Hi,
I'm trying to configure HAProxy for Exchange 2019. Below is a simple configuration. OWA is working correctly. Accessing autodiscover.contoso.com.eu results in a 502 error due to an invalid gateway. Is this due to SNI str?
#
# Automatically generated configuration.
# Do not edit this file manually.
#
# Process-wide settings: privilege drop, chroot, runtime API socket, TLS/Lua tuning, logging.
global
# HAProxy switches to uid/gid 80 and confines itself to /var/haproxy.
uid 80
gid 80
chroot /var/haproxy
daemon
# Runtime API socket. "level admin" allows every runtime command (including changing
# server state), and mode 775 gives the owner and group "proxy" write access, so
# membership of that group is equivalent to HAProxy admin access.
# NOTE(review): confirm who is in group "proxy".
stats socket /var/run/haproxy.socket group proxy mode 775 level admin
nbthread 4
# Upper bound on how long a soft stop may wait for connections to finish.
hard-stop-after 60s
# Do not refuse to start when the configured limits cannot be applied.
no strict-limits
maxconn 10000
httpclient.resolvers.prefer ipv4
# DH parameter size for DHE key exchange. The bind line in this file lists only
# ECDHE suites for TLS 1.2.
tune.ssl.default-dh-param 2048
spread-checks 2
tune.bufsize 16384
# 0 = no cap on the memory Lua may allocate.
tune.lua.maxmem 0
# Log to the local syslog socket, facility local0, up to level info.
log /var/run/log local0 info
# Lua modules are searched first under /tmp/haproxy/lua, and code loaded from there
# runs inside the HAProxy process.
# NOTE(review): /tmp is normally world-writable; confirm this directory and its files
# are writable only by root / the config generator.
lua-prepend-path /tmp/haproxy/lua/?.lua
# Defaults inherited by every frontend and backend defined after this section.
defaults
# Reuse the logging target declared in "global".
log global
# Allow a failed connection to be retried on another server; -1 = on the last retry.
option redispatch -1
maxconn 5000
# Inactivity/connect timeouts. 30s on both client and server sides bounds how long
# an idle or stalled connection can hold a slot.
timeout client 30s
timeout connect 30s
timeout server 30s
# Connection attempts to a server before giving up (see "option redispatch").
retries 3
# Server address resolution at startup: the last known address first, then libc.
default-server init-addr last,libc
# autogenerated entries for ACLs
# autogenerated entries for config in backends/frontends
# autogenerated entries for stats
# Frontend: mail.contoso.com.eu (mail.contoso.com.eu)
# Public HTTPS listener: terminates TLS, then routes by Host header and path.
frontend mail.contoso.com.eu
# HSTS for 15768000 s (about six months). includeSubDomains is not set, so the policy
# covers only the exact host that returned the header.
http-response set-header Strict-Transport-Security "max-age=15768000"
# TLS termination: TLS 1.2 minimum, client cipher order honoured (prefer-client-ciphers),
# HTTP/2 and HTTP/1.1 offered via ALPN. The TLS 1.2 list is AEAD-only except for the last
# two entries (ECDHE-ECDSA-AES256-SHA384, ECDHE-ECDSA-AES128-SHA256), which are CBC suites.
# NOTE(review): the crt-list lives under /tmp/haproxy/ssl; if private keys are stored
# alongside it, confirm the directory is not readable by other local users.
bind 1XX.13X.1XX.XX:443 name 1XX.13X.1XX.XX:443 ssl prefer-client-ciphers ssl-min-ver TLSv1.2 ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256 ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/68f7689ebb8a56.76297715.certlist
