WebSocket: How to make HAProxy work with RabbitMQ's Web MQTT (MQTT over WebSockets) and add SSL/TLS?
Tags: websocket, rabbitmq, haproxy, paho

I'm struggling to get HAProxy working with RabbitMQ's Web MQTT (MQTT over WebSockets). I've tried a few configurations and tutorials (,) without success. I also tried setting up HAProxy myself, without success. I'd really like to use HAProxy for this, but I'm having a hard time with it.

My intention is to use the JavaScript Paho MQTT client in the browser to connect to the RabbitMQ WebSocket MQTT broker, with an encrypted https/wss connection between them and the TLS/SSL certificate served by the proxy (i.e. SSL/TLS offloading).

When I try to open a secure WebSocket connection through HAProxy, the browser receives an HTTP/1.1 503 Service Unavailable response.

The RabbitMQ server is listening on localhost:15675 for unencrypted WebSocket MQTT connections. HAProxy is listening on ws.mydomain.io:3001.

This is the HAProxy configuration:
global
    log 127.0.0.1 local0
defaults
    log global
    option httplog
    timeout client 5000s
    timeout connect 5000s
    timeout queue 5000s
    timeout server 5000s
frontend https
    bind *:3001 ssl crt /usr/local/etc/haproxy/mydomain.io.pem
    mode http
    log global
    backlog 4096
    default_backend web_mqtt
backend web_mqtt
    mode http
    option forwardfor
    server ws_01 localhost:15675
I tried the same setup with Nginx, and it works. Nginx is listening on ws.mydomain.io:3000:
server {
    listen 3000 ssl;
    server_name ws.mydomain.io;
    ssl_certificate /home/tiago/Keys/mydomain/nginx/mydomain.io.crt;
    ssl_certificate_key /home/tiago/Keys/mydomain/nginx/mydomain.io.key;
    location / {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $host;
        proxy_pass http://ws-backend;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
upstream ws-backend {
    # enable sticky session based on IP
    ip_hash;
    server localhost:15675;
}
RabbitMQ's configuration (rabbitmq.conf):
What am I missing in the HAProxy configuration? How does Nginx manage to proxy the request when HAProxy cannot?
Setup:
- Debian 10 x64
- HAProxy 2.1.3
- JavaScript Paho MQTT client 1.1.0
- Nginx 1.14.2
- RabbitMQ 3.8.3
GET https://ws.mydomain.io:3001/ws
[HTTP/1.1 503 Service Unavailable 3027ms]
Request URL: https://ws.mydomain.io:3001/ws
Request method: GET
Remote address: 127.0.0.1:3001
Status code: 503
Version: HTTP/1.1

Response headers (126 B):
cache-control: no-cache
connection: close
content-length: 107
content-type: text/html

Request headers (484 B):
Accept: */*
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.5
Cache-Control: no-cache
Connection: keep-alive, Upgrade
Host: ws.mydomain.io:3001
Origin: http://localhost:8123
Pragma: no-cache
Sec-WebSocket-Extensions: permessage-deflate
Sec-WebSocket-Key: XXXXXXXXXXXXXXXX==
Sec-WebSocket-Protocol: mqtt
Sec-WebSocket-Version: 13
Upgrade: websocket
User-Agent: Mozilla/5.0 (X11; Linux x86_64…) Gecko/20100101 Firefox/68.0
This is Firefox's message:
Firefox can’t establish a connection to the server at wss://ws.mydomain.io:3001/ws.
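Two details in the trace above point at where the request died. The response's Content-Length of 107 matches the size of HAProxy's built-in 503 page ("No server is available to handle this request."), and the roughly 3 s it took is consistent with HAProxy's default of 3 connection retries with about one second between them. In other words, TLS termination and the frontend worked; HAProxy itself answered because it could not open a connection to the backend at localhost:15675 (the working answer further down uses the literal 127.0.0.1 instead; HAProxy resolves a hostname on a server line once at startup through libc, so if localhost comes back as ::1 while the broker only listens on IPv4 the connect fails, though the page does not confirm that this is the cause here). The script below is an added diagnostic, not code from the question, from HAProxy or from RabbitMQ. It replays the browser's upgrade request over TLS and tells a TLS failure, HAProxy's own 503 and a genuine 101 apart, including the Sec-WebSocket-Accept and subprotocol checks a browser performs before it reports "can't establish a connection". The host, port, path and Origin are the ones from the question and are placeholders; the embedded 503 response is a constructed sample built from the trace.

```python
"""Replay a browser's WSS upgrade against a TLS-terminating proxy.

Added diagnostic for the question above; not code from the original post,
from HAProxy or from RabbitMQ. ws.mydomain.io:3001, /ws and the Origin are
the question's values and are placeholders for your own deployment.
"""
import base64
import hashlib
import os
import socket
import ssl

WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"  # RFC 6455, section 1.3

# Constructed sample: the response headers from the question's browser trace
# plus HAProxy's built-in 503 body, which is exactly 107 bytes long.
HAPROXY_503 = (
    b"HTTP/1.1 503 Service Unavailable\r\n"
    b"cache-control: no-cache\r\n"
    b"connection: close\r\n"
    b"content-length: 107\r\n"
    b"content-type: text/html\r\n"
    b"\r\n"
    b"<html><body><h1>503 Service Unavailable</h1>\n"
    b"No server is available to handle this request.\n"
    b"</body></html>\n"
)


def ws_key() -> str:
    """16 random bytes, base64-encoded, as RFC 6455 requires."""
    return base64.b64encode(os.urandom(16)).decode("ascii")


def expected_accept(key: str) -> str:
    """The Sec-WebSocket-Accept value the server must echo for this key."""
    digest = hashlib.sha1((key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def build_upgrade(host: str, port: int, path: str, key: str,
                  origin: str, subprotocol: str = "mqtt") -> bytes:
    """The upgrade request Firefox sent in the question (minus the
    compression offer), so the proxy sees what the Paho client sends."""
    lines = [
        f"GET {path} HTTP/1.1",
        f"Host: {host}:{port}",
        f"Origin: {origin}",
        "Connection: keep-alive, Upgrade",
        "Upgrade: websocket",
        "Sec-WebSocket-Version: 13",
        f"Sec-WebSocket-Key: {key}",
        f"Sec-WebSocket-Protocol: {subprotocol}",
    ]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def parse_response(raw: bytes):
    """Split a raw HTTP response into (status, lower-cased header dict)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def classify(status: int, headers: dict, key: str, subprotocol: str = "mqtt"):
    """Return (ok, reason). Each 101 check is one the browser also makes."""
    if status == 101:
        if headers.get("upgrade", "").lower() != "websocket":
            return False, "101 without 'Upgrade: websocket'"
        if headers.get("sec-websocket-accept") != expected_accept(key):
            return False, "Sec-WebSocket-Accept does not match our key"
        if headers.get("sec-websocket-protocol") != subprotocol:
            return False, f"server did not select subprotocol '{subprotocol}'"
        return True, "websocket established"
    if status == 503:
        # TLS and the frontend worked; the proxy could not reach a backend.
        who = "HAProxy's own error page" if headers.get("content-length") == "107" else "503"
        return False, f"{who}: no backend server reachable (check server address, port, retries)"
    if status == 400:
        return False, "400: proxy or broker rejected the upgrade headers"
    return False, f"unexpected status {status}"


def probe(host: str, port: int, path: str = "/ws",
          origin: str = "http://localhost:8123", verify: bool = True):
    """Live check: TLS-connect, send the upgrade, classify the reply.
    Needs network access to the proxy; not exercised by the offline test."""
    ctx = ssl.create_default_context()
    if not verify:  # only for self-signed test certificates
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    key = ws_key()
    with socket.create_connection((host, port), timeout=10) as tcp:
        with ctx.wrap_socket(tcp, server_hostname=host) as tls:
            tls.sendall(build_upgrade(host, port, path, key, origin))
            raw = tls.recv(4096)
    status, headers = parse_response(raw)
    return classify(status, headers, key)


if __name__ == "__main__":
    print(probe("ws.mydomain.io", 3001))
```

If the TLS handshake itself fails you get an ssl.SSLError before any HTTP status, which separates certificate problems from proxying problems; a 503 carrying the 107-byte body is HAProxy talking, so the next thing to look at is the backend's server line and HAProxy's log for the SC termination flags; only a 101 with a matching Accept value and "mqtt" echoed back means the Paho client would actually get through.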
He also had a similar problem.

I'm not very familiar with haproxy, and I don't want to tell you what you did wrong. But I can share my configuration with you, which is working.

The backend be_mqtt_www was never used, so it's probably not necessary.
global
    log /dev/log local0
    log /dev/log local1 notice
    chroot /var/lib/haproxy
    stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
    stats timeout 30s
    user haproxy
    group haproxy
    daemon
    # Default SSL material locations
    ca-base <path_to_certs>
    crt-base <path_to_certs>
    # See: https://ssl-config.mozilla.org/#server=haproxy&server-version=2.0.3&config=intermediate
    ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
    ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
    ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
defaults
    log global
    mode http
    option httplog
    option dontlognull
    option redispatch
    # values without a unit are milliseconds
    timeout connect 5000
    timeout client 50000
    timeout server 50000
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http
# proxy for ui (management plugin)
frontend ft_rabbitmq_https
    bind *:443 ssl crt <path_to_cert>
    mode http
    option httpclose
    option forwardfor
    default_backend bk_rabbitmq_ui
backend bk_rabbitmq_ui
    # httpchk is a backend-side option; it has no effect when placed in a frontend
    option httpchk
    server localhost 127.0.0.1:15672 check
# proxy for mqtt-tls: TLS terminated here, plain MQTT passed through in tcp mode
listen mqtt
    bind *:8883 ssl crt <path_to_cert>
    mode tcp
    option clitcpka
    timeout client 3h
    timeout server 3h
    option tcplog
    server localhost 127.0.0.1:1883 check
# proxy for tls-websockets: route on the Upgrade header, everything else to the plain backend
frontend fe_mqtt_wss
    bind *:9001 ssl crt <path_to_cert>
    mode http
    option http-server-close
    acl is_websocket hdr(Upgrade) -i WebSocket
    use_backend be_mqtt_ws if is_websocket
    default_backend be_mqtt_www
backend be_mqtt_ws
    timeout server 600s
    # a server address is host:port only; the /ws path comes from the client's request URI
    server localhost 127.0.0.1:15675 check
backend be_mqtt_www
    timeout server 600s
    server localhost 127.0.0.1:15675 check
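A small lint for the HAProxy points this thread turns on, added here as an example; it is not code from the question, the answer or HAProxy. It parses HAProxy's line-oriented syntax just far enough to flag a server address that carries a URL path (the answer's be_mqtt_ws line as originally posted, with /ws appended), a server named by hostname rather than an IP literal (the question's localhost:15675; HAProxy resolves such names once at startup through libc unless a resolvers section is configured), a TLS bind with no explicit minimum protocol version, and option httpchk placed in a frontend, where it is a backend-side option and has no effect. The two embedded snippets are trimmed from the configurations posted on this page.

```python
"""Lint the HAProxy points raised on this page.

Added example, not code from the original question, the answer or HAProxy.
The two snippets are trimmed from the configs posted above.
"""
import ipaddress

QUESTION_CFG = """\
global
    log 127.0.0.1 local0
frontend https
    bind *:3001 ssl crt /usr/local/etc/haproxy/mydomain.io.pem
    mode http
    default_backend web_mqtt
backend web_mqtt
    mode http
    option forwardfor
    server ws_01 localhost:15675
"""

ANSWER_CFG = """\
global
    ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
frontend fe_mqtt_wss
    bind *:9001 ssl crt <path_to_cert>
    mode http
    option httpchk
    acl is_websocket hdr(Upgrade) -i WebSocket
    use_backend be_mqtt_ws if is_websocket
    default_backend be_mqtt_www
backend be_mqtt_ws
    timeout server 600s
    server localhost 127.0.0.1:15675/ws check
backend be_mqtt_www
    server localhost 127.0.0.1:15675 check
"""

SECTION_KEYWORDS = ("global", "defaults", "frontend", "backend", "listen")


def parse_sections(text):
    """Return [(kind, name, [directive token lists])] for each HAProxy section."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments and blank lines
        if not line:
            continue
        tokens = line.split()
        if tokens[0] in SECTION_KEYWORDS:
            sections.append((tokens[0], tokens[1] if len(tokens) > 1 else "", []))
        elif sections:
            sections[-1][2].append(tokens)
    return sections


def split_host(addr):
    """Host part of an HAProxy address: host, host:port, [v6]:port or bare v6."""
    if addr.startswith("["):
        return addr[1:addr.index("]")]
    if addr.count(":") > 1:  # bare IPv6 literal without a port
        return addr
    return addr.rpartition(":")[0] or addr


def lint(text):
    """Return a list of findings, each formatted as 'section: message'."""
    findings = []
    sections = parse_sections(text)
    has_global_floor = any(
        kind == "global" and d[0] == "ssl-default-bind-options" and "ssl-min-ver" in d
        for kind, _, directives in sections for d in directives)
    for kind, name, directives in sections:
        where = f"{kind} {name}".strip()
        for d in directives:
            if d[0] == "server" and len(d) >= 3:
                addr = d[2]
                if "/" in addr:
                    findings.append(f"{where}: server '{d[1]}' address '{addr}' carries a path; "
                                    "use host:port, the request path comes from the client")
                    addr = addr.split("/", 1)[0]
                host = split_host(addr)
                try:
                    ipaddress.ip_address(host)
                except ValueError:
                    findings.append(f"{where}: server '{d[1]}' uses hostname '{host}', resolved "
                                    "once at startup via libc unless a 'resolvers' section is "
                                    "configured; 'localhost' may resolve to ::1")
            elif d[0] == "bind" and "ssl" in d:
                if "ssl-min-ver" not in d and not has_global_floor:
                    findings.append(f"{where}: '{' '.join(d)}' terminates TLS without an explicit "
                                    "minimum version; set ssl-min-ver here or in "
                                    "ssl-default-bind-options")
            elif d[0] == "option" and len(d) > 1 and d[1] == "httpchk" and kind == "frontend":
                findings.append(f"{where}: 'option httpchk' is a backend option and has no "
                                "effect in a frontend")
    return findings


if __name__ == "__main__":
    for label, cfg in (("question", QUESTION_CFG), ("answer", ANSWER_CFG)):
        print(label)
        for finding in lint(cfg):
            print("  -", finding)
```

Run against the question's config it reports the hostname on the server line and the missing TLS floor; against the answer's it reports only the /ws path on the be_mqtt_ws server line and the misplaced httpchk, which disappear once the address is written as 127.0.0.1:15675 and the option is moved to a backend. Extend the directive checks as needed; the parser already hands you each section's directives as token lists.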