stunnel + haproxy SSL, with a record of the problems met
2011-04-06 18:03

Lately I have been using stunnel as a transparent proxy together with haproxy as the SSL solution: stunnel is inserted between the users and the existing reverse proxy, so the user-to-stunnel leg runs over SSL and the real web servers behind stunnel do not have to carry the cost of HTTPS.

Here are the setup steps and the problems met along the way; the installation below worked on both CentOS and Ubuntu.

First get the source package from the stunnel site. Because stunnel needs the haproxy patch, and the patch haproxy currently provides is for version 4.32, stunnel 4.32 is the version to use. It is on the official FTP server at ftp://ftp.stunnel.org/stunnel/obsolete/4.x/; here the matching version is synced with rsync:
[code]rsync rsync.stunnel.org::stunnel/obsolete/4.x/stunnel-4.32.tar.gz stunnel-4.32.tar.gz
wget http://haproxy.1wt.eu/download/patches/stunnel-4.32-xforwarded-for.diff
tar -zxvf stunnel-4.32.tar.gz
cd stunnel-4.32
patch -p1 < ../stunnel-4.32-xforwarded-for.diff
./configure
make && make install
[/code]
If "Couldn't find your SSL library installation dir" appears during the steps above, the OpenSSL development headers are missing; install them and repeat the steps:
[code]apt-get install libcurl3-openssl-dev
[/code]
or:
[code]yum install openssl-devel
[/code]
Configure stunnel.conf:
[code]sslVersion = all
fips = no
cert = /usr/local/etc/stunnel/stunnel.pem
CAfile = /usr/local/etc/stunnel/cacert.pem
pid = /var/run/stunnel.pid
setuid = root
setgid = root
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
output = /var/log/stunnel.log

[https]
accept = 443
connect = 127.0.0.1:8080
TIMEOUTclose = 0
xforwardedfor = yes
[/code]
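Two of the settings above deserve a second look before this configuration goes anywhere near production: setuid/setgid = root runs the TLS endpoint with full privilege (the nobody permission error further down is the price of stunnel's safer default user), and sslVersion = all enables SSLv2 and SSLv3 alongside TLS. As an added example (not from the post and not part of stunnel), the following Python script parses a stunnel.conf in the layout shown above and reports those settings, a CAfile that has no verify level (stunnel only consults CAfile when verify is set), and any service that forwards decrypted traffic off-host. It assumes only the file syntax seen on this page: `key = value` lines, `[service]` sections, `;` or `#` comments.

```python
"""Audit a stunnel.conf for settings a reviewer would question.

Added example, not from the post and not part of stunnel. It assumes only
the stunnel.conf layout shown above: global options first, then one
[service] section per tunnel, 'key = value' lines, ';' or '#' comments.
"""
from typing import Dict, List, Optional, Tuple

# The configuration from the post, embedded so the audit runs offline.
SAMPLE_CONF = """\
sslVersion = all
fips = no
cert = /usr/local/etc/stunnel/stunnel.pem
CAfile = /usr/local/etc/stunnel/cacert.pem
pid = /var/run/stunnel.pid
setuid = root
setgid = root
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
output = /var/log/stunnel.log

[https]
accept = 443
connect = 127.0.0.1:8080
TIMEOUTclose = 0
xforwardedfor = yes
"""

Options = Dict[str, List[str]]  # lower-cased option name -> values in file order


def parse_stunnel_conf(text: str) -> Tuple[Options, Dict[str, Options]]:
    """Split a stunnel.conf into (global options, {service name: options}).

    Values are kept as lists because some options, such as 'socket',
    legitimately repeat. Option names are lower-cased because stunnel
    treats 'TIMEOUTclose' and 'timeoutclose' alike.
    """
    global_opts: Options = {}
    services: Dict[str, Options] = {}
    current = global_opts
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = services.setdefault(line[1:-1].strip(), {})
            continue
        if "=" not in line:
            raise ValueError(f"malformed stunnel.conf line: {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        current.setdefault(key.lower(), []).append(value)
    return global_opts, services


def _first(opts: Options, name: str) -> Optional[str]:
    values = opts.get(name.lower())
    return values[0] if values else None


def _connect_host(target: str) -> str:
    """'127.0.0.1:8080' -> '127.0.0.1'; a bare port such as '8080' means localhost."""
    return target.rsplit(":", 1)[0] if ":" in target else "127.0.0.1"


def audit_stunnel_conf(text: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    global_opts, services = parse_stunnel_conf(text)
    findings: List[str] = []

    if "root" in (_first(global_opts, "setuid"), _first(global_opts, "setgid")):
        findings.append("setuid/setgid = root: the TLS endpoint runs with full privilege; "
                        "use a dedicated unprivileged user that can write the pid directory")
    version = _first(global_opts, "sslVersion")
    if version and version.lower() == "all":
        findings.append("sslVersion = all: SSLv2 and SSLv3 are enabled; pin the newest "
                        "version the clients support")
    if _first(global_opts, "CAfile") and not _first(global_opts, "verify"):
        findings.append("CAfile is set but 'verify' is not, so the CA file is never consulted")
    if not _first(global_opts, "ciphers"):
        findings.append("no 'ciphers' line: the OpenSSL default cipher list applies")

    for name, svc in services.items():
        if "accept" in svc and "connect" not in svc:
            findings.append(f"[{name}]: 'accept' without a 'connect' target")
        for target in svc.get("connect", []):
            if _connect_host(target) not in ("127.0.0.1", "localhost", "::1", "[::1]"):
                findings.append(f"[{name}]: decrypted traffic leaves the host for {target}")
    return findings


if __name__ == "__main__":
    for finding in audit_stunnel_conf(SAMPLE_CONF):
        print("-", finding)
```

Run against the post's configuration it reports the root user, sslVersion = all, the unused CAfile and the missing ciphers line; a copy with a dedicated user, a pinned protocol version, a verify level and an explicit cipher list comes back clean.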
-----------------------------------------------------------------------------
With the steps above done, it can be started:
[code]stunnel
[/code]
If running stunnel fails with "routines:FIPS_mode_set:fingerprint does not match", the fips = no setting above fixes it. If there is a permission error for the nobody user, set:
[code]chmod 755 /var/run/stunnel/
[/code]
-------------------------------------------------------------------------------
About SSL certificates
Using a self-signed certificate:
[code]openssl req -new -x509 -days 365 -nodes -out stunnel.pem -keyout stunnel.pem
[/code]
If you have an existing certificate, import the pfx and the CA (and set the matching CAfile parameter in the config file):
[code]openssl
// cer -> pem (add -inform DER if the .cer file is binary DER rather than PEM)
openssl> x509 -in cacert.cer -out cacert.pem
// pfx -> pem
openssl> pkcs12 -in stunnel.pfx -out stunnel.pem -nodes
[/code]
To simplify certificate handling we usually issue or buy a wildcard certificate such as *.xxx.org, which all sites under that second-level domain can share; note that *.*.xxx.org is not valid.
-------------------------------------------------------------------------------
Other
stunnel can only proxy for Linux machines, and can proxy by IP or by IP + port.
Simple and efficient, a handy system tool :)
Installing haproxy, while we are at it. Find the version you need at http://haproxy.1wt.eu/download/1.4/src/; taking CentOS 5 as the example:
[code]wget http://haproxy.1wt.eu/download/1.4/src/haproxy-1.4.9.tar.gz
tar -zxvf haproxy-1.4.9.tar.gz
cd haproxy-1.4.9
make TARGET=linux26 PREFIX=/usr/local/
make install PREFIX=/usr/local/
[/code]
Some problems seen in real use and their fixes
Under IE6, using the SSL tunnel fails with "Page cannot load". This is an OpenSSL compatibility issue; the official FAQ has a section on it (http://www.stunnel.org/?page=faq, see also http://www.daniweb.com/hardware-and-software/microsoft-windows/web-browsers/threads/50765): stunnel added a compatibility option but did not give the concrete fix. The fix is to change stunnel.conf as follows:
[code]ciphers = RC4-SHA
options = DONT_INSERT_EMPTY_FRAGMENTS
[/code]
For reference, the cipher suites IE6 supports (the complete list is on the OpenSSL site):
[code]SSL_RSA_WITH_RC4_128_MD5
SSL_RSA_WITH_RC4_128_SHA
SSL_RSA_WITH_3DES_EDE_CBC_SHA
SSL2_CK_RC4
SSL2_CK_3DES
SSL2_CK_RC2
SSL_RSA_WITH_DES_CBC_SHA
SSL2_CK_DES
SSL_RSA_EXPORT1024_WITH_RC4_56_SHA
SSL_RSA_EXPORT1024_WITH_DES_CBC_SHA
SSL_RSA_EXPORT_WITH_RC4_40_MD5
SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5
SSL2_CK_RC4_EXPORT40
SSL2_CK_RC2_EXPORT40
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
SSL_DHE_DSS_WITH_DES_CBC_SHA
SSL_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA
[/code]
Pick a suitable cipher; the log shows whether the cipher list loaded:
[code]tail -f /var/log/stunnel.log
[/code]
The screenshot above (a log excerpt, not reproduced here) shows the output when ciphers is set incorrectly. Note too that sslVersion in the config file affects which ciphers can match.
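A quicker check than watching the log after a restart is to resolve the ciphers string against the local OpenSSL first. This added example (not from the post) uses Python's ssl module, which hands the string to the same OpenSSL cipher-list parser that stunnel's ciphers option uses, so an empty result is the "no cipher match" condition the log excerpt shows. OpenSSL 1.1.0 and later drop RC4 from default builds, so on a current host the post's RC4-SHA resolves to nothing; that line was a 2011 workaround for IE6, not something to copy today. The conf snippet embedded below is the one from the post; the cipher names in the usage lines are assumptions.

```python
"""Resolve a stunnel 'ciphers' value against the local OpenSSL before restarting.

Added example, not from the post. It relies on Python's ssl module, which
passes the cipher string to the same OpenSSL cipher-list syntax that
stunnel's 'ciphers' option uses, so an empty result here predicts the
cipher failure the post's log excerpt shows. CONF_SNIPPET is the
configuration fragment from the post.
"""
import re
import ssl
from typing import Dict, List, Optional

CONF_SNIPPET = """\
ciphers = RC4-SHA
options = DONT_INSERT_EMPTY_FRAGMENTS
"""


def ciphers_from_conf(conf_text: str) -> Optional[str]:
    """Pull the value of the 'ciphers =' line out of a stunnel.conf fragment."""
    match = re.search(r"^\s*ciphers\s*=\s*(.+?)\s*$", conf_text,
                      re.IGNORECASE | re.MULTILINE)
    return match.group(1) if match else None


def resolve_cipher_spec(spec: str) -> List[Dict[str, object]]:
    """Expand an OpenSSL cipher string into the TLS 1.2-and-below suites it selects.

    Each entry carries the OpenSSL name, protocol and key strength. TLS 1.3
    suites are left out because OpenSSL configures them separately and the
    cipher string does not affect them. An empty list means OpenSSL rejected
    the string outright ("no cipher can be selected"), which is what makes
    stunnel refuse the configuration.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(spec)
    except ssl.SSLError:
        return []
    return [
        {"name": c["name"], "protocol": c["protocol"], "bits": c["strength_bits"]}
        for c in ctx.get_ciphers()
        if c["protocol"] != "TLSv1.3"
    ]


def weakest_bits(spec: str) -> int:
    """Lowest key strength any suite in the spec offers; 0 if nothing matched."""
    suites = resolve_cipher_spec(spec)
    return min((int(s["bits"]) for s in suites), default=0)


if __name__ == "__main__":
    spec = ciphers_from_conf(CONF_SNIPPET)
    print(f"ciphers = {spec!r} resolves to {len(resolve_cipher_spec(spec))} suite(s) here")
    # Assumed modern list for comparison; not from the post.
    for suite in resolve_cipher_spec("ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256"):
        print(suite)
```

Feed it the ciphers line from your own stunnel.conf before restarting; a zero count means stunnel would log the same error the post shows, and weakest_bits tells you the floor the list allows on the build you actually run.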
-------------------------------------------------------------------------------------------------------
Because the client-to-stunnel leg is SSL while haproxy-to-web is plain HTTP, the URL the web server actually receives is http. To let the web server know whether the client requested http or https, add the following haproxy configuration:
[code]option forwardfor
option httpclose
reqadd X-Forwarded-Proto:\ https
[/code]
On the web side, read the request header X-Forwarded-Proto to tell them apart.
A note on the httpclose setting: without it, only the first request on a connection carries the X-Forwarded headers; with it, keep-alive is disabled, so things like Windows authentication stop working.
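What the web side does with those headers matters as much as setting them: X-Forwarded-Proto and X-Forwarded-For are ordinary request headers, so an application that believes them from any peer can be told it is on HTTPS when it is not. The following added example (not from the post) is a backend-side check in Python that trusts the headers only when the TCP peer is the haproxy on 127.0.0.1 from the setup above, takes the last value of each header (the one haproxy appended with reqadd and option forwardfor), and falls back to plain http when the header is missing, which is the kept-alive case the httpclose note describes. The header lists are constructed sample requests.

```python
"""Derive the scheme and client address a backend should trust behind haproxy.

Added example, not from the post. It assumes the topology above: stunnel
terminates TLS and hands the request to haproxy on the same host, and
haproxy adds X-Forwarded-For / X-Forwarded-Proto with the configuration
shown. The header lists below are constructed sample requests.
"""
from ipaddress import ip_address, ip_network
from typing import Iterable, List, Sequence, Tuple

Header = Tuple[str, str]

# Only haproxy on the loopback interface is allowed to speak for the client.
TRUSTED_PROXIES = (ip_network("127.0.0.1/32"),)


def header_values(headers: Iterable[Header], name: str) -> List[str]:
    """All values of a header in wire order; comma-joined lists are split out."""
    wanted = name.lower()
    values: List[str] = []
    for key, value in headers:
        if key.lower() == wanted:
            values.extend(v.strip() for v in value.split(",") if v.strip())
    return values


def effective_request(peer_ip: str, headers: Sequence[Header],
                      trusted=TRUSTED_PROXIES) -> Tuple[str, str]:
    """Return (scheme, client_ip) the application may rely on.

    A peer that is not a trusted proxy gets no say: its X-Forwarded-* headers
    are ignored and the TCP peer address is the client. Behind a trusted
    proxy the *last* value wins, because haproxy's 'reqadd' and 'option
    forwardfor' append after anything the client sent, so the rightmost
    value is the one the proxy wrote.
    """
    peer = ip_address(peer_ip)
    if not any(peer in net for net in trusted):
        return "http", peer_ip

    protos = header_values(headers, "X-Forwarded-Proto")
    # Absent header: without 'option httpclose' only the first request on a
    # kept-alive connection carries it, as the post notes; default to http.
    scheme = "https" if protos and protos[-1].lower() == "https" else "http"

    forwarded = header_values(headers, "X-Forwarded-For")
    client = forwarded[-1] if forwarded else peer_ip
    try:
        ip_address(client)
    except ValueError:        # unparsable header value: fall back to the peer
        client = peer_ip
    return scheme, client


# Constructed samples: a request relayed by haproxy, and a connection that
# bypassed the proxy and carries the header itself.
VIA_HAPROXY: List[Header] = [
    ("Host", "www.example.org"),
    ("X-Forwarded-For", "198.51.100.7"),
    ("X-Forwarded-Proto", "https"),
]
DIRECT_WITH_HEADER: List[Header] = [
    ("Host", "www.example.org"),
    ("X-Forwarded-Proto", "https"),
]

if __name__ == "__main__":
    print(effective_request("127.0.0.1", VIA_HAPROXY))         # ('https', '198.51.100.7')
    print(effective_request("203.0.113.9", DIRECT_WITH_HEADER))  # ('http', '203.0.113.9')
```

If the web server is reachable on a second interface, the same rule applies there: the header is only meaningful on connections that arrived from haproxy, and the cheapest way to make that hold is to bind the backend to 127.0.0.1 as the post's connect = 127.0.0.1:8080 already does.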
-------------------------------------------------------------------------------------------------------
HTTPS pages that fail to open in IE on Windows XP after a patch:
http://www.microsoft.com/downloads/zh-cn/details.aspx?FamilyID=6429fd02-8138-4919-9942-80d62ecef22e&DisplayLang=zh-cn