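# HAProxy reverse proxy for Exchange 2016 client-access protocols.
# Layout: global -> defaults -> one public frontend (HTTP redirects to HTTPS)
# that routes by URL path to per-protocol backends, each using the matching
# Exchange HealthCheck.htm URL as its httpchk probe.
global
    log 127.0.0.1 local0 debug
    chroot /var/lib/haproxy
    stats socket /run/haproxy/admin.sock mode 660 level admin
    stats timeout 30s
    user haproxy
    group haproxy
    daemon
    # Server-side (backend) certificate verification is disabled here and
    # again with "verify none" on every "server ... ssl" line below. This is
    # only acceptable if the path to 192.168.8.4/5 is a trusted segment.
    ssl-server-verify none

    # Default SSL material locations
    #ca-base /etc/ssl/certs
    #crt-base /etc/ssl/private
    crt-base /etc/ssl/ca/certs
    ca-base /etc/ssl/ca/intermediate/certs

    # Default ciphers to use on SSL-enabled listening sockets.
    # For more information, see ciphers(1SSL). This list is from:
    # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
    # NOTE(review): the 3DES entries (ECDH+3DES, DH+3DES, RSA+3DES) are only
    # needed for legacy clients; drop them once no client depends on them.
    ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
    # Only SSLv3 is disabled; TLS 1.0 and 1.1 remain negotiable on the bind
    # lines unless no-tlsv10 / no-tlsv11 are added here.
    ssl-default-bind-options no-sslv3
    tune.ssl.default-dh-param 2048

defaults
    log global
    mode http
    option httplog
    option forwardfor
    # Connection mode. The original also set "option http-keep-alive" before
    # this line, but each of these mode options replaces any earlier one, so
    # http-server-close was the only mode ever in effect; the dead line and a
    # duplicate "option forwardfor" were removed, behaviour is unchanged.
    option http-server-close
    option dontlognull
    option prefer-last-server
    no option http-tunnel
    no option httpclose
    no option forceclose
    timeout connect 300s
    timeout client 600s
    # Per-backend overrides below: 600s for MAPI and Outlook Anywhere.
    timeout server 60s
    timeout http-request 10s
    default-server inter 3s rise 2 fall 3
    balance leastconn
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http

frontend ft_exchange2016_https
    bind 192.168.9.207:80 name http
    # A client certificate is mandatory (verify required), but
    # "crt-ignore-err all" ignores every verification error on the client's
    # own certificate (depth 0: expiry, key usage, ...); only chain errors up
    # to ca-chain.crt are still enforced. Prefer listing the specific error
    # IDs that must be tolerated instead of "all".
    bind 192.168.9.207:443 name https ssl crt /etc/ssl/ca/intermediate/certs/mail.example.com.pem ca-file /etc/ssl/ca/intermediate/certs/ca-chain.crt verify required crt-ignore-err all no-sslv3
    # Captures referenced by the log-format: Host is capture.req.hdr(0).
    capture request header Host len 32
    capture request header User-Agent len 64
    capture response header Content-Length len 10
    log-format %ci:%cp\ [%t]\ %ft\ %b/%s\ %Tq/%Tw/%Tc/%Tr/%Tt\ %ST\ %B\ %CC\ %CS\ %tsc\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq\ %hr\ %hs\ {%sslv/%sslc/%[ssl_fc_sni]/%[ssl_fc_session_id]}\ "%[capture.req.method]\ %[capture.req.hdr(0)]%[capture.req.uri]\ HTTP/1.1"
    # The stats page is served on this client-facing frontend behind a
    # static credential committed to the config. Replace the password and
    # consider moving stats to a separate listen section bound to a
    # management address so it is not reachable through the mail endpoint.
    stats uri /haproxy?stats
    stats realm Strictly\ Private
    stats auth admin:passwd
    maxconn 1000
    # Effectively a no-op: with "verify required" the handshake already fails
    # without a client certificate, and a non-matching accept rule falls
    # through to the default (accept) anyway.
    tcp-request content accept if { ssl_fc_has_crt }
    acl ssl_connection ssl_fc
    acl host_mail hdr(Host) -i mail.example.com
    acl path_slash path /
    acl path_autodiscover path_beg -i /Autodiscover/Autodiscover.xml
    acl path_activesync path_beg -i /Microsoft-Server-ActiveSync
    acl path_ews path_beg -i /ews/
    acl path_owa path_beg -i /owa/
    acl path_oa path_beg -i /rpc/rpcproxy.dll
    acl path_ecp path_beg -i /ecp/
    acl path_oab path_beg -i /oab/
    acl path_mapi path_beg -i /mapi/
    acl path_check path_end -i HealthCheck.htm
    # Keep the Exchange health-check URLs unreachable from clients; only the
    # httpchk probes in the backends should hit them. Evaluated before the
    # HTTPS redirect, so plain-HTTP probes are denied as well.
    http-request deny if path_check
    http-request redirect scheme https code 302 unless ssl_connection
    # Bare site root goes to OWA.
    http-request redirect location /owa/ code 302 if path_slash host_mail
    use_backend bk_exchange2016_https_autodiscover if path_autodiscover
    use_backend bk_exchange2016_https_activesync if path_activesync
    use_backend bk_exchange2016_https_ews if path_ews
    use_backend bk_exchange2016_https_owa if path_owa
    use_backend bk_exchange2016_https_oa if path_oa
    use_backend bk_exchange2016_https_ecp if path_ecp
    use_backend bk_exchange2016_https_oab if path_oab
    use_backend bk_exchange2016_https_mapi if path_mapi
    default_backend bk_exchange2016_https_default

# One backend per Exchange protocol. All share the same two servers; the
# only differences are the health-check URL and, for MAPI / Outlook
# Anywhere, a longer server timeout. "verify none" on each server disables
# backend certificate checking (see the global note above).
backend bk_exchange2016_https_activesync
    option httpchk GET /Microsoft-Server-ActiveSync/HealthCheck.htm
    http-check expect string 200\ OK
    server exchange1 192.168.8.4:443 ssl verify none maxconn 1000 weight 10 check
    server exchange2 192.168.8.5:443 ssl verify none maxconn 1000 weight 10 check

backend bk_exchange2016_https_autodiscover
    option httpchk GET /Autodiscover/HealthCheck.htm
    http-check expect string 200\ OK
    server exchange1 192.168.8.4:443 ssl verify none maxconn 1000 weight 10 check
    server exchange2 192.168.8.5:443 ssl verify none maxconn 1000 weight 10 check

backend bk_exchange2016_https_ecp
    option httpchk GET /ECP/HealthCheck.htm
    http-check expect string 200\ OK
    server exchange1 192.168.8.4:443 ssl verify none maxconn 1000 weight 10 check
    server exchange2 192.168.8.5:443 ssl verify none maxconn 1000 weight 10 check

backend bk_exchange2016_https_ews
    option httpchk GET /EWS/HealthCheck.htm
    http-check expect string 200\ OK
    server exchange1 192.168.8.4:443 ssl verify none maxconn 1000 weight 10 check
    server exchange2 192.168.8.5:443 ssl verify none maxconn 1000 weight 10 check

backend bk_exchange2016_https_mapi
    option httpchk GET /mapi/HealthCheck.htm
    http-check expect string 200\ OK
    # Long-lived MAPI/HTTP sessions: override the 60s default.
    timeout server 600s
    server exchange1 192.168.8.4:443 ssl verify none maxconn 1000 weight 10 check
    server exchange2 192.168.8.5:443 ssl verify none maxconn 1000 weight 10 check

backend bk_exchange2016_https_oab
    option httpchk GET /OAB/HealthCheck.htm
    http-check expect string 200\ OK
    server exchange1 192.168.8.4:443 ssl verify none maxconn 1000 weight 10 check
    server exchange2 192.168.8.5:443 ssl verify none maxconn 1000 weight 10 check

backend bk_exchange2016_https_oa
    option httpchk GET /RPC/HealthCheck.htm
    http-check expect string 200\ OK
    # Long-lived Outlook Anywhere (RPC over HTTP) sessions.
    timeout server 600s
    server exchange1 192.168.8.4:443 ssl verify none maxconn 1000 weight 10 check
    server exchange2 192.168.8.5:443 ssl verify none maxconn 1000 weight 10 check

backend bk_exchange2016_https_owa
    option httpchk GET /owa/HealthCheck.htm
    http-check expect string 200\ OK
    server exchange1 192.168.8.4:443 ssl verify none maxconn 1000 weight 10 check
    server exchange2 192.168.8.5:443 ssl verify none maxconn 1000 weight 10 check

backend bk_exchange2016_https_default
    # No httpchk here: the plain "check" only verifies the TCP/TLS connect.
    timeout server 60s
    server exchange1 192.168.8.4:443 ssl verify none maxconn 1000 weight 10 check
    server exchange2 192.168.8.5:443 ssl verify none maxconn 1000 weight 10 check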