http - haproxy:获取主机名

Question

我正在尝试获取请求者主机/IP，因为它涉及到 haproxy 节点。 我的 haproxy 配置如下:

frontend www-http
    bind *:9000
    http-request redirect location https://%fi:9143

frontend www-https
    bind *:9143 ssl crt /root/keys.pem
    reqadd X-Forwarded-Proto:\ https
    default_backend www-backend

backend www-backend
    balance roundrobin
    cookie SERVERID insert indirect nocache
    server server1 1.1.1.1:9080 cookie server1 weight 1 maxconn 1024 check

所以在这里，如果有任何 http 请求，那么我需要转发到 https。 现在请求可能带有完全限定形式的 ip 地址或主机名，例如

http://10.10.10.10:9000 

这需要转发到https://10.10.10.10:9143

同样，请求可能会以完全限定的形式出现主机名，例如

http://myhost.domain.com:9000

这需要转发到https://myhost.domain.com:9143

基本上 10.10.10.10 和 myhost.domain.com 是同一个系统。

现在使用上面的 haproxy 配置，我无法获得下面的内容，因为它是 %fi (frontend_ip)，所以它重定向到 https://10.10.10.10:9143

所以我的问题是如何获取 haproxy 节点的 ip/host，因为它涉及到 haproxy。

我尝试了以下选项，但没有用:

http-request redirect location https://%f:9143
http-request redirect location https://%[req.hdr(Host)]:9143

来自 https://www.haproxy.com/doc/aloha/7.0/haproxy/log_format_rules.html

Answer 1

参见 How do I set a dynamic variable in HAProxy?有关更多详细信息，但以它为基础，以下是适合您的方法:

frontend www-http
    bind *:9000

    # Redirect user from http port to https port
    http-request set-var(req.hostname) req.hdr(Host),field(1,:),lower
    http-request redirect code 301 location https://%[var(req.hostname)]:9143 if !{ ssl_fc }

frontend www-https
    bind *:9143 ssl crt /root/keys.pem
    reqadd X-Forwarded-Proto:\ https
    default_backend www-backend

backend www-backend
    balance roundrobin
    cookie SERVERID insert indirect nocache
    server server1 1.1.1.1:9080 cookie server1 weight 1 maxconn 1024 check

我的情况有点不同，因为我只是想重定向一个统计 UI URL，所以我不必去更新我们内部文档中的每个统计 URL。以下是适合我的情况的方法(以防对其他人有帮助):

userlist stats-auth
    group admin users adminuser
    group readonly users readonlyuser

    # Passwords created via mkpasswd -m sha-512 PASSWORD_HERE
    user adminuser password NOT_REAL_PASSWORD
    user readonlyuser password NOT_REAL_PASSWORD

listen stats

    # Used just for the initial connection before we redirect the user to https
    bind *:4711

    # Combined file containing server, intermediate and root CA certs along
    # with the private key for the server cert.
    bind *:4712 ssl crt /etc/ssl/private/my-site-name_combined_cert_bundle_with_key.pem

    option dontlognull
    mode http
    option httplog

    # Redirect user from http port to https port
    http-request set-var(req.hostname) req.hdr(Host),field(1,:),lower
    http-request redirect code 301 location https://%[var(req.hostname)]:4712/ if !{ ssl_fc }

    acl AUTH            http_auth(stats-auth)
    acl AUTH_ADMIN      http_auth_group(stats-auth) admin

    stats enable

    # The only "site" for using these ports is the admin UI, so use '/' as
    # the base path instead of requiring something like '/haproxy_stats' or
    # '/stats' in order to display the UI.
    stats uri /

    # Force a login if not already authenticated
    stats http-request auth unless AUTH

    # Allow administrator functionality if user logged in using admin creds
    # (there are separate read-only username and password pairs)
    stats admin if AUTH_ADMIN

我省略了前端和后端配置，因为它们更长/更详细。