mode http
option http-keep-alive
# Any request that matches no use_backend rule below is still sent to this backend,
# including unknown Host values and any path. There is no deny/default-reject rule here.
default_backend WIN-EXCH-DAG-VL1913
# logging options
option httplog
# ACL: autodiscover_contoso_com
# Case-insensitive match on the Host header value.
# NOTE(review): a Host header carrying an explicit port (host:443) would presumably not
# match this string; verify against real client requests.
acl acl_6901efd3ec0641.97794324 hdr(host) -i autodiscover.contoso.com.eu
# ACL: autodiscover_path
acl acl_69036f717a55d8.11376801 path_beg -i /autodiscover/
# ACL: mail_contoso_com_pl
acl acl_68f76755464f75.47994961 hdr(host) -i mail.contoso.com.eu
# ACTION: autodiscover_contoso_com_pl
# Two ACLs listed side by side are ANDed: the rule fires only when the Host is
# autodiscover.contoso.com.eu AND the path begins with /autodiscover/.
use_backend WIN-EXCH-DAG-VL1913 if acl_6901efd3ec0641.97794324 acl_69036f717a55d8.11376801
# ACTION: mail_contoso_com_pl
# Same target as the rule above and as default_backend, so all three routes end at
# the one backend.
use_backend WIN-EXCH-DAG-VL1913 if acl_68f76755464f75.47994961
# Frontend (DISABLED): autodiscover.contoso.com.eu (autodiscover.contoso.com.eu)
# Backend: WIN-EXCH-DAG-VL1913 ()
# Exchange backend: two servers, round-robin with source-IP stickiness, TLS re-encryption.
backend WIN-EXCH-DAG-VL1913
# health checking is DISABLED
# The server lines carry no "check", so a failed Exchange node stays in rotation;
# only "retries" / "option redispatch" from defaults cover a dead server.
mode http
balance roundrobin
# stickiness
# Pin each client source IP to one server for 30 minutes (table holds up to 50k entries).
stick-table type ip size 50k expire 30m
stick on src
http-reuse safe
# Add Forwarded and X-Forwarded-For headers carrying the client address.
# NOTE(review): a client-supplied X-Forwarded-For is not removed by these options; if
# Exchange/IIS logging or access rules use the header, trust only the value added by
# this proxy.
option forwarded
option forwardfor
# TLS to the backend with a fixed SNI of mail.contoso.com.eu for every request, including
# those received for autodiscover.contoso.com.eu.
# "verify none" disables validation of the Exchange server certificate, so this leg is
# encrypted but not authenticated and a host able to intercept traffic on the backend
# network could impersonate the server. Prefer
# "verify required ca-file <PATH_TO_INTERNAL_CA_PEM>" once the backend certificate chains
# to a CA HAProxy can trust.
# NOTE(review): "alpn h2,http/1.1" lets HAProxy negotiate HTTP/2 with the backend; when
# chasing the 502, compare the httplog termination state and test with http/1.1 only
# (unverified as the cause).
server WIN-EXCH01-DAG01-VL1913 10.198.13.10:443 ssl sni str(mail.contoso.com.eu) alpn h2,http/1.1 verify none resolve-prefer ipv4
server WIN-EXCH02-DAG01-VL1913 10.198.13.11:443 ssl sni str(mail.contoso.com.eu) alpn h2,http/1.1 verify none resolve-prefer ipv4
# statistics are DISABLED
Quote from: martin14 on November 04, 2025, 03:52:17 PMAccessing autodiscover.contoso.com.eu (https://autodiscover.contoso.com.eu/) results in a 502 error due to an invalid gateway. Is this due to SNI str?
You don't forward this to the backend.
You only forward:
mail.contoso.com.eu/*
autodiscover.contoso.com.eu/autodiscover/*
The latter because you combined the two autodiscover ACLs with AND.
Edit the rule and change the logical operator to OR.
Quote from: viragomann on November 04, 2025, 04:10:47 PMQuote from: martin14 on November 04, 2025, 03:52:17 PMAccessing autodiscover.contoso.com.eu (https://autodiscover.contoso.com.eu/) results in a 502 error due to an invalid gateway. Is this due to SNI str?
You don't forward this to the backend.
You only forward:
mail.contoso.com.eu/*
autodiscover.contoso.com.eu/autodiscover/*
Which setting is this in the GUI?
Thank you.
Quote from: martin14 on November 04, 2025, 05:19:24 PMWhich setting is this in the GUI?
As I wrote:
Quote from: viragomann on November 04, 2025, 04:10:47 PMEdit the rule and change the logical operator to OR.
Rules > autodiscover_contoso_com