У меня HAProxy перед ADFS; к сожалению, HAProxy не передаёт соединение на сервер ADFS и отвечает ошибкой 503. Я использовал внешний скрипт проверки на HAProxy для ADFS.
haproxy.conf:
global
log 127.0.0.1 local2
daemon
# chroot applies to everything the worker process executes, including
# the external-check program: the interpreter (/bin/bash), /usr/bin/curl
# and the check script itself must then be reachable *inside*
# /var/lib/haproxy. NOTE(review): confirm the script actually starts
# under chroot (check the haproxy log), or drop chroot while debugging.
chroot /var/lib/haproxy
pidfile /var/run/haproxy.pid
maxconn 5000
user haproxy
group haproxy
tune.ssl.default-dh-param 2048
ssl-default-bind-options ssl-min-ver TLSv1.2
# NOTE(review): this line looks truncated in the paste (trailing "$");
# the real config presumably carries the full cipher list.
ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256$
# Global switch that allows "option external-check" in backends.
external-check
stats socket /var/lib/haproxy/stats
defaults
maxconn 5000
timeout connect 10s
timeout client 50s
timeout server 50s
# Upper bound for one health check, including the external script.
timeout check 10s
retries 3
# HTTP frontend: terminates TLS on :443 and sends everything to backend
# "default". The log excerpt below shows the ADFS request being handled
# here ("main~ default"), not by frontend "tcpmode".
frontend main
mode http
log global
option httplog
option dontlognull
option http-server-close
option forwardfor except 127.0.0.0/8
bind :443 ssl crt /etc/haproxy/SSL/cert.pem
default_backend default
# TCP frontend. It binds :443 as well, so two frontends listen on the
# same port; which one accepts a given connection is then not under your
# control (on Linux the binds typically both succeed and the kernel
# splits incoming connections between them). Give each frontend its own
# port, or merge the two into one frontend.
frontend tcpmode
mode tcp
log global
option tcplog
option dontlognull
bind :443 ssl crt /etc/haproxy/SSL/cert.pem
bind :49443 ssl crt /etc/haproxy/SSL/cert.pem
# hdr_dom(host) is an HTTP-layer fetch: in a "mode tcp" frontend the
# request is never parsed, so these ACLs cannot match and every
# connection falls through to default_backend. TLS is terminated on the
# bind lines, so the client's SNI (ssl_fc_sni) is the natural thing to
# route on here. NOTE(review): the ":443"/":49443" suffixes are also
# unlikely to be part of what a host-name match compares -- verify.
acl host_wap-adfs hdr_dom(host) -i adfs.domaine.fr:443
acl host_wap-adfs2 hdr_dom(host) -i adfs.domaine.fr:49443
use_backend wap-adfs if host_wap-adfs
use_backend wap-adfs2 if host_wap-adfs2
default_backend tcpmode
# Backend that produced the 503s in the log below: "SC--" with
# Tw/Tc/Tr = -1 and no server name in the pasted line means no server
# connection was attempted, which is what happens when every server is
# DOWN. NOTE(review): "check send-proxy" without an explicit check port
# makes the health check itself speak the PROXY protocol to :80; if the
# listeners on 192.168.100.1/2:80 do not accept it, both servers are
# marked DOWN. Confirm with "show stat" on the stats socket.
backend default
mode http
balance roundrobin
server HAPROXY1 192.168.100.1:80 check send-proxy
server HAPROXY2 192.168.100.2:80 check send-proxy
# Same servers and the same send-proxy caveat as above, on :443.
backend tcpmode
mode tcp
balance roundrobin
retry-on empty-response conn-failure response-timeout
server HAPROXY1 192.168.100.1:443 check send-proxy
server HAPROXY2 192.168.100.2:443 check send-proxy
backend wap-adfs
mode tcp
balance roundrobin
retry-on empty-response conn-failure response-timeout
option external-check
option log-health-checks
# PATH given to the external check program.
external-check path "/var/lib/haproxy/dev"
# Only one "external-check command" is honoured per backend; the second
# line replaces the first, so the effective command is /bin/true and
# adfs_check never runs (the server is always reported UP). Remove the
# /bin/true line (same issue in backend wap-adfs2).
external-check command /var/lib/haproxy/adfs_check
external-check command /bin/true
server WAP-ADFS 192.168.100.10:443 check fall 3 rise 2
backend wap-adfs2
mode tcp
balance roundrobin
retry-on empty-response conn-failure response-timeout
option external-check
option log-health-checks
external-check path "/var/lib/haproxy/dev"
# Duplicate "external-check command": /bin/true wins, adfs_check never runs.
external-check command /var/lib/haproxy/adfs_check
external-check command /bin/true
# The check script receives this port as $4; the original script ignores
# it and always probes :443, so this backend's check does not test :49443.
server WAP-ADFS 192.168.100.10:49443 check fall 3 rise 2
внешний скрипт:
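#!/bin/bash
# External health check for an SNI-enabled ADFS server, run by HAProxy
# through "external-check command".
#
# HAProxy invokes the command as:
#   <proxy_address> <proxy_port> <server_address> <server_port>
# so $3 is the real server's IP and $4 its port. The original script used
# $3 only and always probed port 443; the port now follows the server line
# (e.g. 49443 for backend wap-adfs2), falling back to 443 when absent.
#
# Exit status: 0 when the ADFS IdP-initiated sign-on page fetched from the
# real server contains $CHECK_VALUE, 1 otherwise. HAProxy marks the server
# UP/DOWN from that status. There is deliberately no "set -e": a failure to
# write the PID file must not by itself report the server DOWN.
#
# Optional environment overrides (defaults match the original script):
#   SNI_HOST, SNI_URI, CHECK_VALUE, CURL_TIMEOUT

REAL_SERVER_IP=$3
REAL_SERVER_PORT=${4:-443}
SNI_HOST=${SNI_HOST:-adfs.domaine.fr}
SNI_URI=${SNI_URI:-/adfs/ls/IdpInitiatedSignon.htm}
CHECK_VALUE=${CHECK_VALUE:-Sign in}
CURL_TIMEOUT=${CURL_TIMEOUT:-5}

# Without a server address there is nothing to probe; report DOWN instead
# of letting curl resolve the public name and check some other host.
if [[ -z "$REAL_SERVER_IP" ]]; then
  printf 'adfs_check: missing server address (argument 3)\n' >&2
  exit 1
fi

# Stop a previous, still-running instance of this check (e.g. a curl that
# hung longer than HAProxy's "timeout check"). The PID file name embeds the
# SNI host so checks for different hosts do not kill each other.
# NOTE(review): /var/run must be writable by the haproxy user, and it must
# exist inside the chroot when "chroot" is set in the global section.
PIDFILE="/var/run/sni-check-$SNI_HOST.pid"
if [[ -f "$PIDFILE" ]]; then
  old_pid=$(<"$PIDFILE")
  # Act only on a plausible PID (never arbitrary file content) and never on
  # our own PID. SIGTERM is enough for a hung curl; -9 was the original.
  if [[ "$old_pid" =~ ^[0-9]+$ && "$old_pid" != "$$" ]]; then
    kill "$old_pid" >/dev/null 2>&1
  fi
fi
printf '%s\n' "$$" > "$PIDFILE"

# Fetch the login page directly from the real server while presenting the
# public host name, so the TLS handshake carries the expected SNI and the
# server's virtual-host routing works. --resolve pins the name to the
# server under test for this one request only; the port must appear in
# both the --resolve triple and the URL for that pin to apply.
# -k skips certificate verification: this check proves that the ADFS
# application answers, not that its certificate chain is valid.
# $SNI_URI already starts with "/", so it is appended without another
# slash (the original produced https://host//adfs/..., a double slash).
CURL_OUTPUT=$(/usr/bin/curl -k -s -m "$CURL_TIMEOUT" \
  --resolve "$SNI_HOST:$REAL_SERVER_PORT:$REAL_SERVER_IP" \
  "https://$SNI_HOST:$REAL_SERVER_PORT$SNI_URI")

# Healthy when the sign-in marker appears anywhere in the page body.
# NOTE(review): "Sign in" is the English UI string; an ADFS farm that
# serves another language will never match -- verify CHECK_VALUE against
# a real response from the server.
if [[ "$CURL_OUTPUT" == *"$CHECK_VALUE"* ]]; then
  exit 0
fi
exit 1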
Ошибка в журнале:
IP:65209 [18/Mar/2020:16:29:04.278] main~ default/ 0/-1/-1/-1/0 503 237 - - SC-- 11/10/0/0/0 0/0 "GET /adfs/ls/IdpInitiatedSignon.htm HTTP/1.1"
IP:65211 [18/Mar/2020:16:29:04.795] main~ default/ 0/-1/-1/-1/0 503 237 - - SC-- 10/10/0/0/0 0/0 "GET /favicon.ico HTTP/1.1"