Hello. We have an Exchange server. Right now we are balancing it with DNS. I want to implement HAProxy.
Can someone show me a working configuration?
Doing a search on these forums should have given you what you need, but still — this is a snipped, old config, so YMMV…
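global
    # Log target. The "log global" line in defaults only works if one is
    # defined here; without it, option httplog / log-health-checks below
    # produce no output at all (no access logs to detect anything with).
    log /dev/log local0
    # Floor TLS at 1.2 on the public listeners and on the hops to Exchange.
    ssl-default-bind-options ssl-min-ver TLSv1.2
    ssl-default-server-options ssl-min-ver TLSv1.2
    # NOTE(review): this section was snipped by the poster; if the full
    # config does not already drop privileges (user/group, chroot), add that.

    # Header-case map for clients that need exact header case (Outlook,
    # ActiveSync). Applied to responses on frontends that set
    # "option h1-case-adjust-bogus-client". <from> is the header name as
    # HAProxy looks it up -- all lowercase -- and <to> is what goes on the
    # wire. x-clientinfo was previously written with a capital I, which does
    # not match (and is refused at load time on recent releases).
    h1-case-adjust accept Accept
    h1-case-adjust authorization Authorization
    h1-case-adjust authrequired AuthRequired
    h1-case-adjust cache-control Cache-Control
    h1-case-adjust client-request-id Client-Request-Id
    h1-case-adjust connection Connection
    h1-case-adjust content-length Content-Length
    h1-case-adjust content-type Content-Type
    h1-case-adjust cookie Cookie
    h1-case-adjust date Date
    h1-case-adjust host Host
    h1-case-adjust persistent-auth Persistent-Auth
    h1-case-adjust pragma Pragma
    h1-case-adjust request-header Request-Header
    h1-case-adjust response-header Response-Header
    h1-case-adjust server Server
    h1-case-adjust set-cookie Set-Cookie
    h1-case-adjust status-code Status-Code
    h1-case-adjust transfer-encoding Transfer-Encoding
    h1-case-adjust user-agent User-Agent
    h1-case-adjust www-authenticate WWW-Authenticate
    h1-case-adjust x-anchormailbox X-AnchorMailbox
    h1-case-adjust x-clientapplication X-ClientApplication
    h1-case-adjust x-clientinfo X-ClientInfo
    h1-case-adjust x-content-type-options X-Content-Type-Options
    h1-case-adjust x-deviceinfo X-DeviceInfo
    h1-case-adjust x-elapsedtime X-ElapsedTime
    h1-case-adjust x-expirationinfo X-ExpirationInfo
    h1-case-adjust x-feserver X-FEServer
    h1-case-adjust x-mapihttpcapability X-MapiHttpCapability
    h1-case-adjust x-pendingperiod X-PendingPeriod
    h1-case-adjust x-powered-by X-Powered-By
    h1-case-adjust x-requestid X-RequestId
    h1-case-adjust x-requesttype X-RequestType
    h1-case-adjust x-responsecode X-ResponseCode
    h1-case-adjust x-serverapplication X-ServerApplication
    h1-case-adjust x-starttime X-StartTime
    h1-case-adjust x-user-identity X-User-Identity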
defaults
    # Inherited by every frontend/backend below; everything is proxied as HTTP.
    mode http

    # Logging: reuse the targets from the global section (only produces
    # output if global actually defines a "log" line), HTTP-format lines,
    # and skip connections that never sent anything.
    log global
    option httplog
    option dontlognull

    # Connection handling towards Exchange: forward the client address in
    # X-Forwarded-For (not for loopback sources) and, if a connection attempt
    # to the chosen server fails, retry up to 5 times, allowing another
    # server to be picked.
    option forwardfor except 127.0.0.0/8
    option redispatch
    retries 5

    # Timeouts. Outlook (MAPI/HTTP, RPC-over-HTTP) and ActiveSync hold idle
    # connections open for a long time, hence the long client/server/keep-alive
    # values; http-request stays short so a slow header sender cannot tie up
    # a connection indefinitely.
    timeout http-request    10s
    timeout queue           1m
    timeout connect         10s
    timeout client          15m
    timeout server          15m
    timeout http-keep-alive 45m
    timeout check           10s

    # Per-frontend concurrent connection ceiling.
    maxconn 100000
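frontend fe_ex2019
    mode http
    # Plain-HTTP listeners exist only to redirect to HTTPS (see below).
    # NOTE(review): "transparent" on the IPv6 binds lets HAProxy bind an
    # address that is not configured locally; it is absent on the IPv4 binds,
    # presumably intentionally -- confirm.
    bind 1.2.3.30:80
    bind 1111:2222:3333:4444::30:80 transparent
    bind 1.2.3.30:443 ssl crt /etc/ssl/certs/exchcert.pem
    bind 1111:2222:3333:4444::30:443 transparent ssl crt /etc/ssl/certs/exchcert.pem
    # Send response headers in the exact case mapped by h1-case-adjust (global).
    option h1-case-adjust-bogus-client

    # Never trust a client-supplied X-Forwarded-For: drop it here so the value
    # IIS sees is only the one HAProxy adds (option forwardfor in defaults).
    http-request del-header X-Forwarded-For

    # Exchange virtual directories. IIS paths are case-insensitive, so match
    # with -i instead of listing spelling variants (a request in an unlisted
    # case would otherwise silently fall through to the default backend).
    acl autodiscover path_beg -i /autodiscover
    acl mapi         path_beg -i /mapi
    acl rpc          path_beg -i /rpc/rpcproxy.dll
    acl owa          path_beg -i /owa
    acl eas          path_beg -i /microsoft-server-activesync
    acl ews          path_beg -i /ews
    acl oab          path_beg -i /oab

    # Admin-only endpoints. Commenting out be_ex2019_ecp alone does NOT keep
    # /ecp off the internet: anything not matched above lands in
    # default_backend be_ex2019, which proxies to the same Exchange servers.
    # Deny them explicitly (case-insensitively, IIS does not care about case).
    # Caveat: OWA's "Options" pages also live under /ecp. To keep them for
    # internal users, add a source ACL and change the rule to
    #   http-request deny if admin_paths !{ src <internal ranges> }
    acl admin_paths  path_beg -i /ecp /powershell
    http-request deny if admin_paths

    # redirect 80 -> 443 (for owa). Evaluated after the http-request rules.
    redirect scheme https code 301 if !{ ssl_fc }

    use_backend be_ex2019_autodiscover if autodiscover
    use_backend be_ex2019_mapi if mapi
    use_backend be_ex2019_rpc if rpc
    use_backend be_ex2019_owa if owa
    use_backend be_ex2019_eas if eas
    #use_backend be_ex2019_ecp if ecp
    use_backend be_ex2019_ews if ews
    use_backend be_ex2019_oab if oab
    # Catch-all for every other path (same servers, no per-path health check).
    default_backend be_ex2019

    # Response hardening; set-header replaces whatever IIS/OWA sent.
    http-response set-header X-Frame-Options SAMEORIGIN
    http-response set-header X-Content-Type-Options nosniff
    # All HTTP is already redirected to HTTPS, so HSTS is consistent; only
    # emitted on TLS responses, non-browser clients simply ignore it.
    http-response set-header Strict-Transport-Security "max-age=31536000" if { ssl_fc }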
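backend be_ex2019_autodiscover
    mode http
    balance roundrobin
    option log-health-checks
    # Health check in the current http-check form (TLS with SNI plus a Host
    # header). ALPN is pinned to http/1.1 on purpose: IIS answers HAProxy's
    # HTTP/2 checks with 400, which would mark every server DOWN (503s).
    # exchange.example.dev is a placeholder -- use the name on your Exchange cert.
    http-check connect ssl sni exchange.example.dev alpn http/1.1
    http-check send meth GET uri /autodiscover/healthcheck.htm hdr Host exchange.example.dev
    http-check expect status 200
    # "verify required" alone validates the chain against the CA bundle only;
    # verifyhost also pins the certificate name, so any other publicly trusted
    # certificate is not accepted as an Exchange server. Each host is listed
    # twice (v4 and v6), so one host going down removes two entries.
    server server1-ipv4 1.2.3.94:443 check ssl inter 15s verify required verifyhost exchange.example.dev ca-file /etc/ssl/certs/ca-certificates.crt
    server server1-ipv6 1111:2222:3333:4444::1:1:443 check ssl inter 15s verify required verifyhost exchange.example.dev ca-file /etc/ssl/certs/ca-certificates.crt
    server server2-ipv4 1.2.3.95:443 check ssl inter 15s verify required verifyhost exchange.example.dev ca-file /etc/ssl/certs/ca-certificates.crt
    server server2-ipv6 1111:2222:3333:4444::1:2:443 check ssl inter 15s verify required verifyhost exchange.example.dev ca-file /etc/ssl/certs/ca-certificates.crt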
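backend be_ex2019_mapi
    mode http
    balance roundrobin
    option log-health-checks
    # Current http-check form: TLS with SNI plus a Host header. ALPN pinned
    # to http/1.1 because IIS answers HAProxy HTTP/2 checks with 400, which
    # would mark every server DOWN. exchange.example.dev is a placeholder for
    # the name on your Exchange certificate.
    http-check connect ssl sni exchange.example.dev alpn http/1.1
    http-check send meth GET uri /mapi/healthcheck.htm hdr Host exchange.example.dev
    http-check expect status 200
    # verifyhost pins the backend certificate name; "verify required" by
    # itself only checks the chain against the CA bundle. Each host appears
    # twice (v4 and v6), so a host that is down removes two entries.
    server server1-ipv4 1.2.3.94:443 check ssl inter 15s verify required verifyhost exchange.example.dev ca-file /etc/ssl/certs/ca-certificates.crt
    server server1-ipv6 1111:2222:3333:4444::1:1:443 check ssl inter 15s verify required verifyhost exchange.example.dev ca-file /etc/ssl/certs/ca-certificates.crt
    server server2-ipv4 1.2.3.95:443 check ssl inter 15s verify required verifyhost exchange.example.dev ca-file /etc/ssl/certs/ca-certificates.crt
    server server2-ipv6 1111:2222:3333:4444::1:2:443 check ssl inter 15s verify required verifyhost exchange.example.dev ca-file /etc/ssl/certs/ca-certificates.crt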
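backend be_ex2019_rpc
    mode http
    balance roundrobin
    option log-health-checks
    # Current http-check form: TLS with SNI plus a Host header. ALPN pinned
    # to http/1.1 because IIS answers HAProxy HTTP/2 checks with 400, which
    # would mark every server DOWN. exchange.example.dev is a placeholder for
    # the name on your Exchange certificate.
    http-check connect ssl sni exchange.example.dev alpn http/1.1
    http-check send meth GET uri /rpc/healthcheck.htm hdr Host exchange.example.dev
    http-check expect status 200
    # verifyhost pins the backend certificate name; "verify required" by
    # itself only checks the chain against the CA bundle. Each host appears
    # twice (v4 and v6), so a host that is down removes two entries.
    server server1-ipv4 1.2.3.94:443 check ssl inter 15s verify required verifyhost exchange.example.dev ca-file /etc/ssl/certs/ca-certificates.crt
    server server1-ipv6 1111:2222:3333:4444::1:1:443 check ssl inter 15s verify required verifyhost exchange.example.dev ca-file /etc/ssl/certs/ca-certificates.crt
    server server2-ipv4 1.2.3.95:443 check ssl inter 15s verify required verifyhost exchange.example.dev ca-file /etc/ssl/certs/ca-certificates.crt
    server server2-ipv6 1111:2222:3333:4444::1:2:443 check ssl inter 15s verify required verifyhost exchange.example.dev ca-file /etc/ssl/certs/ca-certificates.crt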
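backend be_ex2019_owa
    mode http
    balance roundrobin
    option log-health-checks
    # Current http-check form: TLS with SNI plus a Host header. ALPN pinned
    # to http/1.1 because IIS answers HAProxy HTTP/2 checks with 400, which
    # would mark every server DOWN. exchange.example.dev is a placeholder for
    # the name on your Exchange certificate.
    http-check connect ssl sni exchange.example.dev alpn http/1.1
    http-check send meth GET uri /owa/healthcheck.htm hdr Host exchange.example.dev
    http-check expect status 200
    # verifyhost pins the backend certificate name; "verify required" by
    # itself only checks the chain against the CA bundle. Each host appears
    # twice (v4 and v6), so a host that is down removes two entries.
    server server1-ipv4 1.2.3.94:443 check ssl inter 15s verify required verifyhost exchange.example.dev ca-file /etc/ssl/certs/ca-certificates.crt
    server server1-ipv6 1111:2222:3333:4444::1:1:443 check ssl inter 15s verify required verifyhost exchange.example.dev ca-file /etc/ssl/certs/ca-certificates.crt
    server server2-ipv4 1.2.3.95:443 check ssl inter 15s verify required verifyhost exchange.example.dev ca-file /etc/ssl/certs/ca-certificates.crt
    server server2-ipv6 1111:2222:3333:4444::1:2:443 check ssl inter 15s verify required verifyhost exchange.example.dev ca-file /etc/ssl/certs/ca-certificates.crt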
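backend be_ex2019_eas
    mode http
    balance roundrobin
    option log-health-checks
    # Current http-check form: TLS with SNI plus a Host header. ALPN pinned
    # to http/1.1 because IIS answers HAProxy HTTP/2 checks with 400, which
    # would mark every server DOWN. exchange.example.dev is a placeholder for
    # the name on your Exchange certificate.
    http-check connect ssl sni exchange.example.dev alpn http/1.1
    http-check send meth GET uri /microsoft-server-activesync/healthcheck.htm hdr Host exchange.example.dev
    http-check expect status 200
    # verifyhost pins the backend certificate name; "verify required" by
    # itself only checks the chain against the CA bundle. Each host appears
    # twice (v4 and v6), so a host that is down removes two entries.
    server server1-ipv4 1.2.3.94:443 check ssl inter 15s verify required verifyhost exchange.example.dev ca-file /etc/ssl/certs/ca-certificates.crt
    server server1-ipv6 1111:2222:3333:4444::1:1:443 check ssl inter 15s verify required verifyhost exchange.example.dev ca-file /etc/ssl/certs/ca-certificates.crt
    server server2-ipv4 1.2.3.95:443 check ssl inter 15s verify required verifyhost exchange.example.dev ca-file /etc/ssl/certs/ca-certificates.crt
    server server2-ipv6 1111:2222:3333:4444::1:2:443 check ssl inter 15s verify required verifyhost exchange.example.dev ca-file /etc/ssl/certs/ca-certificates.crt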
### Do you REALLY need to make this publicly available? NOTE: commenting out this backend alone does NOT keep /ecp off the internet -- a request for /ecp matches no ACL and falls through to default_backend be_ex2019, which proxies to the same Exchange servers. If /ecp (and /powershell) must stay internal, add an explicit, case-insensitive "http-request deny" for those paths in the frontend. ####
#backend be_ex2019_ecp
# mode http
# balance roundrobin
# option httpchk GET /ecp/healthcheck.htm
# option log-health-checks
# http-check expect status 200
# server server1-ipv4 1.2.3.94:443 check ssl inter 15s verify required ca-file /etc/ssl/certs/ca-certificates.crt
# server server1-ipv6 1111:2222:3333:4444::1:1:443 check ssl inter 15s verify required ca-file /etc/ssl/certs/ca-certificates.crt
# server server2-ipv4 1.2.3.95:443 check ssl inter 15s verify required ca-file /etc/ssl/certs/ca-certificates.crt
# server server2-ipv6 1111:2222:3333:4444::1:2:443 check ssl inter 15s verify required ca-file /etc/ssl/certs/ca-certificates.crt
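backend be_ex2019_ews
    mode http
    balance roundrobin
    option log-health-checks
    # Current http-check form: TLS with SNI plus a Host header. ALPN pinned
    # to http/1.1 because IIS answers HAProxy HTTP/2 checks with 400, which
    # would mark every server DOWN. exchange.example.dev is a placeholder for
    # the name on your Exchange certificate.
    http-check connect ssl sni exchange.example.dev alpn http/1.1
    http-check send meth GET uri /ews/healthcheck.htm hdr Host exchange.example.dev
    http-check expect status 200
    # verifyhost pins the backend certificate name; "verify required" by
    # itself only checks the chain against the CA bundle. Each host appears
    # twice (v4 and v6), so a host that is down removes two entries.
    server server1-ipv4 1.2.3.94:443 check ssl inter 15s verify required verifyhost exchange.example.dev ca-file /etc/ssl/certs/ca-certificates.crt
    server server1-ipv6 1111:2222:3333:4444::1:1:443 check ssl inter 15s verify required verifyhost exchange.example.dev ca-file /etc/ssl/certs/ca-certificates.crt
    server server2-ipv4 1.2.3.95:443 check ssl inter 15s verify required verifyhost exchange.example.dev ca-file /etc/ssl/certs/ca-certificates.crt
    server server2-ipv6 1111:2222:3333:4444::1:2:443 check ssl inter 15s verify required verifyhost exchange.example.dev ca-file /etc/ssl/certs/ca-certificates.crt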
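backend be_ex2019_oab
    mode http
    balance roundrobin
    option log-health-checks
    # Current http-check form: TLS with SNI plus a Host header. ALPN pinned
    # to http/1.1 because IIS answers HAProxy HTTP/2 checks with 400, which
    # would mark every server DOWN. exchange.example.dev is a placeholder for
    # the name on your Exchange certificate.
    http-check connect ssl sni exchange.example.dev alpn http/1.1
    http-check send meth GET uri /oab/healthcheck.htm hdr Host exchange.example.dev
    http-check expect status 200
    # verifyhost pins the backend certificate name; "verify required" by
    # itself only checks the chain against the CA bundle. Each host appears
    # twice (v4 and v6), so a host that is down removes two entries.
    server server1-ipv4 1.2.3.94:443 check ssl inter 15s verify required verifyhost exchange.example.dev ca-file /etc/ssl/certs/ca-certificates.crt
    server server1-ipv6 1111:2222:3333:4444::1:1:443 check ssl inter 15s verify required verifyhost exchange.example.dev ca-file /etc/ssl/certs/ca-certificates.crt
    server server2-ipv4 1.2.3.95:443 check ssl inter 15s verify required verifyhost exchange.example.dev ca-file /etc/ssl/certs/ca-certificates.crt
    server server2-ipv6 1111:2222:3333:4444::1:2:443 check ssl inter 15s verify required verifyhost exchange.example.dev ca-file /etc/ssl/certs/ca-certificates.crt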
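backend be_ex2019
    # Catch-all: every path the frontend ACLs do not match ends up here --
    # including /ecp and /powershell unless the frontend denies them -- and
    # is proxied to the same Exchange servers. No HTTP health check is defined
    # here, so "check ssl" only verifies that a TLS handshake succeeds.
    mode http
    balance roundrobin
    option log-health-checks
    # verifyhost pins the backend certificate name; "verify required" by
    # itself only checks the chain against the CA bundle. exchange.example.dev
    # is a placeholder for the name on your Exchange certificate. Each host
    # appears twice (v4 and v6), so a host that is down removes two entries.
    server server1-ipv4 1.2.3.94:443 check ssl inter 15s verify required verifyhost exchange.example.dev ca-file /etc/ssl/certs/ca-certificates.crt
    server server1-ipv6 1111:2222:3333:4444::1:1:443 check ssl inter 15s verify required verifyhost exchange.example.dev ca-file /etc/ssl/certs/ca-certificates.crt
    server server2-ipv4 1.2.3.95:443 check ssl inter 15s verify required verifyhost exchange.example.dev ca-file /etc/ssl/certs/ca-certificates.crt
    server server2-ipv6 1111:2222:3333:4444::1:2:443 check ssl inter 15s verify required verifyhost exchange.example.dev ca-file /etc/ssl/certs/ca-certificates.crt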
#frontend fe_exchange_smtp   # We don't use Exchange for SMTP; different hosts handle that, so this stays commented out.
# mode tcp
# option tcplog
# bind x.x.x.x:25 name smtp # VIP
# default_backend be_exchange_smtp
#
#backend be_exchange_smtp
# mode tcp
# option tcplog
# balance roundrobin
# option log-health-checks
# server exchange1 1.1.1.1:25 weight 10 check
# server exchange2 2.2.2.2:25 weight 20 check
So… to save someone a lot of time troubleshooting this: the health check in the above example uses the legacy `option httpchk` format. The modern `http-check` format that actually works against Exchange/IIS is as follows:
# Log state changes of the check so a server flapping DOWN/UP is visible.
option log-health-checks
# Open the check connection over TLS with SNI; ALPN deliberately offers only
# http/1.1 (see the note below about IIS and HTTP/2 checks).
# exchange.example.dev is a placeholder for the name on the Exchange cert.
http-check connect ssl sni exchange.example.dev alpn http/1.1
# The request itself: a GET for the OWA health page with an explicit Host
# header, which the legacy "option httpchk GET ..." form never sent.
http-check send meth GET uri /owa/healthcheck.htm hdr host exchange.example.dev
# Only a 200 counts as healthy.
http-check expect status 200
The omission of H2 from the ALPN list is intentional: IIS appears to have problems with HAProxy's HTTP/2 health checks and answers them with 400, so every check fails, every server is marked DOWN, and HAProxy returns 503 to clients.