Using HAProxy in front of an ActiveSync CopyCat

BlackAdderDK · November 16, 2021, 7:44pm

Hi

I’m using HAProxy in order to load balance a wide variety of Webservers etc. - one server that’s being proxied via ActiveSync is an GroupWise Mobile Sync Server, that impersonates an Microsoft Active Sync server.

I have earlier proxied such a server via Apache with ProxyPass, and that worked with the following apache conf:

SSLEngine On
SSLProxyEngine On
SSLCertificateFile /root/.acme.sh//fullchain.cer
SSLCertificateKeyFile /root/.acme.sh//cert.key
ProxyRequests Off
SSLProxyCheckPeerCN off
SSLProxyCheckPeerExpire off
SSLProxyCheckPeerName off
SSLInsecureRenegotiation on
SSLProxyVerify none
SSLVerifyClient none
ProxyPass / https:///Microsoft-Server-ActiveSync
ProxyPassReverse / https:///Microsoft-Server-ActiveSync

I have found the following, but is uncertain if I have picked up the generel idea… and furthermore - the nomenclature seems to be deprecated.

reqirep ^(GET|POST|HEAD)\ /(.) \1\ /\2
acl response-is-redirect res.hdr(Location) -m found
rspirep ^Location:\ (http|https):///Microsoft-Server-ActiveSync/(.) Location:\ \1://mobilesync./\2 if response-is-redirect

Any ideas?

Best regards
'Adder

BlackAdderDK · November 22, 2021, 9:41pm

Bump

Anyone?

'Adder

Toni · November 24, 2021, 11:16pm

Hi Adder
From your post it doesn’t seem to be quite clear what you are trying to do, and how that is different from any other normal Reverse-Proxy situation.
I would assume that HAProxy for ActiveSync is just a normal Reverse-Proxy. A standard config should be working already. In special implementations, where your ActiveSync server needs to have awareness of internal vs. external requests, you may want to manipulate HTTP headers - but you didn’t mention any of that.

Generally speaking, you can use HAProxy either as a layer-7 or layer-4 reverse-proxy. Layer-7 is of course more popular and more secure.

Layer-7: mode http will terminate the TLS certificate and establish a communication with a backend server using the http protocol.
Layer-4: mode tcp will forward the TCP packets (with embedded http) to a backend server. Most likely, your backend server (ActiveSync) will be presenting the TLS certificate directly to clients in this case.

Either way, the communication between HTTP client and backend server is bi-directional by default. No special config is necessary (as opposed to the explicit Apache ProxyPass and ProxyPassReverse).

There is two ways to configure HAProxy (either/or):

frontend section binding to a port, and a backend section with one or mulitple servers (e.g. ActiveSync)
listen section: essentially combining bind a backend server into one section

The following blog post gives you a pretty good idea about how to use HAProxy in a standard config:
https://www.haproxy.com/blog/the-four-essential-sections-of-an-haproxy-configuration/

P.S. I noticed (unfortunately), that the HAProxy community is more active, and more responsive on Slack, than here on Discord.

Hope this helps?
Toni

Topic		Replies	Views
Reverse Proxy for Exchange2010 OWA, OA and ActiveSync Help!	2	5611	November 13, 2018
Handling http to an https site only (pfsense/haproxy) Help!	3	422	January 9, 2024
Need help with a HTTP and HTTPS Proxy Config for multiple backend servers Help!	1	607	January 19, 2021
Application behind Haproxy with SSL offloading Help!	3	1549	August 10, 2019
Using reverse proxy with secured web sockets (WSS) Help!	3	15252	April 17, 2023

Using HAProxy in front of an ActiveSync CopyCat

Related Topics