I am trying to set up HAProxy on Ubuntu 18 but can't figure out how to set everything up.
I want to use 2 internal servers with 1 public IP; both servers use ports 80 and 443 and have their own subdomain.
Situation
1 Exchange 2016 server exchange.domain.com, internal IP 192.168.1.10
1 Ubuntu Nextcloud server nextcloud.domain.com, internal IP 192.168.1.5
1 Ubuntu server with HAProxy installed, IP 192.168.1.2
1 router, IP 192.168.1.1
Both servers (Exchange and Nextcloud) have SSL certs that auto-renew from Let's Encrypt, and both servers need ports 80 and 443 open.
How can I set up HAProxy so that traffic for the Exchange server and the Nextcloud server is delivered to the correct Exchange and Nextcloud servers?
frontend exchange
    bind 192.168.1.2:443 name https
    default_backend exchange_servers

backend exchange_servers
    server exchangesrv.domain.nl 192.168.1.10 check port 443
    server nextcloud.domain.nl 192.168.1.5 check port 443
1 problem: the Exchange server is using the cert from Nextcloud. How can I change it so that every server uses its own certificate?
Now I get a certificate error on my Exchange server.
That's wrong. You configured HAProxy to load-balance between 2 different servers.
You need to content-switch on port 80 based on the Host header (in HTTP mode) and on port 443 based on the SNI value (in TCP mode), something like:
frontend http
    mode http
    bind :80
    # route on the Host header (case-insensitive exact match)
    use_backend exchangesrv_http if { hdr(Host) -i exchangesrv.domain.nl }
    use_backend nextcloud_http if { hdr(Host) -i nextcloud.domain.nl }

backend exchangesrv_http
    mode http
    server exchangesrv 192.168.1.10:80

backend nextcloud_http
    mode http
    server nextcloud 192.168.1.5:80

frontend https
    mode tcp
    bind :443 name https
    # wait up to 5s for the TLS ClientHello, then route on its SNI;
    # TLS is not terminated here, so each backend presents its own certificate
    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }
    use_backend exchangesrv_https if { req_ssl_sni -i exchangesrv.domain.nl }
    use_backend nextcloud_https if { req_ssl_sni -i nextcloud.domain.nl }

backend exchangesrv_https
    mode tcp
    server exchangesrv 192.168.1.10:443

backend nextcloud_https
    mode tcp
    server nextcloud 192.168.1.5:443
Also make sure the certificates don't overlap (no wildcard or SANs covering the other hostname), otherwise the browser will try to reuse a connection that is pointing to the wrong server.
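As an added illustration (this is not code from the thread or from HAProxy), the following Python models what the two frontends in the answer above decide: it pulls the SNI out of a TLS ClientHello the way `req_ssl_hello_type 1` plus `req_ssl_sni` do in TCP mode, compares the Host header the way `hdr(Host) -i` does in HTTP mode, and checks two certificates' SAN lists for the overlap warned about above. The hostnames and backend names are the ones from the config; the ClientHello and HTTP request bytes are constructed inside the script so it runs offline.

```python
import struct

# Routing tables mirroring the use_backend rules in the config above.
HTTPS_ROUTES = {"exchangesrv.domain.nl": "exchangesrv_https",
                "nextcloud.domain.nl": "nextcloud_https"}
HTTP_ROUTES = {"exchangesrv.domain.nl": "exchangesrv_http",
               "nextcloud.domain.nl": "nextcloud_http"}


def build_client_hello(server_name=None):
    """Construct a minimal TLS 1.2 ClientHello record (test input only)."""
    exts = b""
    if server_name is not None:
        name = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type 0 = host_name
        sni = struct.pack("!H", len(entry)) + entry             # server_name_list
        exts = struct.pack("!HH", 0, len(sni)) + sni            # extension type 0 = server_name
    body = (b"\x03\x03" + b"\x11" * 32                  # client_version, random
            + b"\x00"                                   # empty session_id
            + struct.pack("!H", 2) + b"\xc0\x2f"        # one cipher suite
            + b"\x01\x00"                               # null compression only
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = ClientHello
    return b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Return (is_client_hello, sni): the flag mirrors req_ssl_hello_type 1,
    the name mirrors req_ssl_sni (None when the extension is absent).
    Malformed input is reported as "not a ClientHello" so it never routes."""
    try:
        if record[0] != 0x16 or record[5] != 0x01:
            return False, None
        hello = record[9:9 + int.from_bytes(record[6:9], "big")]
        pos = 2 + 32                                              # client_version + random
        pos += 1 + hello[pos]                                     # session_id
        pos += 2 + struct.unpack("!H", hello[pos:pos + 2])[0]     # cipher_suites
        pos += 1 + hello[pos]                                     # compression_methods
        if pos + 2 > len(hello):
            return True, None                                     # no extensions block
        end = pos + 2 + struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
            pos += 4
            if etype == 0:                                        # server_name extension
                p = pos + 2                                       # skip list length
                while p + 3 <= pos + elen:
                    ntype = hello[p]
                    nlen = struct.unpack("!H", hello[p + 1:p + 3])[0]
                    p += 3
                    if ntype == 0:
                        return True, hello[p:p + nlen].decode("ascii").lower()
                    p += nlen
            pos += elen
        return True, None
    except (IndexError, struct.error, UnicodeDecodeError):
        return False, None


def route_tls(record):
    """Backend the https frontend picks for the first bytes of a connection,
    or None when no use_backend rule matches (it has no default_backend)."""
    is_hello, sni = parse_client_hello(record)
    return HTTPS_ROUTES.get(sni) if is_hello else None


def route_http(request_head):
    """Backend the http frontend picks from the Host header. `hdr(Host) -i name`
    compares the whole header value case-insensitively, so `Host: name:80`
    would not match; browsers omit the default port, which is why it works."""
    for line in request_head.split("\r\n")[1:]:
        if line.lower().startswith("host:"):
            return HTTP_ROUTES.get(line.split(":", 1)[1].strip().lower())
    return None


def san_matches(san, hostname):
    """dNSName match as browsers apply it: exact, or '*' as the whole
    left-most label matching exactly one label."""
    san, hostname = san.lower(), hostname.lower()
    if san.startswith("*."):
        return "." in hostname and hostname.split(".", 1)[1] == san[2:]
    return san == hostname


def certs_overlap(sans_a, host_a, sans_b, host_b):
    """True when either certificate also covers the other server's name: the
    overlap the answer warns about, since a browser holding a TLS connection
    to this IP whose certificate covers the second name may reuse it, and that
    connection is pinned to the wrong backend."""
    return (any(san_matches(s, host_b) for s in sans_a)
            or any(san_matches(s, host_a) for s in sans_b))
```

`route_tls(build_client_hello("ExchangeSrv.domain.nl"))` returns `exchangesrv_https` (the `-i` match is case-insensitive), a ClientHello without SNI or a plain-HTTP request on port 443 gets no backend, and `certs_overlap(["*.domain.nl"], "exchangesrv.domain.nl", ["nextcloud.domain.nl"], "nextcloud.domain.nl")` is `True`, which is the wildcard case to avoid.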
Thank you very much! The certificate error is fixed; now both servers get the right certificate.
The Exchange and Nextcloud servers get their own certificate from Let's Encrypt.
Only one small problem left: my Outlook clients keep asking me for a password; it works a few seconds, then disconnects.
On my iPhone, mail from Exchange works with no problems, and OWA/webmail also works well; it's the Office Outlook that keeps asking for a password.
Do you know what that could be?
Here is part of my logs; I am unsure if there is anything wrong in it.
from the haproxy instance. You may have a firewall issue or something like that, not allowing HTTP traffic towards this. Or maybe you just need to configure the client to use HTTPS instead.
edit: you can try redirecting to HTTPS if your Exchange instance doesn't provide HTTP; remove:
use_backend exchangesrv_http if { hdr(Host) -i exchangesrv.domain.nl }
and add (only in the http frontend):
redirect scheme https if { hdr(Host) -i exchangesrv.domain.nl }
I tried changing the redirect to HTTPS like you suggested, but also no result: the moment I start Outlook it works for 5 seconds, then it keeps requesting a password.
Once I switch the open port 443 back to IP 192.168.1.10 it works again.
I am still trying to disable my firewall, but that isn't so easy on a Ubiquiti USG, I see.
I am lost, tried everything, even reinstalled HAProxy on a fresh Ubuntu server; you can't really do anything wrong with the installation.
Disabled the local firewall on the Windows Exchange 2016 server.
Changed the IP of the HAProxy.
Outlook 2016 keeps asking for a password; the strange thing is that it is a login screen from 365 and not my own server.
I use EOP, so my MX record is forwarded to 0 mydomain-nl.mail.protection.outlook.com.
global
    log /dev/log local0
    log /dev/log local1 notice
    chroot /var/lib/haproxy
    stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
    stats timeout 30s
    user haproxy
    group haproxy
    daemon

    # Default SSL material locations
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private

    # Default ciphers to use on SSL-enabled listening sockets.
    ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA$
    ssl-default-bind-options no-sslv3