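Requirements
Switch access between the browser and the front end to HTTPS. An HAProxy load balancer sits in front of the front end, so HTTPS is used between the browser and HAProxy, while traffic between HAProxy and the front end remains HTTP.
- Generate a self-signed certificate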
#mkdir -p /etc/pki/
#cd /etc/pki
#openssl genrsa -out /etc/pki/dashboard.key 2048
#openssl req -new -key /etc/pki/dashboard.key -out /etc/pki/dashboard.csr
Country Name (2 letter code) [XX]:CN #country code
State or Province Name (full name) []:china #state/province
Locality Name (eg, city) [Default City]:beijing #city
Organization Name (eg, company) [Default Company Ltd]:iseastar #company name
Organizational Unit Name (eg, section) []:iseastar #optional
Common Name (eg, your name or your server's hostname) []:iseastar #optional
Email Address []: #email address
Please enter the following 'extra' attributes
to be sent with your certificate request
#skip the following
A challenge password []:
An optional company name []:
#openssl x509 -req -days 365 -in /etc/pki/dashboard.csr -signkey /etc/pki/dashboard.key -out /etc/pki/dashboard.crt
#cat /etc/pki/dashboard.crt /etc/pki/dashboard.key | tee /etc/pki/dashboard.pem
- Mount the certificate into Haproxy
dashboard.cfg:
frontend dashboard-frontend
    bind *.*.*.*:80
    bind *.*.*.*:443 ssl crt /etc/self_ssl/dashboard.pem
    redirect scheme https if !{ ssl_fc }
    default_backend horizon-backend
horizon.cfg:
backend horizon-backend
    balance source
    capture cookie vgnvisitor= len 32
    cookie SERVERID insert indirect nocache
    mode http
    option forwardfor
    option httpchk HEAD /dashboard
    option httpclose
    option httplog
    option dontlog-normal
    rspidel ^Set-cookie:\ IP=
    timeout client 3h
    timeout server 3h
    server server1 192.168.0.12:80 check inter 2000 fall 3
- Restart haproxy
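The certificate steps above can be scripted without the interactive prompts. The following is an added example, not part of the original post: it runs the same three openssl commands, confirms the certificate and key match before building the bundle, and keeps the key files at mode 0600. The function name, the output directory and the common name passed to it are assumptions chosen by the caller.

```shell
#!/bin/sh
# Added example: non-interactive form of the key / CSR / certificate / PEM steps.
# Usage: build_haproxy_pem DIR CN
#   e.g. build_haproxy_pem /etc/pki dashboard.example.test   (constructed name)
# Writes DIR/dashboard.key, .csr, .crt and the combined DIR/dashboard.pem.
build_haproxy_pem() (
    set -eu
    dir=$1
    cn=$2
    umask 077                      # key and bundle are never group/world readable
    mkdir -p "$dir"

    # Same openssl commands as on the page; -subj replaces the prompts.
    openssl genrsa -out "$dir/dashboard.key" 2048
    openssl req -new -key "$dir/dashboard.key" \
        -subj "/C=CN/O=iseastar/CN=$cn" -out "$dir/dashboard.csr"
    openssl x509 -req -days 365 -in "$dir/dashboard.csr" \
        -signkey "$dir/dashboard.key" -out "$dir/dashboard.crt"

    # Refuse to build the bundle unless the certificate holds this key's public half.
    cert_pub=$(openssl x509 -in "$dir/dashboard.crt" -noout -pubkey)
    key_pub=$(openssl pkey -in "$dir/dashboard.key" -pubout)
    [ "$cert_pub" = "$key_pub" ] || { echo "certificate/key mismatch" >&2; exit 1; }

    # HAProxy's "crt" option reads certificate and key from one file. A redirect
    # is used instead of tee so the private key is not echoed to the terminal.
    cat "$dir/dashboard.crt" "$dir/dashboard.key" > "$dir/dashboard.pem"
    chmod 600 "$dir/dashboard.key" "$dir/dashboard.pem"
)

# Run directly as: sh script.sh DIR CN
if [ "$#" -ge 2 ]; then
    build_haproxy_pem "$1" "$2"
fi
```
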