Hi, I’m new to HAProxy and I have a problem with some clients that cannot access HAProxy services from a specific network on the WAN.
When they try to access it from a web browser, it keeps waiting for a response. The first thing I suspected was routing, but ping works, and when I try to access the stats page the authentication window pops up, but after that it just keeps loading and nothing is returned. If I access the service backends directly, bypassing HAProxy, it works.
This is my setting:
- Servers: 2 CentOS 7 with keepalived cluster for HA.
- HAProxy: 1.5.18 (the one that comes with this CentOS version via yum).
- Network: 2 interfaces: ens160 (DMZ) and ens192 (LAN and WAN).
- Routes: default gateway configured for ens160. Specific static routes added for ens192.
- Firewall: ports 80, 443, 9000 and others are opened.
- SELinux: enabled (I tried disabling it, but no luck).
HAProxy configuration (I redacted some sensitive info):
#---------------------------------------------------------------------
# Global settings
#---------------------------------------------------------------------
global
# Syslog to a local collector; 'info' drops debug-level events but keeps the
# per-request/per-connection lines produced by httplog/tcplog below.
log 127.0.0.1 local2 info
# Privilege containment: the process chroots here and drops to haproxy:haproxy
# after the privileged listeners (443, 25, 587) have been bound.
chroot /var/lib/haproxy
pidfile /var/run/haproxy.pid
# Process-wide ceiling on concurrent connections. The frontend and server
# lines further down say maxconn 10000, but this 4000 is what applies overall.
maxconn 4000
user haproxy
group haproxy
daemon
# turn on stats unix socket
# No 'mode' or 'level' is set, so who can drive this socket is decided by the
# filesystem permissions of the path and the socket's default command level —
# NOTE(review): confirm it is not group/world-writable; whoever can write to it
# can read runtime state and change server state.
stats socket /var/lib/haproxy/stats
# Raises the ephemeral DH group for DHE ciphers above the 1024-bit default.
tune.ssl.default-dh-param 2048
#---------------------------------------------------------------------
# common defaults that all the 'listen' and 'backend' sections will
# use if not designated in their block
#---------------------------------------------------------------------
defaults
# HTTP mode for every proxy below unless it overrides (the SMTP listeners
# switch to 'mode tcp').
mode http
log global
option httplog
# Do not log connections that carried no data (monitoring probes, port scans).
option dontlognull
# Server-side connection is closed after each response; the Exchange frontend
# and backends switch this off again in favour of keep-alive.
option http-server-close
# After 'retries' failed connection attempts the request may be sent to a
# different server instead of failing to the client.
option redispatch
retries 3
# The client must finish sending its request headers within 10s
# (guards against slow-header clients holding connections open).
timeout http-request 10s
# How long a request may wait for a server slot once server maxconn is hit.
timeout queue 1m
timeout connect 10s
# Idle limits on each side. These also apply to the tcp-mode SMTP listeners,
# so an SMTP session idle for more than a minute is cut — TODO confirm the
# mail clients/servers tolerate that.
timeout client 1m
timeout server 1m
timeout http-keep-alive 10s
timeout check 10s
# Per-proxy ceiling; the global maxconn 4000 bounds the total.
maxconn 3000
# Least-connections balancing unless a proxy overrides it.
balance leastconn
# Health check every 3s; 2 passes bring a server up, 3 failures take it down.
default-server inter 3s rise 2 fall 3
#---------------------------------------------------------------------
# Exchange HTTPS Frontend
#---------------------------------------------------------------------
frontend exchange_https_frontend
# The only listener is TLS on 443; there is no plain :80 bind in this frontend.
# No protocol or cipher restriction is set on the bind — NOTE(review): confirm
# what the build's OpenSSL defaults allow; otherwise add 'no-sslv3'/'no-tlsv10'
# and a 'ciphers' list here (or ssl-default-bind-* in global).
bind *:443 name https ssl crt /etc/ssl/certs/mycert.pem
mode http
# Keep-alive on both sides, overriding the 'http-server-close' default.
option http-keep-alive
no option httpclose
no option http-server-close
no option forceclose
# Update traffic counters continuously rather than only at session end.
option contstats
option dontlognull
log global
option httplog
# Adds X-Forwarded-For with the client address, except for local clients.
# Without 'if-none' a client-supplied X-Forwarded-For is passed through and
# HAProxy appends its own, so Exchange must only trust the proxy-added value.
option forwardfor except 127.0.0.0/8
timeout client 25s
