Using HAProxy in front of an ActiveSync CopyCat

Hi

I’m using HAProxy in order to load balance a wide variety of Webservers etc. - one server that’s being proxied via ActiveSync is a GroupWise Mobile Sync Server, that impersonates a Microsoft Active Sync server.

I have earlier proxied such a server via Apache with ProxyPass, and that worked with the following apache conf:

SSLEngine On
SSLProxyEngine On
SSLCertificateFile /root/.acme.sh//fullchain.cer
SSLCertificateKeyFile /root/.acme.sh//cert.key
ProxyRequests Off
SSLProxyCheckPeerCN off
SSLProxyCheckPeerExpire off
SSLProxyCheckPeerName off
SSLInsecureRenegotiation on
SSLProxyVerify none
SSLVerifyClient none
ProxyPass / https:///Microsoft-Server-ActiveSync
ProxyPassReverse / https:///Microsoft-Server-ActiveSync

I have found the following, but am uncertain if I have picked up the general idea… and furthermore - the nomenclature seems to be deprecated.

reqirep ^(GET|POST|HEAD)\ /(.*) \1\ /\2
acl response-is-redirect res.hdr(Location) -m found
rspirep ^Location:\ (http|https):///Microsoft-Server-ActiveSync/(.*) Location:\ \1://mobilesync./\2 if response-is-redirect

Any ideas?

Best regards
'Adder

Bump :slight_smile:

Anyone?

'Adder

Hi Adder
From your post it doesn’t seem to be quite clear what you are trying to do, and how that is different from any other normal Reverse-Proxy situation.
I would assume that HAProxy for ActiveSync is just a normal Reverse-Proxy. A standard config should be working already. In special implementations, where your ActiveSync server needs to have awareness of internal vs. external requests, you may want to manipulate HTTP headers - but you didn’t mention any of that.

Generally speaking, you can use HAProxy either as a layer-7 or layer-4 reverse-proxy. Layer-7 is of course more popular and more secure.

  • Layer-7: mode http will terminate the TLS certificate and establish a communication with a backend server using the http protocol.
  • Layer-4: mode tcp will forward the TCP packets (with embedded http) to a backend server. Most likely, your backend server (ActiveSync) will be presenting the TLS certificate directly to clients in this case.

Either way, the communication between HTTP client and backend server is bi-directional by default. No special config is necessary (as opposed to the explicit Apache ProxyPass and ProxyPassReverse).

There are two ways to configure HAProxy (either/or):

  • frontend section binding to a port, and a backend section with one or multiple servers (e.g. ActiveSync)
  • listen section: essentially combining bind and a backend server into one section

The following blog post gives you a pretty good idea about how to use HAProxy in a standard config:
https://www.haproxy.com/blog/the-four-essential-sections-of-an-haproxy-configuration/

P.S. I noticed (unfortunately), that the HAProxy community is more active, and more responsive on Slack, than here on Discord.

Hope this helps?
Toni
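
A layer-7 frontend/backend pair of the kind described in the reply above, mirroring the Apache ProxyPass mapping from the question, as an added example that is not from either poster. Host names, the IP address and file paths are placeholders, the timeout values are assumptions, and the backend shows certificate verification enabled beside the `verify none` equivalent of the Apache `SSLProxyVerify none` / `SSLProxyCheckPeerName off` settings.

```haproxy
# Added example. mobilesync.example.com, gms.internal.example, 192.0.2.10
# and all file paths are placeholders, not values from the thread.

defaults
    mode http
    timeout connect 5s
    # ActiveSync push holds requests open for a long time; these values
    # are assumptions and should match the heartbeat your clients use.
    timeout client  35m
    timeout server  35m

frontend fe_mobilesync
    # Layer-7: HAProxy terminates the client TLS session here.
    # The PEM file holds the certificate chain and the private key.
    bind :443 ssl crt /etc/haproxy/certs/mobilesync.example.com.pem
    default_backend be_gms

backend be_gms
    # Same mapping as "ProxyPass / https://<backend>/Microsoft-Server-ActiveSync":
    # prefix the path unless the client already sent it.
    http-request set-path /Microsoft-Server-ActiveSync%[path] unless { path_beg /Microsoft-Server-ActiveSync }

    # ProxyPassReverse equivalent: point redirects back at the public name.
    http-response replace-header Location ^https?://[^/]+/Microsoft-Server-ActiveSync/(.*) https://mobilesync.example.com/\1

    # Weak form (what the Apache settings above amount to): the backend
    # connection is encrypted, but any certificate is accepted.
    # server gms1 192.0.2.10:443 ssl verify none

    # Verified form: the backend certificate must chain to the given CA
    # and carry the expected host name.
    server gms1 192.0.2.10:443 ssl verify required ca-file /etc/haproxy/ca/internal-ca.pem verifyhost gms.internal.example sni str(gms.internal.example) check
```

Running `haproxy -c -f <file>` checks the syntax before a reload.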