Greetings,
I’m using HAproxy for y Exchange servers. Outlook clients are working generally fine, but we have 3rd party application that sends a lot of emails. And here is a thing. Once a day this application looses the ability to communicate with Exchange servers through HAproxy. If I restart the Haproxy daemon it works fine until the very next day. I’m a bit lost and do not know where to start looking. Could you please anvice me on this matter?
Config
global
log 127.0.0.1 local2 info
chroot /var/lib/haproxy
pidfile /var/run/haproxy.pid
maxconn 10000
user haproxy
group haproxy
daemon
ssl-default-bind-options no-sslv3
tune.ssl.default-dh-param 2048
ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
defaults
log global
log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r"
#option tcplog
option redispatch
option http-keep-alive
option log-health-checks
#option dontlognull
#option dontlog-normal
no option httpclose
retries 3
backlog 10000
balance leastconn
timeout connect 15s
timeout http-keep-alive 30s
timeout http-request 30s
timeout queue 30s
timeout tarpit 60s
timeout check 10s
timeout client 15m
timeout server 15m
default-server inter 5s rise 2 fall 3
frontend haproxy_stats_frt
bind <private ip>.7:8080
mode http
acl is_internal src <private ip>.0/24
stats enable
stats refresh 10s
stats show-node
stats auth admin:<password>
stats uri /stats
stats admin if is_internal
frontend web_http_frt
bind <private ip>.7:80
mode http
option forwardfor except 127.0.0.0/8
option httplog
acl is_haproxy hdr(host) -m str -i haproxy1.<private domain>
acl is_ca_web hdr(host) -m str -i ca.<private domain>
acl is_empty_query query -m found
acl is_ecp path -m reg -i (^\/ecp$|^\/ecp\/)
acl is_healthcheck path -m reg -i healthcheck\.htm$
http-request deny if is_ecp
http-request deny if is_healthcheck
http-request redirect location https://%[hdr(host)]%[path] code 301 if !is_ca_web !is_empty_query !is_haproxy
http-request redirect location https://%[hdr(host)]%[path]?%[query] code 301 if !is_ca_web is_empty_query !is_haproxy
use_backend ca_web if is_ca_web
frontend web_https_frt
bind <private ip>.7:443 ssl crt-list /etc/haproxy/cer.list
mode http
option forwardfor except 127.0.0.0/8
option httplog
capture cookie SERVERID len 32
capture request header Host len 64
capture request header User-agent len 64
capture request header X-Forwarded-For len 64
capture request header WWW-Authenticate len 64
capture request header Authorization len 64
capture response header Location len 32
capture response header Server len 32
acl is_ca_web hdr(host) -m str -i ca.<private domain>
acl is_autodiscover_host hdr(host) -m reg -i ^autodiscover.<private domain>$
acl is_mail hdr(host) -m reg -i (^mail.<private domain>$|^mail1.<private domain>$)
acl is_empty_path path -m reg -i (^\/$|^$)
acl is_rpc path -m reg -i (^\/rpc$|^\/rpc\/)
acl is_owa path -m reg -i (^\/owa$|^\/owa\/)
acl is_ews path -m reg -i (^\/ews$|^\/ews\/)
acl is_oab path -m reg -i (^\/oab$|^\/oab\/)
acl is_eas path -m reg -i (^\/eas$|^\/eas\/)
acl is_mapi path -m reg -i (^\/mapi$|^\/mapi\/)
acl is_ecp path -m reg -i (^\/ecp$|^\/ecp\/)
acl is_autodiscover_url path -m reg -i ^\/Autodiscover\/
acl is_activesync path -m reg -i (^\/Microsoft\-Server\-ActiveSync$|^\/Microsoft\-Server\-ActiveSync\/)
acl is_healthcheck path -m reg -i healthcheck.htm$
http-request deny if is_ecp
http-request deny if is_healthcheck
http-request redirect location http://ca.<private domain>%[path] code 301 if is_ca_web
use_backend autodiscover_bck if is_autodiscover_host
use_backend rpc_bck if is_rpc
use_backend owa_bck if is_owa
use_backend ews_bck if is_ews
use_backend oab_bck if is_oab
use_backend eas_bck if is_eas
use_backend mapi_bck if is_mapi
