123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142
global
log 127.0.0.1 local0 debug
chroot /var/lib/haproxy
stats socket /run/haproxy/admin.sock mode 660 level admin
stats timeout 30s
user haproxy
group haproxy
daemon
ssl-server-verify none
# Default SSL material locations
#ca-base /etc/ssl/certs
#crt-base /etc/ssl/private
crt-base /etc/ssl/ca/certs
ca-base /etc/ssl/ca/intermediate/certs
# Default ciphers to use on SSL-enabled listening sockets.
# For more information, see ciphers(1SSL). This list is from:
# https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
ssl-default-bind-options no-sslv3
tune.ssl.default-dh-param 2048
defaults
log global
mode http
option httplog
option http-keep-alive
option forwardfor
option http-server-close
option dontlognull
option prefer-last-server
option forwardfor
no option http-tunnel
no option httpclose
no option forceclose
timeout connect 300s
timeout client 600s
timeout server 60s
timeout http-request 10s
default-server inter 3s rise 2 fall 3
balance leastconn
errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http
frontend ft_exchange2016_https
bind 192.168.9.207:80 name http
bind 192.168.9.207:443 name https ssl crt /etc/ssl/ca/intermediate/certs/mail.example.com.pem ca-file /etc/ssl/ca/intermediate/certs/ca-chain.crt verify required crt-ignore-err all no-sslv3
capture request header Host len 32
capture request header User-Agent len 64
capture response header Content-Length len 10
log-format %ci:%cp\ [%t]\ %ft\ %b/%s\ %Tq/%Tw/%Tc/%Tr/%Tt\ %ST\ %B\ %CC\ %CS\ %tsc\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq\ %hr\ %hs\ {%sslv/%sslc/%[ssl_fc_sni]/%[ssl_fc_session_id]}\ "%[capture.req.method]\ %[capture.req.hdr(0)]%[capture.req.uri]\ HTTP/1.1"
stats uri /haproxy?stats
stats realm Strictly\ Private
stats auth admin:passwd
maxconn 1000
tcp-request content accept if { ssl_fc_has_crt }
acl ssl_connection ssl_fc
acl host_mail hdr(Host) -i mail.example.com
acl path_slash path /
acl path_autodiscover path_beg -i /Autodiscover/Autodiscover.xml
acl path_activesync path_beg -i /Microsoft-Server-ActiveSync
acl path_ews path_beg -i /ews/
acl path_owa path_beg -i /owa/
acl path_oa path_beg -i /rpc/rpcproxy.dll
acl path_ecp path_beg -i /ecp/
acl path_oab path_beg -i /oab/
acl path_mapi path_beg -i /mapi/
acl path_check path_end -i HealthCheck.htm
http-request deny if path_check
http-request redirect scheme https code 302 unless ssl_connection
http-request redirect location /owa/ code 302 if path_slash host_mail
use_backend bk_exchange2016_https_autodiscover if path_autodiscover
use_backend bk_exchange2016_https_activesync if path_activesync
use_backend bk_exchange2016_https_ews if path_ews
use_backend bk_exchange2016_https_owa if path_owa
use_backend bk_exchange2016_https_oa if path_oa
use_backend bk_exchange2016_https_ecp if path_ecp
use_backend bk_exchange2016_https_oab if path_oab
use_backend bk_exchange2016_https_mapi if path_mapi
default_backend bk_exchange2016_https_default
backend bk_exchange2016_https_activesync
option httpchk GET /Microsoft-Server-ActiveSync/HealthCheck.htm
http-check expect string 200\ OK
server exchange1 192.168.8.4:443 ssl verify none maxconn 1000 weight 10 check
server exchange2 192.168.8.5:443 ssl verify none maxconn 1000 weight 10 check
backend bk_exchange2016_https_autodiscover
option httpchk GET /Autodiscover/HealthCheck.htm
http-check expect string 200\ OK
server exchange1 192.168.8.4:443 ssl verify none maxconn 1000 weight 10 check
server exchange2 192.168.8.5:443 ssl verify none maxconn 1000 weight 10 check
backend bk_exchange2016_https_ecp
option httpchk GET /ECP/HealthCheck.htm
http-check expect string 200\ OK
server exchange1 192.168.8.4:443 ssl verify none maxconn 1000 weight 10 check
server exchange2 192.168.8.5:443 ssl verify none maxconn 1000 weight 10 check
backend bk_exchange2016_https_ews
option httpchk GET /EWS/HealthCheck.htm
http-check expect string 200\ OK
server exchange1 192.168.8.4:443 ssl verify none maxconn 1000 weight 10 check
server exchange2 192.168.8.5:443 ssl verify none maxconn 1000 weight 10 check
backend bk_exchange2016_https_mapi
option httpchk GET /mapi/HealthCheck.htm
http-check expect string 200\ OK
timeout server 600s
server exchange1 192.168.8.4:443 ssl verify none maxconn 1000 weight 10 check
server exchange2 192.168.8.5:443 ssl verify none maxconn 1000 weight 10 check
backend bk_exchange2016_https_oab
option httpchk GET /OAB/HealthCheck.htm
http-check expect string 200\ OK
server exchange1 192.168.8.4:443 ssl verify none maxconn 1000 weight 10 check
server exchange2 192.168.8.5:443 ssl verify none maxconn 1000 weight 10 check
backend bk_exchange2016_https_oa
option httpchk GET /RPC/HealthCheck.htm
http-check expect string 200\ OK
timeout server 600s
server exchange1 192.168.8.4:443 ssl verify none maxconn 1000 weight 10 check
server exchange2 192.168.8.5:443 ssl verify none maxconn 1000 weight 10 check
backend bk_exchange2016_https_owa
option httpchk GET /owa/HealthCheck.htm
http-check expect string 200\ OK
server exchange1 192.168.8.4:443 ssl verify none maxconn 1000 weight 10 check
server exchange2 192.168.8.5:443 ssl verify none maxconn 1000 weight 10 check
backend bk_exchange2016_https_default
timeout server 60s
server exchange1 192.168.8.4:443 ssl verify none maxconn 1000 weight 10 check
server exchange2 192.168.8.5:443 ssl verify none maxconn 1000 weight 10 check