[alibaba/tengine] Does the health check module support HTTPS?

2024-07-10 91 views
1

Part of our project needs to use HTTPS. Does Tengine support HTTPS health checks?

Answers

8

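See http://tengine.taobao.org/document_cn/http_upstream_check_cn.html

type: the type of health check packet; the following types are currently supported. ssl_hello: sends an initial SSL hello packet and receives the server's SSL hello packet. ...

ssl+http is not supported; only ssl hello packet detection is supported.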

5

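Supporting HTTPS is technically feasible, and we also plan to support it, but it probably won't be done in the near term. Patches from the community to complete this feature are also welcome.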

8

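With the health check type set to type=ssl_hello, is it possible to specify the SSL protocol version, such as SSLv2, SSLv3.0, TLSv1, TLSv1.1, TLSv1.2? Is it possible to specify the cipher suites (ssl_ciphers)? Is there a configuration example for type=ssl_hello?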

6

hi @zuoqiying ,

Currently the SSL protocol packet sent by type=ssl_hello is fixed and cannot be configured. The handshake packet format is as follows:

/*
 * This is the SSLv3 CLIENT HELLO packet used in conjunction with the
 * check type of ssl_hello to ensure that the remote server speaks SSL.
 *
 * Check RFC 2246 (TLSv1.0) sections A.3 and A.4 for details.
 */
static char sslv3_client_hello_pkt[] = {
    "\x16"                /* ContentType         : 0x16 = Handshake          */
    "\x03\x00"            /* ProtocolVersion     : 0x0300 = SSLv3            */
    "\x00\x79"            /* ContentLength       : 0x79 bytes after this one */
    "\x01"                /* HandshakeType       : 0x01 = CLIENT HELLO       */
    "\x00\x00\x75"        /* HandshakeLength     : 0x75 bytes after this one */
    "\x03\x00"            /* Hello Version       : 0x0300 = v3               */
    "\x00\x00\x00\x00"    /* Unix GMT Time (s)   : filled with <now> (@0x0B) */
    NGX_SSL_RANDOM        /* Random              : must be exactly 28 bytes  */
    "\x00"                /* Session ID length   : empty (no session ID)     */
    "\x00\x4E"            /* Cipher Suite Length : 78 bytes after this one   */
    "\x00\x01" "\x00\x02" "\x00\x03" "\x00\x04" /* 39 most common ciphers :  */
    "\x00\x05" "\x00\x06" "\x00\x07" "\x00\x08" /* 0x01...0x1B, 0x2F...0x3A  */
    "\x00\x09" "\x00\x0A" "\x00\x0B" "\x00\x0C" /* This covers RSA/DH,       */
    "\x00\x0D" "\x00\x0E" "\x00\x0F" "\x00\x10" /* various bit lengths,      */
    "\x00\x11" "\x00\x12" "\x00\x13" "\x00\x14" /* SHA1/MD5, DES/3DES/AES... */
    "\x00\x15" "\x00\x16" "\x00\x17" "\x00\x18"
    "\x00\x19" "\x00\x1A" "\x00\x1B" "\x00\x2F"
    "\x00\x30" "\x00\x31" "\x00\x32" "\x00\x33"
    "\x00\x34" "\x00\x35" "\x00\x36" "\x00\x37"
    "\x00\x38" "\x00\x39" "\x00\x3A"
    "\x01"                /* Compression Length  : 0x01 = 1 byte for types   */
    "\x00"                /* Compression Type    : 0x00 = NULL compression   */
};

For a type=ssl_hello configuration example, see: https://github.com/yaoweibin/nginx_upstream_check_module

check interval=3000 rise=2 fall=5 timeout=1000 type=ssl_hello;
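
Added example, not part of the original reply and not the module's own code: because the probe above offers only SSLv3 (0x0300), a backend that refuses that version normally answers with a TLS Alert record instead of a ServerHello, so it helps to tell the two apart when a TLS-only backend is reported down. The helper name, the result type and the sample byte strings below are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
enum reply_kind { REPLY_SERVER_HELLO, REPLY_ALERT, REPLY_NOT_TLS, REPLY_TRUNCATED };
/* version: ServerHello server_version (0x0300 = SSLv3); alert: AlertDescription. */
struct hello_reply { enum reply_kind kind; unsigned version; unsigned alert; };

/* Hypothetical helper: classify the first bytes a backend returns to the probe. */
struct hello_reply classify_hello_reply(const unsigned char *p, size_t len)
{
    struct hello_reply r = { REPLY_TRUNCATED, 0, 0 };
    if (len < 5)                        /* record header: type, version, length */
        return r;
    size_t rec_len = ((size_t)p[3] << 8) | p[4];
    if (p[1] != 0x03 || (p[0] != 0x15 && p[0] != 0x16)) {
        r.kind = REPLY_NOT_TLS;         /* e.g. a plain-HTTP error page */
        return r;
    }
    if (p[0] == 0x15) {                 /* Alert: level(1) + description(1) */
        if (rec_len >= 2 && len >= 7) {
            r.kind = REPLY_ALERT;
            r.alert = p[6];             /* 70 = protocol_version, 40 = handshake_failure */
        }
        return r;
    }
    /* Handshake: msg_type(1) + length(3) + server_version(2) */
    if (rec_len < 6 || len < 11)
        return r;
    if (p[5] != 0x02) {                 /* anything but ServerHello is unexpected */
        r.kind = REPLY_NOT_TLS;
        return r;
    }
    r.kind = REPLY_SERVER_HELLO;
    r.version = ((unsigned)p[9] << 8) | p[10];
    return r;
}

/* Constructed sample replies (not captured traffic); the hello is only the first 11 bytes. */
static const unsigned char SAMPLE_HELLO[] = { 0x16,0x03,0x00,0x00,0x2a, 0x02,0x00,0x00,0x26, 0x03,0x00 };
static const unsigned char SAMPLE_ALERT[] = { 0x15,0x03,0x03,0x00,0x02, 0x02,0x46 };
static const unsigned char SAMPLE_HTTP[]  = "HTTP/1.1 400 Bad Request\r\n";

int main(void)
{
    struct hello_reply a = classify_hello_reply(SAMPLE_ALERT, sizeof SAMPLE_ALERT);
    struct hello_reply h = classify_hello_reply(SAMPLE_HELLO, sizeof SAMPLE_HELLO);
    printf("alert desc=%u, hello version=0x%04x, http kind=%d\n", a.alert, h.version,
           classify_hello_reply(SAMPLE_HTTP, sizeof SAMPLE_HTTP - 1).kind);
    return 0;
}
```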
2

hi, @chobits, do health checks support HTTPS now?