Logging headers of haproxy 2.2 + exchange 2016 + 401 POST /mapi /EWS

f1outsourcing · February 24, 2021, 12:54pm

I am having similar problems as discussed here[1]. I guess the htx cannot be disabled anymore in 2.2? (although a reload does not say anything about it being deprecated)

Most of the mapi requests are 200

These urls are giving 401
POST /EWS/Exchange.asmx

Here it looks like outlook keeps trying and eventually succeeds

.
     0/0/2/5/7 401 247 - - --VN 20/9/5/4/0 0/0 "HEAD /OAB/cd520fd1-051d-    4d82-b235-70504e60db7b/oab.xml HTTP/1.1"
     0/0/0/2/2 401 247 - - --VN 20/9/5/4/0 0/0 "HEAD /OAB/cd520fd1-051d-4d82-b235-70504e60db7b/oab.xml HTTP/1.1"
     0/0/0/1/1 401 508 - - --VN 20/9/6/5/0 0/0 "HEAD /OAB/cd520fd1-051d-4d82-b235-70504e60db7b/oab.xml HTTP/1.1"
     0/0/0/97/97 200 648 - - --VN 20/9/6/5/0 0/0 "HEAD /OAB/cd520fd1-051d-4d82-b235-70504e60db7b/oab.xml HTTP/1.1"
     0/0/0/26/26 200 23849 - - --VN 20/9/6/5/0 0/0 "GET /OAB/cd520fd1-051d-4d82-b235-70504e60db7b/oab.xml HTTP/1.1"
.

Here someone is writing it can be due to the headers. How can I have haproxy log these 401 headers to syslog or so?

I have put this in the frontend, yet 200 are still logged.
http-request set-log-level silent if { status 200 }

[1]

