首頁>Server>source

我们有一个具有典型配置的虛擬化服務器(esxi):

[客戶] https - >[pfsense - >haproxy] - http - >[vm]

現在我正在尝試使用gitlab配置一个新的虛擬服務器,我找不到正確的配置,在私有網路gitlab內部正常工作,但是当我尝試从外部訪問時haproxy响應503錯誤.在阅讀並尝試了几个配置後,我無法使其工作,我確信它是nginx問题(或者我认為),因為如果在同一台服務器上我安裝apache(只是為了測試)该服務器可以从外部正常工作. / p>

目標是這樣的:

[客戶] https - >[pfsense - >haproxy] - http - >[gitlab]

Pfsense有ipen埠80和443(我不確定我们是否需要打開另一个ssh或unicorn)

一些配置:

gitlab.rc
external_url 'https://mydomain.extension'

Haproxy(對其他人vms工作正常)

global
maxconn         10000
stats socket /tmp/haproxy.socket level admin
uid         80
gid         80
nbproc          1
chroot          /tmp/haproxy_chroot
daemon
tune.ssl.default-dh-param   2048
server-state-file /tmp/haproxy_server_state
ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
frontend http_redirectTo_https
    bind            publicIP:80 name publicIP:80   
    mode            http
    log         global
    option          httpclose
    option          forwardfor
    acl https ssl_fc
    http-request set-header     X-Forwarded-Proto http if !https
    http-request set-header     X-Forwarded-Proto https if https
    timeout client      30000
    redirect scheme https code 301 if !{ ssl_fc }
frontend https_input
    bind            publicIP:443 name publicIP:443 ssl ssl  crt /certs/certific.pem no-sslv3 crt /var/etc/haproxy/https_frontend.pem  
    mode            http
    log         global
    option          http-keep-alive
    timeout client      30000
    acl         aclAdm  hdr(host) -i adm.domain.ext
    acl         aclOne  hdr(host) -i one.domain.ext
    acl         aclTwo  hdr(host) -i two.domain.ext
    acl         aclGit  hdr(host) -i git.domain.ext
    use_backend adm_backend_http_ipvANY  if  aclAdm 
    use_backend one_backend_http_ipvANY  if  aclOne 
    use_backend two_backend_http_ipvANY  if  aclTwo
    use_backend git_backend_http_ipvANY  if  aclGit

我删除了其他後端

backend git_backend_http_ipvANY
    mode            http
    log         global
    balance         leastconn
    timeout connect     30000
    timeout server      30000
    retries         3
    option          httpchk OPTIONS / 
    option forwardfor
    option http-server-close
    http-request set-header X-Forwarded-Port %[dst_port]
    http-request set-header X-Forwarded-Proto https if { ssl_fc }
    server          gitServer private_ip:80 check inter 1000

我猜問题是nginx,谢谢!

最新回復
  • 2019-9-15
    1 #

    問题是,haproxy没有檢測到服務器,所以我们怀疑健康檢查配置是錯誤的:

    option          httpchk OPTIONS /
    

    我只是將其更改為基本檢查並且haproxy正確檢測服務器,事實上,工作正常。

  • linux:Chroot SFTP - 可以允许使用者寫入当前(chroot)目錄
  • samba:如何让FreeNAS使用LDAP身份驗證?