Config Critique for Exchange 2010


#1

Hi all, new to haproxy and I’m trying to setup a box to proxy traffic from the internet to our internal Exchange server.

Ideally we simply want to check the FQDN being used in the request is valid, check the path is valid for Exchange services, and decrypt, check, and pass “clean” requests to the backend server using SSL.

Any other requests should just bump to our corporate website.

Are there any glaring issues with the config below please? It appears to work but at our small size it’s tricky to test with a real-world load.

global
    log /dev/log    local0
    log /dev/log    local1 notice
    chroot /var/lib/haproxy
    stats socket /run/haproxy/admin.sock mode 660 level admin
    stats timeout 30s
    user haproxy
    group haproxy
    daemon

    # Default SSL material locations
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private

    # Default ciphers to use on SSL-enabled listening sockets.
    # For more information, see ciphers(1SSL). This list is from:
    #  https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
    ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
    ssl-default-bind-options no-sslv3
    tune.ssl.default-dh-param 2048
    maxconn 5000

defaults
    log     global
    maxconn 5000
    mode    http
    option  httplog
    option  dontlognull
    timeout connect 5000
    timeout client  50000
    timeout server  50000
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http

listen stats x.x.x.x:4711
    mode http
    stats enable
    stats hide-version
    stats uri /

frontend webmail_frontend
    bind x.x.x.x:443 ssl crt /etc/ssl/certs/webmail.pem
    mode http
    acl webmail_paths path_beg -i /autodiscover/ /ecp/ /ews/ /exchange/ /exchweb/ /microsoft-server-activesync/ /oab/ /owa/ /public/ /rpc/ /rpcwithcert/
    acl webmail_hosts hdr_dom(Host) -i a.b.c.d
    use_backend webmail_backend if webmail_paths webmail_hosts
    default_backend webmail_redirect

backend webmail_backend
    mode http
    option ssl-hello-chk
    option tcp-check
    option http-keep-alive
    balance roundrobin
    stick-table type ip size 20k expire 15m
    stick on src
    timeout server 10m
    server webmail a.b.c.d x.x.x.x:443 ssl verify none weight 1 check port 443 inter 5000 rise 2 fall 3

backend webmail_redirect
    mode http
    redirect location http://www.corp