MS Remote Desktop Gateway, HAProxy and password brute force

ื—ื‘ืจื™ื, ืฉืœื•ื!

There are many ways to connect from home to the work environment in the office. One of them is to use Microsoft Remote Desktop Gateway. This is RDP over HTTP. I don't want to touch the RDGW setup itself here, and I don't want to discuss why it is good or bad; let's treat it as one of the remote access tools. I want to talk about protecting your RDGW server from the evil Internet. When I set up the RDGW server, I immediately started worrying about security, especially protection against password brute force. I was surprised not to find any articles on the Internet about how to do it. Well, you'll have to do it yourself.

RDGW itself has no protection of its own. Yes, it can be exposed with a bare interface to the white (public) network and it will work fine. But this will make a proper administrator or information security specialist uneasy. Besides, protection will let you avoid an account lockout situation, when a careless employee saved the password of his corporate account on his home computer and then changed his password.

A good way to protect internal resources from the outside world is with various proxies, publishing systems and other WAFs. Let's remember that RDGW is still HTTP, so it just begs for a dedicated solution to be placed between the internal servers and the Internet.

I know there are the cool F5, A10, Netscaler (ADC). As an administrator of one of these systems, I'll say that brute-force protection can be configured on them too. And yes, these systems will also protect you from any SYN flood.

But not every company can afford to buy such a solution (and find an administrator for such a system :), yet it can still take care of security!

It is perfectly possible to install the free version of HAProxy on a free operating system. I tested on Debian 10, haproxy version 1.8.19 from the stable repository. I also tested it with version 2.0.xx from the testing repository.

ื ืฉืื™ืจ ืืช ื”ื’ื“ืจืช ื“ื‘ื™ืืŸ ืขืฆืžื” ืžื—ื•ืฅ ืœืชื—ื•ื ื”ืžืืžืจ ื”ื–ื”. ื‘ืงืฆืจื”: ื‘ืžืžืฉืง ื”ืœื‘ืŸ ืกื’ืจื• ื”ื›ืœ ื—ื•ืฅ ืžื™ืฆื™ืื” 443, ื‘ืžืžืฉืง ื”ืืคื•ืจ - ืœืคื™ ื”ืžื“ื™ื ื™ื•ืช ืฉืœื›ื ืœืžืฉืœ, ืกื’ืจื• ื”ื›ืœ ื—ื•ืฅ ืžื™ืฆื™ืื” 22. ืคืชื— ืจืง ืืช ืžื” ืฉืฆืจื™ืš ืœืขื‘ื•ื“ื” (VRRP ืœืžืฉืœ, ืœ-IP ืฆืฃ).

ืงื•ื“ื ื›ืœ, ื”ื’ื“ืจืชื™ ืืช ื”ืคืจื•ืงืกื™ ื‘ืžืฆื‘ ื’ื™ืฉื•ืจ SSL (ื”ืžื›ื•ื ื” ื’ื ืžืฆื‘ http) ื•ื”ืคืขืœืชื™ ืจื™ืฉื•ื ื›ื“ื™ ืœืจืื•ืช ืžื” ืงื•ืจื” ื‘ืชื•ืš RDP. ื›ื‘ื™ื›ื•ืœ, ื”ื’ืขืชื™ ื‘ืืžืฆืข. ืœื›ืŸ, ื”ื ืชื™ื‘ /RDWeb ืฉืฆื•ื™ืŸ ื‘"ื›ืœ" ื”ืžืืžืจื™ื ืขืœ ื”ื’ื“ืจืช RDGateway ื—ืกืจ. ื›ืœ ืžื” ืฉื™ืฉ ื”ื•ื /rpc/rpcproxy.dll ื•-/remoteDesktopGateway/. ื‘ืžืงืจื” ื–ื”, ืœื ื ืขืฉื” ืฉื™ืžื•ืฉ ื‘ื‘ืงืฉื•ืช GET/POST ืกื˜ื ื“ืจื˜ื™ื•ืช; ื ืขืฉื” ืฉื™ืžื•ืฉ ื‘ืกื•ื’ ื”ื‘ืงืฉื” ืฉืœื”ื RDG_IN_DATA, RDG_OUT_DATA.

ืœื ื”ืจื‘ื”, ืื‘ืœ ืœืคื—ื•ืช ืžืฉื”ื•.

Let's test.

I run mstsc, go to the server, see four 401 (Unauthorized) errors in the logs, then enter my username/password and see a 200 response.

I close it, start again, and in the logs I see the same four 401 errors. I enter a wrong login/password and again see four 401 errors. That's what I need. That's what we'll catch.

Since it was not possible to determine the login URL, and besides, I don't know how to catch a 401 error in haproxy, I'll catch (not really catch, but count) all 4xx errors. That's also fine for solving the problem.

The essence of the protection is that we count the number of 4xx errors (on the backend) per unit of time, and if it exceeds the specified limit, we reject (on the frontend) all further connections from that IP for the specified time.

Technically, this will not be protection against password brute force; it will be protection against 4xx errors. For example, if you frequently request a non-existent URL (404), the protection will kick in as well.
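An added example (not from the original post) that replays the same rule over HAProxy httplog lines: count the 4xx responses per source IP inside a sliding 10 s window and flag an IP once it exceeds the threshold (4 or 8, the values used in the configs on this page). The log lines are constructed samples in the format the fe_rdp_tsc/be_rdp_tsc pair would log; it lets you validate a threshold offline against your own logs before the stick-table rule blocks a real user.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# HAProxy httplog: "... haproxy[pid]: <src>:<port> [<accept_date>] <fe> <be>/<srv> <timers> <status> ..."
LOG_RE = re.compile(
    r"haproxy\[\d+\]: (?P<src>[\d.]+):\d+ \[(?P<ts>[^\]]+)\] \S+ \S+ \S+ (?P<status>\d{3}) "
)

def parse(line):
    """Return (src_ip, accept_time, status) for one httplog line, or None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S.%f")
    return m["src"], ts, int(m["status"])

def find_abusers(lines, window_s=10, threshold=8):
    """Map each source IP to the moment it first had more than `threshold`
    4xx responses inside a sliding `window_s` window (an exact window;
    HAProxy's http_err_rate(10s) is an approximation of the same rate)."""
    recent = defaultdict(deque)        # src -> timestamps of its recent 4xx
    flagged = {}
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        src, ts, status = rec
        if not 400 <= status < 500:    # only 4xx count, exactly as in the config
            continue
        q = recent[src]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()
        if len(q) > threshold and src not in flagged:
            flagged[src] = ts
    return flagged

def _line(src, hms, status):
    """Constructed sample httplog line in the format fe_rdp_tsc/be_rdp_tsc would log."""
    return (f"Jun 11 10:00:00 lb1 haproxy[1234]: {src}:51234 [11/Jun/2020:{hms}] "
            f"fe_rdp_tsc~ be_rdp_tsc/rdgw01 0/0/1/2/3 {status} 512 - - ---- 3/3/1/1/0 0/0 "
            '{desktop.example.com} "RDG_OUT_DATA /remoteDesktopGateway/ HTTP/1.1"')

SAMPLE_LOG = (
    # normal login: the four 401s mstsc always produces, then a 200
    [_line("198.51.100.4", f"10:00:0{i}.000", 401) for i in range(4)]
    + [_line("198.51.100.4", "10:00:04.000", 200)]
    # guessing: nine 401s within nine seconds, more than 8 per 10 s
    + [_line("203.0.113.7", f"10:01:0{i}.500", 401) for i in range(9)]
    # nine 401s spread over 40 s, never more than 3 in any 10 s window
    + [_line("192.0.2.9", f"10:02:{5 * i:02d}.000", 401) for i in range(9)]
)
```

Feed real lines from /var/log/haproxy.log into find_abusers with the threshold you intend to deploy and check that only guessing clients, never the four 401s of a normal mstsc login, get flagged.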

The simplest and most effective way is to count on the backend and block right there, and I'll report back if anything else turns up:

frontend fe_rdp_tsc
    bind *:443 ssl crt /etc/haproxy/cert/desktop.example.com.pem
    mode http
    ...
    default_backend be_rdp_tsc


backend be_rdp_tsc
    ...
    mode http
    ...

    # create a string-keyed table, 1000 entries, expires after 15 s, store the error count over the last 10 s
    stick-table type string len 128 size 1k expire 15s store http_err_rate(10s)
    # remember the ip
    http-request track-sc0 src
    # deny with http error 429 if there have been more than 4 errors in the last 10 s
    http-request deny deny_status 429 if { sc_http_err_rate(0) gt 4 }

    ...
    server rdgw01 192.168.1.33:443 maxconn 1000 weight 10 ssl check cookie rdgw01
    server rdgw02 192.168.2.33:443 maxconn 1000 weight 10 ssl check cookie rdgw02

ืœื ื”ืืคืฉืจื•ืช ื”ื˜ื•ื‘ื” ื‘ื™ื•ืชืจ, ื‘ื•ืื• ื ืกื‘ืš ืืช ื–ื”. ืื ื—ื ื• ื ืกืžื•ืš ืขืœ ื”ืงืฆื” ื”ืื—ื•ืจื™ ื•ื ื—ืกื•ื ืขืœ ื”ืงืฆื” ื”ืงื“ืžื™.

We'll treat the attacker rudely and drop his TCP connection.

frontend fe_rdp_tsc
    bind *:443 ssl crt /etc/haproxy/cert/ertelecom_ru_2020_06_11.pem
    mode http
    ...
    # create a table of ip addresses, 1000 entries, expires after 15 s, store the global counter
    stick-table type ip size 1k expire 15s store gpc0
    # take the source
    tcp-request connection track-sc0 src
    # reject the tcp connection if the global counter > 0
    tcp-request connection reject if { sc0_get_gpc0 gt 0 }

    ...
    default_backend be_rdp_tsc


backend be_rdp_tsc
    ...
    mode http
    ...

    # create a table of ip addresses, 1000 entries, expires after 15 s, store the error count over 10 s
    stick-table type ip size 1k expire 15s store http_err_rate(10s)
    # too many errors: the error count over 10 s exceeded 8
    acl errors_too_fast sc1_http_err_rate gt 8
    # mark the attack in the global counter (increment the counter)
    acl mark_as_abuser sc0_inc_gpc0(fe_rdp_tsc) gt 0
    # reset the global counter
    acl clear_as_abuser sc0_clr_gpc0(fe_rdp_tsc) ge 0
    # take the source
    tcp-request content track-sc1 src
    # reject and mark it as an attack
    tcp-request content reject if errors_too_fast mark_as_abuser
    # accept and clear the attack flag
    tcp-request content accept if !errors_too_fast clear_as_abuser

    ...
    server rdgw01 192.168.1.33:443 maxconn 1000 weight 10 ssl check cookie rdgw01
    server rdgw02 192.168.2.33:443 maxconn 1000 weight 10 ssl check cookie rdgw02

The same thing, but politely: we return HTTP error 429 (Too Many Requests)

frontend fe_rdp_tsc
    ...
    stick-table type ip size 1k expire 15s store gpc0
    http-request track-sc0 src
    http-request deny deny_status 429 if { sc0_get_gpc0 gt 0 }
    ...
    default_backend be_rdp_tsc

backend be_rdp_tsc
    ...
    stick-table type ip size 1k expire 15s store http_err_rate(10s)
    acl errors_too_fast sc1_http_err_rate gt 8
    acl mark_as_abuser sc0_inc_gpc0(fe_rdp_tsc) gt 0
    acl clear_as_abuser sc0_clr_gpc0(fe_rdp_tsc) ge 0
    http-request track-sc1 src
    http-request allow if !errors_too_fast clear_as_abuser
    http-request deny deny_status 429 if errors_too_fast mark_as_abuser
    ...

I test: I run mstsc and start entering random passwords. After the third attempt, within 10 seconds it throws me out, and mstsc gives an error. As can be seen in the logs.

Explanations. I am far from being a haproxy master. I don't understand why, for example,
http-request deny deny_status 429 if { sc_http_err_rate(0) gt 4 }
lets you make about 10 mistakes before it kicks in.

I'm confused about the counter numbering. Haproxy masters, I'd be glad if you add to this, correct me, improve it.

In the comments you can suggest other ways to protect RD Gateway; it would be interesting to learn.

Regarding the Windows Remote Desktop Client (mstsc), it is worth noting that it does not support TLS1.2 (at least on Windows 7), so I had to leave TLS1 enabled; it does not support the current cipher suites either, so I had to leave the old ones as well.

For those who don't understand anything yet, are just learning and already want it to work, here is the whole configuration.

haproxy.conf

global
        log /dev/log    local0
        log /dev/log    local1 notice
        chroot /var/lib/haproxy
        stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
        stats timeout 30s
        user haproxy
        group haproxy
        daemon

        # Default SSL material locations
        ca-base /etc/ssl/certs
        crt-base /etc/ssl/private

        # See: https://ssl-config.mozilla.org/#server=haproxy&server-version=2.0.3&config=intermediate
        #ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
        ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
        ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
        #ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
        ssl-default-bind-options no-sslv3
        ssl-server-verify none


defaults
        log     global
        mode    http
        option  httplog
        option  dontlognull
        timeout connect 5000
        timeout client  15m
        timeout server  15m
        errorfile 400 /etc/haproxy/errors/400.http
        errorfile 403 /etc/haproxy/errors/403.http
        errorfile 408 /etc/haproxy/errors/408.http
        errorfile 500 /etc/haproxy/errors/500.http
        errorfile 502 /etc/haproxy/errors/502.http
        errorfile 503 /etc/haproxy/errors/503.http
        errorfile 504 /etc/haproxy/errors/504.http


frontend fe_rdp_tsc
    bind *:443 ssl crt /etc/haproxy/cert/desktop.example.com.pem
    mode http
    capture request header Host len 32
    log global
    option httplog
    timeout client 300s
    maxconn 1000

    stick-table type ip size 1k expire 15s store gpc0
    tcp-request connection track-sc0 src
    tcp-request connection reject if { sc0_get_gpc0 gt 0 }

    acl rdweb_domain hdr(host) -i beg desktop.example.com
    http-request deny deny_status 400 if !rdweb_domain
    default_backend be_rdp_tsc


backend be_rdp_tsc
    balance source
    mode http
    log global

    stick-table type ip size 1k expire 15s store http_err_rate(10s)
    acl errors_too_fast sc1_http_err_rate gt 8
    acl mark_as_abuser sc0_inc_gpc0(fe_rdp_tsc) gt 0
    acl clear_as_abuser sc0_clr_gpc0(fe_rdp_tsc) ge 0
    tcp-request content track-sc1 src
    tcp-request content reject if errors_too_fast mark_as_abuser
    tcp-request content accept if !errors_too_fast clear_as_abuser

    option forwardfor
    http-request add-header X-CLIENT-IP %[src]

    option httpchk GET /
    cookie RDPWEB insert nocache
    default-server inter 3s    rise 2  fall 3
    server rdgw01 192.168.1.33:443 maxconn 1000 weight 10 ssl check cookie rdgw01
    server rdgw02 192.168.2.33:443 maxconn 1000 weight 10 ssl check cookie rdgw02


frontend fe_stats
    mode http
    bind *:8080
    acl ip_allow_admin src 192.168.66.66
    stats enable
    stats uri /stats
    stats refresh 30s
    #stats admin if LOCALHOST
    stats admin if ip_allow_admin

Why two servers on the backend? Because that way you get fault tolerance. Haproxy can also be run as a pair with a floating white IP.

ืžืฉืื‘ื™ ืžื—ืฉื•ื‘: ืืชื” ื™ื›ื•ืœ ืœื”ืชื—ื™ืœ ืขื "ืฉื ื™ ื”ื•ืคืขื•ืช, ืฉืชื™ ืœื™ื‘ื•ืช, ืžื—ืฉื‘ ื’ื™ื™ืžื™ื ื’." ืœืคื™ ื•ื™ืงื™ืคื“ื™ื” ื–ื” ื™ืกืคื™ืง ืœื—ืกื•ืš.

Links:

Configuring rdp-gateway with HAProxy
The only article I found where someone bothered about password brute force

Source: www.habr.com