timeout http-keep-alive 1s
timeout http-request 15s
# Exceeds the global maxconn 4000, which is the effective limit.
maxconn 10000
acl ssl_connection ssl_fc
acl host_mail hdr(Host) -i my.mail.com
acl path_slash path /
# Case-insensitive path-prefix ACLs; each maps to one backend below.
acl path_owa path_beg -i /owa/
acl path_ecp path_beg -i /ecp/
acl path_ews path_beg -i /ews/
acl path_activesync path_beg -i /Microsoft-Server-ActiveSync
acl path_oa path_beg -i /rpc/rpcproxy.dll
acl path_autodiscover path_beg -i /Autodiscover/Autodiscover.xml
acl path_ps path_beg -i /Powershell/
acl path_oab path_beg -i /oab/
###acl path_mapi path_beg -i /mapi/
# Any request path ending in HealthCheck.htm, in any directory.
acl path_check path_end -i HealthCheck.htm
# HTTP deny rules
# Keeps the monitor pages used by 'option httpchk' in the backends from being
# reachable through the proxy; the client gets a 403.
http-request deny if path_check
# HTTP redirect rules
# ssl_fc is always true here because the frontend's only bind is 'ssl', so
# this rule never fires; it only matters if a plain-HTTP bind is added later.
http-request redirect scheme https code 302 unless ssl_connection
http-request redirect location /owa/ code 302 if path_slash host_mail
# HTTP routing rules
use_backend exchange_https_owa_backend if path_owa
use_backend exchange_https_ecp_backend if path_ecp
use_backend exchange_https_ews_backend if path_ews
use_backend exchange_https_activesync_backend if path_activesync
use_backend exchange_https_oa_backend if path_oa
use_backend exchange_https_autodiscover_backend if path_autodiscover
use_backend exchange_https_ps_backend if path_ps
use_backend exchange_https_oab_backend if path_oab
###use_backend exchange_https_mapi if path_mapi
# MAPI/HTTP is not routed (acl and use_backend above are commented out), so
# /mapi/ requests fall through to the default backend.
# other services go here
default_backend exchange_https_default_backend
#---------------------------------------------------------------------
# Exchange HTTPS Backends
#---------------------------------------------------------------------
# Outlook Web Access (OWA):
backend exchange_https_owa_backend
# Keep-alive towards Exchange; with prefer-last-server, later requests on the
# same client connection go back to the server that answered the previous one.
option http-keep-alive
option prefer-last-server
no option httpclose
no option http-server-close
no option forceclose
no option http-tunnel
option forwardfor
# Layer-7 check on the OWA monitor page; since the servers are 'ssl' the check
# is sent over TLS too. The expectation is a substring match for "200 OK"
# anywhere in the response.
option httpchk GET /owa/HealthCheck.htm
http-check expect string 200\ OK
# 'verify none': the Exchange server certificates are not validated, so this
# hop is encrypted but not authenticated — an on-path attacker between the
# proxy and the Exchange servers could impersonate them. Harden with
# 'verify required ca-file <ca-bundle-path>' once the issuing CA is known.
server server151 192.168.5.151:443 maxconn 10000 weight 10 ssl verify none check
server server152 192.168.5.152:443 maxconn 10000 weight 10 ssl verify none check
server server153 192.168.5.153:443 maxconn 10000 weight 10 ssl verify none check
server server154 192.168.5.154:443 maxconn 10000 weight 10 ssl verify none check
# Exchange Control Panel (ECP):
backend exchange_https_ecp_backend
# Same connection handling as the other Exchange backends: keep-alive plus
# prefer-last-server so a client connection sticks to its previous server.
option http-keep-alive
option prefer-last-server
no option httpclose
no option http-server-close
no option forceclose
no option http-tunnel
option forwardfor
# Layer-7 check on the ECP monitor page, over TLS because the servers are 'ssl';
# passes on a "200 OK" substring anywhere in the response.
option httpchk GET /ECP/HealthCheck.htm
http-check expect string 200\ OK
# 'verify none' leaves the proxy-to-Exchange TLS hop unauthenticated (no server
# certificate validation); use 'verify required ca-file <ca-bundle-path>' once
# the issuing CA is known.
server server151 192.168.5.151:443 maxconn 10000 weight 10 ssl verify none check
server server152 192.168.5.152:443 maxconn 10000 weight 10 ssl verify none check
server server153 192.168.5.153:443 maxconn 10000 weight 10 ssl verify none check
server server154 192.168.5.154:443 maxconn 10000 weight 10 ssl verify none check
# Exchange Web Services (EWS):
backend exchange_https_ews_backend
# Keep-alive plus prefer-last-server: a client connection sticks to the server
# that answered its previous request while that server is reachable.
option http-keep-alive
option prefer-last-server
no option httpclose
no option http-server-close
no option forceclose
no option http-tunnel
option forwardfor
