HAProxy community

1 Public IP 2 webservers ports 80/443 how to?

I am trying to set up HAProxy on Ubuntu 18 but can't figure out how to set everything up.

I want to use 2 internal servers with 1 public IP; both servers use ports 80 and 443 and have their own subdomain.

Situation
1 Exchange 2016 server exchange.domain.com internal IP 192.168.1.10
1 Ubuntu nextcloud server nextcloud.domain.com internal IP 192.168.1.5
1 ubuntu server with HAProxy installed IP 192.168.1.2
1 Router IP 192.168.1.1

Both servers (Exchange and Nextcloud) have SSL certs that auto-renew from Let's Encrypt, and both servers need ports 80 and 443 open.

How can I set up HAProxy so that traffic for the Exchange server and the Nextcloud server is delivered to the correct server?

I managed to get it working with this:

frontend exchange
bind 192.168.1.2:443 name https
default_backend exchange_servers

backend exchange_servers
server exchangesrv.domain.nl 192.168.1.10 check port 443
server nextcloud.domain.nl 192.168.1.5 check port 443

One problem: the Exchange server is using the cert from the Nextcloud server. How can I change it so that every server uses its own certificate?
Now I get a certificate error on my Exchange server.

That’s wrong. You configured haproxy to load-balance between 2 different servers.

You need to content switch on port 80 based on the Host header (in HTTP mode) and on port 443 based on the SNI value (in TCP mode), something like:

frontend http
 mode http
 bind :80
 use_backend exchangesrv_http if { hdr(Host) -i exchangesrv.domain.nl }
 use_backend nextcloud_http if { hdr(Host) -i nextcloud.domain.nl }

backend exchangesrv_http
 mode http
 server exchangesrv 192.168.1.10:80

backend nextcloud_http
 mode http
 server nextcloud 192.168.1.5:80


frontend https
 mode tcp
 bind :443 name https
 tcp-request inspect-delay 5s
 tcp-request content accept if { req_ssl_hello_type 1 }
 use_backend exchangesrv_https if { req_ssl_sni -i exchangesrv.domain.nl }
 use_backend nextcloud_https if { req_ssl_sni -i nextcloud.domain.nl }

backend exchangesrv_https
 mode tcp
 server exchangesrv 192.168.1.10:443

backend nextcloud_https
 mode tcp
 server nextcloud 192.168.1.5:443

Also make sure the certificates don’t overlap (no wildcard or SANs covering the other hostname), otherwise the browser will try to reuse a connection that is pointing to the wrong server.


Thank you very much! The certificate error is fixed; now both servers get the right certificate.
The Exchange and Nextcloud servers each get their own certificate from Let's Encrypt.

Only one small problem left: my Outlook clients keep asking me for a password. It works a few seconds, then disconnects.
On my iPhone, mail from Exchange works with no problems, and OWA/webmail works well too; it's the Office Outlook client that keeps asking for a password.

Do you know what that could be?
Here is part of my logs; I am unsure if there is anything wrong in it.

Sep 1 16:33:34 haproxy haproxy[1161]: 192.168.1.1:55289 [01/Sep/2019:16:33:34.382] http http/<NOSRV> -1/-1/-1/-1/0 503 213 - - SC-- 5/1/0/0/0 0/0 "GET /autodiscover/autodiscover.xml HTTP/1.1"
Sep 1 16:33:34 haproxy haproxy[1161]: 192.168.1.1:55290 [01/Sep/2019:16:33:34.388] http http/<NOSRV> -1/-1/-1/-1/0 503 213 - - SC-- 5/1/0/0/0 0/0 "GET /autodiscover/autodiscover.xml HTTP/1.1"
Sep 1 16:33:42 haproxy haproxy[1161]: 192.168.1.1:55292 [01/Sep/2019:16:33:42.892] https https/<NOSRV> -1/-1/0 0 SC 6/6/0/0/0 0/0
Sep 1 16:33:42 haproxy haproxy[1161]: 192.168.1.1:55293 [01/Sep/2019:16:33:42.892] https https/<NOSRV> -1/-1/0 0 SC 5/5/0/0/0 0/0
Sep 1 16:33:51 haproxy haproxy[1161]: 192.168.1.1:55079 [01/Sep/2019:16:29:29.670] https remote_https/remote 1/0/261770 28368 CD 4/4/3/3/0 0/0
Sep 1 16:33:51 haproxy haproxy[1161]: 192.168.1.1:55094 [01/Sep/2019:16:29:30.910] https remote_https/remote 1/0/260588 2368 CD 3/3/2/2/0 0/0

Is there anyone who has this working?

I have been reading for hours but I can't find a solution, only one but that was Mac related; I also tried that with no luck.

The moment I forward port 443 back to the Exchange server it works perfectly again, so I think it's a config somewhere in HAProxy, but where?
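Added example, not from the thread: a small parser for httplog and tcplog lines of the kind posted above. The sample lines are constructed from those in the post and include the `<NOSRV>` server marker HAProxy writes when no server was selected (angle brackets are often eaten by forum rendering). It decodes the backend/server and termination-state fields so that a 503 or an empty TCP session with `<NOSRV>` can be told apart from a server that refused the connection or a client that closed it.

```python
import re

# Constructed from the log lines in the post above; syslog prefix + httplog / tcplog body.
SAMPLE_LOG = """\
Sep 1 16:33:34 haproxy haproxy[1161]: 192.168.1.1:55289 [01/Sep/2019:16:33:34.382] http http/<NOSRV> -1/-1/-1/-1/0 503 213 - - SC-- 5/1/0/0/0 0/0 "GET /autodiscover/autodiscover.xml HTTP/1.1"
Sep 1 16:33:42 haproxy haproxy[1161]: 192.168.1.1:55292 [01/Sep/2019:16:33:42.892] https https/<NOSRV> -1/-1/0 0 SC 6/6/0/0/0 0/0
Sep 1 16:33:51 haproxy haproxy[1161]: 192.168.1.1:55079 [01/Sep/2019:16:29:29.670] https remote_https/remote 1/0/261770 28368 CD 4/4/3/3/0 0/0
""".splitlines()

# Common tail of both formats; httplog additionally carries status, cookies ("- -") and request.
LOG_RE = re.compile(
    r'(?P<client>\S+) \[(?P<accept>[^\]]+)\] (?P<fe>\S+) (?P<be>[^/ ]+)/(?P<srv>\S+) '
    r'(?P<timers>[-\d/]+) (?:(?P<status>\d{3}) )?(?P<bytes>\d+) (?:- - )?(?P<term>\S+) '
    r'(?P<conns>[\d/]+) (?P<queues>\d+/\d+)(?: "(?P<request>[^"]*)")?$'
)

# First termination-state letter: which side ended the session first
# (HAProxy configuration manual, "Session state at disconnection").
WHO = {"C": "client-abort", "S": "server-refused", "c": "client-timeout",
       "s": "server-timeout", "P": "proxy-blocked", "-": "ok"}

def parse_line(line):
    """Split one log line into named fields; None for lines that are not haproxy access logs."""
    m = LOG_RE.search(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["mode"] = "http" if entry["status"] else "tcp"   # tcplog has no status column
    return entry

def diagnose(entry):
    """<NOSRV> with backend == frontend means no use_backend rule matched and there is no
    default_backend, so the request or TLS session never reached any server."""
    if entry["srv"] == "<NOSRV>" and entry["be"] == entry["fe"]:
        return "no-backend-matched"
    return WHO.get(entry["term"][0], "other")

def summarize(lines):
    """Count (frontend, diagnosis) pairs over a batch of lines."""
    counts = {}
    for line in lines:
        entry = parse_line(line)
        if entry:
            key = (entry["fe"], diagnose(entry))
            counts[key] = counts.get(key, 0) + 1
    return counts
```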

This means haproxy cannot reach the exchange server on port 80.

Please provide the output of:

curl -v "http://192.168.1.10:80/autodiscover/autodiscover.xml"

from the haproxy instance. You may have a firewall issue or something like that, not allowing HTTP traffic towards this. Or maybe you just need to configure the client to use HTTPS instead.

edit: you can try redirecting to HTTPS if your exchange instance doesn’t provide HTTP, remove:

use_backend exchangesrv_http if { hdr(Host) -i exchangesrv.domain.nl }

and add (only in the http frontend):

redirect scheme https if { hdr(Host) -i exchangesrv.domain.nl }

Output from curl -v "http://192.168.1.10:80/autodiscover/autodiscover.xml":

admin@haproxy:~$ curl -v http://192.168.1.10:80/autodiscover/autodiscover.xml

* Trying 192.168.1.10...
* TCP_NODELAY set
* Connected to 192.168.1.10 (192.168.1.10) port 80 (#0)
> GET /autodiscover/autodiscover.xml HTTP/1.1
> Host: 192.168.1.10
> User-Agent: curl/7.58.0
> Accept: */*
>

< HTTP/1.1 401 Unauthorized
< Server: Microsoft-IIS/10.0
< request-id: 0e8aa857-5983-462c-b20b-185f3b61909c
< X-SOAP-Enabled: True
< X-WSSecurity-Enabled: True
< X-WSSecurity-For: None
< X-OAuth-Enabled: True
< WWW-Authenticate: Basic realm="192.168.1.10"
< WWW-Authenticate: Negotiate
< WWW-Authenticate: NTLM
< X-Powered-By: ASP.NET
< X-FEServer: SRV1
< Date: Mon, 02 Sep 2019 18:29:59 GMT
< Content-Length: 0
<

* Connection #0 to host 192.168.1.10 left intact

I tried changing the redirect to HTTPS like you suggested, but also no result; the moment I start Outlook it works for 5 seconds, then it keeps requesting a password.

Once I switch the open port 443 back to IP 192.168.1.10 it works again.

I am still trying to disable my firewall, but that isn't so easy on a Ubiquiti USG, I see.

curl works, so either haproxy itself is misconfigured, or your local OS has some kind of firewall.

Unless that firewall is between haproxy and your exchange server, it should be irrelevant.

I am lost. I tried everything, even reinstalled HAProxy on a fresh Ubuntu server; I can't really do anything wrong with the installation.
Disabled the local firewall on the Windows Exchange 2016 server.
Changed the IP of the HAProxy.
Outlook 2016 keeps asking for a password; the strange thing is that it is a login screen from 365 and not my own server.
I use EOP, so my MX record is forwarded to 0 mydomain-nl.mail.protection.outlook.com.

global

    log /dev/log    local0
    log /dev/log    local1 notice
    chroot /var/lib/haproxy
    stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
    stats timeout 30s
    user haproxy
    group haproxy
    daemon

    # Default SSL material locations
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private

    # Default ciphers to use on SSL-enabled listening sockets.
    ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA$
    ssl-default-bind-options no-sslv3

defaults

    log     global
    mode    http
    option  httplog
    option  dontlognull
    timeout connect 5000
    timeout client  50000
    timeout server  50000
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http

frontend http

    mode http
    bind :80
    stats hide-version
    stats refresh 30s
    stats show-node
    stats auth admin:password
    stats uri /haproxy?stats

    redirect scheme https if { hdr(Host) -i remote.domein.nl }
    use_backend cloud_http if { hdr(Host) -i cloud.domein.nl }

backend remote_http

    mode http
    server remote 192.168.1.10:80

backend cloud_http

    mode http
    server cloud 192.168.1.5:80

frontend https

    mode tcp
    bind :443 name https
    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }
    use_backend remote_https if { req_ssl_sni -i remote.domain.nl }
    use_backend cloud_https if { req_ssl_sni -i cloud.domein.nl }

backend remote_https

    mode tcp
    server remote 192.168.1.10:443

backend cloud_https

    mode tcp
    server cloud 192.168.1.5:443

Update:

Moving from Hyper-V to VMware solved the problem.

I also had to put autodiscover in the config, no idea why, but it works perfectly now.