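Too many redirects with haproxy
I am using haproxy as a load balancer pod; the requests the pod receives come from an NLB. Requests received by the haproxy pod are sent to the nginx webserver pod that serves the traffic. This configuration works for http and https. My idea is to redirect web-dev.xxxx.com. The SSL certificate is on the NLB.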
{
  apiVersion: "v1",
  kind: "ConfigMap",
  metadata: {
    name: "haproxy-config",
    namespace: "xxxx",
  },
  data: {
    "haproxy.cfg":
"# This configuration use acl's to distinguish between url's passwd and then route
# them to the right backend servers. For the backend servers to handle it correctly, you
# need to setup virtual hosting there as well, on whatever you use, tomcat, nginx, apache, etc.
# For this to work with SSL, put pound before HAproxy and use a configuration file similar to
# https://gist.github.com/1984822 to get it working
global
    log stdout format raw local0
    maxconn 4096
    stats socket /var/run/haproxy.sock mode 660 level admin
    pidfile /var/run/haproxy.pid
defaults
    log global
    mode http
    option httplog
    option dontlognull
    option forwardfor except 127.0.0.1
    retries 3
    option redispatch
    maxconn 2000
    timeout connect 5000
    timeout client 50000
    timeout server 50000
# status page.
listen stats
    bind :8000
    mode http
    stats enable
    stats hide-version
    stats uri /stats
frontend http-in
    bind *:80 accept-proxy
    # http-request set-header X-Client-IP %[src]
    # Capturing specific request headers
    capture request header x-wap-msisdn len 64
    capture request header x-wap-imsi len 64
    capture request header Host len 64
    capture request header User-Agent len 64
    #### Setup virtual host routing
    # haproxy-dev.xxxx.com
    acl is_haproxy_stats hdr_end(host) -i haproxy-dev.xxxx.com
    use_backend haproxy-stats if is_haproxy_stats
    # ACL for api-dev.xxxx.com
    acl is_api hdr_end(host) -i api-dev.xxxx.com
    http-request set-header X-Forwarded-Proto https if is_api
    use_backend api if is_api
    # ACL for he.web-dev.xxxx.com
    acl is_he_web hdr_beg(host) -i he.web-dev.xxxx.com
    # ACL for he-dev.xxxx.com
    acl is_he hdr_beg(host) -i he-dev.xxxx.com
    # ACL for path begins with /projects
    acl is_products_uri path -i -m beg /products
    # ACL redirect for he.web-dev.xxxx.com/projects
    http-request redirect location https://web-dev.xxxx.com/products/?msisdn=%[req.hdr(x-wap-msisdn)] code 301 if is_he_web is_products_uri
    # ACL redirect for he-dev.xxxx.com/products
    http-request redirect location https://web-dev.xxxx.com/products/?msisdn=%[req.hdr(x-wap-msisdn)] code 301 if is_he is_products_uri
    # ACL redirect for he-dev.xxxx.com
    http-request redirect location https://web-dev.xxxx.com?msisdn=%[req.hdr(x-wap-msisdn)] code 301 if is_he
    # ACL redirect for he.web-dev.xxxx.com
    http-request redirect location https://web-dev.xxxx.com?msisdn=%[req.hdr(x-wap-msisdn)] code 301 if is_he_web
    # ACL for web-dev.xxxx.com
    acl is_web hdr_beg(host) -i web-dev.xxxx.com
    redirect scheme https if { hdr(Host) -i web-dev.xxxx.com } !{ ssl_fc }
    use_backend web if is_web
    default_backend api
frontend web-dev.xxxx.com-https
    bind *:9000 accept-proxy
    # HSTS
    http-request set-header X-Forwarded-For %[src]
    http-request set-header X-Forwarded-Proto https
    default_backend web
backend haproxy-stats
    balance roundrobin
    option redispatch
    option httpchk GET /stats HTTP/1.1
    option httpclose
    option forwardfor
    server haproxy haproxy-stats.x:8000 check inter 10s
backend api
    balance roundrobin
    option redispatch
    option httpchk GET /ping/rails?haproxy HTTP/1.0\\r\\nUser-agent:\\ HAProxy
    option httpclose
    option forwardfor
    server foo-rails foo-rails.xxxx:80 check inter 10s
backend web
    balance roundrobin
    option redispatch
    cookie SERVERID insert nocache indirect
    option httpchk GET /nginx_status HTTP/1.0
    option httpclose
    option forwardfor
    http-response set-header X-XSS-Protection 1
    http-response set-header X-Frame-Options DENY
    http-response set-header X-Content-Type-Options nosniff
    http-response set-header Strict-Transport-Security max-age=31536000;includeSubDomains;preload
    server foo foo.xxxx:80 check inter 10s
",
  }
}

Your problem seems to be here.
redirect scheme https if { hdr(Host) -i web-dev.xxxx.com } !{ ssl_fc }
Traffic enters HAProxy on port 80, so ssl_fc will never match.
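
A config check for the condition this answer points at, as an added example that is not part of the original post: it flags any `redirect scheme https` rule guarded by a negated `ssl_fc` in a frontend where no `bind` line carries `ssl`, since there `ssl_fc` is always false and the redirect fires on every request. The function name, the `tls-here` frontend and its certificate path are constructed for illustration.

```python
import re

# Constructed sample: frontend lines taken from the question's haproxy.cfg,
# plus a hypothetical frontend (tls-here) that terminates TLS in HAProxy itself.
SAMPLE_CFG = """\
frontend http-in
    bind *:80 accept-proxy
    acl is_web hdr_beg(host) -i web-dev.xxxx.com
    redirect scheme https if { hdr(Host) -i web-dev.xxxx.com } !{ ssl_fc }
frontend web-dev.xxxx.com-https
    bind *:9000 accept-proxy
    default_backend web
frontend tls-here
    bind *:8443 ssl crt /etc/haproxy/example.pem
    bind *:8080
    http-request redirect scheme https unless { ssl_fc }
backend web
    server foo foo.xxxx:80 check inter 10s
"""

# Only the common section keywords are recognised (assumption of this sketch).
SECTION = re.compile(r"^(global|defaults|frontend|listen|backend)\b\s*(\S*)")
REDIRECT = re.compile(r"\bredirect\s+scheme\s+https\b")
NOT_TLS = re.compile(r"(?:!\s*|\bunless\s+)\{\s*ssl_fc\s*\}")

def find_unconditional_https_redirects(cfg_text):
    """Return [(section, line_no, rule)] for https redirects guarded by
    "not ssl_fc" in a frontend/listen section that has no `ssl` bind."""
    sections, current = {}, None  # name -> {"tls": bool, "rules": [...]}
    for line_no, raw in enumerate(cfg_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and indentation
        if not line:
            continue
        header = SECTION.match(line)
        if header:
            kind, name = header.groups()
            current = (sections.setdefault(name, {"tls": False, "rules": []})
                       if kind in ("frontend", "listen") else None)
            continue
        if current is None:
            continue
        tokens = line.split()
        if tokens[0] == "bind" and "ssl" in tokens[2:]:
            current["tls"] = True  # ssl_fc can be true on this listener
        elif REDIRECT.search(line) and NOT_TLS.search(line):
            current["rules"].append((line_no, line))
    return [(name, no, rule) for name, sec in sections.items()
            if not sec["tls"] for no, rule in sec["rules"]]

if __name__ == "__main__":
    print(find_unconditional_https_redirects(SAMPLE_CFG))
```

Only `http-in` is reported: `tls-here` has a bind with `ssl`, so its guard can actually distinguish TLS from plaintext connections.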