Eu tenho uma configuração haproxy / nginx / naxsi para balanceamento de carga e segurança. O tráfego deve entrar pelo haproxy, passar pelo nginx/naxsi e, somente se for aprovado pelo WAF, chegar aos servidores web. Também usamos um endereço IP diferente na frente (lado público) e outro atrás (lado dos servidores).
O que estou fazendo de errado para que o tráfego não flua pelo nginx? Só recebo erros 503 quando a requisição passa pelo nginx; se eu contorno o nginx/naxsi, tudo funciona como esperado.
Internet -> HAProxy (.5.3:80) -> Nginx/Naxsi (.5.3:81) -> HAProxy (.6.3:81) -> servidores web (.6.x:80)
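frontend ft_waf
    # Public entry point. Every request is normally handed to bk_waf
    # (nginx/naxsi); only when no WAF server is up does it go straight to
    # the application farm (fail-open, see below).
    bind 10.0.5.15:80 name http
    mode http
    log global
    option httplog
    timeout client 25s
    maxconn 10000

    # --- Abuse / flood protection -----------------------------------------
    # One stick-table entry per client IP. gpc0 is used as a "blocked" flag;
    # request and error rates are measured over a sliding 10s window.
    # NOTE: track-sc1 refreshes the entry on every connection, so a client
    # that keeps reconnecting stays blocked for as long as it keeps trying;
    # the 1m expire only lifts the block once it goes quiet.
    stick-table type ip size 1m expire 1m store gpc0,http_req_rate(10s),http_err_rate(10s)
    tcp-request connection track-sc1 src
    # Already flagged (gpc0 set here or from bk_waf's error-rate rule): drop.
    tcp-request connection reject if { sc1_get_gpc0 gt 0 }
    # Abuser = more than 100 requests in the last 10 seconds.
    acl abuse sc1_http_req_rate gt 100
    # "kill" has a side effect: it increments gpc0 (flagging the IP) and is
    # true as soon as the flag is set. The previous 'gt 10' let the abusive
    # connection itself through and only the NEXT one was rejected by the
    # gpc0 check above; 'gt 0' rejects immediately and matches bk_waf.
    acl kill sc1_inc_gpc0 gt 0
    # "save" also has a side effect: it clears gpc0 and is always true.
    acl save sc1_clr_gpc0 ge 0
    tcp-request connection accept if !abuse save
    tcp-request connection reject if abuse kill

    # --- X-Client-IP hygiene -------------------------------------------------
    # bk_waf appends the real client address in X-Client-IP and the
    # application backends bind their outgoing source address to it
    # ('usesrc hdr_ip(X-Client-IP)'). Strip any copy the client sent itself
    # so it cannot pick the address HAProxy connects from -- especially on
    # the bk_web bypass path, where we never add the header ourselves.
    # Requires HAProxy 1.5+; on 1.4 use 'reqidel ^X-Client-IP:' instead.
    http-request del-header X-Client-IP

    # --- Routing ---------------------------------------------------------------
    acl no_waf nbsrv(bk_waf) eq 0
    acl waf_max_capacity queue(bk_waf) ge 1
    # FAIL-OPEN: with no WAF server up, traffic reaches the application
    # servers unfiltered. Remove this line if you prefer fail-closed.
    use_backend bk_web if no_waf
    # waf_max_capacity is defined but intentionally not used: bypassing the
    # WAF when it is saturated would also be fail-open. To enable anyway:
    # use_backend bk_web if waf_max_capacity
    default_backend bk_waf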
# First hop after ft_waf: every request is pushed through nginx/naxsi,
# which in turn proxies it back to the ft_web frontend on 10.0.6.3:81.
backend bk_waf
    mode http
    log global
    option httplog
    balance roundrobin
    timeout server 25s
    # Hand the real client address to the WAF (and, transitively, to the
    # application backends) in X-Client-IP instead of X-Forwarded-For.
    option forwardfor header X-Client-IP
    # Error-rate tripwire: more than 10 HTTP errors per 10s from one source
    # flags that IP in the shared stick-table (gpc0); ft_waf then rejects
    # it at connection time.
    acl abuse sc1_http_err_rate gt 10
    acl kill sc1_inc_gpc0 gt 0
    tcp-request content reject if abuse kill
    # Plain TCP check on port 81: it proves nginx is listening, not that
    # naxsi is loaded or that nginx can reach ft_web. An 'option httpchk'
    # expecting naxsi's deny response would be a stronger check.
    server waf1 10.0.5.3:81 maxconn 10000 check
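# Traffic that already went through the WAF arrives here.
frontend ft_web
    bind 10.0.6.3:81 name http
    mode http
    log global
    option httplog
    timeout client 25s
    # NOTE: lower than the 10000 allowed on ft_waf and on waf1; under load
    # connections queue at this hop rather than at the WAF.
    maxconn 1000

    # Only the WAF host may talk to this frontend. nginx listens on
    # 10.0.5.3 and proxies to 10.0.6.3 -- adjust this list to the address
    # nginx actually connects from (visible in the ft_web log). Without it
    # anyone able to reach 10.0.6.3:81 bypasses naxsi entirely.
    acl from_waf src 10.0.5.3 10.0.6.3
    tcp-request connection reject if !from_waf

    # Host-based routing. This only works if nginx forwards the client's
    # original Host header (proxy_set_header Host $host); nginx's default
    # for proxied requests is the proxy_pass address, i.e. "10.0.6.3:81",
    # which never matches these lists.
    acl is_comm hdr(host) -i -f /etc/haproxy/commweb
    use_backend com_web if is_comm
    acl is_comwbm hdr(host) -i -f /etc/haproxy/webmailredirect
    redirect location http://newwebmail.example.net if is_comwbm
    default_backend bk_web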
backend com_web
    # Farm for the commercial domains selected by ft_web's is_comm ACL.
    mode http
    log global
    option httplog
    balance roundrobin
    # Client address is additionally forwarded in the default X-Forwarded-For.
    option forwardfor
    # Cookie stickiness (a single server today, so effectively a no-op).
    cookie SERVERID insert indirect nocache
    option httpchk HEAD /
    timeout server 25s
    # Bind the outgoing connection to the client address found in
    # X-Client-IP (added by bk_waf, not by ft_waf). This is transparent
    # proxying and needs TPROXY support plus return routing through this
    # host; health checks do not use it.
    source 0.0.0.0 usesrc hdr_ip(X-Client-IP)
    # Health-check timing spelled out on the server line instead of via
    # default-server.
    server comserver01 10.0.6.22:80 maxconn 10000 weight 10 cookie server1 check inter 30s rise 2 fall 3
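# Application server farm, reached after the WAF (or directly via the
# fail-open bypass in ft_waf when no WAF server is up).
backend bk_web
    balance roundrobin
    mode http
    log global
    option httplog
    option forwardfor
    # Sticky sessions: each server needs a UNIQUE cookie value. Previously
    # webserver02/03/04 all used 'server2', so a returning SERVERID=server2
    # cookie could not be mapped to the server that issued it (HAProxy
    # should warn about the duplicate value at startup).
    cookie SERVERID insert indirect nocache
    default-server inter 30s rise 2 fall 3
    option httpchk HEAD /
    # Transparent proxying: connect to the application server using the
    # client's own address, taken from X-Client-IP (by default the last
    # occurrence, i.e. the one bk_waf appends with
    # 'option forwardfor header X-Client-IP'). This only works if
    #   * HAProxy is built with TPROXY support and the kernel permits it
    #     (net.ipv4.ip_nonlocal_bind=1 / IP_TRANSPARENT), and
    #   * every application server routes its replies back THROUGH this
    #     HAProxy host (HAProxy as default gateway, or policy routing).
    # Otherwise the SYN leaves with the client's address, the reply never
    # comes back, the connect fails and the client gets a 503 -- while the
    # health checks, which do not use usesrc, keep reporting the servers UP.
    # On the ft_waf bypass path no X-Client-IP is present, so HAProxy falls
    # back to its own address and the request succeeds; that asymmetry is
    # the classic symptom of a missing TPROXY / return-route setup.
    source 0.0.0.0 usesrc hdr_ip(X-Client-IP)
    timeout server 25s
    server webserver01 10.0.6.10:80 maxconn 10000 weight 10 cookie server1 check
    server webserver02 10.0.6.11:80 maxconn 10000 weight 10 cookie server2 check
    server webserver03 10.0.6.12:80 maxconn 10000 weight 10 cookie server3 check
    server webserver04 10.0.6.13:80 maxconn 10000 weight 10 cookie server4 check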
http {
include /etc/nginx/naxsi_core.rules;
include mime.types;
server_names_hash_bucket_size 128;
sendfile on;
keepalive_timeout 65;
tcp_nodelay on;
gzip on;
gzip_disable "MSIE [1-6]\.(?!.*SV1)";
server {
proxy_set_header Proxy-Connection "";
listen 10.0.5.3:81;
access_log /var/log/nginx/access.log;
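location / {
    # naxsi rules for this vhost (SecRulesEnabled / DeniedUrl are presumably
    # in test.rules -- confirm, naxsi is inert without them).
    include /etc/nginx/test.rules;
    # Forward the client's original Host header. Without this nginx sends
    # "Host: 10.0.6.3:81" upstream, so the hdr(host) ACLs in HAProxy's
    # ft_web never match and the application vhosts see the wrong name.
    # Other request headers (e.g. the X-Client-IP HAProxy adds) are passed
    # through unchanged by default.
    proxy_set_header Host $host;
    # Back to HAProxy's ft_web frontend, which reaches the application farm.
    proxy_pass http://10.0.6.3:81/;
}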