Команда привязки haproxy для включения шифра в файл haproxy.cfg
I am configuring the haproxy.cfg file for haproxy. i need to add cipher suite in this file. for that i am using bind command. My bind command is as below.
bind 0.0.0.0:443 ssl crt /etc/ssl/certs/private1.pem nosslv3 шифры предпочитаемых серверов-шифров TLSv1+HIGH:!SSLv2:!aNULL:!eNULL:!3DES:@STRENGTH с командой bind bind *:443 это работает нормально. как только я добавляю другие аргументы, это вызывает ошибку.
After including this command in haproxy.cfg file and restarting the haproxy service. i am getting the error.
** [ALERT] 164/074924 (31084): анализ [/etc/haproxy/haproxy.cfg:80]: "bind" поддерживает только "прозрачный", "defer-accept", "имя", "id", Параметры "mss" и "interface". [ALERT] 164/074924 (31084): в файле конфигурации обнаружены ошибки: /etc/haproxy/haproxy.cfg [ALERT] 164/074924 (31084): в конфигурации обнаружены неустранимые ошибки. Ошибки в конфигурационном файле, проверьте с помощью haproxy check. **
For resolving this issue i tried to install "libssl-dev" package. but i am not able to install that package also.
**Please guide me to do this. and i need to know is it neccesary to give the pem file entry in bind, or i can directly include cipher itself like this.
bind *:8443 ciphers TLSv1+HIGH:!SSLv2:!aNULL:!eNULL:!3DES:@STRENGTH**
Appending my haproxy.cfg file below.
**#---------------------------------------------------------------------
# Example configuration for a possible web application. See the
# full configuration options online.
#
# http://haproxy.1wt.eu/download/1.4/doc/configuration.txt
#
#---------------------------------------------------------------------
#---------------------------------------------------------------------
# Global settings
#---------------------------------------------------------------------
global
# to have these messages end up in /var/log/haproxy.log you will
# need to:
#
# 1) configure syslog to accept network log events. This is done
# by adding the '-r' option to the SYSLOGD_OPTIONS in
# /etc/sysconfig/syslog
#
# 2) configure local2 events to go to the /var/log/haproxy.log
# file. A line like the following can be added to
# /etc/sysconfig/syslog
#
# local2.* /var/log/haproxy.log
#
log 127.0.0.1 local2
chroot /var/lib/haproxy
pidfile /var/run/haproxy.pid
maxconn 4000
user haproxy
group haproxy
daemon
# turn on stats unix socket
stats socket /var/lib/haproxy/stats
#---------------------------------------------------------------------
# common defaults that all the 'listen' and 'backend' sections will
# use if not designated in their block
#---------------------------------------------------------------------
defaults
mode http
log global
option httplog
option dontlognull
option http-server-close
option forwardfor except 127.0.0.0/8
option redispatch
retries 3
timeout http-request 10s
timeout queue 1m
timeout connect 10s
timeout client 1m
timeout server 1m
timeout http-keep-alive 10s
timeout check 10s
maxconn 3000
#---------------------------------------------------------------------
# main frontend which proxys to the backends
frontend inbound
mode http
bind 0.0.0.0:443 ssl crt /etc/ssl/certs/private1.pem nosslv3 prefer-server-ciphers ciphers TLSv1+HIGH:!SSLv2:!aNULL:!eNULL:!3DES:@STRENGTH
# static backend for serving up images, stylesheets and such
#---------------------------------------------------------------------
backend postgresqlcluster1
mode http
balance roundrobin
server postgres1 192.44.9.101:8080 check**
1 ответ
Вам нужно использовать 1.5-dev19+ (текущий 15.-dev26), чтобы использовать любую из функций ssl; Судя по ошибке и отрывку конфигурации, похоже, что вы используете 1.4.