github.com/haproxy/haproxy

Backend Exchange 2016 MAPI connection failed

opened 02:40PM - 24 Mar 20 UTC

closed 10:28AM - 03 Dec 21 UTC

Neneow

type: bug status: feedback required

Hello Everyone, We have issue with Haproxy since version 2.0.0 on Ubuntu Xeni…al (try with Bionic also). We use package from this source (https://haproxy.debian.net/). Since 2.0.0-1 package (try with 2.0.10-1 until 2.1.13-1) outlook 2013, 2016 connectivity (Mapi over HTTP) doesn't work any more. We use Exchange 2016 with last update. Here is the resultat of haproxy --v ``` HA-Proxy version 2.0.13-1ppa1~xenial 2020/02/15 - https://haproxy.org/ Build options : TARGET = linux-glibc CPU = generic CC = gcc CFLAGS = -O2 -g -O2 -fPIE -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2 -fno-strict-aliasing -Wdeclaration-after-statement -fwrapv -Wno-unused-label -Wno-sign-compare -Wno-unused-parameter -Wno-old-style-declaration -Wno-ignored-qualifiers -Wno-clobbered -Wno-missing-field-initializers -Wtype-limits OPTIONS = USE_PCRE2=1 USE_PCRE2_JIT=1 USE_REGPARM=1 USE_OPENSSL=1 USE_LUA=1 USE_ZLIB=1 USE_SYSTEMD=1 Feature list : +EPOLL -KQUEUE -MY_EPOLL -MY_SPLICE +NETFILTER -PCRE -PCRE_JIT +PCRE2 +PCRE2_JIT +POLL -PRIVATE_CACHE +THREAD -PTHREAD_PSHARED +REGPARM -STATIC_PCRE -STATIC_PCRE2 +TPROXY +LINUX_TPROXY +LINUX_SPLICE +LIBCRYPT +CRYPT_H -VSYSCALL +GETADDRINFO +OPENSSL +LUA +FUTEX +ACCEPT4 -MY_ACCEPT4 +ZLIB -SLZ +CPU_AFFINITY +TFO +NS +DL +RT -DEVICEATLAS -51DEGREES -WURFL +SYSTEMD -OBSOLETE_LINKER +PRCTL +THREAD_DUMP -EVPORTS Default settings : bufsize = 16384, maxrewrite = 1024, maxpollevents = 200 Built with multi-threading support (MAX_THREADS=64, default=1). Built with OpenSSL version : OpenSSL 1.0.2g 1 Mar 2016 Running on OpenSSL version : OpenSSL 1.0.2g 1 Mar 2016 OpenSSL library supports TLS extensions : yes OpenSSL library supports SNI : yes OpenSSL library supports : TLSv1.0 TLSv1.1 TLSv1.2 Built with Lua version : Lua 5.3.1 Built with network namespace support. Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND Built with zlib version : 1.2.8 Running on zlib version : 1.2.8 Compression algorithms supported : identity("identity"), deflate("deflate"), raw-deflate("deflate"), gzip("gzip") Built with PCRE2 version : 10.21 2016-01-12 PCRE2 library supports JIT : yes Encrypted password support via crypt(3): yes Built with the Prometheus exporter as a service Available polling systems : epoll : pref=300, test result OK poll : pref=200, test result OK select : pref=150, test result OK Total: 3 (3 usable), will use epoll. Available multiplexer protocols : (protocols marked as <default> cannot be specified using 'proto' keyword) h2 : mode=HTX side=FE|BE mux=H2 h2 : mode=HTTP side=FE mux=H2 <default> : mode=HTX side=FE|BE mux=H1 <default> : mode=TCP|HTTP side=FE|BE mux=PASS Available services : prometheus-exporter Available filters : [SPOE] spoe [COMP] compression [CACHE] cache [TRACE] trace ``` With use this backend (for the mapi part) ``` backend bk_Exchange2016_servename_mapi mode http option http-keep-alive option prefer-last-server no option httpclose no option http-server-close no option forceclose no option http-tunnel option forwardfor option httpchk GET /mapi/HealthCheck.htm http-check expect string 200\ OK cookie ALBWA insert indirect nocache timeout server 600s server SERVERNAME X.X.X.X:443 ssl check ``` When Outlook try to connect, we can observe in haproxy.log : ``` Mar 24 15:33:34 localhost haproxy[10109]: X.X.X.X:51959 [24/Mar/2020:15:33:34.617] Web~ bk_Exchange2016_servenamemapi/SERVERNAME 43/0/0/3/+46 401 +728 - - --NI 177/8/1/1/0 0/0 {|Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.4|servername.fr {TLSv1.2/ECDHE-RSA-AES128-GCM-SHA256/servername.fr //C=US/O=xxxx Inc/OU=xxx/CN=xxx RSA CA XXXX/} "POST /mapi/nspi/?MailboxId=6ba0e895-0c9b-40e7-be3a-e6cf85f3d44a@servername.fr HTTP/1.1" ``` If we downgrade in 1.9.14 version no problem, outlook connects correctly. We see in this case "NI" in log. Thank you in advance for your help.

[2]

