Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
371 views
in Technique[技术] by (71.8m points)

Haproxy multiple frontend/IP wrong backend

I am facing some logical error when using the following configuration. In the configuration, I am trying to integrate a single haproxy server servicing for both Microsoft Exchange as well as the SkypeForBusiness.

global

        chroot /var/lib/haproxy
        stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
        stats timeout 30s
        user haproxy
        group haproxy
        daemon

        ca-base /etc/ssl/certs
        crt-base /etc/ssl/private
        ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
        ssl-default-bind-options no-sslv3
#!!!ENABLIING_MULTITHREADING!!!
  nbproc 1
  nbthread 8
  cpu-map auto:1/1-8 0-7
#!!!!

defaults
        log     global
        mode    http
        option  httplog
        option  dontlognull
#!!!!!!!
        option  forwardfor      except 127.0.0.0/8
        option  redispatch
        retries 3
        timeout http-request    10s
        timeout queue   1m
        timeout connect 10s
        timeout client  15m # this value should be rather high with Exchange
        timeout server  15m # this value should be rather high with Exchange
        timeout http-keep-alive 10s
        timeout check   10s
        maxconn 100000
#!!!!!!!
        errorfile 400 /etc/haproxy/errors/400.http
        errorfile 403 /etc/haproxy/errors/403.http
        errorfile 408 /etc/haproxy/errors/408.http
        errorfile 500 /etc/haproxy/errors/500.http
        errorfile 502 /etc/haproxy/errors/502.http
        errorfile 503 /etc/haproxy/errors/503.http
        errorfile 504 /etc/haproxy/errors/504.http
#!!!!HAPROXY_STATS!!!!!!
listen  HAPROXY_STATS
        bind 0.0.0.0:1936
        stats enable
        stats refresh 10s
        stats show-node
        stats auth myoo:wuff
        stats hide-version
        stats uri  /stats_haproxy
        log global
        mode http
        maxconn 10
#!!!!!!!!!!!!!!!!!!!!!!!
#!!!!!!!!!!SKYPE_CONFIGURATION!!!!
frontend FE_SKYPE2015
        mode tcp
        bind 192.168.40.65:80
        bind 192.168.40.65:443 ssl crt /etc/ssl/certs/contoso_com_PKI.pem
        default_backend SKP
backend SKP
        mode tcp
        balance roundrobin
        default-server inter 5s fall 3 rise 2
        server SKP_FE01 192.168.40.149:4443 check ssl verify none
        server SKP_FE02 192.168.40.150:4443 check ssl verify none
        server SKP_FE03 192.168.40.151:4443 check ssl verify none
#!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
#!!!!!!!EXCHANGE_CONFIGURATION!!!!
frontend FE_EXCHANGE2019
        http-response set-header X-Frame-Options SAMEORIGIN
        http-response set-header X-Content-Type-Options nosniff
        mode http
        bind 192.168.40.64:80
        bind 192.168.40.64:443 ssl crt /etc/ssl/certs/contoso_com_PKI.pem
        redirect scheme https code 301 if !{ ssl_fc }   # redirect 80 -> 443 (for owa)
        acl AUTODISCOVER url_beg /Autodiscover
        acl AUTODISCOVER url_beg /autodiscover
        acl MAPI url_beg /mapi
        acl MAPI url_beg /Mapi
        acl MAPI url_beg /MAPI
        acl RPC url_beg /rpc
        acl RPC url_beg /RPC
        acl RPC url_beg /Rpc
        acl OWA url_beg /owa
        acl OWA url_beg /OWA
        acl OWA url_beg /Owa
        acl EAS url_beg /Microsoft-Server-ActiveSync
        acl EAS url_beg /microsoft-server-activesync
        acl ECP url_beg /ecp
        acl ECP url_beg /Ecp
        acl ECP url_beg /ECP
        acl EWS url_beg /EWS
        acl EWS url_beg /ews
        acl EWS url_beg /Ews
        acl OAB url_beg /OAB
        acl OAB url_beg /Oab
        acl OAB url_beg /oab
        acl IS_ROOT path -i /
        acl IS_DOMAIN_MAIN hdr(host) -i mail.contoso.com
        redirect code 301 location http://mail.contoso.com/owa if IS_DOMAIN_MAIN IS_ROOT
        use_backend BE_EXCHANGE2019_AUTODISCOVER if AUTODISCOVER
        use_backend BE_EXCHANGE2019_MAPI if MAPI
        use_backend BE_EXCHANGE2019_RPC if RPC
        use_backend BE_EXCHANGE2019_OWA if OWA
        use_backend BE_EXCHANGE2019_EAS if EAS
        use_backend BE_EXCHANGE2019_ECP if ECP
        use_backend BE_EXCHANGE2019_EWS if EWS
        use_backend BE_EXCHANGE2019_OAB if OAB
#!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
#!!!!!!!!!!!!!!BACKEND_SECTION!!!!
backend BE_EXCHANGE2019_AUTODISCOVER
        mode http
        balance roundrobin
        option httpchk GET /autodiscover/healthcheck.htm
        option log-health-checks
        http-check expect status 200
        default-server inter 5s fall 3 rise 2
        server MBX01 192.168.40.97:443 cookie MBX01 check ssl verify none
        server MBX02 192.168.40.98:443 cookie MBX02 check ssl verify none
        server MBX03 192.168.40.99:443 cookie MBX03 check ssl verify none

