Set up AliYun GA
Set up HAProxy or Nginx to route each subdomain to its backend by TLS SNI (TLS passthrough: the proxy does not terminate TLS, it forwards the raw TCP stream to the origin)
HAProxy solution
nano /etc/haproxy/haproxy.cfg
# generated 2022-02-11, Mozilla Guideline v5.6, HAProxy 2.5, OpenSSL 1.1.1k, intermediate configuration
#
# NOTE(review): the ssl-default-* settings below only take effect on a `bind ... ssl`
# or `server ... ssl` line. In this file the :443 frontend is TCP passthrough (no `ssl`
# on the bind, no `ssl` on the servers), so TLS is negotiated end-to-end between the
# client and the origin and these cipher/protocol defaults are not exercised.
global
log /dev/log local0
log /dev/log local1 notice
# Process drops into this directory after startup; paths referenced at runtime must exist inside it.
chroot /var/lib/haproxy
# Runtime API socket. `level admin` allows live config changes (disable servers, set weights, etc.);
# access is protected only by the 0660 mode and haproxy:haproxy ownership — keep other users out of that group.
stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
stats timeout 30s
user haproxy
group haproxy
daemon
# Default SSL material locations
ca-base /etc/ssl/certs
crt-base /etc/ssl/private
# intermediate configuration
ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
ssl-default-bind-options prefer-client-ciphers no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
ssl-default-server-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
ssl-default-server-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
# NOTE(review): this file is not created by this listing — generate it (e.g. with `openssl dhparam`)
# before reloading, otherwise expect a startup error; only matters once a TLS-terminating bind is added.
ssl-dh-param-file /etc/haproxy/dhparam
defaults
log global
mode http
option httplog
option dontlognull
# Timeouts are in milliseconds: 5 s to connect to a backend, 50 s client/server inactivity.
timeout connect 5000
timeout client 50000
timeout server 50000
#------
# HTTPS Frontend listener
#------
# Plain-HTTP listener whose only job is to redirect to HTTPS.
# On a non-TLS bind `ssl_fc` is never true, so every request on :80 gets a 301 to https://.
frontend http_frontend
bind :80
mode http
redirect scheme https code 301 if !{ ssl_fc }
# TLS passthrough listener. The TLS handshake is NOT terminated here: HAProxy only peeks at the
# ClientHello to read the SNI and then forwards the unmodified byte stream to the chosen backend.
# Consequences: no HTTP-level logging or header injection is possible (only connection-level `tcplog`),
# and the origin sees this proxy's IP as the client address.
frontend https_frontend
bind :443
option tcplog
mode tcp
# Enable SSL Passthrough, TCP Transparent proxy
# Buffer up to 5 s waiting for the ClientHello so the SNI ACLs below have data to match.
tcp-request inspect-delay 5s
# tcp-request content capture req.ssl_sni len 25
# Accept as soon as a TLS ClientHello (hello type 1) is seen.
# NOTE(review): a connection that never sends a ClientHello is held for the full 5 s and then,
# with no matching rule, is still accepted and routed to default_backend — add
# `tcp-request content reject if !{ req.ssl_hello_type 1 }` if non-TLS traffic should be dropped. Confirm against the HAProxy version in use.
tcp-request content accept if { req.ssl_hello_type 1 }
#------
# ACL
#------
# SNI is matched case-insensitively (-i) against the exact hostname.
acl acl_cn_media req_ssl_sni -i cn-media.xxx.com
# NOTE(review): acl_cn_assets is declared but never referenced by a use_backend rule;
# cn-assets.xxx.com traffic reaches cn_media only via default_backend.
acl acl_cn_assets req_ssl_sni -i cn-assets.xxx.com
acl acl_cn_www req_ssl_sni -i cn.xxx.com
#------
# ACL Condition
#------
# Rules are evaluated in order; first match wins.
use_backend cn_www if acl_cn_www
use_backend cn_media if acl_cn_media
# use_backend cn_www if { req_ssl_sni -i cn.xxx.com }
# use_backend cn_media if { req_ssl_sni -i cn-media.xxx.com }
# Fail-open routing: any connection whose SNI matches no ACL (including connections with no SNI at all)
# is forwarded to the CloudFront backend. If only the listed hostnames should be served, replace this
# with an explicit reject so unknown SNI is dropped instead of proxied.
default_backend cn_media
#------
# Backend services
#------
# Backend for cn.xxx.com — an AWS ELB. TLS passthrough: the origin must present a certificate
# valid for the SNI the client sent (cn.xxx.com), since HAProxy does not rewrite the ClientHello.
backend cn_www
mode tcp
# NOTE(review): ssl-hello-chk only shapes health checks, and the server line below has no `check`
# keyword, so no health check is actually performed on this backend as written.
option ssl-hello-chk
# NOTE(review): no `resolvers` section is visible, so this hostname is presumably resolved once at
# startup; ELB/CloudFront IPs rotate, so consider a `resolvers` section with `resolve-prefer`/`init-addr`.
server elb 1234.ap-southeast-1.elb.amazonaws.com:443
# Backend for cn-media.xxx.com (and, via default_backend, everything unmatched) — a CloudFront distribution.
backend cn_media
mode tcp
# See note on cn_www: inert without `check` on the server line.
option ssl-hello-chk
server cloudfront 1234.cloudfront.net:443
Nginx solution
# Include the TCP stream configuration in nginx.conf. This include must sit at the top level of nginx.conf (outside the http {} block), because stream {} is a main-context block.
nano /etc/nginx/nginx.conf
include /etc/nginx/tcpconf.d/*;
# Define the TCP stream proxy
nano /etc/nginx/tcpconf.d/cn-xxx.proxy
# TLS passthrough proxy for the cn-* subdomains: nginx reads the SNI from the ClientHello
# (ssl_preread) and forwards the raw TCP stream to the mapped origin without terminating TLS.
stream {
# Route by SNI. Both hostnames go to the same CloudFront distribution here; note that cn.xxx.com
# (the ELB backend in the HAProxy variant) is not routed by this map.
# There is no `default` entry, so an unknown or absent SNI leaves $targetBackend empty and the
# connection is refused rather than proxied (fail-closed) — NOTE(review): confirm the exact
# nginx behaviour/log line for an empty proxy_pass target on the version deployed.
map $ssl_preread_server_name $targetBackend {
cn-media.xxx.com 1234.cloudfront.net:443;
cn-assets.xxx.com 1234.cloudfront.net:443;
}
server {
# No `ssl` on the listen: TLS is not terminated on this host.
listen 443;
proxy_connect_timeout 1s;
# NOTE(review): proxy_timeout is the idle timeout between two successive reads/writes on either
# side; 3 s is very aggressive for a media origin and will cut any stream idle longer than that — verify against the workload.
proxy_timeout 3s;
# NOTE(review): needed because proxy_pass uses a variable, so the CloudFront hostname is resolved
# at runtime. This is plain, unauthenticated UDP DNS to a public resolver; prefer the host's/VPC's
# trusted resolver (or one reachable only on a private network) so the origin lookup cannot be spoofed.
resolver 1.1.1.1;
proxy_pass $targetBackend;
# Required for $ssl_preread_server_name to be populated.
ssl_preread on;
}
}