Newbie - Several backends - not redirecting correctly

Hello,

First of all I need to mention that I'm fairly new to HAProxy and am no master at it :slight_smile:

The HAProxy setup consists of 2 nodes, running HAProxy and Keepalived with a floating IP.

Node01: 192.168.62.98
Node02: 192.168.62.99
Floating: Node01: 192.168.62.100
Exchange Server: 192.168.60.86
V-Center: 192.168.61.100 (VESXI.DOMAIN.COM)

We have 1 public IP address, and want to use port 443 for several purposes (Exchange, VMware, RDS Gateway, etc…)

About a month ago we moved the Exchange HTTPS to go through the HAProxy setup, and it worked like a charm! When we tried moving the V-Center server to also go through the V-Center, we realized that when trying to access the V-Center server on a hostname, we were redirected to the Exchange OWA.

I'm 100% sure that it's a configuration failure at our end, and I'm pretty sure it's because of the frontend setup in the haproxy.cfg.
I'm sorry to have to disturb you regarding this, but I can't figure out how to solve it.

Note - the domain has been replaced with domain.com for security reasons.

Config:

###################################################################################################
# FRONTEND - FRONTEND - FRONTEND - FRONTEND - FRONTEND - FRONTEND - FRONTEND - FRONTEND - FRONTEND
###################################################################################################

frontend Exchange_WWW_Frontend
mode tcp
bind 192.168.62.100:443
default_backend BCK_Exchange_HTTPS
tcp-request content accept if { req_ssl_hello_type 1 }
use_backend BCK_RDS_HTTPS if { req_ssl_sni -i remote.domain.com }
use_backend BCK_OWNCLOUD_HTTPS if { req_ssl_sni -i oc.domain.com }
use_backend BCK_APP_HTTPS if { req_ssl_sni -i vmm.domain.com }
use_backend BCK_VCENTER_WEB if { req_ssl_sni -i vesxi.domain.com }
option tcp-smart-accept

###################################################################################################
# BACKEND - BACKEND - BACKEND - BACKEND - BACKEND - BACKEND - BACKEND - BACKEND - BACKEND - BACKEND
###################################################################################################

backend BCK_Exchange_HTTPS
mode tcp
retries 3
timeout server 300s
timeout connect 10s
server S1EXCH02 192.168.60.86:443 check #ssl verify none

backend BCK_RDS_HTTPS
mode tcp
retries 3
timeout server 300s
timeout connect 10s
server S1TSGW02 192.168.62.80:443 check #ssl verify none

backend BCK_OWNCLOUD_HTTPS
mode tcp
retries 3
timeout server 300s
timeout connect 10s
server S1OC02 192.168.60.87:443 check #ssl verify none

backend BCK_APP_HTTPS
mode tcp
retries 3
timeout server 300s
timeout connect 10s
server S1APP01 192.168.62.81:443 check #ssl verify none

backend BCK_VCENTER_WEB
mode tcp
retries 3
timeout server 300s
timeout connect 10s
server S1VC01 192.168.61.100:443 check #ssl verify none

Thanks in advance

Are you positive your browser accesses those exact hostnames (e.g. https://vesxi.domain.com/), not the IP address, and that your browser supports sending SNI (no IE6 or Windows XP)?

I would put the default_backend directive after the use_backend settings, because the "default" backend should be defined last, just for readability. I don't think it's required though.

Hello,

Thank you for your reply :slight_smile:

I'm positive that they / I access it through a hostname, and using the latest browsers (Chrome, Firefox, Edge - all updated).

I've tried moving the default backend after I posted this and before you replied, but it did nothing good :frowning:

Can you provide the output of haproxy -vv? Also, I suggest you tcpdump the SSL handshake on the haproxy box, to see if the client_hello really contains the server name. I don't see anything wrong with the configuration itself.

Hello Lukas,

Thanks again for taking the time to try to resolve this issue :slight_smile:

haproxy -vv output:

HA-Proxy version 1.6.3 2015/12/25
Copyright 2000-2015 Willy Tarreau <willy@haproxy.org>

Build options :
TARGET = linux2628
CPU = generic
CC = gcc
CFLAGS = -g -O2 -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2
OPTIONS = USE_ZLIB=1 USE_REGPARM=1 USE_OPENSSL=1 USE_LUA=1 USE_PCRE=1

Default settings :
maxconn = 2000, bufsize = 16384, maxrewrite = 1024, maxpollevents = 200

Encrypted password support via crypt(3): yes
Built with zlib version : 1.2.8
Compression algorithms supported : identity("identity"), deflate("deflate"), raw-deflate("deflate"), gzip("gzip")
Built with OpenSSL version : OpenSSL 1.0.2g-fips 1 Mar 2016
Running on OpenSSL version : OpenSSL 1.0.2g-fips 1 Mar 2016
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports prefer-server-ciphers : yes
Built with PCRE version : 8.38 2015-11-23
PCRE library supports JIT : no (USE_PCRE_JIT not set)
Built with Lua version : Lua 5.3.1
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND

Available polling systems :
epoll : pref=300, test result OK
poll : pref=200, test result OK
select : pref=150, test result OK
Total: 3 (3 usable), will use epoll.

I'm not sure how to perform a TCP dump of the SSL handshake… could you please provide me with a method to achieve this?

On the haproxy box, start the trace:
tcpdump -pns0 -w ssltrace.cap -i eth0 host 192.168.62.100 and tcp port 443

Then open your browser and go to the HTTPS site to generate traffic.

Stop the trace with Ctrl-C and download ssltrace.cap to your PC. Open ssltrace.cap with Wireshark and check the server_name value in the client_hello packet. That should reveal if the server_name is correct or not.

You can also share the packet capture with us, but you would probably disclose your real domain name at this point.

Hello,

I've used the following command, because I have an ens160 adapter (VMXNET3) instead of eth0:
tcpdump -pns0 -w ssltrace.cap -i ens160 host 192.168.62.100 and tcp port 443

I've created the tcpdump, and to me it looks correct…

Any other thoughts?

Hello again,

I've just tried booting up a new virtual machine and edited the Windows hosts file so that all the "backend" records point to the HAProxy setup.

And when trying to access both oc.domain.com and remote.domain.com, I also get redirected to the Exchange server…

I'm not sure I've understood HAProxy correctly… but what I want to achieve is to be able to use, for example, port 443 to serve several servers, which I believe I've enabled by entering the if { sni -i } parameter in the configuration file.
But is there a smarter way to achieve this?
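An added example, not from the thread or from any of its participants: the same SNI-switching frontend written the way HAProxy's documentation shows for req_ssl_sni, where the accept rule is paired with a tcp-request inspect-delay. The posted frontend has no inspect-delay line, so the use_backend rules can be evaluated before the ClientHello has been buffered, in which case req_ssl_sni is empty and every connection falls through to default_backend, which matches the symptom described above; the 5s value and the indentation are assumptions.

```haproxy
# Added example (not the thread's own config): SNI-based TCP switching on :443
# with the content-inspection delay that HAProxy's req_ssl_sni documentation uses.
frontend Exchange_WWW_Frontend
    mode tcp
    bind 192.168.62.100:443
    option tcp-smart-accept

    # Hold the connection for up to 5s while buffering client data, so the
    # use_backend ACLs below see a complete ClientHello instead of an empty buffer.
    tcp-request inspect-delay 5s

    # Stop waiting as soon as a full ClientHello (handshake type 1) has arrived.
    tcp-request content accept if { req_ssl_hello_type 1 }

    # Route on the server_name extension of the raw ClientHello (case-insensitive).
    use_backend BCK_RDS_HTTPS      if { req_ssl_sni -i remote.domain.com }
    use_backend BCK_OWNCLOUD_HTTPS if { req_ssl_sni -i oc.domain.com }
    use_backend BCK_APP_HTTPS      if { req_ssl_sni -i vmm.domain.com }
    use_backend BCK_VCENTER_WEB    if { req_ssl_sni -i vesxi.domain.com }

    # Anything without a matching SNI (including clients that send none, or the
    # delay expiring) still lands here; keep this in mind when choosing the default.
    default_backend BCK_Exchange_HTTPS
```

Validate the edited file with `haproxy -c -f /etc/haproxy/haproxy.cfg` (adjust the path to your own) before reloading, and re-run the tcpdump check above afterwards to confirm each hostname now reaches its intended backend.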