System: Debian 12
Use case: reverse proxying a website
Prerequisite: the backend site already has its TLS certificate configured and its domain bound
Point the domain's DNS record at the IP of the server where HAProxy will be installed
One-click script
curl -sS -O https://raw.githubusercontent.com/woniu336/open_shell/main/fd-haproxy.sh && chmod +x fd-haproxy.sh && ./fd-haproxy.sh
To do it by hand instead, pick a server with a decent network route and proceed as follows.
Installing HAProxy
apt install haproxy -y
Once installed, start the haproxy service and enable it at boot:
systemctl start haproxy
systemctl enable haproxy
HAProxy's configuration file lives at /etc/haproxy/haproxy.cfg by default.
Next, edit that file:
nano /etc/haproxy/haproxy.cfg
Configuring the HAProxy frontend and backend
This reverse proxies ports 80 and 443 of the backend site; only the backend server IP needs to be changed. Port 443 runs in TCP mode, so TLS is passed through to the backend untouched (which is why the certificate must live on the backend).
Note: 8.8.8.8 is a backup server (comment it out if you don't need one). To load-balance across both servers instead, remove the backup parameter.
global
    log /dev/log local0
    log /dev/log local1 notice
    chroot /var/lib/haproxy
    stats socket /run/haproxy/admin.sock mode 660 level admin
    stats timeout 30s
    user haproxy
    group haproxy
    daemon
    maxconn 30000

defaults
    log global
    mode tcp
    option tcplog
    option dontlognull
    timeout connect 5000
    timeout client 50000
    timeout server 50000
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http

# HTTP-to-HTTPS redirect frontend (HTTP mode)
frontend http_redirect
    bind *:80
    mode http
    option httplog
    redirect scheme https code 301

# HTTPS frontend (TCP mode for TLS passthrough)
frontend tcp_front_443
    bind *:443
    mode tcp
    option tcplog
    rate-limit sessions 15000
    default_backend servers_443

backend servers_443
    mode tcp
    server web1 7.7.7.7:443 check inter 10s rise 2 fall 3
    server web2 8.8.8.8:443 check inter 10s rise 2 fall 3 backup
Check that the configuration is syntactically valid:
haproxy -c -f /etc/haproxy/haproxy.cfg
Restart to apply it:
systemctl restart haproxy
Check the service status:
systemctl status haproxy
Adding security headers
Optional: add the following directives on the backend site, for example in the site's nginx configuration:
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
Getting the real client IP
Because HAProxy passes TLS through in TCP mode, the backend only sees HAProxy's IP as the source address. The PROXY protocol fixes this.
Step 1: enable PROXY protocol v2 on the HAProxy side by adding send-proxy-v2 to the server lines (in the configuration above, those in backend servers_443), for example:
backend web_servers
    mode tcp
    balance roundrobin
    server web1 192.168.1.100:443 send-proxy-v2
    # send-proxy-v2 enables PROXY protocol v2 towards this server
Step 2: edit the site's nginx configuration
mkdir -p /home/wwwroot/lnmp01/vhost/cf_real_ip
nano /home/wwwroot/lnmp01/vhost/cf_real_ip/cloudflare.conf
Paste the following (only addresses listed in set_real_ip_from are trusted as a source of client-IP information):
# Trusted upstream IP ranges
# HAProxy IP
set_real_ip_from <your-haproxy-server-ip>;
# Cloudflare IPv4
set_real_ip_from 173.245.48.0/20;
set_real_ip_from 103.21.244.0/22;
set_real_ip_from 103.22.200.0/22;
set_real_ip_from 103.31.4.0/22;
set_real_ip_from 141.101.64.0/18;
set_real_ip_from 108.162.192.0/18;
set_real_ip_from 190.93.240.0/20;
set_real_ip_from 188.114.96.0/20;
set_real_ip_from 197.234.240.0/22;
set_real_ip_from 198.41.128.0/17;
set_real_ip_from 162.158.0.0/15;
set_real_ip_from 104.16.0.0/13;
set_real_ip_from 104.24.0.0/14;
set_real_ip_from 172.64.0.0/13;
set_real_ip_from 131.0.72.0/22;
# Cloudflare IPv6
set_real_ip_from 2400:cb00::/32;
set_real_ip_from 2606:4700::/32;
set_real_ip_from 2803:f800::/32;
set_real_ip_from 2405:b500::/32;
set_real_ip_from 2405:8100::/32;
set_real_ip_from 2a06:98c0::/29;
set_real_ip_from 2c0f:f248::/32;
Site configuration (inside the site's server block):
listen 443 ssl http2 proxy_protocol;
include /home/wwwroot/lnmp01/vhost/cf_real_ip/cloudflare.conf;
real_ip_header proxy_protocol;
Finally, restart nginx to apply the change.
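To show what the two steps above actually exchange, here is an added example (not part of the original notes, and not HAProxy's or nginx's own code) that builds the binary PROXY protocol v2 header HAProxy prepends with send-proxy-v2 and parses it the way the nginx proxy_protocol listener does before real_ip_header proxy_protocol takes the source address. The sample addresses are constructed; the LOCAL command case covers HAProxy health checks, which carry no client address.

```python
import socket
import struct

# PROXY protocol v2 constants (fixed 12-byte signature, then ver/cmd,
# family/transport and the big-endian length of the address block)
PP2_SIGNATURE = b"\x0d\x0a\x0d\x0a\x00\x0d\x0a\x51\x55\x49\x54\x0a"
PP2_CMD_LOCAL, PP2_CMD_PROXY = 0x0, 0x1
PP2_AF_INET, PP2_AF_INET6 = 0x1, 0x2
PP2_TP_STREAM = 0x1


def build_v2_header(src_ip, dst_ip, src_port, dst_port):
    """Build the header HAProxy sends ahead of the TLS bytes (send-proxy-v2)."""
    af = socket.AF_INET6 if ":" in src_ip else socket.AF_INET
    fam = PP2_AF_INET6 if af == socket.AF_INET6 else PP2_AF_INET
    body = socket.inet_pton(af, src_ip) + socket.inet_pton(af, dst_ip)
    body += struct.pack("!HH", src_port, dst_port)
    ver_cmd = (0x2 << 4) | PP2_CMD_PROXY
    fam_tp = (fam << 4) | PP2_TP_STREAM
    return PP2_SIGNATURE + struct.pack("!BBH", ver_cmd, fam_tp, len(body)) + body


def parse_v2_header(data):
    """Return (info, remaining_bytes); info is None for a LOCAL command.

    Raises ValueError on anything malformed, which is what a listener should
    do instead of falling back to guessing the client address."""
    if len(data) < 16 or data[:12] != PP2_SIGNATURE:
        raise ValueError("missing PROXY v2 signature")
    ver_cmd, fam_tp, length = struct.unpack("!BBH", data[12:16])
    if ver_cmd >> 4 != 0x2:
        raise ValueError("unsupported PROXY protocol version")
    if len(data) < 16 + length:
        raise ValueError("truncated PROXY v2 header")
    body, rest = data[16:16 + length], data[16 + length:]
    if ver_cmd & 0xF == PP2_CMD_LOCAL:
        return None, rest          # health check: keep the TCP peer address
    family = fam_tp >> 4
    if family == PP2_AF_INET and length >= 12:
        af, alen = socket.AF_INET, 4
    elif family == PP2_AF_INET6 and length >= 36:
        af, alen = socket.AF_INET6, 16
    else:
        raise ValueError("unsupported address family or short address block")
    src_ip = socket.inet_ntop(af, body[:alen])
    dst_ip = socket.inet_ntop(af, body[alen:2 * alen])
    src_port, dst_port = struct.unpack("!HH", body[2 * alen:2 * alen + 4])
    return {"src_ip": src_ip, "dst_ip": dst_ip,
            "src_port": src_port, "dst_port": dst_port}, rest
```

The parsed src_ip is only meaningful when the TCP peer is one of the set_real_ip_from addresses, since any other peer could send a forged header.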