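I'm trying to work out why haproxy seems to replace br with gzip in the "Accept-Encoding" header when a request passes through haproxy.
My application is currently structured like this: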
HAPROXY(tls termination) -> varnish -> apache
So I test like this:
curl -I --http2 -H 'Accept-Encoding: br' -I https://mysite.dev:31753?tru
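So - a single GET request is sent to haproxy (using curl), and it strictly asks only for ......
So that is what I would expect to see at varnish, but what actually arrives at varnish are these two requests:
- a HEAD request with br
- a GET request with the value gzip instead...
I'm confused - why are there now 2 requests? I have not configured compression in haproxy, so how can it rewrite br to gzip.
The requests to varnish (I got this using the tcpflow program):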
172.030.000.035.41382-172.030.000.034.00080: HEAD /?tru HTTP/1.1
user-agent: curl/7.68.0
accept: */*
accept-encoding: br
host: mysite.dev:31753
x-client-ip: 192.168.10.103
x-forwarded-port: 31753
x-forwarded-proto: https
x-forwarded-for: 192.168.10.103
connection: close

172.030.000.034.41882-172.030.000.033.00080: GET /?tru HTTP/1.1
user-agent: curl/7.68.0
accept: */*
x-client-ip: 192.168.10.103
x-forwarded-port: 31753
x-forwarded-proto: https
X-Forwarded-For: 192.168.10.103, 172.30.0.35
host: mysite:31753
Accept-Encoding: gzip
X-Varnish: 328479
My haproxy configuration looks like this:
global
    maxconn 1024
    log stdout format raw local0
    ssl-default-bind-options ssl-min-ver TLSv1.2

defaults
    log global
    option httplog
    option http-server-close
    mode http
    option dontlognull
    timeout connect 5s
    timeout client 20s
    timeout server 45s

frontend fe-wp-combined
    mode tcp
    bind *:31753
    tcp-request inspect-delay 2s
    tcp-request content accept if HTTP
    tcp-request content accept if { req.ssl_hello_type 1 }
    use_backend be-wp-recirc-http if HTTP
    default_backend be-wp-recirc-https

backend be-wp-recirc-http
    mode tcp
    server loopback-for-http abns@wp-haproxy-http send-proxy-v2

backend be-wp-recirc-https
    mode tcp
    server loopback-for-https abns@wp-haproxy-https send-proxy-v2

frontend fe-wp-https
    mode http
    bind abns@wp-haproxy-https accept-proxy ssl crt /certs/fullkeychain.pem alpn h2,http/1.1
    # whatever you need to do for HTTPS traffic
    default_backend be-wp-real

frontend fe-wp-http
    mode http
    bind abns@wp-haproxy-http accept-proxy
    # whatever you need to do for HTTP traffic
    redirect scheme https code 301 if !{ ssl_fc }

backend be-wp-real
    mode http
    balance roundrobin
    option forwardfor
    # Send these requests to check health
    option httpchk
    http-check send meth HEAD uri / ver HTTP/1.1 hdr Host haproxy.local
    http-response del-header Server
    http-response del-header via
    server wp-backend1 proxy-varnish:80 check
    http-request set-header x-client-ip %[src]
    http-request set-header X-Forwarded-Port %[dst_port]
    http-request add-header X-Forwarded-Proto https if { ssl_fc }
If anyone knows what is going on here, please help - this is very frustrating.
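
An added example, not part of the original post: it parses an abridged copy of the tcpflow capture above and compares the two requests hop by hop, to show which host sent each one and which headers changed in between. The function names are hypothetical; X-Varnish is the request header Varnish adds when it forwards a request to its backend.

```python
import re

# Abridged copy of the tcpflow capture from the post (two flows, key headers only).
CAPTURE = """\
172.030.000.035.41382-172.030.000.034.00080: HEAD /?tru HTTP/1.1
accept-encoding: br
host: mysite.dev:31753
x-forwarded-for: 192.168.10.103
connection: close
172.030.000.034.41882-172.030.000.033.00080: GET /?tru HTTP/1.1
X-Forwarded-For: 192.168.10.103, 172.30.0.35
host: mysite:31753
Accept-Encoding: gzip
X-Varnish: 328479
"""

# tcpflow prints each endpoint as four zero-padded octets plus a five-digit port.
FLOW = re.compile(r"^((?:\d{3}\.){4}\d{5})-((?:\d{3}\.){4}\d{5}): (\w+) \S+ HTTP/")

def address(raw):
    """'172.030.000.035.41382' -> '172.30.0.35' (port dropped)."""
    return ".".join(str(int(octet)) for octet in raw.split(".")[:4])

def parse_flows(text):
    """Return one dict per request: source, destination, method, lower-cased headers."""
    flows = []
    for line in text.splitlines():
        match = FLOW.match(line)
        if match:
            flows.append({"src": address(match[1]), "dst": address(match[2]),
                          "method": match[3], "headers": {}})
        elif flows and ": " in line:
            name, value = line.split(": ", 1)
            flows[-1]["headers"][name.lower()] = value
    return flows

def is_chained(upstream, downstream):
    """True when the host that received `upstream` is the sender of `downstream`."""
    return downstream["src"] == upstream["dst"]

def hop_diff(upstream, downstream):
    """Map header name -> (value before, value after) for every header that changed."""
    a, b = upstream["headers"], downstream["headers"]
    return {k: (a.get(k), b.get(k)) for k in sorted(a.keys() | b.keys()) if a.get(k) != b.get(k)}

if __name__ == "__main__":
    first, second = parse_flows(CAPTURE)
    print(first["method"], "->", second["method"], "chained:", is_chained(first, second))
    for name, (before, after) in hop_diff(first, second).items():
        print(f"  {name}: {before!r} -> {after!r}")
```

On this capture the GET is sent from 172.30.0.34, the address that received the HEAD on port 80, and it carries X-Varnish. The change of method and of Accept-Encoding therefore appears between those two hops, after the request has already left haproxy.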