Server Fault Asked by roney IT on January 16, 2021
I am facing a problem with HAProxy on an Ubuntu 16.04 server when redirecting to show OWA on the internet. I have a domain, and I installed Exchange Server 2013 on Windows Server 2012 R2.
I need to use a second frontend with tcp for OWA on both the 443 and 80 ports.
The problem is that OWA appears sometimes, and after refreshing the page it gives an error or another site of mine with a different CA, because of the old frontend haproxy-in (mode http). I have LetsEncrypt for all my sites assigned to port 443.
Please, I need a solution to open OWA along with the other sites.
This is my haproxy configuration file from the first frontend:
frontend haproxy_in
bind *:80
bind *:443 ssl crt /etc/haproxy/certs/mdl.ief.tishreen.edu.sy.pem crt /etc/haproxy/certs/mail.ief.tishreen.edu.sy.pem crt /etc/haproxy/certs/lib.ief.tishreen.edu.sy.pem crt /etc/haproxy/certs/ief.tishreen.edu.sy.pem crt /etc/haproxy/certs/www.ief.tishreen.edu.sy.pem crt /etc/haproxy/certs/educloud.ief.tishreen.edu.sy.pem crt /etc/haproxy/certs/vpn.ief.tishreen.edu.sy.pem
mode http
# Define Path For LetsEncrypt.........................
acl is_letsencrypt path_beg -i /.well-known/acme-challenge/
use_backend letsencrypt if is_letsencrypt
# Define hosts........................................
acl is_moodle hdr_dom(host) -i mdl.ief.tishreen.edu.sy
acl is_lib hdr_dom(host) -i lib.ief.tishreen.edu.sy
acl is_mail hdr_dom(host) -i mail.ief.tishreen.edu.sy
acl is_vpn hdr_dom(host) -i vpn.ief.tishreen.edu.sy
acl is_www hdr_dom(host) -i www.ief.tishreen.edu.sy
# Direct hosts to backend..............................
use_backend moodle if is_moodle
use_backend lib if is_lib
use_backend vpn if is_vpn
use_backend www if is_www
default_backend base
# Redirect port 80 to 443 except lets encrypt............
redirect scheme https code 301 if !{ ssl_fc } !is_letsencrypt
### exchange owa frontend####
frontend exchange-server
bind *:80
bind *:443
mode tcp
acl is_mail hdr_dom(host) -i mail.ief.tishreen.edu.sy
use_backend mail if is_mail
default_backend base
backend mail
balance roundrobin
mode tcp
server vm3 172.17.16.22:443 check
######################
# #
# Backends #
# #
######################
backend letsencrypt
server letsencrypt 127.0.0.1:8888
backend moodle
balance roundrobin
mode http
server vm1 172.17.16.20:80 check
backend lib
balance roundrobin
mode http
# a server address cannot carry a URL path; the original had ":80/akasia" here, which HAProxy rejects
server vm2 172.17.16.18:80 check
backend vpn
balance roundrobin
mode http
server vm4 172.17.16.35:1194 check
backend www
balance roundrobin
mode http
server vm5 172.17.16.25:80 check
backend base
balance roundrobin
mode http
server vmtest 172.17.16.25:80 check
###############################
Try this config with only one frontend (I use one public IP and two internal servers with SSL). Both servers are reachable on port 443 and 80 (80 is needed to renew the letsencrypt certs). Servers are in different subnets without issues. I don't have any certs on the HAProxy side, and the same names in the internal and public DNS.
frontend ft_ssl_vip
mode tcp
bind *:443
bind *:80
tcp-request inspect-delay 5s
acl sslv3 req.ssl_ver 3
tcp-request content reject if sslv3
tcp-request content accept if { req_ssl_hello_type 1 }
default_backend bk_ssl_default
backend bk_ssl_default
mode tcp
# Using SNI to take routing decision
acl exchange1 req_ssl_sni -i email.tld.com
acl exchange2 req_ssl_sni -i autodiscover.tld.com
acl nextcloud1 req_ssl_sni -i cloud.tld.com
use-server server1 if exchange1
use-server server1 if exchange2
use-server server2 if nextcloud1
stick-table type binary len 32 size 30k expire 30m
acl clienthello req_ssl_hello_type 1
acl serverhello rep_ssl_hello_type 2
# use tcp content accepts to detect ssl client and server hello.
tcp-request inspect-delay 5s
tcp-request content accept if clienthello
# no timeout on response inspect delay by default.
tcp-response content accept if serverhello
stick on payload_lv(43,1) if clienthello
# Learn on response if server hello.
stick store-response payload_lv(43,1) if serverhello
option ssl-hello-chk
server server1 192.168.xx1.xx1 check
server server2 192.168.xx2.xx2 check
Answered by alex on January 16, 2021
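The SNI routing in the answer above works because HAProxy in `mode tcp` reads the TLS ClientHello without terminating TLS: `req_ssl_hello_type 1` matches the handshake type byte, `req_ssl_sni` reads the server_name extension, `req.ssl_ver 3` flags SSLv3, and `payload_lv(43,1)` is the length-prefixed session ID that starts 43 bytes in (5-byte record header, 4-byte handshake header, 2-byte client version, 32-byte random). The following added Python example, which is not part of the answer or of HAProxy, builds a constructed ClientHello, parses those same fields and applies a routing table that mirrors the answer's ACLs (the hostnames email.tld.com, autodiscover.tld.com and cloud.tld.com are the answer's placeholders; `build_client_hello`, `parse_client_hello` and `route` are this example's own names):

```python
import struct

# Routing table mirroring the answer's use-server rules (placeholder hostnames).
SNI_ROUTES = {
    "email.tld.com": "server1",
    "autodiscover.tld.com": "server1",
    "cloud.tld.com": "server2",
}


def build_client_hello(sni: str, session_id: bytes = b"", version=(3, 1)) -> bytes:
    """Constructed TLS ClientHello carrying one SNI entry (test input, not captured traffic)."""
    sni_bytes = sni.encode("ascii")
    name_entry = b"\x00" + struct.pack("!H", len(sni_bytes)) + sni_bytes   # host_name type 0
    sni_data = struct.pack("!H", len(name_entry)) + name_entry
    ext = struct.pack("!HH", 0x0000, len(sni_data)) + sni_data              # extension type 0 = SNI
    body = (
        bytes(version)                           # client_version
        + b"\x11" * 32                           # client random (constructed, fixed bytes)
        + bytes([len(session_id)]) + session_id  # session_id (this is what payload_lv(43,1) reads)
        + struct.pack("!H", 2) + b"\xc0\x2f"     # one cipher suite
        + b"\x01\x00"                            # one compression method: null
        + struct.pack("!H", len(ext)) + ext
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body               # handshake type 1
    return b"\x16" + bytes(version) + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(data: bytes) -> dict:
    """Extract record version, session ID and SNI from a ClientHello record."""
    if len(data) < 44 or data[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_ver = (data[1], data[2])
    rec_len = struct.unpack("!H", data[3:5])[0]
    if len(data) < 5 + rec_len:
        raise ValueError("truncated record")
    if data[5] != 0x01:                      # same check as req_ssl_hello_type 1
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(data[6:9], "big")
    if 9 + hs_len > 5 + rec_len:
        raise ValueError("handshake length exceeds record")
    sid_len = data[43]                       # offset 43 = 5 + 4 + 2 + 32
    sid = data[44:44 + sid_len]
    pos = 44 + sid_len
    cs_len = struct.unpack("!H", data[pos:pos + 2])[0]
    pos += 2 + cs_len
    comp_len = data[pos]
    pos += 1 + comp_len
    sni = None
    if pos + 2 <= 5 + rec_len:               # extensions are optional
        ext_len = struct.unpack("!H", data[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", data[pos:pos + 4])
            pos += 4
            if etype == 0:                   # server_name extension
                p = pos + 2                  # skip 2-byte server_name_list length
                while p + 3 <= pos + elen:
                    ntype = data[p]
                    nlen = struct.unpack("!H", data[p + 1:p + 3])[0]
                    if ntype == 0:
                        sni = data[p + 3:p + 3 + nlen].decode("ascii")
                        break
                    p += 3 + nlen
            pos += elen
    return {"record_version": rec_ver, "is_sslv3": rec_ver == (3, 0),
            "session_id": sid, "sni": sni}


def route(data: bytes):
    """Apply the answer's policy: reject SSLv3, pick a server by SNI (case-insensitive), else None."""
    info = parse_client_hello(data)
    if info["is_sslv3"]:
        return "reject"
    if info["sni"] is None:
        return None
    return SNI_ROUTES.get(info["sni"].lower())


if __name__ == "__main__":
    hello = build_client_hello("email.tld.com", session_id=bytes(range(32)))
    print(parse_client_hello(hello))
    print(route(hello))
```

A ClientHello whose SNI matches none of the ACLs gets `None` here, which corresponds to HAProxy falling through to the backend's default server selection; the stick table in the answer then pins later connections with the same session ID to whichever server answered first.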
Using tcp as the backend mode for an https connection will not work when HAProxy itself is acting as an SSL terminator.
There are two ways to get your configuration working based on your setup:
1: Edit your OWA configuration to allow http connections and then use http as the backend mode, leaving the SSL job only to HAProxy.
2: Edit your HAProxy config to use https and no ssl verification on the backend, something like:
backend mail
balance roundrobin
mode http
server vm3 172.17.16.22:443 ssl verify none
Answered by Luigi Pressello on January 16, 2021