HAProxy community

Reverse Proxy for Exchange2010 OWA, OA and ActiveSync


#1

Hi All,

I am very new to HAProxy software. I had compile HAProxy 1.8.14 with SSL on CentOS 7.

Business Objective
Outside users (users travelling) should be able to access their email through front-end HAProxy and it should redirect the connection to my back-end Internal Exchange server 2010 for authentication and access:

  1. OWA
  2. Outlook Anyway
  3. ActiveSync

My environment info:
Client: Uses OWA, Outlook Anywhere and mobile ActiveSync
Internal Server: MS Exchange 2010

User will access email (OWA, OA and ActiveSync) through front-end External Proxy (HAProxy) server (https://mail.example.com).
External DNS “A” record point to Public IP 202.100.100.10

My back-end Internal Exchange server is EX-01.example.com with internal IP 10.10.10.11

Please note, my email access will be secure https with SSL certificate.

Questions:

  1. To achieve the above, what will be my full haproxy.cfg settings and with SSL?

  2. What other necessary things i should do?

  3. What log setting i need to add in haproxy.cfg file and where can i see the log files?

Look forward to some experience Expert help to fulfill my requirements.


#2

you can use the below config in haproxy.cfg file:

global
log 127.0.0.1 local0 debug
chroot /var/lib/haproxy

stats socket /run/haproxy/admin.sock mode 660 level admin

stats socket /var/lib/haproxy/stats mode 660 level admin

stats timeout 30s
user haproxy
group haproxy
daemon
ssl-server-verify none

crt-base /etc/pki/tls/certs
ca-base /etc/pki/tls/certs

Default ciphers to use on SSL-enabled listening sockets.

For more information, see ciphers(1SSL). This list is from:

https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/

ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
ssl-default-bind-options no-sslv3
tune.ssl.default-dh-param 2048

defaults
log global
mode http
option httplog
option dontlognull
option http-keep-alive
option prefer-last-server
option forwardfor
no option httpclose
no option http-server-close
no option forceclose
no option http-tunnel
balance leastconn
default-server inter 3s rise 2 fall 3
timeout client 600s
timeout http-request 10s
timeout connect 4s
timeout server 60s

errorfile 400 /etc/haproxy/errors/400.http

errorfile 403 /etc/haproxy/errors/403.http

errorfile 408 /etc/haproxy/errors/408.http

errorfile 500 /etc/haproxy/errors/500.http

errorfile 502 /etc/haproxy/errors/502.http

errorfile 503 /etc/haproxy/errors/503.http

errorfile 504 /etc/haproxy/errors/504.http

frontend ft_exchange_https
bind 10.1.1.22:80 name http
bind 10.1.1.22:443 name https ssl crt /etc/pki/tls/certs/remote.domain.com.pem crt /etc/pki/tls/certs/pbx.domain.com.pem
capture request header Host len 32
capture request header User-Agent len 64
capture response header Content-Length len 10
log-format %ci:%cp\ [%t]\ %ft\ %b/%s\ %Tq/%Tw/%Tc/%Tr/%Tt\ %ST\ %B\ %CC\ %CS\ %tsc\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq\ %hr\ %hs\ {%sslv/%sslc/%[ssl_fc_sni]/%[ssl_fc_session_id]}\ “%[capture.req.method]\ %[capture.req.hdr(0)]%[capture.req.uri]\ HTTP/1.1”
option socket-stats
stats uri /haproxy?stats
stats realm Strictly\ Private
stats auth YOURSTATLOGINUSER:YOURSTATLOGINPASSWORD
maxconn 1000
#tcp-request content accept if { ssl_fc_has_crt }
acl ssl_connection ssl_fc
acl host_mail hdr(Host) -i remote.domain.com
acl host_assets hdr(Host) -i assets.domain.com
acl host_nc hdr(Host) -i nc.domain.com
acl host_oc hdr(Host) -i oc.domain.com
acl host_pbx hdr(Host) -i pbx.domain.com
acl path_slash path /
acl path_autodiscover path_beg -i /Autodiscover/Autodiscover.xml
acl path_activesync path_beg -i /Microsoft-Server-ActiveSync
acl path_ews path_beg -i /ews/
acl path_owa path_beg -i /owa/
acl path_oa path_beg -i /rpc/rpcproxy.dll
acl path_ecp path_beg -i /ecp/
acl path_oab path_beg -i /oab/
acl path_mapi path_beg -i /mapi/
acl path_check path_end -i HealthCheck.htm
http-request deny if path_check
http-request redirect scheme https code 302 unless ssl_connection
http-request redirect scheme https code 301 if !{ ssl_fc }
http-request redirect location /owa/ code 302 if path_slash host_mail
use_backend bk_exchange_https_autodiscover if path_autodiscover
use_backend bk_exchange_https_activesync if path_activesync
use_backend bk_exchange_https_ews if path_ews
use_backend bk_exchange_https_owa if path_owa
use_backend bk_exchange_https_oa if path_oa
use_backend bk_exchange_https_ecp if path_ecp
use_backend bk_exchange_https_oab if path_oab
use_backend bk_exchange_https_mapi if path_mapi
use_backend bk_assets if host_assets
use_backend bk_nc if host_oc
use_backend bk_nc if host_nc
use_backend bk_pbx if host_pbx
default_backend bk_exchange_https_default

backend bk_exchange_https_activesync
option httpchk GET /Microsoft-Server-ActiveSync/HealthCheck.htm
http-check expect string 200\ OK
server mail1 10.1.1.5:443 ssl verify none maxconn 1000 weight 10 check

backend bk_exchange_https_autodiscover
option httpchk GET /Autodiscover/HealthCheck.htm
http-check expect string 200\ OK
server mail1 10.1.1.5:443 ssl verify none maxconn 1000 weight 10 check