# Layer-7 check on the EWS monitor page (over TLS, inherited from 'ssl' on the
# server lines); "200 OK" is matched as a substring of the response.
option httpchk GET /EWS/HealthCheck.htm
http-check expect string 200\ OK
# 'verify none': Exchange certificates are not validated on this hop, so it is
# encrypted but not authenticated. Prefer 'verify required ca-file
# <ca-bundle-path>' once the issuing CA is known.
server server151 192.168.5.151:443 maxconn 10000 weight 10 ssl verify none check
server server152 192.168.5.152:443 maxconn 10000 weight 10 ssl verify none check
server server153 192.168.5.153:443 maxconn 10000 weight 10 ssl verify none check
server server154 192.168.5.154:443 maxconn 10000 weight 10 ssl verify none check
# Exchange Active Sync (EAS):
backend exchange_https_activesync_backend
# ActiveSync uses long-lived connections; keep-alive plus prefer-last-server
# keeps a device's requests on the same server while it is reachable.
option http-keep-alive
option prefer-last-server
no option httpclose
no option http-server-close
no option forceclose
no option http-tunnel
option forwardfor
# Layer-7 check on the ActiveSync monitor page, over TLS because the servers
# are 'ssl'; passes on a "200 OK" substring in the response.
option httpchk GET /Microsoft-Server-ActiveSync/HealthCheck.htm
http-check expect string 200\ OK
# 'verify none' means no server certificate validation towards Exchange; the
# hop is encrypted but not authenticated. Use 'verify required ca-file
# <ca-bundle-path>' once the issuing CA is known.
server server151 192.168.5.151:443 maxconn 10000 weight 10 ssl verify none check
server server152 192.168.5.152:443 maxconn 10000 weight 10 ssl verify none check
server server153 192.168.5.153:443 maxconn 10000 weight 10 ssl verify none check
server server154 192.168.5.154:443 maxconn 10000 weight 10 ssl verify none check
# Outlook Anywhere (OA):
backend exchange_https_oa_backend
# Outlook Anywhere (RPC over HTTP) keeps connections open for a long time;
# keep-alive plus prefer-last-server keeps them on one server.
option http-keep-alive
option prefer-last-server
no option httpclose
no option http-server-close
no option forceclose
no option http-tunnel
option forwardfor
# Layer-7 check on the RPC monitor page, over TLS (inherited from 'ssl');
# "200 OK" is matched as a substring of the response.
option httpchk GET /RPC/HealthCheck.htm
http-check expect string 200\ OK
# 'verify none': the Exchange certificate is not validated on this hop, so it is
# encrypted but not authenticated. Prefer 'verify required ca-file
# <ca-bundle-path>' once the issuing CA is known.
server server151 192.168.5.151:443 maxconn 10000 weight 10 ssl verify none check
server server152 192.168.5.152:443 maxconn 10000 weight 10 ssl verify none check
server server153 192.168.5.153:443 maxconn 10000 weight 10 ssl verify none check
server server154 192.168.5.154:443 maxconn 10000 weight 10 ssl verify none check
# Autodiscover (AU):
backend exchange_https_autodiscover_backend
# Keep-alive plus prefer-last-server, as in the other Exchange backends.
option http-keep-alive
option prefer-last-server
no option httpclose
no option http-server-close
no option forceclose
no option http-tunnel
option forwardfor
# Layer-7 check on the Autodiscover monitor page, over TLS because the servers
# are 'ssl'; passes on a "200 OK" substring in the response.
option httpchk GET /Autodiscover/HealthCheck.htm
http-check expect string 200\ OK
# 'verify none' disables server certificate validation towards Exchange, so
# this hop is encrypted but not authenticated. Use 'verify required ca-file
# <ca-bundle-path>' once the issuing CA is known.
server server151 192.168.5.151:443 maxconn 10000 weight 10 ssl verify none check
server server152 192.168.5.152:443 maxconn 10000 weight 10 ssl verify none check
server server153 192.168.5.153:443 maxconn 10000 weight 10 ssl verify none check
server server154 192.168.5.154:443 maxconn 10000 weight 10 ssl verify none check
# PowerShell (PS):
backend exchange_https_ps_backend
# Remote PowerShell is an administrative endpoint exposed through the same
# public frontend — NOTE(review): confirm it really needs to be reachable from
# the WAN; if not, an 'acl src' restriction in the frontend would limit it.
option http-keep-alive
option prefer-last-server
no option httpclose
no option http-server-close
no option forceclose
no option http-tunnel
option forwardfor
# No 'option httpchk' here, unlike the other backends, so 'check' is only a
# connect-level check (TLS handshake, since the servers are 'ssl'); a server
# whose PowerShell vdir is broken still counts as up.
# 'verify none': no server certificate validation on this hop; prefer
# 'verify required ca-file <ca-bundle-path>' once the issuing CA is known.
server server151 192.168.5.151:443 maxconn 10000 weight 10 ssl verify none check
server server152 192.168.5.152:443 maxconn 10000 weight 10 ssl verify none check
