CalDav doesn't not work through HAProxy


#1

Hello

I have a HAProxy server (1.5.8) in front of an Owncloud server (9.1.0).

I can register an iOS or Android device to my Owncloud agendas (using CalDav) but when it comes to using Mac OS X calendar client it does not work ! I have an error on the client side saying the username / password cannot be verified. If I bypass HAProxy and connects to the Owncloud server directly it works just fine.

HAProxy config:

global
log 127.0.0.1 local0
#log 127.0.0.1 local1 notice
chroot /var/lib/haproxy
stats socket /run/haproxy/admin.sock mode 660 level admin
stats timeout 30s
user haproxy
group haproxy
daemon

    # Default SSL material locations
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private
    # Default ciphers to use on SSL-enabled listening sockets.
    # For more information, see ciphers(1SSL).
    ssl-default-bind-ciphers EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
    ssl-default-bind-options no-sslv3 no-tls-tickets #disable SSLv3
    tune.ssl.default-dh-param 2048 #tune DH to 2048

defaults
log global
mode http
option httplog
option dontlognull
timeout connect 5000
timeout client 50000
timeout server 50000
errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http

frontend public
bind *:80
bind *:443 ssl crt /etc/haproxy/letsencrypt/

    redirect scheme https if !{ ssl_fc }
    mode http
    acl owncloud hdr(host) -i owncloud.myserver.com
    use_backend owncloud_server if owncloud

backend owncloud_server
http-request set-header X-Forwarded-Port %[dst_port]
http-request add-header X-Forwarded-Proto https if { ssl_fc }
#rspadd Strict-Transport-Security:\ max-age=15768000;\ includeSubDomains #enable HSTS header for this backend
rspadd X-XSS-Protection:\ 1;\ mode=block #enable XSS protection for this backend
balance leastconn
option httpclose
option forwardfor
cookie JSESSIONID prefix
server srv01 10.10.10.101:80 cookie A check

Here are the logs from the HAProxy server when I try to register my Mac OS X client:

Aug 30 13:00:08 localhost haproxy[9586]: 10.10.10.119:47998 [30/Aug/2016:13:00:08.487] public~ owncloud_server/srv01 208/0/1/0/209 301 577 - - --NN 0/0/0/0/0 0/0 "PROPFIND /.well-known/caldav HTTP/1.1"
Aug 30 13:00:08 localhost haproxy[9586]: 10.10.10.119:48006 [30/Aug/2016:13:00:08.744] public~ owncloud_server/srv01 56/0/0/85/141 405 998 - - --NN 0/0/0/0/0 0/0 "PROPFIND / HTTP/1.1"
Aug 30 13:00:09 localhost haproxy[9586]: 10.10.10.119:48012 [30/Aug/2016:13:00:08.932] public~ owncloud_server/srv01 52/0/0/85/137 405 1002 - - --NN 0/0/0/0/0 0/0 "PROPFIND /caldav/v2 HTTP/1.1"
Aug 30 13:00:09 localhost haproxy[9586]: 10.10.10.119:48016 [30/Aug/2016:13:00:09.122] public~ owncloud_server/srv01 54/0/0/82/136 405 1002 - - --NN 0/0/0/0/0 0/0 "PROPFIND /principals/users/Alex/ HTTP/1.1"
Aug 30 13:00:09 localhost haproxy[9586]: 10.10.10.119:48024 [30/Aug/2016:13:00:09.305] public~ owncloud_server/srv01 18/0/0/81/99 405 998 - - --NN 0/0/0/0/0 0/0 "PROPFIND /principals/ HTTP/1.1"
Aug 30 13:00:09 localhost haproxy[9586]: 10.10.10.119:48030 [30/Aug/2016:13:00:09.455] public~ owncloud_server/srv01 65/0/0/82/147 405 1014 - - --NN 0/0/0/0/0 0/0 “PROPFIND /dav/principals/ HTTP/1.1”

Logs when I register an iOS client:

Aug 30 13:23:24 localhost haproxy[9586]: 10.10.10.119:34846 [30/Aug/2016:13:23:24.009] public~ owncloud_server/srv01 122/0/1/53/176 401 1319 - - --NN 0/0/0/0/0 0/0 "PROPFIND /remote.php/dav/principals/users/Alex/ HTTP/1.1"
Aug 30 13:23:24 localhost haproxy[9586]: 10.10.10.119:34854 [30/Aug/2016:13:23:24.242] public~ owncloud_server/srv01 58/0/0/148/206 207 1697 - - --NN 0/0/0/0/0 0/0 "PROPFIND /remote.php/dav/principals/users/Alex/ HTTP/1.1"
Aug 30 13:23:24 localhost haproxy[9586]: 10.10.10.119:34864 [30/Aug/2016:13:23:24.512] public~ owncloud_server/srv01 26/0/0/150/176 200 1653 - - --NN 0/0/0/0/0 0/0 “OPTIONS /remote.php/dav/principals/users/Alex/ HTTP/1.1”

Any idea ?

Thanks