HAProxy Exchange 2019

Started by martin14, November 04, 2025, 03:52:17 PM

November 04, 2025, 03:52:17 PM Last Edit: November 04, 2025, 03:54:00 PM by martin14
Hi,
I'm trying to configure HAProxy for Exchange 2019. Below is a simple configuration. OWA is working correctly. Accessing autodiscover.contoso.com.eu results in a 502 error due to an invalid gateway. Is this due to SNI str?

#
# Automatically generated configuration.
# Do not edit this file manually.
#

global
    uid                         80
    gid                         80
    chroot                      /var/haproxy
    daemon
    stats                       socket /var/run/haproxy.socket group proxy mode 775 level admin
    nbthread                    4
    hard-stop-after             60s
    no strict-limits
    maxconn                     10000
    httpclient.resolvers.prefer   ipv4
    tune.ssl.default-dh-param   2048
    spread-checks               2
    tune.bufsize                16384
    tune.lua.maxmem             0
    log                         /var/run/log local0 info
    lua-prepend-path            /tmp/haproxy/lua/?.lua

defaults
    log     global
    option redispatch -1
    maxconn 5000
    timeout client 30s
    timeout connect 30s
    timeout server 30s
    retries 3
    default-server init-addr last,libc

# autogenerated entries for ACLs


# autogenerated entries for config in backends/frontends

# autogenerated entries for stats




# Frontend: mail.contoso.com.eu (mail.contoso.com.eu)
frontend mail.contoso.com.eu
    http-response set-header Strict-Transport-Security "max-age=15768000"
    bind 1XX.13X.1XX.XX:443 name 1XX.13X.1XX.XX:443 ssl prefer-client-ciphers ssl-min-ver TLSv1.2 ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256 ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/68f7689ebb8a56.76297715.certlist
    mode http
    option http-keep-alive
    default_backend WIN-EXCH-DAG-VL1913

    # logging options
    option httplog
    # ACL: autodiscover_contoso_com
    acl acl_6901efd3ec0641.97794324 hdr(host) -i autodiscover.contoso.com.eu
    # ACL: autodiscover_path
    acl acl_69036f717a55d8.11376801 path_beg -i /autodiscover/
    # ACL: mail_contoso_com_pl
    acl acl_68f76755464f75.47994961 hdr(host) -i mail.contoso.com.eu

    # ACTION: autodiscover_contoso_com_pl
    use_backend WIN-EXCH-DAG-VL1913 if acl_6901efd3ec0641.97794324 acl_69036f717a55d8.11376801
    # ACTION: mail_contoso_com_pl
    use_backend WIN-EXCH-DAG-VL1913 if acl_68f76755464f75.47994961

# Frontend (DISABLED): autodiscover.contoso.com.eu (autodiscover.contoso.com.eu)

# Backend: WIN-EXCH-DAG-VL1913 ()
backend WIN-EXCH-DAG-VL1913
    # health checking is DISABLED
    mode http
    balance roundrobin
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    option forwarded
    option forwardfor
    server WIN-EXCH01-DAG01-VL1913 10.198.13.10:443 ssl sni str(mail.contoso.com.eu) alpn h2,http/1.1 verify none resolve-prefer ipv4
    server WIN-EXCH02-DAG01-VL1913 10.198.13.11:443 ssl sni str(mail.contoso.com.eu) alpn h2,http/1.1 verify none resolve-prefer ipv4



# statistics are DISABLED





Quote from: martin14 on November 04, 2025, 03:52:17 PMAccessing autodiscover.contoso.com.eu results in a 502 error due to an invalid gateway. Is this due to SNI str?
You don't forward this to the backend.

You only forward:
mail.contoso.com.eu/*
autodiscover.contoso.com.eu/autodiscover/*

The latter one, as you combined the two autodiscover ACLs with AND.
Edit the rule and change the logical operator to OR.
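
Added example, not part of the original post or of the OPNsense-generated file: the two rules from the posted frontend, with the ANDed form as posted next to the OR form the reply recommends, followed by the backend with the fixed SNI from the post replaced by the request's Host and with certificate validation turned on. Frontend, backend, server and ACL names are copied from the posted config; the ca-file path is an assumption for this example. Note that the posted frontend already has `default_backend WIN-EXCH-DAG-VL1913`, so requests matching no rule reach the same backend anyway; the OR form states the intent explicitly and becomes essential once autodiscover traffic is to be routed differently from OWA.

```haproxy
# Added example; not the original poster's config and not OPNsense output.
# Names are taken from the posted config; the ca-file path is assumed.

frontend mail.contoso.com.eu
    mode http
    # bind line as in the posted config
    acl acl_6901efd3ec0641.97794324 hdr(host) -i autodiscover.contoso.com.eu
    acl acl_69036f717a55d8.11376801 path_beg -i /autodiscover/
    acl acl_68f76755464f75.47994961 hdr(host) -i mail.contoso.com.eu

    # As posted. Several ACL names on one "if" line are ANDed, so this rule
    # matches only when Host is autodiscover.contoso.com.eu AND the path
    # starts with /autodiscover/. A request for https://autodiscover.contoso.com.eu/
    # matches neither this rule nor the mail.contoso.com.eu rule.
    #use_backend WIN-EXCH-DAG-VL1913 if acl_6901efd3ec0641.97794324 acl_69036f717a55d8.11376801

    # Logical operator OR. HAProxy accepts "||" or "or" between ACL names;
    # this is the equivalent of setting the rule's operator to OR in the GUI.
    # Now every request whose Host is autodiscover.contoso.com.eu is routed,
    # whatever its path, as is any /autodiscover/ request on another name.
    use_backend WIN-EXCH-DAG-VL1913 if acl_6901efd3ec0641.97794324 || acl_69036f717a55d8.11376801
    use_backend WIN-EXCH-DAG-VL1913 if acl_68f76755464f75.47994961

    # Requests matching no rule still land here, as in the posted config.
    default_backend WIN-EXCH-DAG-VL1913

backend WIN-EXCH-DAG-VL1913
    mode http
    balance roundrobin
    stick-table type ip size 50k expire 30m
    stick on src
    http-reuse safe
    option forwarded
    option forwardfor
    # The posted "sni str(mail.contoso.com.eu)" sends a fixed SNI to Exchange
    # regardless of the client's Host. "sni req.hdr(host)" forwards the name the
    # client asked for instead, so the backend TLS handshake follows the Host
    # header; the Host header itself is forwarded unchanged in both cases.
    # The posted "verify none" skips validation of the Exchange certificate, so
    # anything answering on 10.198.13.10:443 is trusted blindly. With
    # "verify required" HAProxy checks the certificate against the SNI name and
    # the given CA bundle (path assumed here; use the CA that issued the
    # Exchange certificate).
    server WIN-EXCH01-DAG01-VL1913 10.198.13.10:443 ssl sni req.hdr(host) alpn h2,http/1.1 verify required ca-file /usr/local/etc/ssl/exchange-ca.pem
    server WIN-EXCH02-DAG01-VL1913 10.198.13.11:443 ssl sni req.hdr(host) alpn h2,http/1.1 verify required ca-file /usr/local/etc/ssl/exchange-ca.pem
```

Check the generated file with `haproxy -c -f <path to the generated config>` before applying it. To confirm routing without touching DNS, point curl at the frontend address directly, e.g. `curl -sk --resolve autodiscover.contoso.com.eu:443:<frontend IP> -o /dev/null -w '%{http_code}\n' https://autodiscover.contoso.com.eu/autodiscover/autodiscover.xml`; an unauthenticated Autodiscover request answered by Exchange returns 401, so a 401 (rather than 502) shows the request reached the backend. Keep `-k` only for this test, since it disables certificate checking on the client side.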

Quote from: viragomann on November 04, 2025, 04:10:47 PM
Quote from: martin14 on November 04, 2025, 03:52:17 PMAccessing autodiscover.contoso.com.eu results in a 502 error due to an invalid gateway. Is this due to SNI str?
You don't forward this to the backend.

You only forward:
mail.contoso.com.eu/*
autodiscover.contoso.com.eu/autodiscover/*



Which setting is this in the GUI?
Thank you.

Quote from: martin14 on November 04, 2025, 05:19:24 PMWhich setting is this in the GUI?
As I wrote:
Quote from: viragomann on November 04, 2025, 04:10:47 PMEdit the rule and change the logical operator to OR.

Rules > autodiscover_contoso_com