backend bk_exchange_https_ecp
option httpchk GET /ECP/HealthCheck.htm
http-check expect string 200\ OK
server mail1 10.1.1.5:443 ssl verify none maxconn 1000 weight 10 check

backend bk_exchange_https_ews
option httpchk GET /EWS/HealthCheck.htm
http-check expect string 200\ OK
server mail1 10.1.1.5:443 ssl verify none maxconn 1000 weight 10 check

backend bk_exchange_https_mapi
option httpchk GET /mapi/HealthCheck.htm
http-check expect string 200\ OK
timeout server 600s
server mail1 10.1.1.5:443 ssl verify none maxconn 1000 weight 10 check

backend bk_exchange_https_oab
option httpchk GET /OAB/HealthCheck.htm
http-check expect string 200\ OK
server mail1 10.1.1.5:443 ssl verify none maxconn 1000 weight 10 check

backend bk_exchange_https_oa
option httpchk GET /RPC/HealthCheck.htm
http-check expect string 200\ OK
timeout server 600s
server mail1 10.1.1.5:443 ssl verify none maxconn 1000 weight 10 check

backend bk_exchange_https_owa
option httpchk GET /owa/HealthCheck.htm
http-check expect string 200\ OK
server mail1 10.1.1.5:443 ssl verify none maxconn 1000 weight 10 check

backend bk_exchange_https_default
timeout server 60s
server mail1 10.1.1.5:443 ssl verify none maxconn 1000 weight 10 check

#frontend ft_exchange_smtp

mode tcp

bind 10.1.1.22:25 name smtp

maxconn 10000

default_backend bk_exchange_smtp

#backend bk_exchange_smtp

mode tcp

server mail1 10.1.1.5:25 maxconn 10000 weight 10 check

#frontend ft_exchange_smtps

mode tcp

bind 10.1.1.22:587 name smtps

maxconn 10000

default_backend bk_exchange_smtps

#backend bk_exchange_smtps

mode tcp

server mail1 10.1.1.5:587 maxconn 10000 weight 10 check

#frontend ft_exchange_imaps

mode tcp

bind 10.1.1.22:993 name imaps

maxconn 10000

default_backend bk_exchange_imaps

#backend bk_exchange_imaps

mode tcp

balance leastconn

stick store-request src

stick-table type ip size 200k expire 30m

server mail1 10.1.1.5:993 maxconn 10000 weight 10 check

backend bk_assets
option httpclose
option forwardfor
http-request set-header X-Forwarded-Port %[dst_port]
http-request add-header X-Forwarded-Proto https if { ssl_fc }
http-check expect string 200\ OK
server asset1 10.1.1.32:80 maxconn 1000 weight 10 check

backend bk_pbx
option httpclose
option forwardfor
http-request set-header X-Forwarded-Port %[dst_port]
http-request add-header X-Forwarded-Proto https if { ssl_fc }
http-check expect string 200\ OK
server pbx1 10.1.1.30:80 maxconn 1000 weight 10 check

backend bk_nc
option httpclose
option forwardfor
http-request set-header X-Forwarded-Port %[dst_port]
http-request add-header X-Forwarded-Proto https if { ssl_fc }
http-check expect string 200\ OK
server nc1 10.1.1.21:80 maxconn 1000 weight 10 check


#3

Hi Anton and forum users,

Thanks for your kind reply.
You provided detailed config and i am confused.

Sorry if my EARLIER post was not clear. My connection should be like this:

[Users] —> [HAProxy server (mail.example.com:443 with Public IP 202.100.100.10)] —> [Internal Exchange2010 server (mail.example.com:443 with Internal IP 10.10.10.11)]

My certificate signed as mail.example.com. I also required to use mail.example.com for both my HAProxy server and my Internal Exchange 2010 server. I assumed, If i dont use mail.example.com for both servers, i will received certificate & other errors.

Based on some googling, i did tried this config internally for testing and it looks to work;
global
#log 127.0.0.1 local0 notice
log 127.0.0.1 local0 debug
daemon

defaults
option dontlognull # Do not log connections with no requests
option redispatch # Try another server in case of connection failure
option contstats # Enable continuous traffic statistics updates
retries 3 # Try to connect up to 3 times in case of failure
timeout connect 5s # 5 seconds max to connect or to stay in queue
timeout http-keep-alive 1s # 1 second max for the client to post next request
timeout http-request 15s # 15 seconds max for the client to send a request
timeout queue 30s # 30 seconds max queued on load balancer
timeout tarpit 1m # tarpit hold tim
backlog 10000 # Size of SYN backlog queue
balance roundrobin # load balancing algorithm
mode tcp # protocol analyzer
option tcplog # log format
log global # log activation
timeout client 300s # client inactivity timeout
timeout server 300s # server inactivity timeout
default-server inter 3s rise 2 fall 3 # default check parameters

frontend FrontEnd_HAProxy_SSL
bind *:443 name ssl
maxconn 10000
default_backend BackEnd_Exchange_SSL

backend BackEnd_Exchange_SSL
server mail.example.com 10.10.10.11 check port 443 check-ssl crt /etc/ssl/private/mail.example.com_sslCert+privKey.pem ca-file /etc/ssl/certs/CAroot.pem

listen stats # Define a listen section called “stats”
bind :8181 # Listen on localhost:7777
mode http
stats enable # Enable stats page
stats hide-version # Hide HAProxy version
stats realm Haproxy\ Statistics # Title text for popup window
stats uri /haproxy_stats # Stats URI
stats auth admin:123456 # Authentication credentials
stats admin if TRUE

I am sure the above config is simple, not checking my signed certificate and not secure.

Hope someone there can point me to the right direction.