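global
# Ship logs to the local syslog daemon on loopback, facility local1, at debug level.
log 127.0.0.1 local1 debug
chroot /var/lib/haproxy
# Runtime API socket with admin level; mode 660 restricts it to the haproxy user/group.
stats socket /var/lib/haproxy/stats mode 660 level admin
stats timeout 30s
user haproxy
group haproxy
daemon
# Turns off certificate verification for every server-side TLS connection (all "ssl" servers
# below also say "verify none"). The proxy will therefore accept any certificate presented by
# 10.0.2.252 / 10.0.1.86. Switch to "required" plus a ca-file once the backend CA is available.
ssl-server-verify none
crt-base /etc/pki/tls/certs
ca-base /etc/pki/tls/certs
# Default ciphers to use on SSL-enabled listening sockets.
# For more information, see ciphers(1SSL). This list is from:
#   <SOURCE-REFERENCE-MISSING: the URL/document this list was copied from is not in this copy>
ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
# Only SSLv3 is disabled; TLS 1.0 and 1.1 remain negotiable with this option alone.
ssl-default-bind-options no-sslv3
tune.ssl.default-dh-param 2048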
defaults
log global
mode http
option httplog
# Skip log lines for connections that never carried any data.
option dontlognull
option http-keep-alive
option prefer-last-server
# NOTE(review): this makes HAProxy accept requests its parser would otherwise reject as malformed,
# and it applies to every frontend inheriting these defaults. Keep it only for the listener whose
# clients genuinely need it, or remove it if none does.
option accept-invalid-http-request
# Add an X-Forwarded-For header carrying the client address for the backends.
option forwardfor
# Explicitly disable the connection-closing modes so keep-alive above is the effective one.
no option httpclose
no option http-server-close
no option forceclose
no option http-tunnel
balance leastconn
# Health checks every 3s; 2 consecutive passes mark a server up, 3 failures mark it down.
default-server inter 3s rise 2 fall 3
# Long client idle timeout (10 min) — presumably for long-lived Outlook/ActiveSync connections; confirm.
timeout client 600s
# Time allowed to receive a complete request header; bounds slow-header clients.
timeout http-request 10s
timeout connect 4s
timeout server 60s
#################### FRONTEND HTTP
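# Plain-HTTP listener whose only job is to send every request to HTTPS with a permanent redirect.
# ssl_fc is never true on this non-TLS bind, so the condition below always holds. ACME HTTP-01
# requests are redirected as well; the HTTPS frontend routes /.well-known/acme-challenge/ to the
# letsencrypt backend.
frontend ft_default_http
bind *:80 name http
mode http
option httplog
# redirect all other traffic to https
redirect scheme https code 301 if !{ ssl_fc }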
################## FRONTEND HTTPS
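frontend ft_default_https
# TLS terminates here; key and certificate chain are read from domains.pem.
bind *:443 name https ssl crt /etc/haproxy/ssl/domains.pem
# Captured request headers are referenced by index in the log-format below (0 = Host).
capture request header Host len 32
capture request header User-Agent len 64
capture response header Content-Length len 10
# Test URI to see if its a letsencrypt request
acl letsencrypt-acl path_beg /.well-known/acme-challenge/
# use_backend rules are applied in declaration order (after all http-request rules), so ACME
# challenges are routed before the Exchange path rules further down.
use_backend letsencrypt-backend if letsencrypt-acl
# Custom log line. The quoted request-line part uses \" — the original had typographic quotes
# (U+201C/U+201D), which would have been emitted as literal multi-byte characters in the log.
log-format %ci:%cp\ [%t]\ %ft\ %b/%s\ %Tq/%Tw/%Tc/%Tr/%Tt\ %ST\ %B\ %CC\ %CS\ %tsc\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq\ %hr\ %hs\ {%sslv/%sslc/%[ssl_fc_sni]/%[ssl_fc_session_id]}\ \"%[capture.req.method]\ %[capture.req.hdr(0)]%[capture.req.uri]\ HTTP/1.1\"
option socket-stats
maxconn 2000
############### DOMAIN ACLS
acl ssl_connection ssl_fc
# NOTE(review): all four host ACLs match the same literal "domain" — these look like redacted
# placeholders. Each needs its real vhost name, otherwise the host-based use_backend rules below
# all fire on the same Host header and only the first one (bk_workflow) can ever win.
acl host_mail hdr(Host) -i domain
acl host_workflow hdr(Host) -i domain
acl host_auto hdr(Host) -i domain
acl host_ovenmon hdr(Host) -i domain
############### PATH ACLS
acl path_slash path /
# -i already makes the match case-insensitive, so the second Autodiscover line is redundant (harmless).
acl path_autodiscover path_beg -i /Autodiscover/Autodiscover.xml
acl path_autodiscover path_beg -i /autodiscover/autodiscover.xml
acl path_activesync path_beg -i /Microsoft-Server-ActiveSync
acl path_ews path_beg -i /ews/
acl path_owa path_beg -i /owa/
acl path_oa path_beg -i /rpc/rpcproxy.dll
acl path_ecp path_beg -i /ecp/
acl path_oab path_beg -i /OAB/
acl path_mapi path_beg -i /mapi/
acl path_check path_end -i HealthCheck.htm
# Reject any URL ending in HealthCheck.htm — presumably to keep Exchange's probe pages off the public side.
http-request deny if path_check
# Both redirects below are no-ops on this frontend: every connection on a "bind ... ssl" is TLS,
# so ssl_connection / ssl_fc is always true. Left in place; they can be removed safely.
http-request redirect scheme https code 302 unless ssl_connection
http-request redirect scheme https code 301 if !{ ssl_fc }
# Send the bare "/" on the mail vhost to OWA.
http-request redirect location /owa/ code 302 if path_slash host_mail
############## BACKEND REDIRECTIONS
# Path-based Exchange routing is declared first and therefore takes precedence over the host rules.
use_backend bk_exchange_https_autodiscover if path_autodiscover
use_backend bk_exchange_https_activesync if path_activesync
use_backend bk_exchange_https_ews if path_ews
use_backend bk_exchange_https_owa if path_owa
use_backend bk_exchange_https_oa if path_oa
use_backend bk_exchange_https_ecp if path_ecp
use_backend bk_exchange_https_oab if path_oab
use_backend bk_exchange_https_mapi if path_mapi
use_backend bk_workflow if host_workflow
use_backend bk_auto if host_auto
use_backend bk_ovenmon if host_ovenmon
default_backend bk_exchange_https_default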
############## EXCHANGE BACKENDS
backend bk_exchange_https_activesync
# Expects "200 OK" in the health-check response. This only takes effect with option httpchk,
# which is set neither here nor in defaults — confirm it is enabled elsewhere.
http-check expect string 200\ OK
# Re-encrypts to the Exchange server but skips certificate validation (verify none).
server mail1 10.0.2.252:443 ssl verify none maxconn 1000 weight 10 check
backend bk_exchange_https_autodiscover
# Expects "200 OK" in the health-check response; requires option httpchk, which is not set
# here or in defaults — confirm it is enabled elsewhere.
http-check expect string 200\ OK
# TLS to the Exchange server without certificate validation (verify none).
server mail1 10.0.2.252:443 ssl verify none maxconn 1000 weight 10 check
backend bk_exchange_https_ecp
# Expects "200 OK" in the health-check response; requires option httpchk, which is not set
# here or in defaults — confirm it is enabled elsewhere.
http-check expect string 200\ OK
# TLS to the Exchange server without certificate validation (verify none).
server mail1 10.0.2.252:443 ssl verify none maxconn 1000 weight 10 check
backend bk_exchange_https_ews
# Expects "200 OK" in the health-check response; requires option httpchk, which is not set
# here or in defaults — confirm it is enabled elsewhere.
http-check expect string 200\ OK
# TLS to the Exchange server without certificate validation (verify none).
server mail1 10.0.2.252:443 ssl verify none maxconn 1000 weight 10 check
backend bk_exchange_https_mapi
# Expects "200 OK" in the health-check response; requires option httpchk, which is not set
# here or in defaults — confirm it is enabled elsewhere.
http-check expect string 200\ OK
# Raises the 60s default — presumably for long-lived MAPI/HTTP sessions; confirm.
timeout server 600s
# TLS to the Exchange server without certificate validation (verify none).
server mail1 10.0.2.252:443 ssl verify none maxconn 1000 weight 10 check
backend bk_exchange_https_oab
# Expects "200 OK" in the health-check response; requires option httpchk, which is not set
# here or in defaults — confirm it is enabled elsewhere.
http-check expect string 200\ OK
# TLS to the Exchange server without certificate validation (verify none).
server mail1 10.0.2.252:443 ssl verify none maxconn 1000 weight 10 check
backend bk_exchange_https_oa
# Expects "200 OK" in the health-check response; requires option httpchk, which is not set
# here or in defaults — confirm it is enabled elsewhere.
http-check expect string 200\ OK
# Raises the 60s default — presumably for long-lived Outlook Anywhere (RPC over HTTP) sessions; confirm.
timeout server 600s
# TLS to the Exchange server without certificate validation (verify none).
server mail1 10.0.2.252:443 ssl verify none maxconn 1000 weight 10 check
backend bk_exchange_https_owa
# Expects "200 OK" in the health-check response; requires option httpchk, which is not set
# here or in defaults — confirm it is enabled elsewhere.
http-check expect string 200\ OK
# TLS to the Exchange server without certificate validation (verify none).
server mail1 10.0.2.252:443 ssl verify none maxconn 1000 weight 10 check
# Catch-all for HTTPS requests that match none of the path/host rules.
backend bk_exchange_https_default
# Same value as the defaults section; kept explicit.
timeout server 60s
# No http-check here, so "check" is connection-level only. Certificate validation is skipped (verify none).
server mail1 10.0.2.252:443 ssl verify none maxconn 1000 weight 10 check
backend bk_auto
# Same value as the defaults section; kept explicit.
timeout server 60s
# Same Exchange server as the other backends; no http-check, so "check" is connection-level only.
# Certificate validation is skipped (verify none).
server mail1 10.0.2.252:443 ssl verify none maxconn 1000 weight 10 check
################ BACKEND WORKFLOW
backend bk_workflow
mode http
balance roundrobin
option forwardfor
# Plain HTTP to the workflow server; the check is a TCP connect only (no httpchk).
server serverwf 10.0.2.230:80 check
# Prefixes the request path of GET requests with /SWS/; other methods pass through unchanged.
# NOTE(review): reqrep is a legacy directive that newer HAProxy releases no longer accept; the
# replacement is an http-request path rewrite (replace-path / replace-uri, depending on version).
reqrep ^GET\ /(.*) GET\ /SWS/\1
############### LETSENCRYPT BACKEND
# Receives /.well-known/acme-challenge/ requests from the HTTPS frontend.
backend letsencrypt-backend
# Local ACME challenge responder on port 8888 — presumably a standalone client started at renewal
# time. No "check", so the server is always considered up and requests fail at connect time
# whenever nothing is listening.
server letsencrypt 127.0.0.1:8888
############## OVENS BACKEND
backend bk_ovenmon
mode http
option forwardfor
# TLS to the ovens monitor without certificate validation (verify none); no httpchk, so the
# check is connection-level only.
server serverovens 10.0.1.86:443 ssl verify none maxconn 1000 check
############## STATS CONFIG
listen stats # Define a listen section called "stats"
bind :9000 # Listens on port 9000 on ALL interfaces (no address given) — not loopback-only; use 127.0.0.1:9000 if the page should be local-only
mode http
stats enable # Enable stats page
stats hide-version # Hide HAProxy version
stats realm Haproxy\ Statistics # Title text for popup window
stats uri /haproxy_stats # Stats URI
stats auth statsadmin:Tyr33Pr0xySt4ts # Authentication credentials — static password in cleartext, and this bind has no "ssl", so it is sent over plain HTTP