3
我已經設置了我的服務器上光油如下:光油和SSL與龐德
backend web1 {.host = "XXX.XXX.XXX.XXX"; .port = "80";}
backend web2 {.host = "XXX.XXX.XXX.XXX"; .port = "80";}
backend web3 {.host = "XXX.XXX.XXX.XXX"; .port = "80";}
backend web1_ssl {.host = "XXX.XXX.XXX.XXX"; .port = "443";}
backend web2_ssl {.host = "XXX.XXX.XXX.XXX"; .port = "443";}
backend web3_ssl {.host = "XXX.XXX.XXX.XXX"; .port = "443";}
director default_director round-robin {
{ .backend = web1; }
{ .backend = web2; }
{ .backend = web3; }
}
director ssl_director round-robin {
{ .backend = web1_ssl; }
{ .backend = web2_ssl; }
{ .backend = web3_ssl; }
}
# Respond to incoming requests.
sub vcl_recv {
# Set the director to cycle between web servers.
set req.grace = 120s;
if (req.http.X-Forwarded-Proto == "https") {
set req.http.X-Forwarded-Port = "443";
set req.backend = ssl_director;
} else {
set req.http.X-Forwarded-Port = "80";
set req.http.X-Forwarded-Proto = "http";
set req.backend = default_director;
}
...
}
這工作完全如果我打我的IP地址(無SSL)在瀏覽器中,但如果我能鎊(配置如下圖):
ListenHTTPS
Address XXX.XXX.XXX.XXX #Local IP of the VarnishWebServer
Port 443
Cert "/etc/apache2/ssl/apache.pem"
AddHeader "X-Forwarded-Proto: https"
HeadRemove "X-Forwarded-Proto"
Service
BackEnd
Address 127.0.0.1
Port 80
End
End
末
,我收到了503 everyime我試着打本地IP地址(varnishlog -0):
11 RxURL c /favicon.ico
11 RxProtocol c HTTP/1.1
11 RxHeader c Host: XXX.XXX.XXX (Varnish Server IP Address)
11 RxHeader c Connection: keep-alive
11 RxHeader c Accept: */*
11 RxHeader c User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.107 Safari/537.36
11 RxHeader c Accept-Encoding: gzip,deflate,sdch
11 RxHeader c Accept-Language: en-US,en;q=0.8
11 RxHeader c X-Forwarded-Proto: https
11 RxHeader c X-SSL-cipher: DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(128) Mac=AEAD
11 RxHeader c X-Forwarded-For: XXX.XXX.XXX.XXX (My Local machine IP)
11 VCL_call c recv lookup
11 VCL_call c hash
11 Hash c /favicon.ico
11 Hash c 198.61.252.81
11 VCL_return c hash
11 VCL_call c miss fetch
11 Backend c 14 ssl_director web2_ssl
11 FetchError c http read error: -1 0 (Success)
11 VCL_call c error deliver
11 VCL_call c deliver deliver
11 TxProtocol c HTTP/1.1
11 TxStatus c 503
11 TxResponse c Service Unavailable
11 TxHeader c Server: Varnish
...
11 ReqEnd c 1175742305 1391779282.930887222 1391779282.934647560 0.000097752 0.003678322 0.000082016
11 SessionClose c error
我看着我的HTTP聽衆,我看到:
[email protected]:/etc/apache2/ssl# lsof -i -n|grep http
pound 7947 www-data 5u IPv4 63264 0t0 TCP XXX.XXX.XXX.XXXX:https (LISTEN)
pound 7948 www-data 5u IPv4 63264 0t0 TCP XXX.XXX.XXX.XXXX:https (LISTEN)
varnishd 8333 nobody 7u IPv4 64977 0t0 TCP *:http (LISTEN)
varnishd 8333 nobody 8u IPv6 64978 0t0 TCP *:http (LISTEN)
varnishd 8333 nobody 13u IPv4 65029 0t0 TCP XXX.XXX.XXX.XXXX:37493- >YYYY.YYYY.YYYY.YYYY3:http (CLOSE_WAIT)
apache2 19433 root 3u IPv4 31020 0t0 TCP *:http-alt (LISTEN)
apache2 19438 www-data 3u IPv4 31020 0t0 TCP *:http-alt (LISTEN)
apache2 19439 www-data 3u IPv4 31020 0t0 TCP *:http-alt (LISTEN)
pound 19669 www-data 5u IPv4 31265 0t0 TCP 127.0.0.1:https (LISTEN)
pound 19670 www-data 5u IPv4 31265 0t0 TCP 127.0.0.1:https (LISTEN)
其中XXX.XXX.XXX.XXX是清漆的Web服務器的內部IP地址,YYYY.YYYY.YYYY.YYY是IP地址在VCL中定義的後端系統之一。
任何想法,爲什麼我一直得到503s?
UPDATE
如前所述光油不支持SSL,因此使用英鎊可以將交通換乘從443到80,但是當它的完成 - 它不能使用端口443(ssl_diretector)來服務交通。刪除ssl_director並將default_director設置爲主,完美工作。
它看起來像你想清漆連接到SSL後端('web1_ssl'等)。距上次使用Varnish已經一年多了,但我認爲它不支持SSL(這就是爲什麼您在前端首先使用Pound的原因)。 – larsks
是 - 屁股磅,需要SSL連接,解密它,通過端口80上光油。所以基本上 - 你的話說擺脫ssl塊,讓它只是去http正常? – gregavola
是的,因爲清漆不會說ssl。所以如果你把它指向SSL後端,它會嘗試講正常的http,連接會崩潰,你會得到一個503錯誤。 – larsks