HAProxy provides the following template to help you configure HTTP SSL offload mode.

You may have to modify these parameters to suit your environment:

peer

The HAProxy server names and their administrative IP addresses

bind

The listening IP address (usually an address configured over VRRP) and the SSL certificate name

server

The server names and IP addresses

Occurrences of mail.domain.com

Replace every occurrence of mail.domain.com with the host name used to host your Exchange 2010 services.

Note

You can reuse the peers and backend sourceaddr sections below for other Exchange 2010 TCP-based services. There is no need to duplicate them.

peers hapeelb
  peer hapee1 10.0.0.1:1023
  peer hapee2 10.0.0.2:1023

# Persistence tables
backend sourceaddr
  stick-table size 10k type ip peers hapeelb

backend hdr_authorization
  stick-table size 10k type string len 32 peers hapeelb

defaults XCHANGE2010_HTTP
  mode http
  log global
  option httplog
  balance leastconn
  option dontlognull
  option redispatch
  option contstats
  option socket-stats
  timeout connect 5s
  timeout server 1000s
  timeout client 1000s
  timeout http-request 10s
  timeout http-keep-alive 1m
  timeout queue 60s
  option http-keep-alive
  option prefer-last-server
  retries 3
  default-server inter 15s rise 2 fall 2
  backlog 10000

# Redirection to SSL frontend
frontend ft_xchange2010_http
  bind 10.0.0.3:80 name http tcp-ut 30s
  mode http
  option httplog
  timeout client 10s
  timeout http-request 10s
  http-request redirect scheme https

# HTTPS frontend
frontend ft_xchange2010_http_ssl_offload
  bind 10.0.0.3:443 name https tcp-ut 30s ssl crt xchange2010.pem

  acl owa_redir path / /owa
  http-request redirect location /owa/  if owa_redir

  # concatenate the first URL folder to the string 'bk_'
  # to automatically route to the right backend
  use_backend bk_%[path,word(1,/),lower]

  # if no backend is found, then 503 is returned
  # one can setup a 'default_backend' statement

# activesync
backend bk_microsoft-server-activesync
  stick on hdr(Authorization) table hdr_authorization
  option httpchk GET /Microsoft-Server-ActiveSync/ HTTP/1.1\r\nHost: mail.domain.com
  http-check expect rstatus (2..|3..|401)
  server CAS1 10.0.0.15:80 check
  server CAS2 10.0.0.16:80 check

# autodiscover
backend bk_autodiscover
  option httpchk GET /Autodiscover/Autodiscover.xml HTTP/1.1\r\nUser-Agent: Mozilla/5.0\r\nHost: mail.domain.com
  http-check expect rstatus (2..|3..|401)
  server CAS1 10.0.0.15:80 check
  server CAS2 10.0.0.16:80 check

# Exchange Control Panel
backend bk_ecp
  cookie ALBWA insert indirect nocache
  option httpchk GET /ecp/ HTTP/1.1\r\nUser-Agent: Mozilla/5.0\r\nHost: mail.domain.com
  http-check expect rstatus (2..|3..)
  server CAS1 10.0.0.15:80 check cookie CAS1
  server CAS2 10.0.0.16:80 check cookie CAS2

# Exchange Web service
backend bk_ews
  option httpchk GET /ews/ HTTP/1.1\r\nHost: mail.domain.com
  http-check expect rstatus (2..|3..|401)
  server CAS1 10.0.0.15:80 check
  server CAS2 10.0.0.16:80 check

# Offline Address book
backend bk_oab
  option httpchk GET /oab/ HTTP/1.1\r\nHost: mail.domain.com
  http-check expect rstatus (2..|3..|401)
  server CAS1 10.0.0.15:80 check
  server CAS2 10.0.0.16:80 check

# outlookanywhere
backend bk_rpc
  stick on src table sourceaddr
  option httpchk RPC_IN_DATA /rpc/rpcproxy.dll?mail.xlc.local:6001 HTTP/1.1\r\nUser-Agent: MSRPC\r\nHost: mail.domain.com
  http-check expect rstatus (2..|3..|401)
  server CAS1 10.0.0.15:80 check
  server CAS2 10.0.0.16:80 check

# Outlook Web Application
backend bk_owa
  cookie ALBWA insert indirect nocache
  option httpchk GET /owa/auth/logon.aspx?url=http://mail.domain.com/owa/&reason=0 HTTP/1.1\r\nUser-Agent: Mozilla/5.0\r\nHost: mail.domain.com
  server CAS1 10.0.0.15:80 check cookie CAS1
  server CAS2 10.0.0.16:80 check cookie CAS2

Note

To turn this configuration into SSL bridging mode, replace the :80 on each server line with :443 ssl.
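The following backend is an added example that is not part of the template above and not HAProxy's own documentation: it shows bk_owa rewritten for SSL bridging with the server-side certificate check that a bare ":443 ssl" leaves open. HAProxy's default server-side policy is verify required, so a server line carrying ssl needs a ca-file to validate the CAS certificate against (an explicit verify none would load but disables validation entirely). The CA bundle path /etc/haproxy/certs/exchange-ca.pem is a placeholder assumed for this example; the host name, server names and addresses are the template's own.

```haproxy
# Added example: SSL bridging variant of bk_owa (not from the original template).
# Assumption: /etc/haproxy/certs/exchange-ca.pem (placeholder path) holds the CA chain
# that issued the CAS certificates, and those certificates are valid for mail.domain.com.
backend bk_owa
  cookie ALBWA insert indirect nocache
  # Same health check as the offload template; "ssl" on the server line makes
  # the check run over TLS as well, so the CAS is probed the way clients reach it.
  option httpchk GET /owa/auth/logon.aspx?url=http://mail.domain.com/owa/&reason=0 HTTP/1.1\r\nUser-Agent: Mozilla/5.0\r\nHost: mail.domain.com
  http-check expect rstatus (2..|3..)
  # ssl              re-encrypt towards the CAS instead of sending clear-text HTTP
  # verify required  refuse a CAS whose certificate does not chain to ca-file
  # sni              present the expected name so the CAS selects the right certificate
  # verifyhost       require that certificate to be issued for mail.domain.com
  server CAS1 10.0.0.15:443 check cookie CAS1 ssl verify required ca-file /etc/haproxy/certs/exchange-ca.pem sni str(mail.domain.com) verifyhost mail.domain.com
  server CAS2 10.0.0.16:443 check cookie CAS2 ssl verify required ca-file /etc/haproxy/certs/exchange-ca.pem sni str(mail.domain.com) verifyhost mail.domain.com
```

The same server-line suffix applies to every other bk_ backend in the template. Run haproxy -c -f on the result before reloading: with verify required, a missing or wrong ca-file is reported at configuration check time rather than as a stream of failed health checks in the logs.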