HAProxy and LXD Containers - Route based on naked domain, specific sub-domain and all other sub-domains
I have tried searching for a similar solution to the problem I am having, but could not find anything.
I have set up some LXD containers, one is HAProxy which is receiving port 80 traffic from the host's public IP address. HAProxy then sends the traffic to the correct container depending on the domain.
The issue I am having is, even though I have set the domain_specific_subdomain ACL rule for subdomain.example.com, the other domain_root ACL rule takes precedence.
Containers:
Question: How can I have this so the naked domain example.com and all other subdomains (e.g. www., dev., etc.) go to this backend backend_web1, except for subdomain.example.com, which should go to the backend_web2 backend?
This is my config file:
global
    log /dev/log local0
    log /dev/log local1 notice
    chroot /var/lib/haproxy
    stats socket /run/haproxy/admin.sock mode 660 level admin
    stats timeout 30s
    user haproxy
    group haproxy
    daemon
    # Default SSL material locations
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private
    # Default ciphers to use on SSL-enabled listening sockets.
    # For more information, see ciphers(1SSL). This list is from:
    # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
    ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
    ssl-default-bind-options no-sslv3

defaults
    log global
    mode http
    option httplog
    option dontlognull
    option forwardfor
    option http-server-close
    timeout connect 5000
    timeout client 50000
    timeout server 50000
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http

# Frontend
frontend www_frontend
    bind *:80 # Bind to port 80 (www) on the container
    # Covers naked domain and all subdomains
    acl domain_root hdr(host) -i example.com
    # Specific sub-domain
    acl domain_specific_subdomain hdr(host) -i subdomain.example.com
    # Redirect the connection to the proper server cluster, depending on the match.
    use_backend backend_web1 if domain_root
    use_backend backend_web2 if domain_specific_subdomain

# Domain dependent containers
backend backend_web1
    balance leastconn
    # We set the X-Client-IP HTTP header. This is useful if we want the web server to know the real client IP.
    http-request set-header X-Client-IP %[src]
    # This backend, named here "backend_web1", directs to container "lxd-container-web1.lxd" (hostname).
    server web1 lxd-container-web1:80 check

backend backend_web2
    balance leastconn
    http-request set-header X-Client-IP %[src]
    server web2 lxd-container-web2.lxd:80 check
From the haproxy docs:
There may be as many "use_backend" rules as desired. All of these rules are evaluated in their declaration order, and the first one which matches will assign the backend.
So if you switch the use_backend line ordering, it should work.
    # Redirect the connection to the proper server cluster, depending on the match.
    use_backend backend_web2 if domain_specific_subdomain
    use_backend backend_web1 if domain_root
Or better yet, maybe default_backend would be better here:
    # Use backend_web2 if ACL matches
    use_backend backend_web2 if domain_specific_subdomain
    # Otherwise, default to backend_web1
    default_backend backend_web1
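The rule evaluation described in the answer, modelled in Python as an added example (not part of the original post, and not HAProxy code). The ACL and backend names come from the page; the matching functions, the sample hosts and the shadowed_rules helper are assumptions made for illustration.

```python
# Added example: a model of HAProxy's first-match use_backend evaluation.
# ACL and backend names come from the page; the matching logic is an assumption.

def domain_root(host):
    # Assumed semantics, per the config comment
    # "Covers naked domain and all subdomains".
    return host == "example.com" or host.endswith(".example.com")

def domain_specific_subdomain(host):
    return host == "subdomain.example.com"

def route(host, rules, default_backend=None):
    """Pick a backend the way a frontend does: rules are tried in
    declaration order, the first matching ACL wins, and default_backend
    is used only when no rule matched (None = no backend assigned)."""
    host = host.lower()  # -i makes the comparison case-insensitive
    for backend, acl in rules:
        if acl(host):
            return backend
    return default_backend

# The question's ordering: the broad rule is declared first.
QUESTION = dict(rules=[("backend_web1", domain_root),
                       ("backend_web2", domain_specific_subdomain)])
# First fix from the answer: the specific rule is declared first.
REORDERED = dict(rules=[("backend_web2", domain_specific_subdomain),
                        ("backend_web1", domain_root)])
# Second fix from the answer: one specific rule plus default_backend.
WITH_DEFAULT = dict(rules=[("backend_web2", domain_specific_subdomain)],
                    default_backend="backend_web1")

def shadowed_rules(rules, hosts):
    """Backends whose rule never wins for any sample host: a sign that
    an earlier, broader ACL is shadowing that rule."""
    winners = {route(h, rules) for h in hosts}
    return [backend for backend, _ in rules if backend not in winners]

# Constructed sample Host header values.
HOSTS = ["example.com", "www.example.com", "dev.example.com",
         "subdomain.example.com", "other.test"]

if __name__ == "__main__":
    for name, cfg in [("question", QUESTION), ("reordered", REORDERED),
                      ("default_backend", WITH_DEFAULT)]:
        print(name, {h: route(h, **cfg) for h in HOSTS})
    print("shadowed in question:", shadowed_rules(QUESTION["rules"], HOSTS))
```

Note the difference on other.test: with default_backend, requests carrying any unmatched Host header are sent to backend_web1, while the reordered use_backend rules leave them without a backend. The model's domain_root covers subdomains as the config comment intends; in HAProxy itself hdr(host) is an exact string match and suffix matching is done with hdr_end(host).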