
Haproxy Nginx / Naxsi для веб-серверов не работает

У меня есть связка haproxy / nginx / naxsi для балансировки нагрузки и безопасности. Предполагается, что трафик поступает в haproxy, затем на nginx / naxsi и, наконец, на веб-серверы, если он прошёл WAF. Кроме того, на внешней стороне используется другой IP-адрес, чем на внутренней.

Что, чёрт возьми, я делаю не так, раз трафик не проходит через nginx? При прохождении через nginx я получаю только ошибки 503; если же я обхожу nginx / naxsi, всё работает как задумано.

Inet -> Haproxy .5.3:80 -> .5.3:81 Nginx / Naxsi .6.3:81 -> .6.x:80 веб-серверы


# Public entry point: every client request lands here and is normally handed
# to the WAF farm (bk_waf); the only way around the WAF is the no_waf rule below.
frontend ft_waf
  bind 10.0.5.15:80 name http
  mode http
  log global
  option httplog
  timeout client 25s
  maxconn 10000

  # DDOS protection
  # Use General Purpose Counter (gpc) 0 in SC1 as a global abuse counter
  # Monitors the number of request sent by an IP over a period of 10 seconds
  stick-table type ip size 1m expire 1m store gpc0,http_req_rate(10s),http_err_rate(10s)
  tcp-request connection track-sc1 src
  # Any source whose gpc0 was raised (by the kill ACLs here or in bk_waf) is
  # refused at connection time until its stick-table entry expires (expire 1m).
  tcp-request connection reject if { sc1_get_gpc0 gt 0 }
  # Abuser means more than 100reqs/10s
  acl abuse sc1_http_req_rate gt 100
  # sc1_inc_gpc0 / sc1_clr_gpc0 modify the counter as a side effect of being
  # evaluated, so they are kept last in each rule: "kill" only marks the IP
  # once "abuse" already matched, "save" only clears it for non-abusers.
  acl kill sc1_inc_gpc0 gt 10
  acl save sc1_clr_gpc0 ge 0
  tcp-request connection accept if !abuse save
  tcp-request connection reject if abuse kill
  acl no_waf nbsrv(bk_waf) eq 0
  # NOTE(review): waf_max_capacity is defined but used by no rule, so the
  # "reaches its capacity" bypass announced below never happens. Wiring it up
  # (use_backend bk_web if waf_max_capacity) would send uninspected traffic to
  # the application servers whenever the WAF queue is non-empty - a deliberate
  # fail-open decision, not a drop-in fix.
  acl waf_max_capacity queue(bk_waf) ge 1
  # bypass WAF farm if no WAF available
  # NOTE(review): this is fail-open - with waf1 down every request reaches
  # bk_web without inspection. If inspection is a hard requirement, route
  # no_waf to an error/maintenance backend instead.
  use_backend bk_web if no_waf
  # bypass WAF farm if it reaches its capacity
  default_backend bk_waf

# WAF farm where users' traffic is routed first
backend bk_waf
  balance roundrobin
  mode http
  log global
  option httplog
  # Records the real client address for bk_web/com_web, which rebuild the
  # upstream connection from it (source ... usesrc hdr_ip(X-Client-IP)).
  # NOTE(review): a client-supplied X-Client-IP is not stripped before this
  # appends its own occurrence; hdr_ip() reads the last occurrence by default
  # (confirm against this HAProxy version's docs), but deleting the inbound
  # header at ft_waf (http-request del-header, where supported) makes the
  # trust boundary explicit instead of relying on occurrence order.
  option forwardfor header X-Client-IP
  # If the source IP produced more than 10 HTTP request errors over the 10s
  # window (sc1_http_err_rate - errors, not requests), flag the IP as abuser
  # on the frontend so its next connection is rejected by ft_waf's
  # sc1_get_gpc0 check. Presumably NAXSI blocks answered with a 4xx feed this
  # counter too - verify against the DeniedUrl response code.
  acl abuse sc1_http_err_rate gt 10
  acl kill sc1_inc_gpc0 gt 0
  tcp-request content reject if abuse kill
  # Specific WAF checking: a DENY means everything is OK
  # NOTE(review): the comment above describes an HTTP health check that is not
  # configured here - without "option httpchk" the "check" on waf1 is a plain
  # TCP connect check, so nginx being up with NAXSI misconfigured still counts
  # as healthy.
  timeout server 25s
  server waf1 10.0.5.3:81 maxconn 10000 check

# Traffic secured by the WAF arrives here
# NOTE(review): anything able to reach 10.0.6.3:81 skips the WAF entirely;
# restrict reachability of this bind to the nginx/NAXSI host (host firewall
# or a dedicated interface) so it cannot be hit directly.
frontend ft_web
  bind 10.0.6.3:81 name http
  mode http
  log global
  option httplog
  # route commercial domains to com_web
  # Both rules below match on the Host header, so the proxy in front must pass
  # the client's original Host through rather than its upstream address.
  acl is_comm hdr(host) -i -f /etc/haproxy/commweb
  use_backend com_web if is_comm
  acl is_comwbm hdr(host) -i -f /etc/haproxy/webmailredirect
  # HAProxy applies frontend redirect rules before backend selection,
  # regardless of where they appear relative to use_backend.
  redirect location http://newwebmail.example.net if is_comwbm
  timeout client 25s
  # Lower than ft_waf / waf1 (10000): connections beyond 1000 queue on this
  # listener rather than being served - confirm this is intended.
  maxconn 1000
  default_backend bk_web

# commercial-domain farm (selected by ft_web's is_comm ACL)
backend com_web
  balance roundrobin
  mode http
  log global
  option httplog
  # adds the previous hop to X-Forwarded-For; the original client address is
  # carried separately in X-Client-IP
  option forwardfor
  cookie SERVERID insert indirect nocache
  default-server inter 30s rise 2 fall 3
  option httpchk HEAD /
  # get connected on the application server using the user ip
  # provided in the X-Client-IP header set by bk_waf (option forwardfor header X-Client-IP)
  # NOTE(review): usesrc hdr_ip(...) uses the client's address as the source
  # of the upstream connection (transparent proxying). That needs TPROXY
  # support in kernel and HAProxy build and, crucially, the application servers
  # must route their replies back through this host; otherwise they answer the
  # real client directly, the connection never completes and HAProxy returns
  # 503 while health checks (which cannot use the header and presumably use the
  # default source) still show the server UP. Requests without X-Client-IP -
  # likely the case on the no_waf bypass, since only bk_waf sets it - would
  # fall back to the default source, which may be why the bypass path works.
  source 0.0.0.0 usesrc hdr_ip(X-Client-IP)
  timeout server 25s
  server comserver01 10.0.6.22:80 maxconn 10000 weight 10 cookie server1 check

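# application server farm (default backend of ft_web, and of ft_waf when no WAF is up)
backend bk_web
  balance roundrobin
  mode http
  log global
  option httplog
  # adds the previous hop to X-Forwarded-For; the original client address is
  # carried separately in X-Client-IP
  option forwardfor
  # Persistence cookie: every server needs a distinct value, otherwise clients
  # pinned to a shared value always land on the first server carrying it.
  cookie SERVERID insert indirect nocache
  default-server inter 30s rise 2 fall 3
  option httpchk HEAD /
  # get connected on the application server using the user ip
  # provided in the X-Client-IP header set by bk_waf (option forwardfor header X-Client-IP)
  # NOTE(review): usesrc hdr_ip(...) uses the client's address as the source
  # of the upstream connection (transparent proxying). That needs TPROXY
  # support in kernel and HAProxy build and, crucially, the application servers
  # must route their replies back through this host; otherwise they answer the
  # real client directly, the connection never completes and HAProxy returns
  # 503 while health checks (which cannot use the header and presumably use the
  # default source) still show the servers UP. Requests without X-Client-IP -
  # likely the case on the no_waf bypass, since only bk_waf sets it - would
  # fall back to the default source, which may be why the bypass path works.
  source 0.0.0.0 usesrc hdr_ip(X-Client-IP)
  timeout server 25s
  # webserver02..04 previously shared "cookie server2"; each now has its own
  # value so persistence can actually reach webserver03 and webserver04.
  server webserver01 10.0.6.10:80 maxconn 10000 weight 10 cookie server1 check
  server webserver02 10.0.6.11:80 maxconn 10000 weight 10 cookie server2 check
  server webserver03 10.0.6.12:80 maxconn 10000 weight 10 cookie server3 check
  server webserver04 10.0.6.13:80 maxconn 10000 weight 10 cookie server4 check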

http {
 include        /etc/nginx/naxsi_core.rules;
 include        mime.types;
 server_names_hash_bucket_size 128;

 sendfile        on;
 keepalive_timeout  65;
 tcp_nodelay        on;

 gzip  on;
 gzip_disable "MSIE [1-6]\.(?!.*SV1)";

server {
 proxy_set_header Proxy-Connection "";
 listen       10.0.5.3:81;
 access_log  /var/log/nginx/access.log;

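 location / {
   # NAXSI per-location rules; SecRulesEnabled, DeniedUrl and the CheckRule
   # thresholds are expected in test.rules - without SecRulesEnabled there
   # NAXSI inspects nothing, and LearningMode only logs. Verify the file.
   include    /etc/nginx/test.rules;
   # proxy_set_header is inherited from the server level only when this level
   # defines none, so Proxy-Connection must be repeated once Host is set here.
   proxy_set_header Proxy-Connection "";
   # Pass the client's Host through: by default nginx sends $proxy_host
   # ("10.0.6.3:81"), which can never match the hdr(host) routing and
   # webmail-redirect lists in HAProxy's ft_web.
   proxy_set_header Host $host;
   proxy_pass http://10.0.6.3:81/;
  }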