Versions Compared


  • This line was added.
  • This line was removed.
  • Formatting was changed.

При одновременной балансировке сервер HAProxy будет принимать запросы и как веб-сервер на адреса apicore, и как RDS сервер.

Необходимо указать адрес HAProxy в файлах:

Code Block
"apiServer"core":  {
   "url":  "https://haproxy.domain.local/pam/core"
"idp":  {
   "url":  "https://haproxy.domain.local/api"/pam/idp",
   "requireHttps":  true

Code Block
"apiServercore":  {
   "url":  "https://haproxy.domain.local/apipam/core"
"gatewayServeridp":  {
   "addressurl":  "https://haproxy.domain.local/pam/idp",
   "requireHttps":  true

Code Block
titleC:\Program Files\Indeed\inRights Indeed PAM\Gateway\ProxyApp\Pam.Proxy.App.exeappsettings.json
"Core":  {
  "Url":  <pamProxy ApiUrl="https://haproxy.domain.local/api" IdpUrl=pam/core"
"Auth":  {
  "IdpUrl":  "https://pam1haproxy.domain.local/pam/idp",

Code Block
titleC:\Program Files\Indeed\Indeed PAM\SSH Proxy\appsettings.json
"Settings":  {
  "CoreUrl":  "https://haproxy... FileCopyMinBytesToSave="1048576" />
  "IdpUrl":  "https://haproxy.domain.local/pam/idp",

Таким образом, в конфигурации HAProxy должны быть настроены отдельные frontend и backend для каждого сервиса.

Для двух PAM Core и двух PAM Gateway конфигурация HAProxy представлена ниже:

Code Block
    log		/dev/log local2 debug
    chroot      /var/lib/haproxy
    pidfile     /var/run/
    maxconn     4000
    user        haproxy
    group       haproxy
    stats socket /var/lib/haproxy/stats
    stats timeout 30s
    ssl-default-bind-ciphers PROFILE=SYSTEM
    ssl-default-server-ciphers PROFILE=SYSTEM
    ssl-dh-param-file /etc/haproxy/dhparams.pem

    mode		tcp
    log                     global
    option                  httplog
    option                  dontlognull
    option                  redispatch
    balance	            roundrobin
    retries                 3
    timeout connect         10s
    timeout client          1h
    timeout server          1h

listen stats
    mode http
    bind *:8888 ssl crt /etc/haproxy/haora8testcomhaproxydomainlocal.pem
    stats enable
    timeout client	5m
    timeout server	5m
    stats realm Haproxy\ Statistics
    stats uri /haproxy
    stats auth stat:stat
    stats hide-version
    stats refresh 3s

# main frontend which proxys to the backends
frontend frontend_pam
    mode http
    bind *:443 ssl crt /etc/haproxy/haora8testcomhaproxydomainlocal.pem
    option forwardfor
    acl url_core path_beg /pam/core
    use_backend backend_api if url_core
    acl url_idp path_beg /pam/idp
    use_backend backend_idp if url_idp
    acl url_mc path_beg /pam/mc
    use_backend backend_mc if url_mc
    acl url_uc path_beg /pam/uc
    use_backend backend_uc if url_uc

frontend frontend_sshp
    mode tcp
    bind *:22022  # порт не должен совпадать с изначальным SSH портом данной Linux машины
    log global
    option tcplog
    default_backend backend_sshp

frontend frontend_gw
    mode tcp
    bind *:3389
    log global
    option tcplog
    tcp-request inspect-delay 2000
    tcp-request content accept if RDP_COOKIE
    default_backend backend_gw

# balancing between the various backends
backend backend_sshp
    mode tcp
    balance leastconn
    option tcp-check
    log global
    tcp-check connect port 22
    timeout server 30m
    timeout connect 5000
    server  gw1 gw1.testdomain.comlocal:22 weight 10 check verify nonerequired ca-file /path/ca-cert.crt
    server  gw2 gw2.testdomain.comlocal:22 weight 10 check verify none required ca-file /path/ca-cert.crt

backend backend_api
    mode http
	balance source
    option prefer-last-server
    option httpchk GET /pam/core/health
    server srv1 srv1.testdomain.comlocal:443 ssl verify none required ca-file /path/ca-cert.crt check inter 3000 fall 3
    server srv2 srv2.testdomain.comlocal:443 ssl verify none required ca-file /path/ca-cert.crt check inter 3000 fall 3

backend backend_idp
    mode http
	balance source
    option prefer-last-server
    option httpchk GET /pam/idp
    server srv1 srv1.testdomain.comlocal:443 ssl verify none required ca-file /path/ca-cert.crt check inter 3000 fall 3
    server srv2 srv2.testdomain.comlocal:443 ssl verify none required ca-file /path/ca-cert.crt check inter 3000 fall 3

backend backend_mc
    mode http
	balance source
    option prefer-last-server
    option httpchk GET /pam/mc
    server srv1 srv1.testdomain.comlocal:443 ssl verify none required ca-file /path/ca-cert.crt check inter 3000 fall 3
    server srv2 srv2.testdomain.comlocal:443 ssl verify nonerequired ca-file /path/ca-cert.crt check inter 3000 fall 3

backend backend_uc
    mode http
	balance source
    option prefer-last-server
    option httpchk GET /pam/uc
    server srv1 srv1.testdomain.comlocal:443 ssl verify none required ca-file /path/ca-cert.crt check inter 3000 fall 3
    server srv2 srv2.testdomain.comlocal:443 ssl verify none required ca-file /path/ca-cert.crt check inter 3000 fall 3

backend backend_gw
    mode tcp
    balance leastconn
    option tcp-check
    log global
    tcp-check connect port 3389
    stick-table type ip size 1m expire 12h
    stick on src
    default-server inter 3000 rise 2 fall 3
    server  gw1 gw1.testdomain.comlocal:3389 weight 10 check verify none required ca-file /path/ca-cert.crt
    server  gw2 gw2.testdomain.comlocal:3389 weight 10 check verify none

required ca-file /path/ca-cert.crt