HAProxy Enterprise Documentation 12.0

Configuring HTTP SSL Forward Mode

HAProxy provides the following template to help you configure HTTP SSL forward mode.

You may have to modify these parameters to suit your environment:

- peer directive statements
- HAProxy server names and associated administrative IP
- The listening IP (usually an IP address configured over VRRP)
- The server name and IP addresses


You can reuse the defaults XCHANGE2010_TCP, peers, and backend sourceaddr sections for other Exchange 2010 TCP-based services. There is no need to duplicate them.

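peers hapeelb
    # <hapee1_admin_IP>, <hapee2_admin_IP> and <port> are placeholders: set each node's administrative IP and peers port
    peer hapee1 <hapee1_admin_IP>:<port>
    peer hapee2 <hapee2_admin_IP>:<port>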

# Persistence table
backend sourceaddr
    stick-table size 10k type ip peers hapeelb

defaults XCHANGE2010_TCP
    mode tcp
    log global
    option tcplog
    balance leastconn
    option dontlognull
    option redispatch
    option contstats
    option socket-stats
    timeout server 600s
    timeout client 600s
    timeout connect 5s
    timeout queue 60s
    retries 3
    default-server inter 15s rise 2 fall 2
    backlog 10000

# Redirection to SSL frontend
frontend ft_xchange2010_http
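    # <listening_IP>:<port> is a placeholder: the listening IP (usually the VRRP address) and the HTTP port
    bind <listening_IP>:<port> name http tcp-ut 30s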
    mode http
    option httplog
    timeout client 10s
    timeout http-request 10s
    redirect scheme https

frontend ft_xchange2010_ssl_forward
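    # <listening_IP>:<port> is a placeholder: the listening IP (usually the VRRP address) and the HTTPS port
    bind <listening_IP>:<port> name https tcp-ut 30s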
    default_backend bk_xchange2010_ssl_forward

backend bk_xchange2010_ssl_forward
    stick on src table sourceaddr
    option tcp-check
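    # Health check: open a TLS connection to the HTTPS port of each server
    tcp-check connect port 443 ssl
    # <CAS1_IP>, <CAS2_IP> and <port> are placeholders for the Exchange CAS servers
    server CAS1 <CAS1_IP>:<port> check
    server CAS2 <CAS2_IP>:<port> check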
