I am having similar problems as discussed here[1]. I guess the htx cannot be disabled anymore in 2.2? (although a reload does not say anything about it being deprecated)
Most of the mapi requests are 200
These urls are giving 401
POST /EWS/Exchange.asmx
Here it looks like outlook keeps trying and eventually succeeds
.
0/0/2/5/7 401 247 - - --VN 20/9/5/4/0 0/0 "HEAD /OAB/cd520fd1-051d- 4d82-b235-70504e60db7b/oab.xml HTTP/1.1"
0/0/0/2/2 401 247 - - --VN 20/9/5/4/0 0/0 "HEAD /OAB/cd520fd1-051d-4d82-b235-70504e60db7b/oab.xml HTTP/1.1"
0/0/0/1/1 401 508 - - --VN 20/9/6/5/0 0/0 "HEAD /OAB/cd520fd1-051d-4d82-b235-70504e60db7b/oab.xml HTTP/1.1"
0/0/0/97/97 200 648 - - --VN 20/9/6/5/0 0/0 "HEAD /OAB/cd520fd1-051d-4d82-b235-70504e60db7b/oab.xml HTTP/1.1"
0/0/0/26/26 200 23849 - - --VN 20/9/6/5/0 0/0 "GET /OAB/cd520fd1-051d-4d82-b235-70504e60db7b/oab.xml HTTP/1.1"
.
Here someone is writing it can be due to the headers. How can I have haproxy log these 401 headers to syslog or so?
I have put this in the frontend, yet 200 are still logged.
http-request set-log-level silent if { status 200 }
[1]
opened 02:40PM - 24 Mar 20 UTC
closed 10:28AM - 03 Dec 21 UTC
type: bug
status: feedback required
Hello Everyone,
We have issue with Haproxy since version 2.0.0 on Ubuntu Xeni… al (try with Bionic also). We use package from this source (https://haproxy.debian.net/).
Since 2.0.0-1 package (try with 2.0.10-1 until 2.1.13-1) outlook 2013, 2016 connectivity (Mapi over HTTP) doesn't work any more. We use Exchange 2016 with last update.
Here is the resultat of haproxy --v
```
HA-Proxy version 2.0.13-1ppa1~xenial 2020/02/15 - https://haproxy.org/
Build options :
TARGET = linux-glibc
CPU = generic
CC = gcc
CFLAGS = -O2 -g -O2 -fPIE -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2 -fno-strict-aliasing -Wdeclaration-after-statement -fwrapv -Wno-unused-label -Wno-sign-compare -Wno-unused-parameter -Wno-old-style-declaration -Wno-ignored-qualifiers -Wno-clobbered -Wno-missing-field-initializers -Wtype-limits
OPTIONS = USE_PCRE2=1 USE_PCRE2_JIT=1 USE_REGPARM=1 USE_OPENSSL=1 USE_LUA=1 USE_ZLIB=1 USE_SYSTEMD=1
Feature list : +EPOLL -KQUEUE -MY_EPOLL -MY_SPLICE +NETFILTER -PCRE -PCRE_JIT +PCRE2 +PCRE2_JIT +POLL -PRIVATE_CACHE +THREAD -PTHREAD_PSHARED +REGPARM -STATIC_PCRE -STATIC_PCRE2 +TPROXY +LINUX_TPROXY +LINUX_SPLICE +LIBCRYPT +CRYPT_H -VSYSCALL +GETADDRINFO +OPENSSL +LUA +FUTEX +ACCEPT4 -MY_ACCEPT4 +ZLIB -SLZ +CPU_AFFINITY +TFO +NS +DL +RT -DEVICEATLAS -51DEGREES -WURFL +SYSTEMD -OBSOLETE_LINKER +PRCTL +THREAD_DUMP -EVPORTS
Default settings :
bufsize = 16384, maxrewrite = 1024, maxpollevents = 200
Built with multi-threading support (MAX_THREADS=64, default=1).
