Can HAProxy do this?

Hi,

We were trying to set up nginx as a reverse proxy for our network, but in my searching for answers to a problem I have been told that HAProxy would be the better tool. What we are trying to do is we have multiple servers behind 1 IP address that we want to serve via domains. The 2 main issues are: 1 server is an Exchange server, which nginx does not pass the logins to correctly. The 2nd server has no SSL, only HTTP, but we want to have HAProxy do SSL and then pass to HTTP.

From what I have read, for the exchange server we need to do SSL passthrough, but for the second server, we need to do SSLTermination. Can these be configured on one copy of HAProxy?

  1. CLIENT (https) --> (https) HAPROXY --> (https) EXCHANGE SERVER
  2. CLIENT (https) --> (https) HAPROXY --> (http) WEBSITE

I just wanted to find out if this is possible before I get too far. Any suggestions or examples would be welcomed.

Thanks.

At a first read I thought this was just a basic use-case for HAProxy: have two servers (Exchange and website in your case) and route requests to them based on the Host header, and provide TLS termination.

However something seems off:

exchange server we need to do SSL passthrough

Is this an actual “requirement”? (Are you using TLS-based client authentication?)

(A) Because I read this “SSL passthrough” as: HAProxy should receive the TCP connection, inspect the SNI host from the TLS handshake, and if it is for the Exchange server just pass the TLS data back-and-forth without “touching” (i.e. terminating and re-encrypting) the traffic.

(B) Or, is it acceptable for HAProxy to terminate the TLS connection (i.e. decipher the TLS connection), and if it is for Exchange, create another separate TLS connection to the server and pass the original request. (In this variant HAProxy would act as a “man-in-the-middle” by having access to the un-encrypted data between the client and Exchange, however still having encrypted data on the network; meanwhile in the first case, it wouldn’t.)


Assuming it’s (B), that’s trivial.

Assuming it’s (A), I think it is possible with HAProxy, although I have never done it myself. My assumption is that you need to:

  • create a mode tcp frontend, which does not use ssl in the bind option;
  • then by leveraging req.ssl_sni (HAProxy version 1.8.30 - Configuration Manual), you could identify within the TLS data traffic any connections that have the hostname of the Exchange server, and use that to choose the Exchange dedicated backend;
  • however if this is not the case (use default_backend to) send the request to a backend which has a server listening on loopback (perhaps using the send-proxy-v2 option), and
  • create another frontend, in mode http that binds with ssl on that local loopback address, thus terminating the TLS connection;
  • within this second backend you can now use Host header based routing like in a normal use-case;
  • (additionally you could have this second frontend listen also on http and redirect requests on https; )

I would strongly suggest sticking with the more simple (B) variant, unless you have a really good reason not to do so.

1 Like
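The (A) layout described in the reply above, written out as a complete HAProxy configuration. This is an added example, not a config from this thread or from the HAProxy project; the hostnames (mail.example.com, www.example.com), backend addresses (10.0.0.10, 10.0.0.20), the loopback port 8443 and the certificate path are placeholders to be replaced with your own values.

```haproxy
global
    log /dev/log local0
    tune.ssl.default-dh-param 2048

defaults
    log     global
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# Layer-4 frontend on the public IP. There is deliberately no "ssl" on the
# bind line, so HAProxy does not terminate TLS here and never sees plaintext.
frontend fe_tls_sni
    mode tcp
    option tcplog
    bind *:443
    # Hold the connection briefly so the TLS ClientHello (which carries the
    # SNI name) is buffered before a routing decision is made.
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    # Passthrough: connections for the Exchange hostname go straight through
    # to Exchange, still encrypted end-to-end between client and Exchange.
    use_backend be_exchange_passthrough if { req.ssl_sni -i mail.example.com }
    # Everything else is handed to the local terminating frontend below.
    default_backend be_local_terminate

backend be_exchange_passthrough
    mode tcp
    server exchange 10.0.0.10:443 check

# Loops back into the second frontend; PROXY protocol v2 carries the real
# client address across the hop so the HTTP logs still show it.
backend be_local_terminate
    mode tcp
    server local_tls 127.0.0.1:8443 send-proxy-v2

# Layer-7 frontend: this is where TLS is terminated (the "SSL termination" case).
# "accept-proxy" is required because be_local_terminate sends PROXY protocol.
frontend fe_https_terminate
    mode http
    option httplog
    bind 127.0.0.1:8443 ssl crt /etc/haproxy/certs/site.pem accept-proxy
    # Optional plain-HTTP listener that only redirects to HTTPS.
    bind *:80
    http-request redirect scheme https code 301 unless { ssl_fc }
    # Normal Host-header routing from here on.
    use_backend be_website if { req.hdr(host) -i www.example.com }
    default_backend be_website

backend be_website
    mode http
    server web1 10.0.0.20:80 check
```

If you go with the simpler (B) variant instead, the fe_tls_sni / be_local_terminate pair disappears: fe_https_terminate binds directly on *:443 with ssl, and Exchange becomes one more http backend whose server line re-encrypts, e.g. `server exchange 10.0.0.10:443 ssl verify required ca-file /etc/ssl/certs/ca-certificates.crt`, so HAProxy can see the requests but traffic on the wire stays encrypted. In both layouts, validate the file with `haproxy -c -f /etc/haproxy/haproxy.cfg` before reloading.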

Hi,

I’m OK with option B if it works, but I am having lots of trouble getting the Exchange to pass that through.

I found another forum post that gave a config file with Exchange settings (Haproxy and url rewrites to internal servers and urls), but Exchange just fails with “503 Service Unavailable, no server is available to handle this request”. It accepts the HAProxy connection and the SSL certificate is correct and it redirects me to the OWA, but then comes up with a 503 error.

Could you perhaps paste the HAProxy configuration and be more specific on what errors are you encountering?

I’ve quickly looked at that post and saw nothing “out-of-the-ordinary”…

As said above, it would be helpful to provide the HAProxy configuration and perhaps more details on the error you are encountering. (For example the HAProxy log, maybe try that URL with curl -v -s -o /dev/null https://... and paste the output, etc.)

Hi,

I actually just solved this: it was a couple of tweaks in the config file that I had copied, and I also needed to add the mail server to the hosts file. Your suggestion to try curl gave me the clue.

Thanks for your help.