小贝子编程

如何把haproxy放在套接字前面.使用SSL?获得混合内容警告



我一直使用这个设置将haproxy放在node.js和socket.io前面。

haproxy设置中的一些代码:

frontend wwws
    bind 0.0.0.0:443 ssl crt /etc/haproxy/ovee.pem
    timeout client 1h
    default_backend www_backend
    acl is_websocket hdr(Upgrade) -i WebSocket
    use_backend websocket_backend if is_websocket
    tcp-request inspect-delay 500ms
    tcp-request content accept if HTTP
    use_backend flashsocket_backend if !HTTP
frontend flash_policy
    bind 0.0.0.0:843
    timeout client 5s
    default_backend nodejs_flashpolicy
backend www_backend
    balance roundrobin
    option forwardfor
    server apache2 apache-backend:3001 weight 1 maxconn 1024 check  
    timeout connect 5s
    timeout http-request 3s
    timeout server 25s
backend websocket_backend
    mode http
    option forwardfor
    option http-server-close
    option forceclose
    no option httpclose
    server server1 socket-backend:3000 weight 1 maxconn 16384 check

nodeServer.js 

var fs =    require('fs');
var express = require('express'), 
app = express(), 
http = require('http').createServer(app), 
io = require("socket.io").listen(http),

它似乎在第一次连接时工作得很好,但随后浏览器阻止了Mixed Content的所有套接字连接尝试。

The page at 'https://domain.com/391' was loaded over HTTPS, 
 but requested an insecure XMLHttpRequest endpoint 
'http://domain.com:3000/socket.io/?EIO=3&transport=polling&t=1456666556035-0'. 
 This request has been blocked; the content must be served over HTTPS.

我知道这是由于我的连接插座。用Http代替Https

client.js 

socket = io.connect('http://domain.com:3000', {
  'force new connection': false,
  'reconnection delay': 500,
  'max reconnection attempts': 10
}),

我已经尝试使用SSL noserver .js,但不连接到套接字,我不认为这是必要的,因为我使用haproxy做所有的转发:

在noserver .js中,我改成:

var fs =    require('fs'),
sslOption = {
    key:    fs.readFileSync('/ssl/crt/zz.key'),
    cert:   fs.readFileSync('/ssl/crt/zz.crt'),
    ca:     fs.readFileSync('/ssl/crt/zz-ca.crt'),
    requestCert: true
},
express = require('express'), 
app = express(), 
https = require('https').createServer(app), 
io = require("socket.io").listen(https),

client.js 

socket = io.connect('https://domain.com:3000', {
  'force new connection': false,
  'reconnection delay': 500,
  'max reconnection attempts': 10
}),

有没有人把haproxy放在node.js和socket.io前面?我应该用什么来连接到插座?从client.js的IO ?

我已经设法解决了这个问题。我不应该在client.js中使用https:domain.com:3000。我应该让haproxy进行SSL转发。下面是使SSL与socket.io一起工作的设置。我希望偶然发现它的人能纠正任何过时或错误的地方:

frontend www
    bind 0.0.0.0:80
    mode http
    timeout client 5s
    redirect scheme https if !{ ssl_fc }
    acl is_socket hdr(Upgrade) -i WebSocket
    acl is_socket hdr_beg(Host) -i wss
    use_backend socket if is_socket
frontend www-https
   bind 0.0.0.0:443 ssl crt /ssl/domain.pem
   timeout client  1h

   ### Set up a check to identify the connection url initated by socket.io https://domain.com/socket.io/?EIO=3&transport=polling&t=1441877956651, if matched, forward to node backend
   acl is_node path_beg /socket.io/ 
   use_backend node if is_websocket

   ### I'm not sure if this one is necessary for wss://domain.com
   acl is_websocket2 hdr(Upgrade) -i WebSocket
   acl is_websocket2 hdr_beg(Host) -i ws
   use_backend socket if is_websocket2
   default_backend apache2
   tcp-request inspect-delay 500ms
   tcp-request content accept if HTTP
   use_backend flashsocket_backend if !HTTP

frontend flash_policy
    bind 0.0.0.0:843
    timeout client 5s
    default_backend nodejs_flashpolicy
###  setting for apache, skipped because it's not the focus of the question 
backend apache
### 
backend flashsocket_backend
    server server1 ipaddress:3000 weight 1 maxconn 16384 check
backend nodejs_flashpolicy
    server server1 ipaddress:10843 maxconn 16384 check

backend node
    mode http 
    timeout server 1h
    timeout connect 1s  
    option httpclose
    option forwardfor
    server server1 ipaddress:3000 weight 1 maxconn 1024 check

backend socket
    balance roundrobin
    option forwardfor
    option httpclose
    timeout queue 5000
    timeout server 86400000
    timeout connect 86400000
    server server1 127.0.0.1:9000 weight 1 maxconn 1024 check

然后在client.js中,我将连接地址更改为:

socket = io.connect('https://domain.com', {
  'force new connection': false,
  'reconnection delay': 500,
  'max reconnection attempts': 10,
})

使用'https://domain.com'而不是'http://domain.com:3000',这样连接将首先传递给ha-proxy。

nodeServer.js中没有什么需要改变的。继续使用http, Haproxy将为您完成所有SSL转发。

var fs =    require('fs'),
express = require('express'), 
app = express(), 
http = require('http').createServer(app), 
io = require("socket.io").listen(http),

相关内容

最新更新


热门标签:

javascript python java c# php android html jquery c++ css ios sql mysql arrays asp.net json python-3.x ruby-on-rails .net sql-server django objective-c excel regex ruby linux ajax iphone xml vba spring asp.net-mvc database wordpress string postgresql wpf windows xcode bash git oracle list vb.net multithreading eclipse algorithm macos powershell visual-studio image forms numpy scala function api selenium