0

I am facing a problem with HAPROXY on an Ubuntu 16.04 server when redirecting to show OWA on the internet. I have a domain, and I installed exchange server 2013 on windows server 2012 r2. I need to use a second frontend with tcp for OWA on both 443 and 80 ports.

The problem is that OWA appears sometimes and after refresh the page it gives error or another site of mine with different CA, because of the old frontend haproxy-in (mode http). I have LetsEncrypt for all my sites assigned to port 443.

Please, I need a solution to open OWA and the other sites with.

This is my haproxy configuration file from the first frontend:

frontend haproxy_in
bind *:80
bind *:443 ssl crt /etc/haproxy/certs/mdl.ief.tishreen.edu.sy.pem crt /etc/haproxy/certs/mail.ief.tishreen.edu.sy.pem  crt /etc/haproxy/certs/lib.ief.tishreen.edu.sy.pem crt /etc/haproxy/certs/ief.tishreen.edu.sy.pem crt /etc/haproxy/certs/www.ief.tishreen.edu.sy.pem crt /etc/haproxy/certs/educloud.ief.tishreen.edu.sy.pem crt /etc/haproxy/certs/vpn.ief.tishreen.edu.sy.pem
mode http
# Define Path For LetsEncrypt.........................
acl is_letsencrypt path_beg -i /.well-known/acme-challenge/
use_backend letsencrypt if is_letsencrypt
# Define hosts........................................
acl is_moodle hdr_dom(host) -i mdl.ief.tishreen.edu.sy
acl is_lib hdr_dom(host) -i lib.ief.tishreen.edu.sy
acl is_mail hdr_dom(host) -i mail.ief.tishreen.edu.sy
acl is_vpn hdr_dom(host) -i vpn.ief.tishreen.edu.sy
acl is_www hdr_dom(host) -i www.ief.tishreen.edu.sy
# Direct hosts to backend..............................
use_backend moodle if is_moodle
use_backend lib if is_lib
use_backend vpn if is_vpn
use_backend www if is_www
default_backend base
# Redirect port 80 t0 443 except lets encrypt............
redirect scheme https code 301 if !{ ssl_fc } !is_letsencrypt
### exchange owa frontend####
frontend exchange-server
bind *:80
bind *:443
mode tcp
acl is_mail hdr_dom(host) -i mail.ief.tishreen.edu.sy
use_backend mail if is_mail

default_backend base

backend mail
balance roundrobin
mode tcp
server vm3 172.17.16.22:443 check
######################
#            #
#   Backends     #
#            #
######################
backend letsencrypt
server letsencrypt 127.0.0.1:8888
backend moodle
balance roundrobin
mode http
server vm1 172.17.16.20:80 check

backend lib
balance roundrobin
mode http
server vm2 172.17.16.18:80/akasia check


backend vpn
balance roundrobin
mode http
server vm4 172.17.16.35:1194 check

backend www
balance roundrobin
mode http
server vm5 172.17.16.25:80 check

backend base
balance roundrobin
mode http
server vmtest 172.17.16.25:80 check


###############################
Bruce Becker
  • 302
  • 1
  • 4
  • 18
roney IT
  • 1
  • 1
  • 3
  • Since you're using HAproxy as a frontend why don't you disable https on the backend machine and use plain http? As I can see in your configuration there are a bunch of http backends already defined so I think that using http also for the email service will be fine. – Luigi Pressello Oct 21 '18 at 06:36
  • all my CA are through HAproxy so that i need 443 for them,,http for mail did not work and gave 504 error ,,so any other ideas please – roney IT Oct 21 '18 at 13:50
  • can you show me configuration file for my problem?? – roney IT Oct 21 '18 at 13:51

2 Answers2

0

Using tcp as backend mode for an https connection will not work when the HAproxy itself is acting like an SSL terminator.

There are two ways to get your configuration working based on your setup:

1: Edit your OWA configuration to allow http connections and then use http as backend mode leaving the SSL job only to HAProxy.

2: Edit your HAProxy config to use https and no ssl verification on backend, something like:

backend mail
    balance roundrobin
    mode http
    server vm3 172.17.16.22:443 ssl verify none
Luigi Pressello
  • 171
  • 3
  • what for incoming requests? they will take default backend base before it reaches to mail's frontend – roney IT Oct 21 '18 at 14:58
  • You can't do virtualhosting with tcp mode frontend: removed option from answer. You must go with http based backend or try with https with no certificate check – Luigi Pressello Oct 21 '18 at 15:02
  • my problem solved with tcp but because there are 2 frontends i got diffrent page every refresh or error in 80 port,,so i tried with only http and i got 504 bad gateway – roney IT Oct 21 '18 at 15:08
  • To use http backend you need to reconfigure OWA IIS virtualhost to serve on port 80. Otherwise you can try with https backend with no cert check (option 2). – Luigi Pressello Oct 21 '18 at 16:12
0

try this config with only one frontend (I use one public IP and two internal servers with SSL) Both Servers are reacheable on port 443 and 80 (80 is needed to renew the letsencrypt certs). Servers are in different subnets without issues. I don't have any certs on the haproxy site, and same names in the internal and public dns.

frontend ft_ssl_vip
  mode tcp
  bind *:443
  bind *:80
  tcp-request inspect-delay 5s
  acl sslv3 req.ssl_ver 3
  tcp-request content reject if sslv3
  tcp-request content accept if { req_ssl_hello_type 1 }
  default_backend bk_ssl_default

backend bk_ssl_default
  mode tcp
# Using SNI to take routing decision
  acl exchange1 req_ssl_sni -i email.tld.com
  acl exchange2 req_ssl_sni -i autodiscover.tld.com
  acl nextcloud1 req_ssl_sni -i cloud.tld.com
  use-server server1 if exchange1
  use-server server1 if exchange2
  use-server server2 if nextcloud1

  stick-table type binary len 32 size 30k expire 30m

  acl clienthello req_ssl_hello_type 1
  acl serverhello rep_ssl_hello_type 2

# use tcp content accepts to detects ssl client and server hello.
  tcp-request inspect-delay 5s
  tcp-request content accept if clienthello

# no timeout on response inspect delay by default.
  tcp-response content accept if serverhello

  stick on payload_lv(43,1) if clienthello

# Learn on response if server hello.
  stick store-response payload_lv(43,1) if serverhello

  option ssl-hello-chk
  server server1 192.168.xx1.xx1 check
  server server2 192.168.xx2.xx2 check
alex
  • 1
  • 2