Installation Steps - HAProxy as reverse proxy

Hi, our organization is planning to use HAProxy as a reverse proxy for a SharePoint site which will be available externally to all users on the internet. I understand it involves installing HAProxy on a Linux box. Can someone please help me with the installation steps? What other configuration will be needed for this?

Hi Vinod,

Below are the steps to be followed to install and configure HAProxy as a reverse proxy for a SharePoint website. Please note that the configuration details provided are based on the assumptions below.

Assumptions:

  1. The SharePoint site is hosted on two servers st1.example.com and st2.example.com.
  2. The haproxy server is ha.example.com.
  3. The Linux flavor used is CentOS 7.

Installation:

  1. Edit the /etc/hosts file so that the hostnames are resolvable.

vi /etc/hosts
xxx.xxx.xxx.xxx st1.example.com st1
xxx.xxx.xxx.xxx st2.example.com st2
xxx.xxx.xxx.xxx ha.example.com ha

Please note that xxx.xxx.xxx.xxx is used here as a placeholder. Replace it with the actual IP address assigned to each host in your organisation.

  2. For general usage, it is also recommended to add a new user for HAProxy to run under.

useradd -r haproxy    # -r creates a system account (system UID range, no home directory)

  3. Install HAProxy

yum -y update
yum -y install haproxy

Configuration:

  1. Edit the HAProxy configuration file, /etc/haproxy/haproxy.cfg, so that HAProxy listens for client requests on port 80 of ha.example.com and forwards them to the backend SharePoint servers.

global
    maxconn 4096
    user haproxy
    group haproxy
    daemon

defaults
    mode http
    option forwardfor
    # Send logs to the local rsyslog UDP listener. Per-request log lines are
    # emitted at "info" level, so the level filter must be "info" (or omitted);
    # with "notice" only state changes such as "Server ... is DOWN" would be kept.
    log 127.0.0.1 local0 info
    option httplog
    maxconn 2000
    # timeouts are in milliseconds when no unit is given
    timeout connect 5000
    timeout client 50000
    timeout server 50000

frontend http_fe
    bind ha.example.com:80
    default_backend sharepoint

backend sharepoint
    balance roundrobin
    # send the request to another server if the cookie-selected one is down
    option redispatch
    # SERVERID cookie pins a client to the server that answered first
    cookie SERVERID insert nocache
    server st1 xxx.xxx.xxx.xxx:80 cookie stcookie01 weight 30 check
    server st2 xxx.xxx.xxx.xxx:80 cookie stcookie02 weight 30 check

  2. Configure the rsyslog daemon to receive the HAProxy logs.

vi /etc/rsyslog.d/haproxy.conf
$ModLoad imudp
# Listen on loopback only: HAProxy logs to 127.0.0.1, and an open UDP/514
# listener would accept forged log lines from anywhere on the network.
$UDPServerAddress 127.0.0.1
$UDPServerRun 514
$template Haproxy,"%msg%\n"
local0.* -/var/log/haproxy/haproxy.log;Haproxy
# discard local0 messages here so they are not duplicated into /var/log/messages
local0.* ~

  3. Restart the rsyslog service followed by the haproxy service to bring the changes into effect.

systemctl restart rsyslog.service
systemctl restart haproxy.service

If all the steps above are performed successfully, you should be able to access the SharePoint application at http://ha.example.com:80 and verify the corresponding entries in /var/log/haproxy/haproxy.log.

If you wish to handle SSL/TLS requests at HAProxy, you need to perform some additional steps. Please let me know if you require those and I will be happy to help you with them too.

Hope this is helpful !

Thanks

Hi Shiv, thanks for the help…

Yes, the site is an SSL site; it will be hosted on only one SharePoint server and will use the default SSL port 443. Here’s the architecture that we are planning to implement. Can you please let me know the steps for SSL?

Hi Vinod,

Since you mentioned that the site is SSL enabled, I presume that you have the required SSL certificate purchased from a certifying authority. Once you have your certificates, you will have a .crt file containing the public certificate and a .key file containing the server key. The preferred way for HAProxy to read an SSL certificate is in .pem format. Therefore you need to concatenate both the certificate and the key to create a .pem file, as shown below:

cat hacert.crt hak.key > /etc/ssl/certs/hapcert.pem
# the bundle now contains the private key: keep it readable by root only
# (HAProxy loads certificates at startup, before dropping to the haproxy user)
chmod 600 /etc/ssl/certs/hapcert.pem

Refer to the following link for further details on certificate formats: certificate - What is a Pem file and how does it differ from other OpenSSL Generated Key File Formats? - Server Fault

HAProxy, being a proxy, maintains two different connections: one between the client and HAProxy and one between HAProxy and the server. HAProxy can use different protocols on these two connections, which allows for the following designs:

  1. SSL/TLS Pass-through: In this case, HAProxy doesn’t handle SSL at all; the encrypted requests from the client are simply forwarded to the backend servers to handle.
  2. SSL/TLS Termination: In this case, HAProxy decrypts the encrypted request from the client and forwards the decrypted request to the backend server.
  3. SSL/TLS Bridging: In this case, HAProxy decrypts the request received from the client and encrypts it again while forwarding it to the backend server.
  4. SSL/TLS Encryption: In this case, HAProxy receives the request from the client over a non-SSL connection and uses SSL to connect to the server side.

As stated in your requirement, you wish to expose SharePoint on the default SSL port 443. Below is the configuration for each of the possible implementation designs.

For HAProxy used in the SSL/TLS Bridging design:

global
    maxconn 4096
    user haproxy
    group haproxy
    daemon
    # do not verify the backend server's certificate: acceptable only on a
    # trusted network segment, since anyone able to intercept the HAProxy to
    # backend path could then impersonate the backend
    ssl-server-verify none

defaults
    mode http
    option forwardfor
    # "info" so that the per-request httplog lines are not filtered out
    log 127.0.0.1 local0 info
    maxconn 2000
    option httplog
    option dontlognull
    timeout connect 5000
    timeout client 50000
    timeout server 50000

frontend http_fe
    mode http
    # terminate TLS with the concatenated certificate + key bundle
    bind ha.example.com:443 ssl crt /etc/ssl/certs/hapcert.pem
    # tell the backend that the client used HTTPS (HAProxy 1.5 syntax)
    reqadd X-Forwarded-Proto:\ https
    default_backend sharepoint

backend sharepoint
    mode http
    balance roundrobin
    option redispatch
    option http-server-close
    cookie SERVERID insert indirect nocache
    # re-encrypt towards the backend on port 443
    server st1 xxx.xxx.xxx.xxx:443 check ssl cookie stcookie01

For the SSL/TLS Termination design you simply need to change the line below:

# plain HTTP towards the backend on port 80, so the "ssl" keyword is dropped
server st1 xxx.xxx.xxx.xxx:80 check cookie stcookie01

For the SSL/TLS Pass-Through design you need to change the lines below:

frontend http_fe
    mode tcp
    # no certificate here: the encrypted traffic from the client is not deciphered
    bind ha.example.com:443

backend sharepoint
    mode tcp
    # HTTP-only directives (reqadd, cookie, option forwardfor) do not apply in tcp mode
    server st1 xxx.xxx.xxx.xxx:443 check

Hope this is helpful !

1 Like
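As an added example that is not part of the thread: a small POSIX shell helper that does what the `cat` line in the post above does, but first checks that the key actually belongs to the certificate (a mismatched pair only shows up as a failed TLS handshake later) and creates the bundle with mode 0600 from the start, since the .pem now carries the private key and HAProxy reads it as root at startup before switching to the haproxy user. File names are assumptions; the self-signed material is generated only so the script runs offline.

```shell
#!/bin/sh
# Added example, not from the thread: build the cert+key bundle the post
# describes, but refuse a key that does not belong to the certificate and
# create the file with mode 0600 from the start. File names are assumptions.

# SHA-256 of the certificate's public key (SubjectPublicKeyInfo, PEM form).
cert_pubkey_fp() {
    openssl x509 -in "$1" -noout -pubkey | openssl sha256 | awk '{print $NF}'
}

# SHA-256 of the public key derived from a private key, in the same PEM form,
# so the two fingerprints are directly comparable.
key_pubkey_fp() {
    openssl pkey -in "$1" -pubout 2>/dev/null | openssl sha256 | awk '{print $NF}'
}

# Succeeds only if certificate ($1) and private key ($2) are a matching pair.
check_pair() {
    [ -n "$(cert_pubkey_fp "$1")" ] && [ "$(cert_pubkey_fp "$1")" = "$(key_pubkey_fp "$2")" ]
}

# make_pem_bundle CERT KEY OUT: write CERT followed by KEY to OUT, the layout
# HAProxy's "crt" option expects. The bundle carries the private key, so it
# is created under umask 077 (mode 0600) rather than chmod-ed after having
# been world-readable for a moment.
make_pem_bundle() {
    if ! check_pair "$1" "$2"; then
        echo "refusing to bundle: key $2 does not match certificate $1" >&2
        return 1
    fi
    rm -f -- "$3"                  # umask only applies to newly created files
    (umask 077 && cat "$1" "$2" > "$3")
}

# Succeeds if the bundle is readable by its owner only (group/other bits clear).
bundle_is_private() {
    [ -f "$1" ] && [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Constructed demo material so the script runs offline: a throwaway
# self-signed certificate for ha.example.com with its key, plus an unrelated
# key. A real deployment uses the CA-issued .crt and .key instead.
gen_test_material() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=ha.example.com" \
        -keyout "$1/hak.key" -out "$1/hacert.crt" 2>/dev/null
    openssl genpkey -algorithm RSA -out "$1/wrong.key" 2>/dev/null
}

DEMO=$(mktemp -d)
gen_test_material "$DEMO"
make_pem_bundle "$DEMO/hacert.crt" "$DEMO/hak.key" "$DEMO/hapcert.pem" && echo "bundle written with mode 0600"
make_pem_bundle "$DEMO/hacert.crt" "$DEMO/wrong.key" "$DEMO/bad.pem" || echo "mismatched key rejected"
rm -rf -- "$DEMO"
```

In a real deployment call `make_pem_bundle hacert.crt hak.key /etc/ssl/certs/hapcert.pem` as root; if the CA also supplied an intermediate certificate, it goes into the bundle after the server certificate and before the key.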

I will try these steps and will let you know how it went. Thank you very much!

Hi Shiv,

What will be the steps for SSL/TLS Termination? We plan to install certs only on the external load balancer.

Hi Vinod,

The steps remain the same as mentioned in my previous post. The SSL certs you wish to install on the HAProxy server are to be placed in the /etc/ssl/certs/ directory in .pem format. After this, you simply have to use the configuration below in the haproxy.cfg file, followed by a restart of haproxy.service, to implement SSL/TLS termination.

global
    maxconn 4096
    user haproxy
    group haproxy
    daemon
    # has no effect in this design, since the backend connection is plain HTTP
    ssl-server-verify none

defaults
    mode http
    option forwardfor
    # "info" so that the per-request httplog lines are not filtered out
    log 127.0.0.1 local0 info
    maxconn 2000
    option httplog
    option dontlognull
    timeout connect 5000
    timeout client 50000
    timeout server 50000

frontend http_fe
    mode http
    # TLS is terminated here with the bundle placed under /etc/ssl/certs/
    bind ha.example.com:443 ssl crt /etc/ssl/certs/hapcert.pem
    reqadd X-Forwarded-Proto:\ https
    default_backend sharepoint

backend sharepoint
    mode http
    balance roundrobin
    option redispatch
    option http-server-close
    cookie SERVERID insert indirect nocache
    # plain HTTP to the backend on port 80
    server st1 xxx.xxx.xxx.xxx:80 check cookie stcookie01

Hope this is helpful !

Hi, I can’t seem to find the file haproxy.cfg under the etc folder. How do I find this file? Does this file exist under the particular user with which we installed HAProxy?

Also, we are getting 503 Service Unavailable when browsing the site externally. This is the error: Server "sharepoint/haproxy server name" is DOWN, reason: Layer4 timeout, check duration: 2000ms. 0 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue.
backend sharepoint has no server available!

Hi Vinod,
Below are the answers to your queries.

The location of the HAProxy configuration file depends on the method used for the installation. If you installed HAProxy using the yum command, the file haproxy.cfg should have been created automatically in the /etc/haproxy/ directory. However, if you built HAProxy from source, you need to create the haproxy.cfg file manually in the /etc/haproxy/ directory. In the latter case, the content of the configuration file can be based on the haproxy.cfg provided in the path_to_haproxy_tar_file/examples/ directory.

The “Layer4 timeout” error is reported when HAProxy is unable to establish a TCP connection with the backend server on the designated port within the duration specified by the timeout connect parameter. To further debug the cause of the error, try the following steps:

  1. Check if you can ping the backend SharePoint machine from the HAProxy machine and vice versa:

$ ping <servername>

  2. Check if you can connect to the backend SharePoint server on the designated port from the HAProxy machine, and vice versa, using telnet:

$ telnet <servername> <port>

If either of the above two checks fails, proceed to the steps below:

  1. Check if firewalld.service is active. If yes, check whether connections to the designated port are allowed through the firewall.

$ systemctl status firewalld.service
$ firewall-cmd --list-all

  2. Check the SELinux mode. Try disabling SELinux if it is in enforcing or permissive mode.

$ getenforce
$ vi /etc/selinux/config

  3. Check if iptables.service is active. If yes, ensure the connection to the SharePoint server IP is not blocked by a REJECT or DROP rule.

$ systemctl status iptables.service
$ iptables --list

  4. Check if the designated ports are open (listening).

$ netstat --listen

If neither of the checks in points 1 and 2 fails, you might want to tune the value set for the timeout connect property in the haproxy.cfg file. If the value set for timeout connect is too low, the connection might time out before the handshake between HAProxy and the backend server completes.

Please note: the checks above should be performed from both the HAProxy and the SharePoint machine, to ensure that a connection can be established in both directions.

Hope this is helpful !

Thanks,
Shivharsh
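As an added example that is not part of any post in this thread: once the rsyslog setup from the first answer is in place, /var/log/haproxy/haproxy.log contains both the per-request httplog lines and the health-check messages quoted in the question above. The shell/awk helper below summarises such a file per backend/server, status and termination state, and surfaces the two log-side symptoms of the 503: requests logged against `<NOSRV>` (no server was available to take them) and `Server ... is DOWN` events with their reason. The log lines are constructed for the demo, not real traffic.

```shell
#!/bin/sh
# Added example, not from the thread: summarise HAProxy "option httplog"
# lines (what /var/log/haproxy/haproxy.log holds with the rsyslog template
# above) per backend/server, status and termination state, and surface the
# two log-side symptoms of the 503 discussed here: requests logged against
# "<NOSRV>" (no server was available) and "Server ... is DOWN" check events.

# Read httplog lines on stdin, print "backend/server status termstate count".
# The "[accept_date]" field is located by pattern, so the function works with
# or without a syslog header in front of the message.
summarize_httplog() {
    awk '
    {
        d = 0
        for (i = 1; i <= NF; i++)
            if ($i ~ /^\[[0-9]+\/[A-Za-z]+\/[0-9]+:/) { d = i; break }
        if (!d) next                    # not a request line (e.g. a DOWN event)
        # fields after the date: frontend, backend/server, timers, status,
        # bytes, request cookie, response cookie, termination state, ...
        key = $(d + 2) " " $(d + 4) " " $(d + 8)
        count[key]++
    }
    END { for (k in count) print k, count[k] }' | LC_ALL=C sort
}

# Number of requests answered 5xx without any server being chosen: server
# field "<NOSRV>", termination state "SC--" (S = server side, C = while connecting).
count_nosrv() {
    summarize_httplog | awk '$1 ~ /\/<NOSRV>$/ && $2 ~ /^5/ { n += $4 } END { print n + 0 }'
}

# Extract "backend/server reason" from health-check DOWN messages such as
# "Server sharepoint/st1 is DOWN, reason: Layer4 timeout, check duration: 2000ms."
down_reasons() {
    sed -n 's/.*Server \([^ ]*\) is DOWN, reason: \([^,]*\),.*/\1 \2/p'
}

# Constructed sample in HAProxy 1.5 httplog format, mixed with the check
# messages HAProxy logs on the same facility. Not real traffic.
SAMPLE_LOG='10.0.0.5:51234 [20/Sep/2016:10:00:01.123] http_fe sharepoint/st1 0/0/1/8/9 200 5120 - - ---- 1/1/0/0/0 0/0 "GET /sites/portal HTTP/1.1"
10.0.0.6:51240 [20/Sep/2016:10:00:02.456] http_fe sharepoint/st2 0/0/2/11/13 302 540 - - ---- 2/2/0/0/0 0/0 "GET /_layouts/15/Authenticate.aspx HTTP/1.1"
Server sharepoint/st1 is DOWN, reason: Layer4 timeout, check duration: 2000ms. 1 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue.
10.0.0.7:51300 [20/Sep/2016:10:00:06.222] http_fe sharepoint/st2 0/0/1/9/10 200 8190 - - ---- 1/1/0/0/0 0/0 "GET /sites/portal HTTP/1.1"
Server sharepoint/st2 is DOWN, reason: Layer4 timeout, check duration: 2001ms. 0 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue.
backend sharepoint has no server available!
10.0.0.5:51310 [20/Sep/2016:10:00:09.900] http_fe sharepoint/<NOSRV> 0/-1/-1/-1/0 503 212 - - SC-- 1/1/0/0/0 0/0 "GET /sites/portal HTTP/1.1"
10.0.0.6:51322 [20/Sep/2016:10:00:10.050] http_fe sharepoint/<NOSRV> 0/-1/-1/-1/0 503 212 - - SC-- 1/1/0/0/0 0/0 "GET /sites/portal HTTP/1.1"'

echo "== requests: backend/server status termination count =="
printf '%s\n' "$SAMPLE_LOG" | summarize_httplog
echo "== 5xx answered with no server chosen: $(printf '%s\n' "$SAMPLE_LOG" | count_nosrv) =="
echo "== health-check DOWN events: backend/server reason =="
printf '%s\n' "$SAMPLE_LOG" | down_reasons
```

Against a live file, `summarize_httplog < /var/log/haproxy/haproxy.log` shows which server the 5xx responses are attributed to; a `<NOSRV>` row means HAProxy never opened a backend connection for those requests, which is exactly the case to pair with `down_reasons` output before touching timeout connect.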

Hi Shiv… Thanks a lot for the responses… I was able to do this successfully. Your instructions were really helpful…

One thing we noticed is that even though we type https://abc.com, for some reason it gets redirected to http://abc.com and then fails to load. How can I avoid this? I think this is coming from HAProxy, as on the external load balancer VIP we don’t have any such redirection defined. Thoughts?

Never mind, we were able to resolve the issues and the site is working now. Thanks for your help on this!
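As an added example that is not part of the thread (Vinod's working configuration was never posted), here is a hardened variant of the SSL/TLS termination configuration from the earlier answer, written for the HAProxy 1.5 that CentOS 7 ships. It also covers the redirect symptom reported just above: a backend that only sees plain HTTP from the proxy will build http:// Location headers unless it honours X-Forwarded-Proto, so the header is set rather than appended, and any http:// redirect that still comes back is rewritten. The cipher list, the HSTS lifetime and the extra port-80 frontend are assumptions, not something the thread specifies.

```haproxy
global
    maxconn 4096
    user haproxy
    group haproxy
    daemon
    log 127.0.0.1 local0 info
    # TLS hardening applied to every "bind ... ssl" line (HAProxy 1.5 syntax).
    # The cipher list is an assumed baseline; adjust to your client population.
    ssl-default-bind-options no-sslv3 no-tls-tickets
    ssl-default-bind-ciphers ECDHE+AESGCM:ECDHE+AES128:ECDHE+AES256:!aNULL:!MD5:!RC4:!3DES
    tune.ssl.default-dh-param 2048

defaults
    mode http
    log global
    option httplog
    option dontlognull
    option forwardfor
    option http-server-close
    timeout connect 5s
    timeout client 50s
    timeout server 50s

frontend http_fe
    # plain-HTTP listener whose only job is to send clients to HTTPS
    bind ha.example.com:80
    redirect scheme https code 301

frontend https_fe
    bind ha.example.com:443 ssl crt /etc/ssl/certs/hapcert.pem
    # set-header replaces any X-Forwarded-Proto the client sent, so a client
    # cannot claim "https" (or "http") on its own; reqadd would only append
    http-request set-header X-Forwarded-Proto https
    # HSTS: once seen over HTTPS, browsers stop trying http:// for a year
    rspadd Strict-Transport-Security:\ max-age=31536000
    default_backend sharepoint

backend sharepoint
    balance roundrobin
    option redispatch
    # persistence cookie marked secure + httponly since the site is HTTPS-only
    cookie SERVERID insert indirect nocache secure httponly
    # if the backend still answers with http:// redirects, rewrite them
    rspirep ^Location:\ http://(.*) Location:\ https://\1
    # plain HTTP to the single SharePoint server
    server st1 xxx.xxx.xxx.xxx:80 check cookie stcookie01
```

`rspadd` and `rspirep` are 1.5-era keywords; HAProxy 2.x removes them in favour of `http-response set-header` and `http-response replace-header`. Validate the file with `haproxy -c -f /etc/haproxy/haproxy.cfg` before restarting the service.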

Hi Vinod,
What did you do to resolve the redirect problem?
Can you share the working configuration?
Thanks

Hi, I am out of the office right now until 10/1. Sorry, I don’t have access to a computer to share the configuration.

Hi, I want to ask something about the backend part:

I’m trying to configure backends with SSL:

server app1 xxx.xxx.xxx.xxx:443 check ssl cookie app1cookie01
server app2 xxx.xxx.xxx.xxx:443 check ssl cookie app2cookie02

What should be configured for the cookie when the server name is app1 (I wrote app1cookie01 and app2cookie02 but I’m not 100% sure)?

Thank you in advance for your support.

The cookie name just has to be unique. It can be just app1 in this case.

Thanks for your support.

Now I have a question about cookie persistence.

My backend looks as below:

backend app
    mode http
    balance roundrobin
    option redispatch
    option http-server-close
    cookie SERVERID insert indirect nocache
    server app1 xxx.xxx.xxx.xxx:443 check ssl cookie app1
    server app2 xxx.xxx.xxx.xxx:443 check ssl cookie app2

The backends are MS Exchange 2010. Is it okay to use SERVERID for cookie persistence?

I don’t have personal experience with Exchange; I suggest you take a look at these blog posts:

https://www.haproxy.com/documentation/haproxy/deployment-guides/exchange-2010/

Also, please open a new thread if you have other questions; this does not belong here. Thanks.