backend BE_EXCHANGE2019_MAPI
        mode http
        balance roundrobin
        option httpchk GET /mapi/healthcheck.htm
        option log-health-checks
        http-check expect status 200
        default-server inter 5s fall 3 rise 2
        server MBX01 192.168.40.97:443 cookie MBX01 check ssl verify none
        server MBX02 192.168.40.98:443 cookie MBX02 check ssl verify none
        server MBX03 192.168.40.99:443 cookie MBX03 check ssl verify none

backend BE_EXCHANGE2019_RPC
        mode http
        balance roundrobin
        option httpchk GET /rpc/healthcheck.htm
        option log-health-checks
        http-check expect status 200
        default-server inter 5s fall 3 rise 2
        server MBX01 192.168.40.97:443 cookie MBX01 check ssl verify none
        server MBX02 192.168.40.98:443 cookie MBX02 check ssl verify none
        server MBX03 192.168.40.99:443 cookie MBX03 check ssl verify none

backend BE_EXCHANGE2019_OWA
        mode http
        balance roundrobin
        option httpchk GET /owa/healthcheck.htm
        option log-health-checks
        http-check expect status 200
        default-server inter 5s fall 3 rise 2
        server MBX01 192.168.40.97:443 cookie MBX01 check ssl verify none
        server MBX02 192.168.40.98:443 cookie MBX02 check ssl verify none
        server MBX03 192.168.40.99:443 cookie MBX03 check ssl verify none

backend BE_EXCHANGE2019_EAS
        mode http
        balance roundrobin
        option httpchk GET /microsoft-server-activesync/healthcheck.htm
        option log-health-checks
        http-check expect status 200
        default-server inter 5s fall 3 rise 2
        server MBX01 192.168.40.97:443 cookie MBX01 check ssl verify none
        server MBX02 192.168.40.98:443 cookie MBX02 check ssl verify none
        server MBX03 192.168.40.99:443 cookie MBX03 check ssl verify none

backend BE_EXCHANGE2019_ECP
        mode http
        balance roundrobin
        option httpchk GET /ecp/healthcheck.htm
        option log-health-checks
        http-check expect status 200
        default-server inter 5s fall 3 rise 2
        server MBX01 192.168.40.97:443 cookie MBX01 check ssl verify none
        server MBX02 192.168.40.98:443 cookie MBX02 check ssl verify none
        server MBX03 192.168.40.99:443 cookie MBX03 check ssl verify none

backend BE_EXCHANGE2019_EWS
        mode http
        balance roundrobin
        option httpchk GET /ews/healthcheck.htm
        option log-health-checks
        http-check expect status 200
        default-server inter 5s fall 3 rise 2
        server MBX01 192.168.40.97:443 cookie MBX01 check ssl verify none
        server MBX02 192.168.40.98:443 cookie MBX02 check ssl verify none
        server MBX03 192.168.40.99:443 cookie MBX03 check ssl verify none

backend BE_EXCHANGE2019_OAB
        mode http
        balance roundrobin
        option httpchk GET /oab/healthcheck.htm
        option log-health-checks
        http-check expect status 200
        default-server inter 5s fall 3 rise 2
        server MBX01 192.168.40.97:443 cookie MBX01 check ssl verify none
        server MBX02 192.168.40.98:443 cookie MBX02 check ssl verify none
        server MBX03 192.168.40.99:443 cookie MBX03 check ssl verify none
#!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

The problem is when I am browsing the https://meet.contoso.com, with the IP address of 192.168.40.65, it shows the OWA content on the 192.168.40.64 server and the url is being redirected to https://meet.constoso.com/owa where it should serve the 192.168.40.149-151 in 4443. any help is much appreciated. Haproxy version: OS == Debian 10

HA-Proxy version 1.8.19-1+deb10u2 2020/04/01
Copyright 2000-2019 Willy Tarreau <[email protected]>

Build options :
  TARGET  = linux2628
  CPU     = generic
  CC      = gcc
  CFLAGS  = -O2 -g -O2 -fdebug-prefix-map=/build/haproxy-ap5Gic/haproxy-1.8.19=. -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2 -fno-strict-aliasing -Wdeclaration-after-statement -fwrapv -Wno-format-truncation -Wno-null-dereference -Wno-unused-label
  OPTIONS = USE_GETADDRINFO=1 USE_ZLIB=1 USE_REGPARM=1 USE_OPENSSL=1 USE_LUA=1 USE_SYSTEMD=1 USE_PCRE2=1 USE_PCRE2_JIT=1 USE_NS=1

Default settings :
  maxconn = 2000, bufsize = 16384, maxrewrite = 1024, maxpollevents = 200

Built with OpenSSL version : OpenSSL 1.1.1d  10 Sep 2019
Running on OpenSSL version : OpenSSL 1.1.1d  10 Sep 2019
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : TLSv1.0 TLSv1.1 TLSv1.2 TLSv1.3
Built with Lua version : Lua 5.3.3
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND
Encrypted password support via crypt(3): yes
Built with multi-threading support.
Built with PCRE2 version : 10.32 2018-09-10
PCRE2 library supports JIT : yes
Built with zlib version : 1.2.11
Running on zlib version : 1.2.11
Compression algorithms supported : identity("identity"), deflate("deflate"), raw-deflate("deflate"), gzip("gzip")
Built with network namespace support.

Available polling systems :
      epoll : pref=300,  test result OK
       poll : pref=200,  test result OK
     select : pref=150,  test result OK
Total: 3 (3 usable), will use epoll.

Available filters :
        [SPOE] spoe
        [COMP] compression
        [TRACE] trace

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Reply

0 votes
by (71.8m points)
等待大神答复

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
OGeek|极客中国-欢迎来到极客的世界,一个免费开放的程序员编程交流平台!开放,进步,分享!让技术改变生活,让极客改变未来! Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...