server server153 192.168.5.153:443 maxconn 10000 weight 10 ssl verify none check
server server154 192.168.5.154:443 maxconn 10000 weight 10 ssl verify none check
# Offline Address Book (OAB):
backend exchange_https_oab_backend
# Keep-alive plus prefer-last-server, as in the other Exchange backends.
option http-keep-alive
option prefer-last-server
no option httpclose
no option http-server-close
no option forceclose
no option http-tunnel
option forwardfor
# Layer-7 check on the OAB monitor page, over TLS (inherited from 'ssl');
# "200 OK" is matched as a substring of the response.
option httpchk GET /OAB/HealthCheck.htm
http-check expect string 200\ OK
# 'verify none': the Exchange certificate is not validated, so the hop is
# encrypted but not authenticated. Use 'verify required ca-file
# <ca-bundle-path>' once the issuing CA is known.
server server151 192.168.5.151:443 maxconn 10000 weight 10 ssl verify none check
server server152 192.168.5.152:443 maxconn 10000 weight 10 ssl verify none check
server server153 192.168.5.153:443 maxconn 10000 weight 10 ssl verify none check
server server154 192.168.5.154:443 maxconn 10000 weight 10 ssl verify none check
# Exchange Default Backend:
backend exchange_https_default_backend
# Catch-all for every path not matched by the frontend's use_backend rules
# (including /mapi/, whose routing is commented out in the frontend).
option http-keep-alive
option prefer-last-server
no option httpclose
no option http-server-close
no option forceclose
no option http-tunnel
option forwardfor
# No 'option httpchk', so 'check' is only a connect-level check (a TLS
# handshake, since the servers are 'ssl'); application health is not probed.
# 'verify none': no server certificate validation on this hop; prefer
# 'verify required ca-file <ca-bundle-path>' once the issuing CA is known.
server server151 192.168.5.151:443 maxconn 10000 weight 10 ssl verify none check
server server152 192.168.5.152:443 maxconn 10000 weight 10 ssl verify none check
server server153 192.168.5.153:443 maxconn 10000 weight 10 ssl verify none check
server server154 192.168.5.154:443 maxconn 10000 weight 10 ssl verify none check
#---------------------------------------------------------------------
# Exchange SMTP Settings
#---------------------------------------------------------------------
listen smtp25 *:25
# Plain TCP passthrough: HAProxy does not terminate TLS here, so any STARTTLS
# is negotiated end-to-end between the sender and Exchange.
mode tcp
option tcplog
balance leastconn
# Health = TCP connect plus the SMTP banner containing "220".
option tcp-check
tcp-check expect string 220
default-server inter 3s rise 2 fall 3
# Exchange sees HAProxy's own address as the SMTP client, not the sender's —
# NOTE(review): any receive-connector relay permission keyed on client IP would
# then apply to every proxied connection; confirm before trusting the proxy
# addresses. The 1m client/server timeouts from 'defaults' apply to these
# sessions as well.
server server151 192.168.5.151:25 check
server server152 192.168.5.152:25 check
server server153 192.168.5.153:25 check
server server154 192.168.5.154:25 check
listen smtp587 *:587
# Submission port, same TCP passthrough as smtp25; TLS/auth happen end-to-end
# with Exchange, not on the proxy.
mode tcp
option tcplog
balance leastconn
# Health = TCP connect plus the SMTP banner containing "220".
option tcp-check
tcp-check expect string 220
default-server inter 3s rise 2 fall 3
# As on port 25, Exchange sees the proxy's address as the client —
# NOTE(review): confirm nothing on the receive connector grants relay or skips
# authentication based on that source address. The 1m timeouts from
# 'defaults' apply here too.
server server151 192.168.5.151:587 check
server server152 192.168.5.152:587 check
server server153 192.168.5.153:587 check
server server154 192.168.5.154:587 check
#---------------------------------------------------------------------
# HAProxy stats page:
#---------------------------------------------------------------------
listen stats :9000
# Binds every interface, including the WAN-facing ens192, over plain HTTP: the
# basic-auth credentials below travel in cleartext, and the page is reachable
# from outside while the firewall passes 9000. Restrict with a management-only
# bind address or an 'acl ... src' plus 'http-request deny' rule, and/or put
# 'ssl crt' on the bind.
mode http
stats enable
# Keeps the HAProxy version out of the page.
stats hide-version
stats realm Haproxy\ Statistics
stats uri /
# Cleartext credential in the config file; keep haproxy.cfg readable by root only.
# NOTE(review): the reported symptom (401 challenge arrives, the larger
# authenticated page never does, and only from one WAN network) is not explained
# by these directives — it is more consistent with a path-MTU or asymmetric-
# routing problem on ens192; confirm with a packet capture before changing this.
stats auth admin:mypassword