1、Haproxy必需是需要1.5以上的版本才会撑持ssl证书
2、要使用ssl模块，必需要安置openssl软件，版本要注意切合要求

openssl的安置 tar zxf openssl-0.9.8zh.tar.gz cd openssl-0.9.8zh ./config enable-tlsext --prefix=http://www.mamicode.com/usr/local/openssl no-shared make && make install_sw #以上安置不影响系统中的openssl版本，主要就是打开openssl的TLS SNI成果 也可以通过yum的方法去安置openssl Haproxy的安置配置

这里可以使用yum的方法安置，也可以下载二进制包安置：安置便利百度就可以

Haproxy的配置文件 global log 127.0.0.1 local0 log 127.0.0.1 local1 notice #log loghost local0 info maxconn 20480 uid 99 gid 99 #daemon tune.ssl.default-dh-param 2048 debug #quiet #pidfile /usr/local/haproxy/run/haproxy.pid #nbproc 2 defaults log global mode http option httplog option httpclose option forwardfor option dontlognull option redispatch option originalto #option abortonclose balance roundrobin #balance leastconn #balance source stats refresh 30 retries 3 timeout connect 5000 timeout client 2400000 timeout server 2400000 timeout check 5000 listen admin_status bind 0.0.0.0:81 mode http log 127.0.0.1 local3 err stats refresh 30s stats uri /haproxy-stats stats realm Welcome CJWL \CJWL stats auth admin:wangguan stats hide-version stats admin if TRUE errorfile 403 /usr/local/haproxy/errorfiles/403.http errorfile 500 /usr/local/haproxy/errorfiles/500.http errorfile 502 /usr/local/haproxy/errorfiles/502.http errorfile 503 /usr/local/haproxy/errorfiles/503.http errorfile 504 /usr/local/haproxy/errorfiles/504.http frontend http_80_in bind 0.0.0.0:80,0.0.0.0:7070,0.0.0.0:7777 #redirect scheme https if !{ ssl_fc } 把这行开启后，就暗示所有http的访谒城市自动走ssl证书，跳转走https # bind 0.0.0.0:4443 ssl crt /usr/local/haproxy/etc/ssl/haproxy.pem~~ bind 0.0.0.0:443 ssl crt /etc/haproxy/ssl/server.pem #reqadd X-Forwarded-Proto:\ https acl testcoms_p hdr_dom(host) -i testcoms.changjiu56.com acl ssl hdr_reg(host) -i ^(kesungang.changjiu56.com)$ redirect scheme https code 301 if !{ ssl_fc } ssl acl kesungang_p hdr_dom(host) -i kesungang.xxxx.com acl cpstest_p hdr_dom(host) -i ^(cpstest.xxx.com)$ acl recapicpstest_p hdr_dom(host) -i ^(rec.api.cpstest.xxxx.com)$ acl g7_ip src 121.2xx.0.0/16 117.50.xxx.0/24 use_backend testcoms.xxxx.com if testcoms_p use_backend kesungang.xxxx.com if kesungang_p use_backend bmwpdatest.xxxx.com if bmwpdatest_p use_backend bmwpda.xxxx.com if bmwpda_p use_backend srm.xxxx.com if srm_p use_backend coms.xxx.com if coms_p #backend wmsims.xxxxx.com # mode http # balance source # option httpchk GET /test/test.html # server 10.0.3.111:80 10.0.3.111:80 maxconn 5000 check inter 2000 rise 2 fall 3 # http-request set-header X-Forwarded-Port %[dst-Port] # http-request add-header X-Forwarded-Proto https if { ssl_fc } backend kesungang.xxxx.com balance source #redirect scheme https if !{ ssl_fc } server 10.0.3.78:80 10.0.3.78:80 maxconn 1024 weight 3 check inter 2000 rise 2 fall 3 backend testcoms.xxxx.com balance source #option httpchk GET /HealthCheck.html 如果只让一个域名走ssl证书配置

1、在frontend 默认80里面把redirect scheme https if !{ ssl_fc }注释失
2、配置acl法则如下
`acl ssl hdr_reg(host) -i ^(kesungang.xxx.com)$
redirect scheme https code 301 if !{ ssl_fc } ssl

acl kesungang_p hdr_dom(host) -i kesungang.xxxx.com
`

多个域名，，多个ssl证书配置

frontend http_server
bind :80
bind :443 ssl crt /etc/haproxy/keys/www.test.com.pem crt /etc/haproxy/keys/admin.test.com.pem crt /etc/haproxy/keys/passport.abc.com.pem
#凭据如上法则如果多个站点就可以使用同样的法则 bind :443 ssl crt $filepath crt $file2path crt $file3path

mode http acl ssl hdr_reg(host) -i ^(|admin.test.com|passport.abc.com)$ redirect scheme https code 301 if !{ ssl_fc } ssl #对以上站点进行https跳转 #在某些情况下，在特定页面需要进行跳转，则 acl ssl_site hdr_reg(host) -i ^( acl ssl_path path_beg -i /Login /Pay/Pay.aspx redirect scheme https code 301 if !{ ssl_fc } ssl_site ssl_path redirect scheme http code 301 if { ssl_fc } ssl_site !ssl_path #只在/loign /Pay/Pay.aspx页面进行跳转，其他页面使用http acl wwwtest_com hdr_reg(host) -i ^()$ use_backend www_test_com if wwwtest_com { ssl_fc_sni } #这里就是证书的对应部分，如 acl admintest_com hdr_dom(host) -i admin.test.com use_backend admin_test_com if admintest_com { ssl_fc_sni admin.test.com } acl passportabc_com hdr_dom(host) -i passport.abc.com use_backend pasport_abc_com if passport_abc_com { ssl_fc_sni passport.abc.com } backend www_test_com server test2 192.168.10.2:80 check port 80 inter 5000 rise 2 fall 3 weight 1 backend admin_test_com server test4 192.168.10.4:80 check port 80 inter 5000 rise 2 fall 3 weight 1 backend passport_abc_com server test5 192.168.10.5:80 check port 80 inter 5000 rise 2 fall 3 weight 1

Haproxy 实现部分域名使用https，其他域名正常使用http的配置要领