Configuring HTTP SSL Offload
HAProxy provides the following template to help you configure HTTP SSL offload mode. You may have to modify these parameters to suit your environment:

- peer directive statements: the HAProxy server names and their associated administrative IP addresses
- bind: the listening IP address (usually an IP address configured over VRRP) and the SSL certificate name
- server: the server names and IP addresses
- Occurrences of mail.domain.com: replace every occurrence of mail.domain.com with the host name used to reach your Exchange 2010 services.
Note

You can use the default peers and backend sourceaddr sections for other Exchange 2010 TCP based services. There is no need to duplicate them.
peers hapeelb
    peer hapee1 10.0.0.1:1023
    peer hapee2 10.0.0.2:1023

# Persistence tables
backend sourceaddr
    stick-table size 10k type ip peers hapeelb

backend hdr_authorization
    stick-table size 10k type string len 32 peers hapeelb

defaults XCHANGE2010_HTTP
    mode http
    log global
    option httplog
    balance leastconn
    option dontlognull
    option redispatch
    option contstats
    option socket-stats
    timeout connect 5s
    timeout server 1000s
    timeout client 1000s
    timeout http-request 10s
    timeout http-keep-alive 1m
    timeout queue 60s
    option http-keep-alive
    option prefer-last-server
    retries 3
    default-server inter 15s rise 2 fall 2
    backlog 10000

# Redirection to SSL frontend
frontend ft_xchange2010_http
    bind 10.0.0.3:80 name http tcp-ut 30s
    mode http
    option httplog
    timeout client 10s
    timeout http-request 10s
    http-request redirect scheme https

# HTTPS frontend
frontend ft_xchange2010_http_ssl_offload
    bind 10.0.0.3:443 name https tcp-ut 30s ssl crt xchange2010.pem
    acl owa_redir path / /owa
    http-request redirect location /owa/ if owa_redir
    # concatenate the first URL folder to the string 'bk_'
    # to automatically route to the right backend
    use_backend bk_%[path,word(1,/),lower]
    # if no backend is found, then 503 is returned
    # one can setup a 'default_backend' statement

# activesync
backend bk_microsoft-server-activesync
    stick on hdr(Authorization) table hdr_authorization
    option httpchk GET /Microsoft-Server-ActiveSync/ HTTP/1.1\r\nHost:\ mail.domain.com
    http-check expect rstatus (2..|3..|401)
    server CAS1 10.0.0.15:80 check
    server CAS2 10.0.0.16:80 check

# autodiscover
backend bk_autodiscover
    option httpchk GET /Autodiscover/Autodiscover.xml HTTP/1.1\r\nUser-Agent:\ Mozilla/5.0\r\nHost:\ mail.domain.com
    http-check expect rstatus (2..|3..|401)
    server CAS1 10.0.0.15:80 check
    server CAS2 10.0.0.16:80 check

# Exchange Control Panel
backend bk_ecp
    cookie ALBWA insert indirect nocache
    option httpchk GET /ecp/ HTTP/1.1\r\nUser-Agent:\ Mozilla/5.0\r\nHost:\ mail.domain.com
    http-check expect rstatus (2..|3..)
    server CAS1 10.0.0.15:80 check cookie CAS1
    server CAS2 10.0.0.16:80 check cookie CAS2

# Exchange Web Services
backend bk_ews
    option httpchk GET /ews/ HTTP/1.1\r\nHost:\ mail.domain.com
    http-check expect rstatus (2..|3..|401)
    server CAS1 10.0.0.15:80 check
    server CAS2 10.0.0.16:80 check

# Offline Address Book
backend bk_oab
    option httpchk GET /oab/ HTTP/1.1\r\nHost:\ mail.domain.com
    http-check expect rstatus (2..|3..|401)
    server CAS1 10.0.0.15:80 check
    server CAS2 10.0.0.16:80 check

# Outlook Anywhere
backend bk_rpc
    stick on src table sourceaddr
    option httpchk RPC_IN_DATA /rpc/rpcproxy.dll?mail.xlc.local:6001 HTTP/1.1\r\nUser-Agent:\ MSRPC\r\nHost:\ mail.domain.com
    http-check expect rstatus (2..|3..|401)
    server CAS1 10.0.0.15:80 check
    server CAS2 10.0.0.16:80 check

# Outlook Web App
backend bk_owa
    cookie ALBWA insert indirect nocache
    option httpchk GET /owa/auth/logon.aspx?url=http://mail.domain.com/owa/&reason=0 HTTP/1.1\r\nUser-Agent:\ Mozilla/5.0\r\nHost:\ mail.domain.com
    server CAS1 10.0.0.15:80 check cookie CAS1
    server CAS2 10.0.0.16:80 check cookie CAS2
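The following Python script is an added illustration, not part of the ALOHA template or of HAProxy's own code. It models two points of the configuration above: how HAProxy's configuration parser unescapes the version argument of option httpchk (which is why the extra headers must be written with \r\n and with the space after Host: escaped as \ ), and how the ft_xchange2010_http_ssl_offload frontend turns a request path into a backend name with path,word(1,/),lower, answering 503 when no backend of that name exists. The backend names are the ones defined in the template; the request-line format is that of the legacy httpchk check, and newer HAProxy versions may append further headers of their own.

```python
from typing import Tuple

# Backends defined in the template above, named exactly as use_backend builds
# the name: "bk_" + first URL folder, lowercased.
BACKENDS = {
    "bk_microsoft-server-activesync",
    "bk_autodiscover",
    "bk_ecp",
    "bk_ews",
    "bk_oab",
    "bk_rpc",
    "bk_owa",
}


def unescape_cfg_arg(arg: str) -> str:
    """Apply the backslash escapes HAProxy's configuration parser accepts inside
    one argument: '\\ ' keeps a space in the argument instead of splitting it,
    '\\r', '\\n' and '\\t' become CR, LF and TAB, '\\\\' is a literal backslash
    and '\\#' a literal '#'. Hexadecimal escapes (\\xHH) are not modelled."""
    simple = {"r": "\r", "n": "\n", "t": "\t", " ": " ", "\\": "\\", "#": "#"}
    out = []
    i = 0
    while i < len(arg):
        if arg[i] == "\\" and i + 1 < len(arg) and arg[i + 1] in simple:
            out.append(simple[arg[i + 1]])
            i += 2
        else:
            out.append(arg[i])
            i += 1
    return "".join(out)


def httpchk_wire_request(method: str, uri: str, version_arg: str) -> bytes:
    """Bytes the legacy 'option httpchk <method> <uri> <version>' check sends:
    a request line built from the three arguments, then an empty line. Extra
    headers only reach the server if they are folded into the version argument
    with '\\r\\n'; an unescaped space would split the argument at 'Host:'."""
    version = unescape_cfg_arg(version_arg)
    return f"{method} {uri} {version}\r\n\r\n".encode("ascii")


def word1_lower(path: str) -> str:
    """Equivalent of the converter chain path,word(1,/),lower: the first
    non-empty '/'-delimited word of the path (empty words are skipped, so a
    leading or doubled slash is harmless), lowercased."""
    words = [w for w in path.split("/") if w]
    return words[0].lower() if words else ""


def route(request_uri: str) -> Tuple[int, str]:
    """Evaluate the rules of ft_xchange2010_http_ssl_offload in order.
    Returns (302, location) for the OWA redirect, (200, backend) when the
    computed backend exists, and (503, "") when it does not, because the
    template sets no default_backend."""
    # The 'path' sample never includes the query string.
    path = request_uri.split("?", 1)[0]
    # acl owa_redir path / /owa  +  http-request redirect location /owa/
    if path in ("/", "/owa"):
        return 302, "/owa/"
    # use_backend bk_%[path,word(1,/),lower]
    backend = "bk_" + word1_lower(path)
    if backend in BACKENDS:
        return 200, backend
    return 503, ""


if __name__ == "__main__":
    # Constructed sample request URIs; /PowerShell/ has no backend in the template.
    for uri in ("/", "/OWA/auth/logon.aspx", "//ecp/",
                "/Microsoft-Server-ActiveSync?Cmd=Sync", "/PowerShell/"):
        print(f"{uri:40} -> {route(uri)}")
    print(httpchk_wire_request("GET", "/ews/", r"HTTP/1.1\r\nHost:\ mail.domain.com"))
```

Run it as-is to see which paths land on which backend. Anything whose first folder is not one of the seven names above (for example /PowerShell/) gets a 503 from HAProxy rather than reaching a CAS, which is the behaviour the comment in the frontend refers to; add a default_backend only if you want that traffic forwarded.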
Note

To turn this configuration into SSL bridging mode, replace the :80 on each server line with :443 ssl. HAProxy verifies server certificates by default, so each of those server lines also needs either verify required together with a ca-file (recommended, so that a CAS cannot be impersonated on the server-side network) or an explicit verify none; without one of the two HAProxy refuses to start. The health checks then run over TLS as well.
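The fragment below is an added example of the bridging variant, not part of the ALOHA template: the bk_owa backend first with the weak setting and then with server verification enabled. The CA bundle path /etc/haproxy/exchange-ca.pem and the assumption that the CAS certificates carry the name mail.domain.com are illustrative; substitute the CA that issued your CAS certificates and the name they actually contain.

```haproxy
# Weak: the hop to the CAS is encrypted but the CAS is never authenticated,
# so anyone able to redirect traffic on the server LAN can sit in the middle.
backend bk_owa_unverified
    cookie ALBWA insert indirect nocache
    option httpchk GET /owa/auth/logon.aspx?url=http://mail.domain.com/owa/&reason=0 HTTP/1.1\r\nUser-Agent:\ Mozilla/5.0\r\nHost:\ mail.domain.com
    server CAS1 10.0.0.15:443 ssl verify none check cookie CAS1
    server CAS2 10.0.0.16:443 ssl verify none check cookie CAS2

# Recommended: verify the certificate chain against the CA that issued the CAS
# certificates (assumed path), check the name, and send SNI both for client
# traffic and for the health checks so the CAS presents the right certificate.
backend bk_owa
    cookie ALBWA insert indirect nocache
    option httpchk GET /owa/auth/logon.aspx?url=http://mail.domain.com/owa/&reason=0 HTTP/1.1\r\nUser-Agent:\ Mozilla/5.0\r\nHost:\ mail.domain.com
    server CAS1 10.0.0.15:443 ssl verify required ca-file /etc/haproxy/exchange-ca.pem verifyhost mail.domain.com sni str(mail.domain.com) check check-sni mail.domain.com cookie CAS1
    server CAS2 10.0.0.16:443 ssl verify required ca-file /etc/haproxy/exchange-ca.pem verifyhost mail.domain.com sni str(mail.domain.com) check check-sni mail.domain.com cookie CAS2
```

If the CAS certificates are issued by an internal PKI, export that PKI's root (and any intermediate) into the ca-file; if they are self-signed, add the self-signed certificates themselves to it instead of falling back to verify none.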