UCloud ULB Load Balancer HTTPS Solution
1. Introduction to UCloud ULB
ULB (UCloud Load Balancer) is UCloud's load-balancing service. It distributes traffic to multiple hosts or other service instances, either by forwarding packets or by proxying requests. In high-concurrency environments, ULB is used to build a service cluster out of several service nodes. The cluster scales the service's processing capacity and fault tolerance, automatically removes the impact of a single failed node on the service as a whole, and thereby improves availability.
For layer-7 (request-proxy) protocols ULB supports HTTP and HTTPS (similar to Nginx or HAProxy); for layer-4 (packet-forwarding) protocols it supports TCP and UDP (similar to LVS).
Supported features:
(1) Request proxy: SSL offloading, domain-based forwarding and path-based forwarding; HTTP, HTTPS and TCP protocols; IPv4 and IPv6 networks.
(2) Packet forwarding: a high-performance forwarding mode; TCP and UDP protocols; IPv4 networks.
Official documentation: https://docs.ucloud.cn/ulb/README
Background: production systems need HTTPS-encrypted sites, which brings the requirement of forcing HTTP requests to redirect to HTTPS. UCloud ULB did not support a direct HTTP-to-HTTPS redirect at the time, so it had to be implemented some other way. Let's look at the options together.
2. Implementing the HTTP-to-HTTPS redirect
2.1 Preparation
(1) Applying for a free SSL certificate
UCloud free certificate application: https://console.ucloud.cn/ussl/ussl
UCloud official documentation: https://docs.ucloud.cn/ussl/README
(2) Deploying Nginx
[root@10-27-0-224 ~]# yum install nginx -y
(3) Preparing a test page
[root@10-27-0-224 ~]# mkdir -p /data/nginx/www/html
[root@10-27-0-224 ~]# mkdir /data/ssl
[root@10-27-0-224 ~]# cd /data/ssl/
[root@10-27-0-224 ssl]# ll
total 8
-rw-r--r-- 1 root root 1675 Aug 8 09:18 private.key
-rw-r--r-- 1 root root 3903 Aug 8 09:18 public.pem
[root@10-27-0-224 ~]# vim /data/nginx/www/html/index.html
HTTP->HTTPS
2.2 ULB request-proxy mode
HTTP-to-HTTPS redirect, Option 1
UCloud ULB7 now supports redirects natively, so the forced HTTP-to-HTTPS redirect can be configured directly on the ULB side!
HTTP-to-HTTPS redirect, Option 2
(1) Deployment diagram
Design: ULB HTTPS (443) -> RS HTTP (81); ULB HTTP (80) -> RS (80) -> rewrite to 443. The yellow part of the diagram marks where the certificate is deployed: wherever the certificate lives is where HTTPS encryption and decryption happen. Also, the certificate must not be deployed at both ends of the same link, or an error will be reported!
(2) Uploading the certificate to ULB
Upload the certificate: https://console.ucloud.cn/ulb/certificate
(3) Creating the request-proxy ULB
https://console.ucloud.cn/ulb/create
(4) Configuring the RS nodes
# port 81 config
[root@10-27-0-224 ~]# vim /etc/nginx/conf.d/nginx81.conf
server {
    listen 81;
    listen [::]:81;
    server_name ssl.starcto.com;
    root /data/nginx/www/html;
}
# port 80 -> 443 config
[root@10-27-0-224 ~]# vim /etc/nginx/conf.d/nginx443.conf
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name ssl.starcto.com;
    root /data/nginx/www/html/;
    ssl_certificate "/data/ssl/public.pem";
    ssl_certificate_key "/data/ssl/private.key";
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 10m;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
}
[root@10-27-0-224 ~]# vim /etc/nginx/conf.d/nginx80.conf
server {
    listen 80;
    listen [::]:80;
    server_name ssl.starcto.com;
    root /data/nginx/www/html;
    rewrite ^(.*)$ https://$host$1 permanent;
}
(5) Verification
HTTP-to-HTTPS redirect, Option 3
(1) Deployment diagram
Design: ULB HTTPS (443) -> RS HTTP (80); ULB HTTP (80) -> RS (80) -> rewrite to 443. The yellow part of the diagram marks where the certificate is deployed: wherever the certificate lives is where HTTPS encryption and decryption happen. Also, the certificate must not be deployed at both ends of the same link, or an error will be reported!
(2) Deploying the certificate on the RS nodes
# port 443
[root@10-27-0-224 ~]# vim /etc/nginx/conf.d/nginx443.conf
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name ssl.starcto.com;
    root /data/nginx/www/html/;
    ssl_certificate "/data/ssl/public.pem";
    ssl_certificate_key "/data/ssl/private.key";
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 10m;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
}
# port 80 -> 443 config
[root@10-27-0-224 ~]# cat /etc/nginx/conf.d/nginx80.conf
server {
    listen 80;
    listen [::]:80;
    server_name ssl.starcto.com;
    root /data/nginx/www/html;
    if ($http_x_forwarded_proto = http) {   # this is the difference
        rewrite ^(/.*)$ https://$host$1 redirect;
    }
}
# Note: writing the redirect condition in either of the following two ways
# produces an infinite redirect loop
# if ($scheme = http) {
#     rewrite ^(/.*)$ https://$host$1 redirect;
# }
# or
# if ($server_port != 443) {
#     rewrite ^(/.*)$ https://$host$1 redirect;
# }
In HTTP mode, ULB7 passes $http_x_forwarded_proto to the backend RS. Nginx uses it to tell whether the original client request was HTTP or HTTPS: requests that started as HTTP are redirected to HTTPS, and requests that started as HTTPS are left alone.
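The following added example (not code from the original post) simulates why the `$scheme` and `$server_port` conditions loop while the `X-Forwarded-Proto` condition terminates. It assumes a simplified model of ULB request-proxy mode in which both ULB listeners reach the RS as plain HTTP on port 80; `MAX_HOPS` is a constructed loop-detection limit.

```python
"""Simulate the redirect decision an RS makes behind ULB (added example,
not from the original post). Model: ULB terminates TLS and forwards both
its HTTP (80) and HTTPS (443) listeners to the RS as plain HTTP on port 80,
setting X-Forwarded-Proto. MAX_HOPS is a constructed loop-detection limit."""

MAX_HOPS = 5


def ulb_forward(client_scheme):
    """What the RS sees in request-proxy mode: always plain HTTP on port
    80, with X-Forwarded-Proto carrying the scheme the client used."""
    return {"scheme": "http", "server_port": 80,
            "x_forwarded_proto": client_scheme}


def rs_rule_scheme(req):
    # Looping rule from the post: if ($scheme = http) { rewrite ... }
    return req["scheme"] == "http"


def rs_rule_port(req):
    # Looping rule from the post: if ($server_port != 443) { rewrite ... }
    return req["server_port"] != 443


def rs_rule_xfp(req):
    # Working rule: if ($http_x_forwarded_proto = http) { rewrite ... }
    return req["x_forwarded_proto"] == "http"


def fetch(rule, client_scheme="http"):
    """Follow redirects like a browser. Returns ('ok', hops) once the RS
    serves the page, or ('loop', hops) if it keeps redirecting."""
    hops = 0
    while hops < MAX_HOPS:
        req = ulb_forward(client_scheme)
        if not rule(req):          # RS serves content instead of redirecting
            return "ok", hops
        hops += 1
        client_scheme = "https"    # browser follows Location: https://$host$1
    return "loop", hops


if __name__ == "__main__":
    for name, rule in [("$scheme", rs_rule_scheme),
                       ("$server_port", rs_rule_port),
                       ("X-Forwarded-Proto", rs_rule_xfp)]:
        print(f"{name}: http client -> {fetch(rule)}, "
              f"https client -> {fetch(rule, 'https')}")
```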
(3) Verification
[Note] The difference between Option 2 and Option 3: in Option 2, if ULB port 443 points directly at RS port 80, abnormal redirects (a redirect loop) occur.
HTTP-to-HTTPS redirect, Option 4
(1) Deployment diagram
Design: ULB TCP (443) -> RS HTTPS (443); ULB HTTP (80) -> RS (80) -> rewrite to 443. The yellow part of the diagram marks where the certificate is deployed: wherever the certificate lives is where HTTPS encryption and decryption happen. Also, the certificate must not be deployed at both ends of the same link, or an error will be reported!
(2) Deploying the certificate on the RS nodes
# port 443
[root@10-27-0-224 ~]# vim /etc/nginx/conf.d/nginx443.conf
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name ssl.starcto.com;
    root /data/nginx/www/html/;
    ssl_certificate "/data/ssl/public.pem";
    ssl_certificate_key "/data/ssl/private.key";
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 10m;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
}
# port 80 config
[root@10-27-0-224 ~]# vim /etc/nginx/conf.d/nginx80.conf
server {
    listen 80;
    listen [::]:80;
    server_name ssl.starcto.com;
    root /data/nginx/www/html;
    rewrite ^(.*)$ https://$host$1 permanent;
}
(3) Verification
2.3 ULB packet-forwarding mode
(1) Deployment diagram
Design: ULB TCP (443) -> RS HTTPS (443); ULB TCP (80) -> RS (80) -> rewrite to 443. The yellow part of the diagram marks where the certificate is deployed: wherever the certificate lives is where HTTPS encryption and decryption happen. Also, the certificate must not be deployed at both ends of the same link, or an error will be reported!
(2) Special RS configuration for packet-forwarding mode
Official documentation: https://docs.ucloud.cn/ulb/guide/realserver/editrealserver
# create the virtual interface config file
[root@10-27-0-224 ~]# touch /etc/sysconfig/network-scripts/ifcfg-lo:1
# edit the virtual interface config file
[root@10-27-0-224 ~]# vim /etc/sysconfig/network-scripts/ifcfg-lo:1
DEVICE=lo:1
IPADDR=152.32.207.23
NETMASK=255.255.255.255
# bring the interface up
[root@10-27-0-224 ~]# ifup lo:1
[Note] This step is mandatory. Without it the health check fails and ULB cannot forward requests properly.
(3) Deploying the certificate on the RS nodes
# port 443
[root@10-27-0-224 ~]# vim /etc/nginx/conf.d/nginx443.conf
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name ssl.starcto.com;
    root /data/nginx/www/html/;
    ssl_certificate "/data/ssl/public.pem";
    ssl_certificate_key "/data/ssl/private.key";
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 10m;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
}
# port 80 config
[root@10-27-0-224 ~]# vim /etc/nginx/conf.d/nginx80.conf
server {
    listen 80;
    listen [::]:80;
    server_name ssl.starcto.com;
    root /data/nginx/www/html;
    rewrite ^(.*)$ https://$host$1 permanent;
}
(4) Verification
3. Obtaining the real client IP
3.1 Request-proxy mode
In request-proxy mode with the HTTP protocol, ULB enables the X-Forwarded-For, X-Forwarded-Proto and X-Forward-SrcPort options by default, so the client's source address, the application-layer protocol between the client and the load balancer, and the client port can be read from the HTTP headers. The TCP protocol cannot return the source address, so Option 4 of 2.2 (ULB 443 in TCP mode) cannot obtain the real client IP address.
(1) Differences between TCP and HTTP in request-proxy load balancing
1. TCP: receive the request, choose a backend node, connect to it and forward the content; packets of other upper-layer protocols can be forwarded to the backend node as-is.
2. HTTP: receive the request, parse it, choose a service node cluster by forwarding rule, choose a backend node by the ULB algorithm, connect to the node, receive the response, parse the response headers, add appropriate response headers (such as Set-Cookie), and return the response body to the client.
(2) Example Nginx configuration for obtaining the real client IP
[root@10-27-0-224 ~]# vim /etc/nginx/nginx.conf
……
http {
    log_format access_json '{"@timestamp":"$time_iso8601",'
        '"host":"$server_addr",'
        '"clientip":"$remote_addr",'
        '"proto":"$scheme",'
        '"size":$body_bytes_sent,'
        '"responsetime":$request_time,'
        '"upstreamtime":"$upstream_response_time",'
        '"upstreamhost":"$upstream_addr",'
        '"http_host":"$host",'
        '"uri":"$uri",'
        '"domain":"$host",'
        '"xff":"$http_x_forwarded_for",'
        '"xf_proto":"$http_x_forwarded_proto",'
        '"referer":"$http_referer",'
        '"tcp_xff":"$proxy_protocol_addr",'
        '"http_user_agent":"$http_user_agent",'
        '"status":"$status"}';
    access_log /var/log/nginx/ssl.starcto.access.log access_json;
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 4096;
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    include /etc/nginx/conf.d/*.conf;
}
(3) Result
[root@10-27-0-224 ~]# tail -f /var/log/nginx/ssl.starcto.access.log
{"@timestamp":"2021-08-30T00:43:51-05:00","host":"10.27.0.224","clientip":"10.27.251.37","proto":"http","size":0,"responsetime":0.000,"upstreamtime":"-","upstreamhost":"-","http_host":"ssl.starcto.com","uri":"/index.html","domain":"ssl.starcto.com","xff":"106.75.231.26","xf_proto":"https","referer":"-","tcp_xff":"-","http_user_agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36","status":"304"}
{"@timestamp":"2021-08-30T00:44:08-05:00","host":"10.27.0.224","clientip":"10.27.251.37","proto":"http","size":145,"responsetime":0.000,"upstreamtime":"-","upstreamhost":"-","http_host":"ssl.starcto.com","uri":"/","domain":"ssl.starcto.com","xff":"106.75.231.26","xf_proto":"http","referer":"-","tcp_xff":"-","http_user_agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36","status":"302"}
{"@timestamp":"2021-08-30T00:44:16-05:00","host":"10.27.0.224","clientip":"10.27.251.37","proto":"http","size":0,"responsetime":0.000,"upstreamtime":"-","upstreamhost":"-","http_host":"ssl.starcto.com","uri":"/index.html","domain":"ssl.starcto.com","xff":"106.75.231.26","xf_proto":"https","referer":"-","tcp_xff":"-","http_user_agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36","status":"304"}
{"@timestamp":"2021-08-30T00:44:16-05:00","host":"10.27.0.224","clientip":"205.185.115.135","proto":"http","size":153,"responsetime":0.000,"upstreamtime":"-","upstreamhost":"-","http_host":"107.155.48.73","uri":"/boaform/admin/formLogin","domain":"107.155.48.73","xff":"-","xf_proto":"-","referer":"http://107.155.48.73:80/admin/login.asp","tcp_xff":"-","http_user_agent":"Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:71.0) Gecko/20100101 Firefox/71.0","status":"404"}
{"@timestamp":"2021-08-30T00:44:16-05:00","host":"10.27.0.224","clientip":"205.185.115.135","proto":"http","size":0,"responsetime":0.091,"upstreamtime":"-","upstreamhost":"-","http_host":"ssl.starcto.com","uri":"-","domain":"ssl.starcto.com","xff":"-","xf_proto":"-","referer":"-","tcp_xff":"-","http_user_agent":"-","status":"400"}
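The log above shows two kinds of entries: requests that arrived through ULB (clientip 10.27.251.37, real client in xff) and requests that hit the RS's public address directly (the scanner entries, with xff "-"). The added example below (not code from the original post) parses constructed lines in the same access_json shape and resolves the real client IP; it assumes that 10.27.251.37 is the only trusted ULB peer, so X-Forwarded-For from any other peer is ignored because that header is client-supplied.

```python
"""Recover the real client IP from the access_json log the post configures
(added example, not from the original post). The lines below are
constructed in the shape of the post's output; 10.27.251.37 is the ULB
address that appears as $remote_addr in that output, and TRUSTED_PROXIES
is an assumption: only X-Forwarded-For from that peer is honoured."""
import json

TRUSTED_PROXIES = {"10.27.251.37"}

# Constructed sample entries (trimmed to the fields used here).
LOG_LINES = [
    # via ULB, client 106.75.231.26, original request over https
    '{"clientip":"10.27.251.37","xff":"106.75.231.26","xf_proto":"https","uri":"/"}',
    # via ULB, client behind its own proxy: ULB appends the address it saw
    '{"clientip":"10.27.251.37","xff":"198.51.100.9, 106.75.231.26","xf_proto":"http","uri":"/"}',
    # direct hit on the RS public IP (like the scanner in the post's log):
    # any XFF header here is client-supplied and must not be trusted
    '{"clientip":"203.0.113.7","xff":"1.2.3.4","xf_proto":"-","uri":"/boaform/admin/formLogin"}',
    # via ULB but without an XFF header at all
    '{"clientip":"10.27.251.37","xff":"-","xf_proto":"-","uri":"/"}',
]


def real_client_ip(entry):
    """Return (ip, source) for one parsed entry.

    X-Forwarded-For is honoured only when the direct peer ($remote_addr) is
    a trusted ULB address; the right-most address is the one appended by
    the proxy nearest to us, everything left of it is client-controlled."""
    peer = entry["clientip"]
    xff = entry.get("xff", "-")
    if peer in TRUSTED_PROXIES and xff not in ("-", ""):
        return xff.split(",")[-1].strip(), "x-forwarded-for"
    return peer, "remote_addr"


def parse_log(lines):
    """Parse one JSON object per line and resolve the client IP of each."""
    return [real_client_ip(json.loads(line)) for line in lines]


if __name__ == "__main__":
    for ip, source in parse_log(LOG_LINES):
        print(ip, source)
```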
3.2 Packet-forwarding mode
In packet-forwarding mode, the source address of the request seen by the backend node is the actual client source address.
Differences between request-proxy TCP and packet-forwarding TCP:
1. Request proxy: two TCP connections must be maintained, client-to-ULB and ULB-to-backend (two TCP handshakes).
2. Packet forwarding: only parses and forwards packets, without the overhead of connection setup, so it is several orders of magnitude more efficient than request-proxy mode, but with the following limitations:
(1) ULB only rewrites the destination MAC address, so backend nodes cannot listen on a different port; if the listening port differs from the port the service receives on, data transfer fails.
(2) Backend nodes must have the ULB service IP address configured.
If there is no need for one node to listen on multiple ports, packet-forwarding mode is the better choice for forwarding performance.
Author: UStarGao
Link: https://www.starcto.com/service_operations/201.html
Source: STARCTO
Copyright belongs to the author. Contact the author for permission for commercial reproduction; for non-commercial reproduction, credit the source.