Built with OpenSSL version : OpenSSL 1.0.2g 1 Mar 2016
Running on OpenSSL version : OpenSSL 1.0.2g 1 Mar 2016
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : TLSv1.0 TLSv1.1 TLSv1.2
Built with Lua version : Lua 5.3.1
Built with network namespace support.
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND
Built with zlib version : 1.2.8
Running on zlib version : 1.2.8
Compression algorithms supported : identity("identity"), deflate("deflate"), raw-deflate("deflate"), gzip("gzip")
Built with PCRE2 version : 10.21 2016-01-12
PCRE2 library supports JIT : yes
Encrypted password support via crypt(3): yes
Built with the Prometheus exporter as a service
Available polling systems :
epoll : pref=300, test result OK
poll : pref=200, test result OK
select : pref=150, test result OK
Total: 3 (3 usable), will use epoll.
Available multiplexer protocols :
(protocols marked as <default> cannot be specified using 'proto' keyword)
h2 : mode=HTX side=FE|BE mux=H2
h2 : mode=HTTP side=FE mux=H2
<default> : mode=HTX side=FE|BE mux=H1
<default> : mode=TCP|HTTP side=FE|BE mux=PASS
Available services :
prometheus-exporter
Available filters :
[SPOE] spoe
[COMP] compression
[CACHE] cache
[TRACE] trace
```
With use this backend (for the mapi part)
```
backend bk_Exchange2016_servename_mapi
mode http
option http-keep-alive
option prefer-last-server
no option httpclose
no option http-server-close
no option forceclose
no option http-tunnel
option forwardfor
option httpchk GET /mapi/HealthCheck.htm
http-check expect string 200\ OK
cookie ALBWA insert indirect nocache
timeout server 600s
server SERVERNAME X.X.X.X:443 ssl check
```
When Outlook try to connect, we can observe in haproxy.log :
```
Mar 24 15:33:34 localhost haproxy[10109]: X.X.X.X:51959 [24/Mar/2020:15:33:34.617] Web~ bk_Exchange2016_servenamemapi/SERVERNAME 43/0/0/3/+46 401 +728 - - --NI 177/8/1/1/0 0/0 {|Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.4|servername.fr {TLSv1.2/ECDHE-RSA-AES128-GCM-SHA256/servername.fr //C=US/O=xxxx Inc/OU=xxx/CN=xxx RSA CA XXXX/} "POST /mapi/nspi/?MailboxId=6ba0e895-0c9b-40e7-be3a-e6cf85f3d44a@servername.fr HTTP/1.1"
```
If we downgrade in 1.9.14 version no problem, outlook connects correctly. We see in this case "NI" in log.
Thank you in advance for your help.
I’ve been working on setting up HAProxy as a Layer 7 NLB for our Microsoft Exchange 2016 cluster to replace a DNS round-robin (for internal) + firewall random DNAT (external) configuration.
Using CentOS 7, I opted to install the latest available RPM version from the IUS yum repository, which turned out to be HAProxy version 2.07.
Relying on a number of different HOWTO and blog articles, I created a configuration which seemed to be well supported (though based on pre-2.0 versions of HAProxy), …
[2]
opened 02:40PM - 24 Mar 20 UTC
closed 10:28AM - 03 Dec 21 UTC
type: bug
status: feedback required
Hello Everyone,
We have issue with Haproxy since version 2.0.0 on Ubuntu Xeni… al (try with Bionic also). We use package from this source (https://haproxy.debian.net/).
Since 2.0.0-1 package (try with 2.0.10-1 until 2.1.13-1) outlook 2013, 2016 connectivity (Mapi over HTTP) doesn't work any more. We use Exchange 2016 with last update.