use_backend owa_bck if is_mail is_empty_path
use_backend activesync_bck if is_activesync
frontend mail_frt
mode tcp
option tcplog
bind <private ip>.7:25
bind <private ip>.7:110
bind <private ip>.7:143
bind <private ip>.7:587
bind <private ip>.7:993
bind <private ip>.7:995
acl is_pop dst_port 110
acl is_imap dst_port 143
acl is_smtps dst_port 587
acl is_imaps dst_port 993
acl is_pops dst_port 995
use_backend smtps_bck if is_smtps
use_backend imap_bck if is_imap
use_backend pop_bck if is_pop
use_backend imaps_bck if is_imaps
use_backend pops_bck if is_pops
default_backend smtp_bck
backend smtps_bck
mode tcp
option tcp-check
tcp-check connect port 587
tcp-check expect string 220
server ex1 ex1.<private domain>:587 check
server ex2 ex2.<private domain>:587 check
backend imap_bck
mode tcp
option tcp-check
tcp-check connect port 143
tcp-check expect string * OK
server ex1 ex1.<private domain>:143 check
server ex2 ex2.<private domain>:143 check
backend pop_bck
mode tcp
option tcp-check
tcp-check connect port 110
tcp-check expect string +OK
server ex1 ex1.<private domain>:110 check
server ex2 ex2.<private domain>:110 check
backend imaps_bck
mode tcp
option tcp-check
tcp-check connect port 993 ssl
tcp-check expect string * OK
server ex1 ex1.<private domain>:993 check verify none
server ex2 ex2.<private domain>:993 check verify none
backend pops_bck
mode tcp
option tcp-check
tcp-check connect port 995 ssl
tcp-check expect string +OK
server ex1 ex1.<private domain>:995 check verify none
server ex2 ex2.<private domain>:995 check verify none
backend smtp_bck
mode tcp
option tcp-check
tcp-check expect string 220
server ex1 ex1.<private domain>:25 check
server ex2 ex2.<private domain>:25 check
backend owa_bck
mode http
option httpchk GET /OWA/HealthCheck.htm
http-check expect status 200
server ex1 ex1.<private domain>:443 ssl check verify none
server ex2 ex2.<private domain>:443 ssl check verify none
backend autodiscover_bck
mode http
option httpchk GET /autodiscover/HealthCheck.htm
http-check expect status 200
server ex1 ex1.<private domain>:443 ssl check verify none
server ex2 ex2.<private domain>:443 ssl check verify none
backend rpc_bck
mode http
option httpchk GET /RPC/HealthCheck.htm
http-check expect status 200
cookie SERVERID insert nocache
server ex1 ex1.<private domain>:443 ssl check verify none cookie rpc1
server ex2 ex2.<private domain>:443 ssl check verify none cookie rpc2
backend ews_bck
mode http
option httpchk GET /EWS/HealthCheck.htm
http-check expect status 200
cookie SERVERID insert nocache
server ex1 ex1.<private domain>:443 ssl check verify none cookie ews1
server ex2 ex2.<private domain>:443 ssl check verify none cookie ews2
backend eas_bck
mode http
option httpchk GET /Microsoft-Server-ActiveSync/HealthCheck.htm
http-check expect status 200
server ex1 ex1.<private domain>:443 ssl check verify none
server ex2 ex2.<private domain>:443 ssl check verify none
backend mapi_bck
mode http
option httpchk GET /mapi/HealthCheck.htm
http-check expect status 200
cookie SERVERID insert nocache
server ex1 ex1.<private domain>:443 ssl check verify none id 103 cookie mapi1
server ex2 ex2.<private domain>:443 ssl check verify none id 104 cookie mapi2
backend oab_bck
mode http
option httpchk GET /OAB/HealthCheck.htm
http-check expect status 200
server ex1 ex1.<private domain>:443 ssl check verify none
server ex2 ex2.<private domain>:443 ssl check verify none
backend activesync_bck
mode http
option httpchk GET /Microsoft-Server-ActiveSync/HealthCheck.htm
http-check expect status 200
server ex1 ex1.<private domain>:443 ssl check verify none
server ex2 ex2.<private domain>:443 ssl check verify none
backend ca_web
mode http
http-check expect string CRPT\ CA\ Info
server web1 web1.<private domain>:80 check