HAProxy provides the following template to help you configure HTTP SSL offload mode.

You may have to modify these parameters to suit your environment:

peer directive statements
    HAProxy server names and associated administrative IP, the SSL certificate name

bind
    The listening IP (usually an IP address configured over VRRP)

server
    The server name and IP addresses

Occurrences of mail.domain.com
    Replace every occurrence of mail.domain.com with the host name used to host your Exchange 2010 services.

Note

You can use the default peers and backend sourceaddr sections for other Exchange 2010 TCP-based services. There is no need to duplicate them.

peers hapeelb
    peer hapee1 10.0.0.1:1023
    peer hapee2 10.0.0.2:1023

# Persistence tables
backend sourceaddr
    stick-table size 10k type ip peers hapeelb

backend hdr_authorization
    stick-table size 10k type string len 32 peers hapeelb

defaults XCHANGE2010_HTTP
    mode http
    log global
    option httplog
    balance leastconn
    option dontlognull
    option redispatch
    option contstats
    option socket-stats
    timeout connect 5s
    timeout server 1000s
    timeout client 1000s
    timeout http-request 10s
    timeout http-keep-alive 1m
    timeout queue 60s
    option http-keep-alive
    option prefer-last-server
    retries 3
    default-server inter 15s rise 2 fall 2
    backlog 10000

# Redirection to SSL frontend
frontend ft_xchange2010_http
    bind 10.0.0.3:80 name http tcp-ut 30s
    mode http
    option httplog
    timeout client 10s
    timeout http-request 10s
    http-request redirect scheme https

# HTTPS frontend
frontend ft_xchange2010_http_ssl_offload
    bind 10.0.0.3:443 name https tcp-ut 30s ssl crt xchange2010.pem

    acl owa_redir path / /owa
    http-request redirect location /owa/  if owa_redir

    # concatenate the first URL folder to the string 'bk_'
    # to automatically route to the right backend
    use_backend bk_%[path,word(1,/),lower]

    # if no matching backend is found, a 503 is returned;
    # a 'default_backend' statement can be set up to catch those requests instead

# activesync
backend bk_microsoft-server-activesync
    stick on hdr(Authorization) table hdr_authorization
    option httpchk GET /Microsoft-Server-ActiveSync/ HTTP/1.1\r\nHost: mail.domain.com
    http-check expect rstatus (2..|3..|401)
    server CAS1 10.0.0.15:80 check
    server CAS2 10.0.0.16:80 check

# autodiscover
backend bk_autodiscover
    option httpchk GET /Autodiscover/Autodiscover.xml HTTP/1.1\r\nUser-Agent: Mozilla/5.0\r\nHost: mail.domain.com
    http-check expect rstatus (2..|3..|401)
    server CAS1 10.0.0.15:80 check
    server CAS2 10.0.0.16:80 check

# Exchange Control Panel
backend bk_ecp
    cookie ALBWA insert indirect nocache
    option httpchk GET /ecp/ HTTP/1.1\r\nUser-Agent: Mozilla/5.0\r\nHost: mail.domain.com
    http-check expect rstatus (2..|3..)
    server CAS1 10.0.0.15:80 check cookie CAS1
    server CAS2 10.0.0.16:80 check cookie CAS2

# Exchange Web service
backend bk_ews
    option httpchk GET /ews/ HTTP/1.1\r\nHost: mail.domain.com
    http-check expect rstatus (2..|3..|401)
    server CAS1 10.0.0.15:80 check
    server CAS2 10.0.0.16:80 check

# Offline Address book
backend bk_oab
    option httpchk GET /oab/ HTTP/1.1\r\nHost: mail.domain.com
    http-check expect rstatus (2..|3..|401)
    server CAS1 10.0.0.15:80 check
    server CAS2 10.0.0.16:80 check

# outlookanywhere
backend bk_rpc
    stick on src table sourceaddr
    option httpchk RPC_IN_DATA /rpc/rpcproxy.dll?mail.xlc.local:6001 HTTP/1.1\r\nUser-Agent: MSRPC\r\nHost: mail.domain.com
    http-check expect rstatus (2..|3..|401)
    server CAS1 10.0.0.15:80 check
    server CAS2 10.0.0.16:80 check

# Outlook Web Application
backend bk_owa
    cookie ALBWA insert indirect nocache
    option httpchk GET /owa/auth/logon.aspx?url=http://mail.domain.com/owa/&reason=0 HTTP/1.1\r\nUser-Agent: Mozilla/5.0\r\nHost: mail.domain.com
    server CAS1 10.0.0.15:80 check cookie CAS1
    server CAS2 10.0.0.16:80 check cookie CAS2

Note

To turn this configuration into SSL bridging mode, replace the :80 on each server line with :443 ssl.
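The dynamic use_backend rule in the HTTPS frontend (bk_ followed by the lower-cased first folder of the path) is the one place in this template where a typo or a missing backend silently turns into a 503. The following added example, which is not part of the HAProxy template or of HAProxy's own code, emulates that rule in Python so the routing table can be checked offline before deploying: the path fetch drops the query string, word(1,/) takes the first non-empty folder, and the result is looked up against the seven backends declared above. The owa_redir ACL and the TEMPLATE_BACKENDS set are taken from the template; the request targets in main() are constructed test inputs.

```python
import re

# Backend names exactly as declared in the template above.
TEMPLATE_BACKENDS = {
    "bk_microsoft-server-activesync",
    "bk_autodiscover",
    "bk_ecp",
    "bk_ews",
    "bk_oab",
    "bk_rpc",
    "bk_owa",
}

# Exact-match values of the 'acl owa_redir path / /owa' rule.
OWA_REDIRECT_PATHS = ("/", "/owa")


def haproxy_path(request_target):
    """Emulate the 'path' sample fetch: request target without the query string."""
    return request_target.split("?", 1)[0]


def word(value, n, delimiters="/"):
    """Emulate the word(n,delims) converter (approximation written for this example):
    split on any of the delimiter characters, skip empty fields, return the nth field
    1-based, or an empty string when there are not enough fields."""
    fields = [f for f in re.split("[" + re.escape(delimiters) + "]", value) if f]
    return fields[n - 1] if 0 < n <= len(fields) else ""


def route(request_target, backends=TEMPLATE_BACKENDS):
    """Return what ft_xchange2010_http_ssl_offload does with one request target:
    ('redirect', location), ('backend', name) or ('error', 503)."""
    path = haproxy_path(request_target)
    if path in OWA_REDIRECT_PATHS:
        return ("redirect", "/owa/")
    # use_backend bk_%[path,word(1,/),lower]
    name = "bk_" + word(path, 1, "/").lower()
    if name in backends:
        return ("backend", name)
    # No backend of that name and no default_backend: HAProxy answers 503.
    return ("error", 503)


def unrouted(request_targets, backends=TEMPLATE_BACKENDS):
    """List the constructed request targets that would receive a 503."""
    return [t for t in request_targets if route(t, backends) == ("error", 503)]


def main():
    # Constructed sample request targets, including the query strings clients send.
    samples = [
        "/",
        "/owa",
        "/owa/auth/logon.aspx?url=https://mail.domain.com/owa/&reason=0",
        "/OWA/",
        "/Microsoft-Server-ActiveSync?Cmd=Sync&User=someone",
        "/Autodiscover/Autodiscover.xml",
        "/rpc/rpcproxy.dll?mail.domain.com:6001",
        "/EWS/Exchange.asmx",
        "/public/",          # not in the template: expect 503
    ]
    for target in samples:
        print(f"{target:65} -> {route(target)}")
    print("would 503:", unrouted(samples))


if __name__ == "__main__":
    main()
```

Running the block prints one line per sample target; any entry reported under "would 503" is either a client path that needs its own backend or a typo in a backend name, which is exactly the check worth doing whenever a backend is renamed.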