Here is the resultat of haproxy --v
```
HA-Proxy version 2.0.13-1ppa1~xenial 2020/02/15 - https://haproxy.org/
Build options :
TARGET = linux-glibc
CPU = generic
CC = gcc
CFLAGS = -O2 -g -O2 -fPIE -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2 -fno-strict-aliasing -Wdeclaration-after-statement -fwrapv -Wno-unused-label -Wno-sign-compare -Wno-unused-parameter -Wno-old-style-declaration -Wno-ignored-qualifiers -Wno-clobbered -Wno-missing-field-initializers -Wtype-limits
OPTIONS = USE_PCRE2=1 USE_PCRE2_JIT=1 USE_REGPARM=1 USE_OPENSSL=1 USE_LUA=1 USE_ZLIB=1 USE_SYSTEMD=1
Feature list : +EPOLL -KQUEUE -MY_EPOLL -MY_SPLICE +NETFILTER -PCRE -PCRE_JIT +PCRE2 +PCRE2_JIT +POLL -PRIVATE_CACHE +THREAD -PTHREAD_PSHARED +REGPARM -STATIC_PCRE -STATIC_PCRE2 +TPROXY +LINUX_TPROXY +LINUX_SPLICE +LIBCRYPT +CRYPT_H -VSYSCALL +GETADDRINFO +OPENSSL +LUA +FUTEX +ACCEPT4 -MY_ACCEPT4 +ZLIB -SLZ +CPU_AFFINITY +TFO +NS +DL +RT -DEVICEATLAS -51DEGREES -WURFL +SYSTEMD -OBSOLETE_LINKER +PRCTL +THREAD_DUMP -EVPORTS
Default settings :
bufsize = 16384, maxrewrite = 1024, maxpollevents = 200
Built with multi-threading support (MAX_THREADS=64, default=1).
Built with OpenSSL version : OpenSSL 1.0.2g 1 Mar 2016
Running on OpenSSL version : OpenSSL 1.0.2g 1 Mar 2016
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : TLSv1.0 TLSv1.1 TLSv1.2
Built with Lua version : Lua 5.3.1
Built with network namespace support.
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND
Built with zlib version : 1.2.8
Running on zlib version : 1.2.8
Compression algorithms supported : identity("identity"), deflate("deflate"), raw-deflate("deflate"), gzip("gzip")
Built with PCRE2 version : 10.21 2016-01-12
PCRE2 library supports JIT : yes
Encrypted password support via crypt(3): yes
Built with the Prometheus exporter as a service
Available polling systems :
epoll : pref=300, test result OK
poll : pref=200, test result OK
select : pref=150, test result OK
Total: 3 (3 usable), will use epoll.
Available multiplexer protocols :
(protocols marked as <default> cannot be specified using 'proto' keyword)
h2 : mode=HTX side=FE|BE mux=H2
h2 : mode=HTTP side=FE mux=H2
<default> : mode=HTX side=FE|BE mux=H1
<default> : mode=TCP|HTTP side=FE|BE mux=PASS
Available services :
prometheus-exporter
Available filters :
[SPOE] spoe
[COMP] compression
[CACHE] cache
[TRACE] trace
```
With use this backend (for the mapi part)
```
backend bk_Exchange2016_servename_mapi
mode http
option http-keep-alive
option prefer-last-server
no option httpclose
no option http-server-close
no option forceclose
no option http-tunnel
option forwardfor
option httpchk GET /mapi/HealthCheck.htm
http-check expect string 200\ OK
cookie ALBWA insert indirect nocache
timeout server 600s
server SERVERNAME X.X.X.X:443 ssl check
```
When Outlook try to connect, we can observe in haproxy.log :
```
Mar 24 15:33:34 localhost haproxy[10109]: X.X.X.X:51959 [24/Mar/2020:15:33:34.617] Web~ bk_Exchange2016_servenamemapi/SERVERNAME 43/0/0/3/+46 401 +728 - - --NI 177/8/1/1/0 0/0 {|Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.4|servername.fr {TLSv1.2/ECDHE-RSA-AES128-GCM-SHA256/servername.fr //C=US/O=xxxx Inc/OU=xxx/CN=xxx RSA CA XXXX/} "POST /mapi/nspi/?MailboxId=6ba0e895-0c9b-40e7-be3a-e6cf85f3d44a@servername.fr HTTP/1.1"
```
If we downgrade in 1.9.14 version no problem, outlook connects correctly. We see in this case "NI" in log.
Thank you in advance for your help.