproxy
    group haproxy
    daemon

defaults
    mode tcp
    log 127.0.0.1 local0 notice
    maxconn 2000
    option tcplog
    option dontlognull
    timeout connect 20s
    timeout client 10m
    timeout server 10m

frontend httpid
    mode tcp
    bind *:443
    acl hosts_sharepoint hdr_end(host) -i intranet.sharepoint.com
    use_backend sharepoint if hosts_sharepoint
    default_backend sharepoint

backend sharepoint
    mode tcp
    balance roundrobin
    option redispatch
    cookie SERVERID insert indirect nocache
    server st1 xxx.xxx.xxx.xxx:443
    option ssl-hello-chk
Also, the command:
$ curl xxx.xxx.xxx.xxx:80 --header 'Host: sharepoint.intranet.com' -vv
returns 401, so the connection is fine, but the same command against port 443:
$ curl xxx.xxx.xxx.xxx:443 --header 'Host: sharepoint.intranet.com' -vv
returns curl: (56) Recv failure: Connection reset by peer.
Is my configuration file correct? Or do I perhaps need to configure IIS?
Second update

After restarting the SharePoint server, this configuration is working with pass-through:
global
    maxconn 4096
    user haproxy
    group haproxy
    daemon

defaults
    mode tcp
    log 127.0.0.1 local0 notice
    maxconn 2000
    option tcplog
    option dontlognull
    timeout connect 20s
    timeout client 10m
    timeout server 10m

frontend httpid
    mode tcp
    bind *:443
    acl hosts_sharepoint hdr_end(host) -i intranet.sharepoint.com
    use_backend sharepoint if hosts_sharepoint
    default_backend sharepoint

backend sharepoint
    mode tcp
    balance roundrobin
    option redispatch
    cookie SERVERID insert indirect nocache
    server st1 xxx.xxx.xxx.xxx:443
    option ssl-hello-chk
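A structural check for a cert.pem bundle built with cat as in the question, added here as an example that is not part of the question or of any answer. The sample bundles are constructed placeholders (not real certificates or keys), and the check flags the conditions behind the "Enter PEM pass phrase" prompt and the "unable to load SSL private key" alert: binary (DER) input, a missing or duplicated key block, a bundle that does not start with the server certificate, and a passphrase-protected key that haproxy cannot load unattended.

```python
import re

# Constructed sample bundles with placeholder base64; the layout is what matters.
ENCRYPTED_BUNDLE = (
    "-----BEGIN CERTIFICATE-----\nMIIBleafCERTplaceholder==\n-----END CERTIFICATE-----\n"
    "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
    "DEK-Info: AES-256-CBC,0123456789ABCDEF\n\n"
    "MIIEencryptedKEYplaceholder==\n-----END RSA PRIVATE KEY-----\n"
    "-----BEGIN CERTIFICATE-----\nMIIBissuerCERTplaceholder==\n-----END CERTIFICATE-----\n"
)
# Same bundle with the traditional-format encryption headers removed.
PLAIN_BUNDLE = ENCRYPTED_BUNDLE.replace(
    "Proc-Type: 4,ENCRYPTED\nDEK-Info: AES-256-CBC,0123456789ABCDEF\n\n", "")
# First bytes of a DER SEQUENCE: binary, so not a PEM file at all.
DER_BLOB = b"\x30\x82\x01\x0a\x02\x82"

BLOCK_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)-----END \1-----", re.S)
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}


def check_bundle(data: bytes) -> list:
    """Return the problems found in a HAProxy 'crt' bundle; an empty list means usable."""
    # Anything outside printable ASCII and line whitespace means DER, not PEM.
    if any(b > 0x7E or (b < 0x20 and b not in b"\r\n\t") for b in data):
        return ["binary (DER) content: convert the source files to PEM first"]
    blocks = BLOCK_RE.findall(data.decode("ascii"))
    if not blocks:
        return ["no PEM blocks found"]
    problems = []
    certs = [body for label, body in blocks if label == "CERTIFICATE"]
    keys = [(label, body) for label, body in blocks if label in KEY_LABELS]
    if blocks[0][0] != "CERTIFICATE":
        problems.append("first block must be the server (end-entity) certificate")
    if len(certs) < 2:
        problems.append("expected the server certificate plus at least one chain certificate")
    if len(keys) != 1:
        problems.append("expected exactly one private key block, found %d" % len(keys))
    for label, body in keys:
        # PKCS#8 encrypted keys change the label; traditional keys add a Proc-Type header.
        if label == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in body:
            problems.append("private key is passphrase-protected; haproxy cannot load it unattended")
    return problems


if __name__ == "__main__":
    for name, sample in (("plain", PLAIN_BUNDLE.encode()),
                         ("encrypted", ENCRYPTED_BUNDLE.encode()), ("der", DER_BLOB)):
        print(name, check_bundle(sample) or "OK")
```

Run it against the real file with check_bundle(open("/etc/ssl/cert.pem", "rb").read()) (path assumed) to see which of the conditions applies before touching the haproxy configuration.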
You should avoid using relative paths such as ./cert.pem in the configuration file. Use an absolute path instead, such as /etc/ssl/cert.pem (adjusted to your actual path). Also check the cert.pem file itself. It should contain only printable text (not binary): at least two -----BEGIN CERTIFICATE----- / -----END CERTIFICATE----- blocks (your certificate and the CA(s) in the chain) and one -----BEGIN PRIVATE KEY----- / -----END PRIVATE KEY----- block (or possibly a -----BEGIN RSA PRIVATE KEY----- / -----END RSA PRIVATE KEY----- block). If there is anything binary in the cert.pem file, you should convert the original files (cert.crt, priv.key) to PEM format and recreate the cert.pem file. The correct concatenation order should be: end-entity certificate, key, direct issuer, next issuer, and so on. You can omit the root CA; leaving it out is considered good practice (there is no real need for it, and fewer bytes are exchanged). You can use openssl to convert from the binary format (aka DER) to the text format (aka PEM):

For the certificate (input.crt will be the DER file and output.crt will be the new file in PEM format):

For the key (I assume it is an RSA key, which is the most common). Note: it will ask for a (new) password for output.key; see my comment on this later.

Note: most servers assume the key is not encrypted (i.e. the line after -----BEGIN PRIVATE KEY----- contains ENCRYPTED). If this is the case and your server still does not start, try converting the key to an unencrypted format (note: in this command I assume the inputcipher.key file is already in PEM format):

As for the 504 error with pass-through: in the later configuration you point to server st1 xxx.xxx.xxx.xxx:443, while in the intercepting configuration you point to server spsrv xxx.xxx.xxx.xxx:80. Please recheck whether your backend is listening on port 80 or 443; it seems there is no backend listening on 443.

Maybe this will help someone. In my case, I configured two network adapters on Linux: a local network and a public network. On Windows I have only the local network; Windows connects to Linux over the local network, and then through HAProxy I can open the SharePoint site from the Internet.
Here is the correct configuration that works in my case (for SSL I used pass-through; the redirects and certificates are on Windows IIS):