github.com/haproxy/haproxy

Backend Exchange 2016 MAPI connection failed

opened 02:40PM - 24 Mar 20 UTC

closed 10:28AM - 03 Dec 21 UTC

Neneow

type: bug status: feedback required

Hello Everyone, We have issue with Haproxy since version 2.0.0 on Ubuntu Xeni…al (try with Bionic also). We use package from this source (https://haproxy.debian.net/). Since 2.0.0-1 package (try with 2.0.10-1 until 2.1.13-1) outlook 2013, 2016 connectivity (Mapi over HTTP) doesn't work any more. We use Exchange 2016 with last update. Here is the resultat of haproxy --v ``` HA-Proxy version 2.0.13-1ppa1~xenial 2020/02/15 - https://haproxy.org/ Build options : TARGET = linux-glibc CPU = generic CC = gcc CFLAGS = -O2 -g -O2 -fPIE -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2 -fno-strict-aliasing -Wdeclaration-after-statement -fwrapv -Wno-unused-label -Wno-sign-compare -Wno-unused-parameter -Wno-old-style-declaration -Wno-ignored-qualifiers -Wno-clobbered -Wno-missing-field-initializers -Wtype-limits OPTIONS = USE_PCRE2=1 USE_PCRE2_JIT=1 USE_REGPARM=1 USE_OPENSSL=1 USE_LUA=1 USE_ZLIB=1 USE_SYSTEMD=1 Feature list : +EPOLL -KQUEUE -MY_EPOLL -MY_SPLICE +NETFILTER -PCRE -PCRE_JIT +PCRE2 +PCRE2_JIT +POLL -PRIVATE_CACHE +THREAD -PTHREAD_PSHARED +REGPARM -STATIC_PCRE -STATIC_PCRE2 +TPROXY +LINUX_TPROXY +LINUX_SPLICE +LIBCRYPT +CRYPT_H -VSYSCALL +GETADDRINFO +OPENSSL +LUA +FUTEX +ACCEPT4 -MY_ACCEPT4 +ZLIB -SLZ +CPU_AFFINITY +TFO +NS +DL +RT -DEVICEATLAS -51DEGREES -WURFL +SYSTEMD -OBSOLETE_LINKER +PRCTL +THREAD_DUMP -EVPORTS Default settings : bufsize = 16384, maxrewrite = 1024, maxpollevents = 200 Built with multi-threading support (MAX_THREADS=64, default=1). Built with OpenSSL version : OpenSSL 1.0.2g 1 Mar 2016 Running on OpenSSL version : OpenSSL 1.0.2g 1 Mar 2016 OpenSSL library supports TLS extensions : yes OpenSSL library supports SNI : yes OpenSSL library supports : TLSv1.0 TLSv1.1 TLSv1.2 Built with Lua version : Lua 5.3.1 Built with network namespace support. Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND Built with zlib version : 1.2.8 Running on zlib version : 1.2.8 Compression algorithms supported : identity("identity"), deflate("deflate"), raw-deflate("deflate"), gzip("gzip") Built with PCRE2 version : 10.21 2016-01-12 PCRE2 library supports JIT : yes Encrypted password support via crypt(3): yes Built with the Prometheus exporter as a service Available polling systems : epoll : pref=300, test result OK poll : pref=200, test result OK select : pref=150, test result OK Total: 3 (3 usable), will use epoll. Available multiplexer protocols : (protocols marked as <default> cannot be specified using 'proto' keyword) h2 : mode=HTX side=FE|BE mux=H2 h2 : mode=HTTP side=FE mux=H2 <default> : mode=HTX side=FE|BE mux=H1 <default> : mode=TCP|HTTP side=FE|BE mux=PASS Available services : prometheus-exporter Available filters : [SPOE] spoe [COMP] compression [CACHE] cache [TRACE] trace ``` With use this backend (for the mapi part) ``` backend bk_Exchange2016_servename_mapi mode http option http-keep-alive option prefer-last-server no option httpclose no option http-server-close no option forceclose no option http-tunnel option forwardfor option httpchk GET /mapi/HealthCheck.htm http-check expect string 200\ OK cookie ALBWA insert indirect nocache timeout server 600s server SERVERNAME X.X.X.X:443 ssl check ``` When Outlook try to connect, we can observe in haproxy.log : ``` Mar 24 15:33:34 localhost haproxy[10109]: X.X.X.X:51959 [24/Mar/2020:15:33:34.617] Web~ bk_Exchange2016_servenamemapi/SERVERNAME 43/0/0/3/+46 401 +728 - - --NI 177/8/1/1/0 0/0 {|Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.4|servername.fr {TLSv1.2/ECDHE-RSA-AES128-GCM-SHA256/servername.fr //C=US/O=xxxx Inc/OU=xxx/CN=xxx RSA CA XXXX/} "POST /mapi/nspi/?MailboxId=6ba0e895-0c9b-40e7-be3a-e6cf85f3d44a@servername.fr HTTP/1.1" ``` If we downgrade in 1.9.14 version no problem, outlook connects correctly. We see in this case "NI" in log. Thank you in advance for your help.

Topic		Replies	Views
HAProxy httpcheck strange behavior Help!	9	1838	December 19, 2022
2.8.x to 2.9 Sudden 411 issues Help!	5	740	December 18, 2023
Can HAProxy version 2.4 work well for Exchange 2019 in 2024? Help!	1	744	April 25, 2024
HAProxy 2.07 problems with Exchange Server 2016 and Outlook Help!	11	7505	September 24, 2020
Massive surge in PR-- terminations with status code -1 after enabling frontend H2 Help!	3	596	July 28, 2021

Logging headers of haproxy 2.2 + exchange 2016 + 401 POST /mapi /EWS

Related topics