HTTPS frontend for exchange and other services

Hi

I want to set up HAProxy with an HTTPS frontend (SSL offload) and use SNI to route different subdomains. But I have one problem: the first request from the web browser is forwarded to the proper backend, but when I reload the website I always get the MS Exchange backend, even for the other subdomains. Any ideas? Thanks.

HAproxy version: 2.3 (Debian)
HAproxy-wi: 5.1.2.0

global
	log /dev/log	local0
	log /dev/log	local1 notice
	chroot /var/lib/haproxy
	# NOTE(review): runtime API over TCP at 'level admin' with no authentication.
	# It is bound to loopback only, so any local process (e.g. the HAProxy-WI
	# instance mentioned in the post) can alter the running configuration;
	# keep it loopback-only, or prefer the mode-600 UNIX socket below.
	stats socket 127.0.0.1:1999 level admin 
	stats socket /var/run/haproxy.sock mode 600 level admin
	# Read back at startup by 'load-server-state-from-file global' in defaults.
	server-state-file /etc/haproxy/haproxy.state
	stats timeout 30s
	user haproxy
	group haproxy
	daemon

	# Default SSL material locations
	ca-base /etc/ssl/certs
	crt-base /etc/ssl/private

	# See: https://ssl-config.mozilla.org/#server=haproxy&server-version=2.0.3&config=intermediate
	# NOTE(review): the generator link targets HAProxy 2.0.3 while the post says 2.3 is in use.
	# These ssl-default-bind-* settings only apply to bind lines carrying the 'ssl'
	# keyword; the https_haproxy frontend below binds plain TCP (TLS passthrough),
	# so they currently have no effect.
        ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
        ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
        ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets


defaults
	# Restore server UP/DOWN state from the global 'server-state-file' on reload.
	load-server-state-from-file global
	log	global
	# Sections below that do TLS passthrough override this with 'mode tcp'.
	mode	http
	option	httplog
	option	dontlognull
	# Timeouts without a unit are milliseconds: 5s connect, 50s client/server inactivity.
        timeout connect 5000
        timeout client  50000
        timeout server  50000
	# Custom error pages; they are only served by proxies running in 'mode http'.
	errorfile 400 /etc/haproxy/errors/400.http
	errorfile 403 /etc/haproxy/errors/403.http
	errorfile 408 /etc/haproxy/errors/408.http
	errorfile 500 /etc/haproxy/errors/500.http
	errorfile 502 /etc/haproxy/errors/502.http
	errorfile 503 /etc/haproxy/errors/503.http
	errorfile 504 /etc/haproxy/errors/504.http

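listen stats
    # Statistics/admin page, reachable on loopback only (plain HTTP).
    bind 127.0.0.1:8085
    stats enable
    stats uri /stats
    stats realm HAProxy-04\ Statistics
    # NOTE(review): 'admin:pass' is a weak, hard-coded credential sent as HTTP basic
    # auth over this unencrypted bind; replace it with a strong, unique one before
    # the page is reachable beyond loopback.
    stats auth admin:pass
    # 'if TRUE' grants the admin actions (enable/disable servers, etc.) to every
    # authenticated client; narrow the condition if only some operators need them.
    stats admin if TRUE
    # Do not advertise the running HAProxy version on the page.
    stats hide-version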


frontend https_haproxy
    # Plain TCP bind (no 'ssl' keyword): TLS is passed through to the backend
    # unchanged, so HAProxy only sees the SNI in the ClientHello, never the
    # HTTP Host header.
    bind 192.168.0.141:443 
    mode tcp
    maxconn 2000
    option tcplog
	# Wait up to 10s for the TLS ClientHello so req_ssl_sni below can be
	# evaluated; accept as soon as a ClientHello (hello type 1) is seen.
	tcp-request inspect-delay 10s
	tcp-request content accept if { req_ssl_hello_type 1 }
	# NOTE(review): when the delay expires without a ClientHello the connection
	# is still accepted by the implicit default; an explicit
	# 'tcp-request content reject' after the accept would drop non-TLS traffic
	# instead -- confirm against the 2.3 documentation before relying on it.
# GeoIP & IP filtering
	# NOTE(review): acl_DE, acl_SK and acl_local are defined here but not
	# referenced by any rule in this section, so they currently have no effect.
	acl acl_DE src -f /etc/haproxy/geoip/DE.subnets
	acl acl_SK src -f /etc/haproxy/geoip/SK.subnets 
	acl acl_local src -f /etc/haproxy/geoip/local.subnets
	# SNI routing is decided once per TCP connection. A browser that already
	# holds a connection whose certificate also covers the other subdomain may
	# reuse it, in which case no new ClientHello (and no new SNI) reaches
	# HAProxy -- see the reply in the thread about wildcard certificates.
	# No default_backend is set: a connection whose SNI matches neither ACL
	# has no backend to go to and is not forwarded anywhere.
# server01 configuration
	acl acl_server1 req_ssl_sni -i server1.domain.com
	use_backend https_server01 if acl_server1
# server02 configuration
	acl acl_server2 req_ssl_sni -i server2.domain.com
	use_backend https_server02 if acl_server2
	

backend https_server02
    # TLS passthrough: the backend server terminates TLS and presents its own
    # certificate (a wildcard one, per the thread).
    mode tcp
    option tcplog 
    # NOTE(review): this only selects the health-check method; the server line
    # below has no 'check' keyword, so no health check actually runs and the
    # server is never marked down. Add 'check' to enable it, and note that
    # ssl-hello-chk sends an SSLv3-style ClientHello that strict TLS 1.2+
    # servers may refuse -- 'check-ssl' is the modern alternative.
    option ssl-hello-chk
    # Server name happens to be its IP address.
    server 192.168.0.133 192.168.0.133:443


backend https_server01
    # TLS passthrough: the backend server terminates TLS and presents its own
    # certificate (a wildcard one, per the thread).
    mode tcp
    # NOTE(review): as in https_server02, 'check' is missing from the server
    # line, so this option never triggers a health check; add 'check' to
    # enable it (or prefer 'check-ssl' over the SSLv3-style hello check).
    option ssl-hello-chk
    option tcplog 
    # Server name happens to be its IP address.
    server 192.168.0.84 192.168.0.84:443  

This doesn’t appear to be your whole config?

Which is the Exchange server? If connections are going to the other service, do they stay persistent there? What are you doing with the three geographic ACLs:

        acl acl_DE src -f /etc/haproxy/geoip/DE.subnets
	acl acl_SK src -f /etc/haproxy/geoip/SK.subnets 
	acl acl_local src -f /etc/haproxy/geoip/local.subnets
?

How do your web servers on the backend handle the SNIs — are they using canonical names?

Most likely you have overlapping certificates on your backend servers (a wildcard certificate *.domain.com, or multiple SANs matching both server1.domain.com and server2.domain.com); this will NOT work correctly. Once the browser holds a TLS connection whose certificate also covers the other name, it may simply reuse that connection instead of opening a new one, so HAProxy never sees a fresh ClientHello (and SNI) for the second subdomain.

Use distinct, dedicated, non-overlapping certificates, or terminate SSL on HAProxy and route on the Host header instead.

Also see:

Yup, I use a wildcard. :slight_smile: Many thanks for the help.