HTTPS frontend for exchange and other services


I want to set up HAProxy with an HTTPS frontend (SSL offload) and use SNI to route to different subdomains. But I have one problem. The first request from the web browser is forwarded to the proper backend, but when I reload the website I get the MS Exchange backend every time, even for the other subdomains. Any idea? Thanks.

HAproxy version: 2.3 (Debian)

global
	log /dev/log	local0
	log /dev/log	local1 notice
	chroot /var/lib/haproxy
	stats socket level admin
	stats socket /var/run/haproxy.sock mode 600 level admin
	server-state-file /etc/haproxy/haproxy.state
	stats timeout 30s
	user haproxy
	group haproxy

	# Default SSL material locations
	ca-base /etc/ssl/certs
	crt-base /etc/ssl/private

	# See:
	ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
	ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets

defaults
	load-server-state-from-file global
	log	global
	mode	http
	option	httplog
	option	dontlognull
	timeout connect 5000
	timeout client  50000
	timeout server  50000
	errorfile 400 /etc/haproxy/errors/400.http
	errorfile 403 /etc/haproxy/errors/403.http
	errorfile 408 /etc/haproxy/errors/408.http
	errorfile 500 /etc/haproxy/errors/500.http
	errorfile 502 /etc/haproxy/errors/502.http
	errorfile 503 /etc/haproxy/errors/503.http
	errorfile 504 /etc/haproxy/errors/504.http

listen stats 
    stats enable
    stats uri /stats
    stats realm HAProxy-04\ Statistics
    stats auth admin:pass
    stats admin if TRUE

frontend https_haproxy
    mode tcp
    maxconn 2000
    option tcplog
    tcp-request inspect-delay 10s
    tcp-request content accept if { req_ssl_hello_type 1 }
    # GeoIP & IP filtering
    acl acl_DE src -f /etc/haproxy/geoip/DE.subnets
    acl acl_SK src -f /etc/haproxy/geoip/SK.subnets
    acl acl_local src -f /etc/haproxy/geoip/local.subnets
    # server01 configuration
    acl acl_server1 req_ssl_sni -i
    use_backend https_server01 if acl_server1
    # server02 configuration
    acl acl_server2 req_ssl_sni -i
    use_backend https_server02 if acl_server2

backend https_server02
    mode tcp
    option tcplog
    option ssl-hello-chk

backend https_server01
    mode tcp
    option ssl-hello-chk
    option tcplog

This doesn’t appear to be your whole config?

Which is the exchange server? If connections are going to the other service, do they stay persistent there? What are you doing with the three geographic acls:

    acl acl_DE src -f /etc/haproxy/geoip/DE.subnets
    acl acl_SK src -f /etc/haproxy/geoip/SK.subnets
    acl acl_local src -f /etc/haproxy/geoip/local.subnets

How do your web servers on the backend handle the SNIs -- are they using canonical names?

Most likely you have overlapping certificates on your backend servers (a wildcard certificate * or multiple SANs matching both), and this will NOT work correctly.

Use distinct, dedicated, non-overlapping certificates, or terminate SSL on HAProxy and look at the Host header instead.

Also see:
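As an added example that is not part of the reply above: a small check for the overlap the reply describes, i.e. whether one backend's certificate also covers a hostname that is supposed to route elsewhere, which is the condition under which a browser may reuse its existing TLS connection (HTTP/2 connection coalescing) and bypass SNI routing on reload. The backend names are taken from the posted config; the SAN lists and hostnames are constructed sample data.

```python
# Detect backend certificates whose SANs cover hostnames routed to a different backend.
# Backend names come from the thread's config; SANs and hostnames are constructed samples.

BACKEND_SANS = {
    "https_server01": ["*.example.test"],   # Exchange, deployed with a wildcard cert
    "https_server02": ["*.example.test"],   # same wildcard cert reused on the other service
}
ROUTES = {
    "mail.example.test": "https_server01",  # SNI that should reach Exchange
    "app.example.test": "https_server02",   # SNI that should reach the other service
}


def san_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match: a wildcard is only valid as the whole leftmost label
    and never matches across a dot or the bare parent domain."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]                     # "*.example.test" -> ".example.test"
    if not hostname.endswith(suffix):
        return False
    leftmost = hostname[: -len(suffix)]
    return bool(leftmost) and "." not in leftmost


def backends_covering(hostname: str, backend_sans: dict) -> list:
    """All backends whose certificate would be accepted for this hostname."""
    return sorted(b for b, sans in backend_sans.items()
                  if any(san_matches(s, hostname) for s in sans))


def find_overlaps(routes: dict, backend_sans: dict) -> dict:
    """Map each hostname to the backends that cover it but are not its intended target.
    Any entry means a connection to the wrong backend can be reused for that hostname."""
    problems = {}
    for hostname, intended in routes.items():
        extra = [b for b in backends_covering(hostname, backend_sans) if b != intended]
        if extra:
            problems[hostname] = extra
    return problems


if __name__ == "__main__":
    for host, others in find_overlaps(ROUTES, BACKEND_SANS).items():
        print(f"{host}: also covered by {', '.join(others)} (SNI routing may be bypassed)")
```

Once each backend carries a certificate that names only its own hostnames, `find_overlaps` returns an empty dict.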

Yup, I use a wildcard. :slight_smile: Thanks very much for the help.