Page History

При одновременной балансировке сервер HAProxy будет принимать запросы и как веб-сервер на адреса core, и как RDS сервер.

Необходимо указать адрес HAProxy в файлах:

Code Block

language	js
title	C:\inetpub\wwwroot\pam\mc\assets\config\config.prod.json

"core":  {
   "url":  "https://haproxy.domain.local/pam/core"
},
"idp":  {
   "url":  "https://haproxy.domain.local/pam/idp",
   "requireHttps":  true
},

Code Block

language	js
title	C:\inetpub\wwwroot\pam\uc\assets\config\config.prod.json

"core":  {
   "url":  "https://haproxy.domain.local/pam/core"
},
"idp":  {
   "url":  "https://haproxy.domain.local/pam/idp",
   "requireHttps":  true
},

Code Block

language	js
title	C:\Program Files\Indeed\Indeed PAM\Gateway\ProxyApp\appsettings.json

"Core":  {
  "Url":  "https://haproxy.domain.local/pam/core"
},
"Auth":  {
  "IdpUrl":  "https://haproxy.domain.local/pam/idp",

Code Block

language	js
title	C:\Program Files\Indeed\Indeed PAM\SSH Proxy\appsettings.json

"Settings":  {
  "CoreUrl":  "https://haproxy.domain.local/pam/core",
  "IdpUrl":  "https://haproxy.domain.local/pam/idp",
...
}

Таким образом, в конфигурации HAProxy должны быть настроены отдельные frontend и backend для каждого сервиса.

Для двух PAM Core и двух PAM Gateway конфигурация HAProxy представлена ниже:

Code Block

language	js

global
    log		/dev/log local2 debug
    chroot      /var/lib/haproxy
    pidfile     /var/run/haproxy.pid
    maxconn     4000
    user        haproxy
    group       haproxy
    daemon
    stats socket /var/lib/haproxy/stats
    stats timeout 30s
    ssl-default-bind-ciphers PROFILE=SYSTEM
    ssl-default-server-ciphers PROFILE=SYSTEM
    ssl-dh-param-file /etc/haproxy/dhparams.pem

defaults
    mode		tcp
    log                     global
    option                  httplog
    option                  dontlognull
    option                  redispatch
    balance	            roundrobin
    retries                 3
    timeout connect         10s
    timeout client          1h
    timeout server          1h

listen stats
    mode http
    bind *:8888 ssl crt /etc/haproxy/haproxydomainlocal.pem
    stats enable
    timeout client	5m
    timeout server	5m
    stats realm Haproxy\ Statistics
    stats uri /haproxy
    stats auth stat:stat
    stats hide-version
    stats refresh 3s

#---------------------------------------------------------------------
# main frontend which proxys to the backends
#---------------------------------------------------------------------
frontend frontend_pam
    mode http
    bind *:443 ssl crt /etc/haproxy/haproxydomainlocal.pem
    option forwardfor
    acl url_core path_beg /pam/core
    use_backend backend_api if url_core
    acl url_idp path_beg /pam/idp
    use_backend backend_idp if url_idp
    acl url_mc path_beg /pam/mc
    use_backend backend_mc if url_mc
    acl url_uc path_beg /pam/uc
    use_backend backend_uc if url_uc

frontend frontend_sshp
    mode tcp
    bind *:22  # порт не должен совпадать с изначальным SSH портом данной Linux машины
    log global
    option tcplog
    default_backend backend_sshp

frontend frontend_gw
    mode tcp
    bind *:3389
    log global
    option tcplog
    tcp-request inspect-delay 2000
    tcp-request content accept if RDP_COOKIE
    default_backend backend_gw

#---------------------------------------------------------------------
# balancing between the various backends
#---------------------------------------------------------------------
backend backend_sshp
    mode tcp
    balance leastconn
    option tcp-check
    log global
    tcp-check connect port 22
    timeout server 30m
    timeout connect 5000
    server  gw1 gw1.domain.local:22 weight 10 check verify required    ca-file /path/ca-cert.crt
    server  gw2 gw2.domain.local:22 weight 10 check verify required  backend ca-file /path/ca-cert.crt

backend backend_api
    mode http
	balance source
    option prefer-last-server
    option httpchk GET /pam/core/health
    server srv1 srv1.domain.local:443 ssl verify required ca-file /path/ca-cert.crt check inter 3000 fall 3
    server srv2 srv2.domain.local:443 ssl verify required ca-file /path/ca-cert.crt check inter 3000 fall 3

backend backend_idp
    mode http
	balance source
    option prefer-last-server
    option httpchk GET /pam/idp
    server srv1 srv1.domain.local:443 ssl verify required ca-file /path/ca-cert.crt check inter 3000 fall 3
    server srv2 srv2.domain.local:443 ssl verify required ca-file /path/ca-cert.crt check inter 3000 fall 3

backend backend_mc
    mode http
	balance source
    option prefer-last-server
    option httpchk GET /pam/mc
    server srv1 srv1.domain.local:443 ssl verify required ca-file /path/ca-cert.crt check inter 3000 fall 3
    server srv2 srv2.domain.local:443 ssl verify required ca-file /path/ca-cert.crt check inter 3000 fall 3

backend backend_uc
    mode http
	balance source
    option prefer-last-server
    option httpchk GET /pam/uc
    server srv1 srv1.domain.local:443 ssl verify required ca-file /path/ca-cert.crt check inter 3000 fall 3
    server srv2 srv2.domain.local:443 ssl verify required ca-file /path/ca-cert.crt check inter 3000 fall 3

backend backend_gw
    mode tcp
    balance leastconn
    option tcp-check
    log global
    tcp-check connect port 3389
    stick-table type ip size 1m expire 12h
    stick on src
    default-server inter 3000 rise 2 fall 3
    server  gw1 gw1.domain.local:3389 weight 10 check verify required    ca-file /path/ca-cert.crt
    server  gw2 gw2.domain.local:3389 weight 10 check verify required   ca-file /path/ca-cert.crt

Page tree

Versions Compared

Old Version 8

New Version Current

Key