I am seeing a logic error with the following configuration.
In this configuration, I am trying to have a single HAProxy server serve both Microsoft Exchange and Skype for Business.
# Process-wide settings: chroot, privilege drop, runtime socket, TLS defaults
# for every `bind ... ssl` line, and the threading layout.
global
chroot /var/lib/haproxy
# NOTE(review): `level admin` lets any process that can open this socket
# reconfigure the running proxy. Access is limited only by mode 660 and the
# socket's owner/group, so keep that group as small as possible.
stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
stats timeout 30s
user haproxy
group haproxy
daemon
ca-base /etc/ssl/certs
# NOTE(review): crt-base only applies to relative `crt` paths. The frontends in
# this file pass an absolute path under /etc/ssl/certs, so the certificate is
# not loaded from this directory.
crt-base /etc/ssl/private
# NOTE(review): this list still admits non-forward-secret RSA key exchange
# (RSA+AESGCM, RSA+AES) and appears to admit CBC-mode AES suites. Restrict it to
# ECDHE/DHE with AEAD ciphers once client compatibility has been confirmed.
ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
# NOTE(review): only SSLv3 is disabled here, so TLS 1.0 and 1.1 stay negotiable
# on every TLS bind. Consider `no-tlsv10 no-tlsv11` (or `ssl-min-ver TLSv1.2`)
# after checking that the Exchange and Skype clients in use speak TLS 1.2.
ssl-default-bind-options no-sslv3
# Multithreading: one process with eight threads, mapped to CPUs 0-7.
nbproc 1
nbthread 8
cpu-map auto:1/1-8 0-7
# NOTE(review): no `maxconn` is set in this section, so the process-wide limit
# is whatever the build default or the command line provides; the larger
# per-proxy maxconn in `defaults` cannot exceed it.
# Settings inherited by every listen/frontend/backend section that follows.
defaults
log global
# NOTE(review): the Skype sections override this with `mode tcp`; the HTTP-only
# options below (httplog, forwardfor) are not expected to apply there, so those
# connections carry no X-Forwarded-For and get TCP-level logging — verify with
# `haproxy -c -f <config>` and the startup warnings.
mode http
option httplog
option dontlognull
# Add X-Forwarded-For with the client address, except for loopback clients.
option forwardfor except 127.0.0.0/8
# Allow a retried request to go to another server when the first one is down.
option redispatch
retries 3
# 10s to receive the full request headers; bounds slow-header clients.
timeout http-request 10s
timeout queue 1m
timeout connect 10s
# NOTE(review): the 15m client/server timeouts are inherited by every section,
# including the stats listener and the Skype frontend, not only Exchange.
timeout client 15m # this value should be rather high with Exchange
timeout server 15m # this value should be rather high with Exchange
timeout http-keep-alive 10s
timeout check 10s
# Per-proxy connection ceiling; see the process-wide limit in `global`.
maxconn 100000
# Custom error pages returned by HAProxy itself.
errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http
# Statistics page, served at /stats_haproxy on port 1936.
listen HAPROXY_STATS
# NOTE(review): this binds on every interface and has no `ssl`, so the HTTP
# Basic credentials below cross the network in cleartext. Bind to loopback or a
# management address, or add `ssl crt <path-to-cert.pem>`, and restrict the
# source addresses allowed to reach the port.
bind 0.0.0.0:1936
stats enable
stats refresh 10s
stats show-node
# NOTE(review): the username and password are stored in cleartext in this file.
# If this is the live credential, rotate it now that the config has been shared.
# A `userlist` section with hashed passwords keeps the cleartext out of the file.
stats auth myoo:wuff
# Do not disclose the HAProxy version on the page.
stats hide-version
stats uri /stats_haproxy
log global
mode http
maxconn 10
#!!!!!!!!!!!!!!!!!!!!!!!
# Skype for Business: TCP-mode frontend on 192.168.40.65, everything goes to SKP.
# NOTE(review): in tcp mode HAProxy does not parse HTTP, so no Host-based
# routing, header rewriting or X-Forwarded-For is available on this frontend.
frontend FE_SKYPE2015
mode tcp
# NOTE(review): this bind has no `ssl`, so port-80 clients talk cleartext to the
# proxy while the SKP servers are reached over TLS on 4443. Confirm that
# unencrypted client access to this service is intended.
bind 192.168.40.65:80
# NOTE(review): a `crt` PEM includes the private key, and /etc/ssl/certs is
# commonly world-readable. Confirm the file's ownership and mode, or keep it
# under the crt-base directory (/etc/ssl/private) instead.
bind 192.168.40.65:443 ssl crt /etc/ssl/certs/contoso_com_PKI.pem
default_backend SKP
# Skype front-end pool: round-robin over three servers on port 4443.
backend SKP
mode tcp
balance roundrobin
# Probe every 5s; 3 failures mark a server down, 2 successes bring it back.
default-server inter 5s fall 3 rise 2
# No `option httpchk` is set here, so `check` is a connection-level probe only.
# NOTE(review): `ssl verify none` encrypts traffic to the pool but does not
# authenticate the servers, so the proxy will accept any certificate presented
# on these addresses. Prefer `verify required ca-file <path-to-internal-CA.pem>`.
server SKP_FE01 192.168.40.149:4443 check ssl verify none
server SKP_FE02 192.168.40.150:4443 check ssl verify none
server SKP_FE03 192.168.40.151:4443 check ssl verify none
#!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
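# Exchange 2019 frontend on 192.168.40.64: terminates TLS, forces HTTPS and
# routes each request to a per-protocol backend by URL prefix.
frontend FE_EXCHANGE2019
# Response hardening: forbid cross-origin framing and MIME sniffing.
http-response set-header X-Frame-Options SAMEORIGIN
http-response set-header X-Content-Type-Options nosniff
mode http
bind 192.168.40.64:80
# NOTE(review): a `crt` PEM includes the private key, and /etc/ssl/certs is
# commonly world-readable. Confirm the file's ownership and mode, or keep it
# under the crt-base directory (/etc/ssl/private) instead.
bind 192.168.40.64:443 ssl crt /etc/ssl/certs/contoso_com_PKI.pem
redirect scheme https code 301 if !{ ssl_fc } # redirect 80 -> 443 (for owa)
# Case-insensitive prefix matches (-i) replace the hand-listed case variants,
# which missed spellings such as /AutoDiscover and left those requests without
# a matching backend.
acl AUTODISCOVER url_beg -i /autodiscover
acl MAPI url_beg -i /mapi
acl RPC url_beg -i /rpc
acl OWA url_beg -i /owa
acl EAS url_beg -i /microsoft-server-activesync
acl ECP url_beg -i /ecp
acl EWS url_beg -i /ews
acl OAB url_beg -i /oab
acl IS_ROOT path -i /
acl IS_DOMAIN_MAIN hdr(host) -i mail.contoso.com
# Port-80 requests are already redirected above, so this rule only fires on
# HTTPS requests. Pointing it at https:// avoids bouncing the client through a
# cleartext http:// hop before it is redirected back to TLS.
redirect code 301 location https://mail.contoso.com/owa if IS_DOMAIN_MAIN IS_ROOT
# NOTE(review): /ecp is the Exchange admin center; if this frontend is reachable
# from untrusted networks, consider restricting that path by source address.
use_backend BE_EXCHANGE2019_AUTODISCOVER if AUTODISCOVER
use_backend BE_EXCHANGE2019_MAPI if MAPI
use_backend BE_EXCHANGE2019_RPC if RPC
use_backend BE_EXCHANGE2019_OWA if OWA
use_backend BE_EXCHANGE2019_EAS if EAS
use_backend BE_EXCHANGE2019_ECP if ECP
use_backend BE_EXCHANGE2019_EWS if EWS
use_backend BE_EXCHANGE2019_OAB if OAB
# NOTE(review): there is no default_backend, so a request that matches none of
# the ACLs above (any other path, or "/" for a Host other than
# mail.contoso.com) has no backend and is answered by HAProxy with an error.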
#!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
# Exchange backends. Each pool lists the same three mailbox servers and differs
# only in the health-check URL.
# Autodiscover pool: a server stays in rotation while its healthcheck.htm
# returns 200.
backend BE_EXCHANGE2019_AUTODISCOVER
mode http
balance roundrobin
option httpchk GET /autodiscover/healthcheck.htm
option log-health-checks
http-check expect status 200
# Probe every 5s; 3 failures mark a server down, 2 successes bring it back.
default-server inter 5s fall 3 rise 2
# NOTE(review): `ssl verify none` encrypts the hop to Exchange but does not
# authenticate the server, so any certificate on these addresses is accepted.
# Prefer `verify required ca-file <path-to-internal-CA.pem>`.
# NOTE(review): no `cookie` directive is visible in this backend, so the
# per-server `cookie MBX0x` values appear to be unused.
server MBX01 192.168.40.97:443 cookie MBX01 check ssl verify none
server MBX02 192.168.40.98:443 cookie MBX02 check ssl verify none
server MBX03 192.168.40.99:443 cookie MBX03 check ssl verify none
# MAPI over HTTP pool: a server stays in rotation while /mapi/healthcheck.htm
# returns 200.
backend BE_EXCHANGE2019_MAPI
mode http
balance roundrobin
option httpchk GET /mapi/healthcheck.htm
option log-health-checks
http-check expect status 200
# Probe every 5s; 3 failures mark a server down, 2 successes bring it back.
default-server inter 5s fall 3 rise 2
# NOTE(review): `ssl verify none` leaves the backend certificate unchecked, so
# the TLS hop to Exchange is encrypted but not authenticated. Prefer
# `verify required ca-file <path-to-internal-CA.pem>`.
# NOTE(review): the `cookie MBX0x` values appear unused; this backend declares
# no `cookie` directive.
server MBX01 192.168.40.97:443 cookie MBX01 check ssl verify none
server MBX02 192.168.40.98:443 cookie MBX02 check ssl verify none
server MBX03 192.168.40.99:443 cookie MBX03 check ssl verify none
# Outlook Anywhere (RPC over HTTP) pool: a server stays in rotation while
# /rpc/healthcheck.htm returns 200.
backend BE_EXCHANGE2019_RPC
mode http
balance roundrobin
option httpchk GET /rpc/healthcheck.htm
option log-health-checks
http-check expect status 200
# Probe every 5s; 3 failures mark a server down, 2 successes bring it back.
default-server inter 5s fall 3 rise 2
# NOTE(review): `ssl verify none` leaves the backend certificate unchecked, so
# the TLS hop to Exchange is encrypted but not authenticated. Prefer
# `verify required ca-file <path-to-internal-CA.pem>`.
# NOTE(review): the `cookie MBX0x` values appear unused; this backend declares
# no `cookie` directive.
server MBX01 192.168.40.97:443 cookie MBX01 check ssl verify none
server MBX02 192.168.40.98:443 cookie MBX02 check ssl verify none
server MBX03 192.168.40.99:443 cookie MBX03 check ssl verify none
# Outlook on the web pool: a server stays in rotation while
# /owa/healthcheck.htm returns 200.
backend BE_EXCHANGE2019_OWA
mode http
balance roundrobin
option httpchk GET /owa/healthcheck.htm
option log-health-checks
http-check expect status 200
# Probe every 5s; 3 failures mark a server down, 2 successes bring it back.
default-server inter 5s fall 3 rise 2
# NOTE(review): `ssl verify none` leaves the backend certificate unchecked, so
# user credentials submitted to OWA travel over a TLS hop that is encrypted but
# not authenticated. Prefer `verify required ca-file <path-to-internal-CA.pem>`.
# NOTE(review): the `cookie MBX0x` values appear unused; this backend declares
# no `cookie` directive.
server MBX01 192.168.40.97:443 cookie MBX01 check ssl verify none
server MBX02 192.168.40.98:443 cookie MBX02 check ssl verify none
server MBX03 192.168.40.99:443 cookie MBX03 check ssl verify none
# Exchange ActiveSync pool: a server stays in rotation while
# /microsoft-server-activesync/healthcheck.htm returns 200.
backend BE_EXCHANGE2019_EAS
mode http
balance roundrobin
option httpchk GET /microsoft-server-activesync/healthcheck.htm
option log-health-checks
http-check expect status 200
# Probe every 5s; 3 failures mark a server down, 2 successes bring it back.
default-server inter 5s fall 3 rise 2
# NOTE(review): `ssl verify none` leaves the backend certificate unchecked, so
# the TLS hop to Exchange is encrypted but not authenticated. Prefer
# `verify required ca-file <path-to-internal-CA.pem>`.
# NOTE(review): the `cookie MBX0x` values appear unused; this backend declares
# no `cookie` directive.
server MBX01 192.168.40.97:443 cookie MBX01 check ssl verify none
server MBX02 192.168.40.98:443 cookie MBX02 check ssl verify none
server MBX03 192.168.40.99:443 cookie MBX03 check ssl verify none
# Exchange admin center pool: a server stays in rotation while
# /ecp/healthcheck.htm returns 200.
backend BE_EXCHANGE2019_ECP
mode http
balance roundrobin
option httpchk GET /ecp/healthcheck.htm
option log-health-checks
http-check expect status 200
# Probe every 5s; 3 failures mark a server down, 2 successes bring it back.
default-server inter 5s fall 3 rise 2
# NOTE(review): `ssl verify none` leaves the backend certificate unchecked, so
# administrative sessions cross a TLS hop that is encrypted but not
# authenticated. Prefer `verify required ca-file <path-to-internal-CA.pem>`.
# NOTE(review): the `cookie MBX0x` values appear unused; this backend declares
# no `cookie` directive.
server MBX01 192.168.40.97:443 cookie MBX01 check ssl verify none
server MBX02 192.168.40.98:443 cookie MBX02 check ssl verify none
server MBX03 192.168.40.99:443 cookie MBX03 check ssl verify none
# Exchange Web Services pool: a server stays in rotation while
# /ews/healthcheck.htm returns 200.
backend BE_EXCHANGE2019_EWS
mode http
balance roundrobin
option httpchk GET /ews/healthcheck.htm
option log-health-checks
http-check expect status 200
# Probe every 5s; 3 failures mark a server down, 2 successes bring it back.
default-server inter 5s fall 3 rise 2
# NOTE(review): `ssl verify none` leaves the backend certificate unchecked, so
# the TLS hop to Exchange is encrypted but not authenticated. Prefer
# `verify required ca-file <path-to-internal-CA.pem>`.
# NOTE(review): the `cookie MBX0x` values appear unused; this backend declares
# no `cookie` directive.
server MBX01 192.168.40.97:443 cookie MBX01 check ssl verify none
server MBX02 192.168.40.98:443 cookie MBX02 check ssl verify none
server MBX03 192.168.40.99:443 cookie MBX03 check ssl verify none
# Offline Address Book pool: a server stays in rotation while
# /oab/healthcheck.htm returns 200.
backend BE_EXCHANGE2019_OAB
mode http
balance roundrobin
option httpchk GET /oab/healthcheck.htm
option log-health-checks
http-check expect status 200
# Probe every 5s; 3 failures mark a server down, 2 successes bring it back.
default-server inter 5s fall 3 rise 2
# NOTE(review): `ssl verify none` leaves the backend certificate unchecked, so
# the TLS hop to Exchange is encrypted but not authenticated. Prefer
# `verify required ca-file <path-to-internal-CA.pem>`.
# NOTE(review): the `cookie MBX0x` values appear unused; this backend declares
# no `cookie` directive.
server MBX01 192.168.40.97:443 cookie MBX01 check ssl verify none
server MBX02 192.168.40.98:443 cookie MBX02 check ssl verify none
server MBX03 192.168.40.99:443 cookie MBX03 check ssl verify none
#!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
The problem is that when I browse to https://meet.contoso.com, which has the IP address 192.168.40.65, it shows the OWA content from the 192.168.40.64 server and the URL is redirected to https://meet.contoso.com/owa, whereas the request should be served by 192.168.40.149-151 on port 4443.
Any help is much appreciated.
Haproxy version: OS == Debian 10
HA-Proxy version 1.8.19-1+deb10u2 2020/04/01
Copyright 2000-2019 Willy Tarreau <[email protected]>
Build options :
TARGET = linux2628
CPU = generic
CC = gcc
CFLAGS = -O2 -g -O2 -fdebug-prefix-map=/build/haproxy-ap5Gic/haproxy-1.8.19=. -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2 -fno-strict-aliasing -Wdeclaration-after-statement -fwrapv -Wno-format-truncation -Wno-null-dereference -Wno-unused-label
OPTIONS = USE_GETADDRINFO=1 USE_ZLIB=1 USE_REGPARM=1 USE_OPENSSL=1 USE_LUA=1 USE_SYSTEMD=1 USE_PCRE2=1 USE_PCRE2_JIT=1 USE_NS=1
Default settings :
maxconn = 2000, bufsize = 16384, maxrewrite = 1024, maxpollevents = 200
Built with OpenSSL version : OpenSSL 1.1.1d 10 Sep 2019
Running on OpenSSL version : OpenSSL 1.1.1d 10 Sep 2019
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : TLSv1.0 TLSv1.1 TLSv1.2 TLSv1.3
Built with Lua version : Lua 5.3.3
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND
Encrypted password support via crypt(3): yes
Built with multi-threading support.
Built with PCRE2 version : 10.32 2018-09-10
PCRE2 library supports JIT : yes
Built with zlib version : 1.2.11
Running on zlib version : 1.2.11
Compression algorithms supported : identity("identity"), deflate("deflate"), raw-deflate("deflate"), gzip("gzip")
Built with network namespace support.
Available polling systems :
epoll : pref=300, test result OK
poll : pref=200, test result OK
select : pref=150, test result OK
Total: 3 (3 usable), will use epoll.
Available filters :
[SPOE] spoe
[COMP] compression
[TRACE] trace