Building HAProxy with GmSSL integration (build extension)
- Extract GmSSL: tar -xvf gmssl_opt_xxx.tar.gz -C /usr/local
- Extract HAProxy: tar -xvf haproxy_xxx.tar.gz
- Change into the HAProxy installation directory (the extracted source tree; it must not be the same directory as the runtime directory that the build produces later) and make the following changes:
- Edit the Makefile:
Comment out:
    #OPTIONS_LDFLAGS += $(if $(SSL_LIB),-L$(SSL_LIB)) -lssl -lcrypto
Add (the static GmSSL libraries are linked directly, so the runtime libraries they depend on are listed explicitly):
    OPTIONS_LDFLAGS += $(SSL_LIB)/libssl.a
    OPTIONS_LDFLAGS += $(SSL_LIB)/libcrypto.a -lm -lpthread -ldl
- Edit the source:
File: src/ssl_sock.c. Note: it is not enough to edit only the content shown in red; the two blocks also swap positions, so follow the order of the modified version.
In function ssl_sock_put_ckch_into_ctx, replace the following code:
    if (SSL_CTX_use_PrivateKey(ctx, ckch->key) <= 0) {
        memprintf(err, "%sunable to load SSL private key into SSL Context '%s'.\n", err && *err ? *err : "", path);
        errcode |= ERR_ALERT | ERR_FATAL;
        return errcode;
    }
    if (!SSL_CTX_use_certificate(ctx, ckch->cert)) {
        memprintf(err, "%sunable to load SSL certificate into SSL Context '%s'.\n", err && *err ? *err : "", path);
        errcode |= ERR_ALERT | ERR_FATAL;
        goto end;
    }
with (note the order: the certificate is now loaded first, then the private key, and both are read from the PEM file at `path` instead of from the already-parsed ckch):
    /* certificate loaded from the PEM file path rather than from ckch->cert */
    if (!SSL_CTX_use_certificate_file(ctx, path, SSL_FILETYPE_PEM)) {
        memprintf(err, "%sunable to load SSL certificate into SSL Context '%s'.\n", err && *err ? *err : "", path);
        errcode |= ERR_ALERT | ERR_FATAL;
        goto end;
    }
    /* private key loaded from the same PEM file rather than from ckch->key */
    if (SSL_CTX_use_PrivateKey_file(ctx, path, SSL_FILETYPE_PEM) <= 0) {
        memprintf(err, "%sunable to load SSL private key into SSL Context '%s'.\n", err && *err ? *err : "", path);
        errcode |= ERR_ALERT | ERR_FATAL;
        return errcode;
    }
4. Build
Dependencies may need to be installed before building:
yum install pcre-devel zlib-devel
make TARGET=linux31 USE_PCRE=1 USE_OPENSSL=1 USE_ZLIB=1 USE_CRYPT_H=1 USE_LIBCRYPT=1 SSL_INC=/root/gmssl/gmssl/include SSL_LIB=/root/gmssl/gmssl/lib
Note: SSL_INC and SSL_LIB point to the directory GmSSL was extracted into.
5. Install
make install PREFIX=/usr/local/haproxy
Note: PREFIX=/usr/local/haproxy is the runtime directory produced by the build; it must not be the same directory as the installation (source) directory.
6. Configure
- Certificate preparation:
Merge the signing certificate PEM file and the signing private key PEM file into XXX_sig.pem; the file name must end in sig.pem.
Merge the encryption certificate PEM file and the encryption private key PEM file into XXX_enc.pem; the file name must end in enc.pem.
XXX_enc.pem is loaded implicitly and must be placed in the same directory as XXX_sig.pem, for example /usr/local/keystore/server_enc.pem.
When mutual authentication is required: merge the CA certificates into a single file (optional).
- HAProxy.conf:
global
    daemon
    ssl-default-bind-ciphers ECC-SM4-CBC-SM3:ECC-SM4-GCM-SM3
    #ssl-default-bind-options no-sslv3
    maxconn 256
    log 127.0.0.1 local7 info

defaults
    mode tcp
    log global
    option tcplog
    timeout connect 5000ms
    timeout client 50000ms
    timeout server 50000ms
    stats uri /status
    #stats auth zp:123456

frontend emqx_dashboard
    bind *:18083
    option tcplog
    mode tcp
    default_backend emqx_dashboard_back

frontend emqx_tcps
    bind *:8883 ssl crt /usr/local/haproxy/cert/server_sig.pem ca-file /usr/local/haproxy/cert/ca.pem verify required
    option tcplog
    mode tcp
    default_backend backend_emqx_tcp

frontend emqx_tcp
    bind *:1883
    option tcplog
    mode tcp
    default_backend backend_emqx_tcp

frontend frontend_emqx_ws
    bind *:8083
    option tcplog
    # option forwardfor
    mode tcp
    default_backend backend_emqx_ws

backend emqx_dashboard_back
    balance roundrobin
    server emqx_node_1 192.168.92.120:18083 check

backend backend_emqx_tcp
    mode tcp
    balance roundrobin
    server emqx_node_1 192.168.92.120:1883 check-send-proxy send-proxy-v2-ssl-cn

backend backend_emqx_ws
    mode http
    option forwardfor
    balance roundrobin
    server emqx_node_1 192.168.92.120:8083 check-send-proxy send-proxy-v2 check inter 10s fall 2 rise 5
- Start and test
Assuming the configuration file is placed under /usr/local/haproxy/conf/:
Start command: /usr/local/haproxy/sbin/haproxy -f /usr/local/haproxy/conf/haproxy.cfg
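The certificate preparation step above, as an added shell example that is not part of the original page: it assembles the XXX_sig.pem and XXX_enc.pem bundles from separate certificate and key PEM files and checks the sig.pem/enc.pem naming and same-directory layout that the `crt` bind option and the implicit enc.pem load depend on. The input file names sig.crt, sig.key, enc.crt, enc.key, the "server" prefix and the placeholder PEM contents are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original page): build the GmSSL certificate bundles
# HAProxy expects and verify their layout. Input file names, the "server" prefix
# and the placeholder PEM contents below are constructed for the demo.

# make_bundle OUT CERT KEY: concatenate certificate then private key into OUT,
# the single-file layout that HAProxy's "crt" option loads.
make_bundle() {
    out=$1; cert=$2; key=$3
    cat "$cert" "$key" > "$out" || return 1
    chmod 600 "$out"          # the bundle contains a private key
}

# check_bundle_pair SIG_PEM: verify that SIG_PEM ends in sig.pem, that the
# companion enc.pem sits in the same directory, and that each bundle carries
# both a certificate and a private key block. Returns 0 when the layout is right.
check_bundle_pair() {
    sig=$1
    case "$sig" in
        *sig.pem) ;;
        *) echo "bundle name must end in sig.pem: $sig" >&2; return 1 ;;
    esac
    enc="${sig%sig.pem}enc.pem"   # implicitly loaded from beside the sig bundle
    [ -f "$enc" ] || { echo "missing companion bundle $enc" >&2; return 1; }
    for f in "$sig" "$enc"; do
        grep -q 'BEGIN CERTIFICATE' "$f" || { echo "$f: no certificate block" >&2; return 1; }
        grep -q 'PRIVATE KEY' "$f"       || { echo "$f: no private key block" >&2; return 1; }
    done
    return 0
}

# demo_bundle_layout DIR: write constructed placeholder PEM files into DIR,
# build server_sig.pem / server_enc.pem from them and run the layout check.
demo_bundle_layout() {
    dir=${1:-$(mktemp -d)}
    for name in sig enc; do
        # Constructed stand-ins for real SM2 certificate and key material.
        printf '%s\n' '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER' '-----END CERTIFICATE-----' > "$dir/$name.crt"
        printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'PLACEHOLDER' '-----END PRIVATE KEY-----' > "$dir/$name.key"
    done
    make_bundle "$dir/server_sig.pem" "$dir/sig.crt" "$dir/sig.key" || return 1
    make_bundle "$dir/server_enc.pem" "$dir/enc.crt" "$dir/enc.key" || return 1
    check_bundle_pair "$dir/server_sig.pem" && echo "bundles ready in $dir"
}
```

Point the `crt` option of the `bind *:8883 ssl` line at the resulting server_sig.pem; the server_enc.pem next to it is picked up without being named in the configuration.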