Introduction
Building an ADFS reverse proxy and load balancer purely at the software level (keepalived for the floating IP, HAProxy for TLS termination and load balancing).
Prerequisites
- 2 Ubuntu 20.04 servers
- 3 available IP addresses (here we are using the 10.0.0.0/24 subnet)
  - 10.0.0.100 for keepalived (the floating VIP)
  - 10.0.0.101 for the MASTER server
  - 10.0.0.102 for the BACKUP server
- An ADFS cluster
Keepalived configuration
Both nodes track HAProxy with the same chk_haproxy script. While "pgrep haproxy" succeeds, the script's weight (2) is added to the node's priority, so the MASTER runs at 103 and the BACKUP at 102; if HAProxy dies on the MASTER it drops back to 101, the BACKUP then holds the higher priority and takes over the VIP 10.0.0.100. Adjust "interface ens160" to the NIC name on each server and replace the placeholder auth_pass (12345678) before deployment.
MASTER: /etc/keepalived/keepalived.conf

```
global_defs {
    router_id haproxy
    enable_script_security
}

vrrp_script chk_haproxy {
    script "/usr/bin/pgrep haproxy"
    interval 2
    weight 2
}

vrrp_instance haproxy {
    interface ens160
    state MASTER
    # MASTER requires a higher priority number than the SLAVE
    priority 101
    virtual_router_id 51
    authentication {
        auth_type AH
        auth_pass 12345678
    }
    virtual_ipaddress {
        10.0.0.100
    }
    track_script {
        chk_haproxy
    }
}
```
BACKUP: /etc/keepalived/keepalived.conf

```
global_defs {
    router_id haproxy
    enable_script_security
}

vrrp_script chk_haproxy {
    script "/usr/bin/pgrep haproxy"
    interval 2
    weight 2
}

vrrp_instance haproxy {
    interface ens160
    state BACKUP
    # BACKUP requires a lower priority number than the MASTER
    priority 100
    virtual_router_id 51
    authentication {
        auth_type AH
        auth_pass 12345678
    }
    virtual_ipaddress {
        10.0.0.100
    }
    track_script {
        chk_haproxy
    }
}
```
HAProxy configuration
Place the required certificate at /etc/ssl/domain.com/certificate.pem. HAProxy's crt option expects the server certificate, any intermediate chain and the private key concatenated into that one PEM file.
Modify the following configuration file as needed. Two points to review before deployment: the stats auth credentials are placeholders, and the ADFS servers are declared with "verify none", so HAProxy does not validate their certificates; prefer "verify required ca-file <CA bundle>" once the issuing CA is available on the proxy.
/etc/haproxy/haproxy.cfg
```
global
    log /dev/log local0
    log /dev/log local1 notice
    chroot /var/lib/haproxy
    stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
    user haproxy
    group haproxy
    maxconn 40000
    ulimit-n 81000
    daemon
    ssl-default-bind-ciphers EECDH+AESGCM:EDH+AESGCM
    ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
    ssl-default-server-ciphers EECDH+AESGCM:EDH+AESGCM
    ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
    tune.ssl.default-dh-param 2048

defaults
    log global
    mode tcp
    option httplog
    option dontlognull
    option forwardfor
    option http-use-htx
    timeout client 30s
    timeout server 30s
    timeout connect 5s
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http

# Page to view statistics with username User and password Password
listen stats
    bind :9000
    mode http
    stats enable
    stats hide-version
    stats realm Haproxy\ Statistics
    stats uri /haproxy_stats
    stats auth Username:Password

# Frontend for HTTP to HTTPS redirect
frontend fe_http
    bind *:80
    mode http
    option httplog
    log global
    redirect scheme https code 301

# Frontend for SNI Passthrough (TCP mode: routes on the ClientHello SNI without decrypting)
frontend fe_spt
    bind *:443
    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }
    # An entry is required per FQDN
    use_backend spt_sts if { req_ssl_sni -i sts.domain.com }
    # This will be the webpage that is displayed if no matching FQDN is detected
    default_backend spt_sts

# Each SNI Passthrough backend requires a port to use for the normal frontend.
# send-proxy carries the real client address across the loopback hop; without it
# fe_sts would see 127.0.0.1 as the source and hand that to ADFS as the client IP.
backend spt_sts
    server localhost 127.0.0.1:20000 check send-proxy

# Normal frontend (TLS termination). Bound to loopback only, because accept-proxy
# trusts the PROXY header and must not be reachable from the network.
frontend fe_sts
    bind 127.0.0.1:20000 accept-proxy ssl crt /etc/ssl/domain.com/certificate.pem
    mode http
    http-request set-header X-MS-Forwarded-Client-IP %[src]
    use_backend be_sts

# Normal backend
backend be_sts
    mode http
    log global
    balance roundrobin
    option httpchk GET /adfs/ls/IdpInitiatedSignon.aspx HTTP/1.1\r\nHost:\ sts.domain.com
    option forwardfor header X-Client
    http-check expect status 200
    http-request add-header X-Forwarded-Proto https if { ssl_fc }
    server adfs01 10.0.0.98:443 ssl verify none check check-sni sts.domain.com sni ssl_fc_sni inter 3s rise 2 fall 3
    server adfs02 10.0.0.99:443 ssl verify none check check-sni sts.domain.com sni ssl_fc_sni inter 3s rise 2 fall 3
```
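An added consistency check, written for this page and not part of the original post: it parses an haproxy.cfg excerpt (constructed to mirror the layout above) and verifies that every req_ssl_sni route leads through a 127.0.0.1 backend to a frontend that binds that port with ssl crt, which is the piece most easily forgotten when a new FQDN entry is added.

```python
import re
# Constructed excerpt of this page's haproxy.cfg layout: SNI passthrough -> loopback -> TLS frontend.
GOOD_CFG = """
frontend fe_spt
    bind *:443
    use_backend spt_sts if { req_ssl_sni -i sts.domain.com }
backend spt_sts
    server localhost 127.0.0.1:20000 check send-proxy
frontend fe_sts
    bind 127.0.0.1:20000 accept-proxy ssl crt /etc/ssl/domain.com/certificate.pem
"""
# A second FQDN was routed to port 20001, but its TLS-terminating frontend was never added.
BROKEN_CFG = GOOD_CFG.replace("\nbackend spt_sts\n", (
    "\n    use_backend spt_portal if { req_ssl_sni -i portal.domain.com }\n"
    "backend spt_portal\n    server localhost 127.0.0.1:20001 check send-proxy\nbackend spt_sts\n"))

SECTION = re.compile(r"^(frontend|backend|listen)\s+(\S+)$")
SNI_ROUTE = re.compile(r"^use_backend\s+(\S+)\s+if\s+\{\s*req_ssl_sni\s+-i\s+(\S+)\s*\}$")
LOOPBACK = re.compile(r"^server\s+\S+\s+127\.0\.0\.1:(\d+)\b")
TLS_BIND = re.compile(r"^bind\s+\S*:(\d+)\s+(?:accept-proxy\s+)?ssl\s+crt\s+\S+")

def parse_sections(cfg):
    """Group directive lines under their (kind, name) header; comments and blanks are dropped."""
    sections, current = {}, None
    for raw in cfg.splitlines():
        line = raw.split("#", 1)[0].strip()
        head = SECTION.match(line) if line else None
        if head:
            current = sections[(head[1], head[2])] = []
        elif line and current is not None:
            current.append(line)
    return sections

def check_sni_chain(cfg):
    """Return one message per SNI route whose loopback hop lacks a TLS-terminating frontend."""
    sections = parse_sections(cfg)
    lines = [l for body in sections.values() for l in body]
    tls_ports = {int(m[1]) for m in map(TLS_BIND.match, lines) if m}
    problems = []
    for route in filter(None, map(SNI_ROUTE.match, lines)):
        backend, fqdn = route[1], route[2]
        servers = sections.get(("backend", backend), [])
        ports = [int(m[1]) for m in map(LOOPBACK.match, servers) if m]
        if not ports:
            problems.append(f"{fqdn}: backend {backend} has no 127.0.0.1 server")
        for port in ports:
            if port not in tls_ports:
                problems.append(f"{fqdn}: no 'bind ...:{port} ssl crt' frontend for backend {backend}")
    return problems
```

To run it against a real file, pass the contents of /etc/haproxy/haproxy.cfg to check_sni_chain; an empty list means every SNI route is complete.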
