@davidenzomedina wrote:
Hi, I’m new to HAPROXY and I have a problem with some clients that cannot access haproxy services from a specific network on WAN.
When they try to access it from a web browser, it keeps waiting for a response. The first thing I figured is routing, but ping works, and when I try to access the stats page it pops up the authentication window, but then it just keeps working and nothing is returned. If I try to directly access the service backends, bypassing the haproxy, it works.
This is my setting:
- Servers: 2 CentOS 7 with keepalived cluster for HA.
- HAProxy: 1.5.18 (the one that comes with this CentOS version via yum).
- Network: 2 interfaces: ens160 (DMZ) and ens192 (LAN and WAN).
- Routes: default gateway configured for ens160. Specific static routes added for ens192.
- Firewall: ports 80, 443, 9000 and others are opened.
- SELinux: enabled (I tried disabling it, but no luck).
HAProxy configuration (I modified some sensitive info):
```
#---------------------------------------------------------------------
# Global settings
#---------------------------------------------------------------------
global
    log         127.0.0.1 local2 info
    chroot      /var/lib/haproxy
    pidfile     /var/run/haproxy.pid
    maxconn     4000
    user        haproxy
    group       haproxy
    daemon

    # turn on stats unix socket
    stats socket /var/lib/haproxy/stats

    tune.ssl.default-dh-param 2048

#---------------------------------------------------------------------
# common defaults that all the 'listen' and 'backend' sections will
# use if not designated in their block
#---------------------------------------------------------------------
defaults
    mode http
    log global
    option httplog
    option dontlognull
    option http-server-close
    option redispatch
    retries 3
    timeout http-request 10s
    timeout queue 1m
    timeout connect 10s
    timeout client 1m
    timeout server 1m
    timeout http-keep-alive 10s
    timeout check 10s
    maxconn 3000
    balance leastconn
    default-server inter 3s rise 2 fall 3

#---------------------------------------------------------------------
# Exchange HTTPS Frontend
#---------------------------------------------------------------------
frontend exchange_https_frontend
    bind *:443 name https ssl crt /etc/ssl/certs/mycert.pem
    mode http
    option http-keep-alive
    no option httpclose
    no option http-server-close
    no option forceclose
    option contstats
    option dontlognull
    log global
    option httplog
    option forwardfor except 127.0.0.0/8
    timeout client 25s
    timeout http-keep-alive 1s
    timeout http-request 15s
    maxconn 10000

    acl ssl_connection ssl_fc
    acl host_mail hdr(Host) -i my.mail.com
    acl path_slash path /
    acl path_owa path_beg -i /owa/
    acl path_ecp path_beg -i /ecp/
    acl path_ews path_beg -i /ews/
    acl path_activesync path_beg -i /Microsoft-Server-ActiveSync
    acl path_oa path_beg -i /rpc/rpcproxy.dll
    acl path_autodiscover path_beg -i /Autodiscover/Autodiscover.xml
    acl path_ps path_beg -i /Powershell/
    acl path_oab path_beg -i /oab/
    ###acl path_mapi path_beg -i /mapi/
    acl path_check path_end -i HealthCheck.htm

    # HTTP deny rules
    http-request deny if path_check

    # HTTP redirect rules
    http-request redirect scheme https code 302 unless ssl_connection
    http-request redirect location /owa/ code 302 if path_slash host_mail

    # HTTP routing rules
    use_backend exchange_https_owa_backend if path_owa
    use_backend exchange_https_ecp_backend if path_ecp
    use_backend exchange_https_ews_backend if path_ews
    use_backend exchange_https_activesync_backend if path_activesync
    use_backend exchange_https_oa_backend if path_oa
    use_backend exchange_https_autodiscover_backend if path_autodiscover
    use_backend exchange_https_ps_backend if path_ps
    use_backend exchange_https_oab_backend if path_oab
    ###use_backend exchange_https_mapi if path_mapi

    # other services go here
    default_backend exchange_https_default_backend

#---------------------------------------------------------------------
# Exchange HTTPS Backends
#---------------------------------------------------------------------

# Outlook Web Access (OWA):
backend exchange_https_owa_backend
    option http-keep-alive
    option prefer-last-server
    no option httpclose
    no option http-server-close
    no option forceclose
    no option http-tunnel
    option forwardfor
    option httpchk GET /owa/HealthCheck.htm
    http-check expect string 200\ OK
    server server151 192.168.5.151:443 maxconn 10000 weight 10 ssl verify none check
    server server152 192.168.5.152:443 maxconn 10000 weight 10 ssl verify none check
    server server153 192.168.5.153:443 maxconn 10000 weight 10 ssl verify none check
    server server154 192.168.5.154:443 maxconn 10000 weight 10 ssl verify none check

# Exchange Control Panel (ECP):
backend exchange_https_ecp_backend
    option http-keep-alive
    option prefer-last-server
    no option httpclose
    no option http-server-close
    no option forceclose
    no option http-tunnel
    option forwardfor
    option httpchk GET /ECP/HealthCheck.htm
    http-check expect string 200\ OK
    server server151 192.168.5.151:443 maxconn 10000 weight 10 ssl verify none check
    server server152 192.168.5.152:443 maxconn 10000 weight 10 ssl verify none check
    server server153 192.168.5.153:443 maxconn 10000 weight 10 ssl verify none check
    server server154 192.168.5.154:443 maxconn 10000 weight 10 ssl verify none check

# Exchange Web Services (EWS):
backend exchange_https_ews_backend
    option http-keep-alive
    option prefer-last-server
    no option httpclose
    no option http-server-close
    no option forceclose
    no option http-tunnel
    option forwardfor
    option httpchk GET /EWS/HealthCheck.htm
    http-check expect string 200\ OK
    server server151 192.168.5.151:443 maxconn 10000 weight 10 ssl verify none check
    server server152 192.168.5.152:443 maxconn 10000 weight 10 ssl verify none check
    server server153 192.168.5.153:443 maxconn 10000 weight 10 ssl verify none check
    server server154 192.168.5.154:443 maxconn 10000 weight 10 ssl verify none check

# Exchange Active Sync (EAS):
backend exchange_https_activesync_backend
    option http-keep-alive
    option prefer-last-server
    no option httpclose
    no option http-server-close
    no option forceclose
    no option http-tunnel
    option forwardfor
    option httpchk GET /Microsoft-Server-ActiveSync/HealthCheck.htm
    http-check expect string 200\ OK
    server server151 192.168.5.151:443 maxconn 10000 weight 10 ssl verify none check
    server server152 192.168.5.152:443 maxconn 10000 weight 10 ssl verify none check
    server server153 192.168.5.153:443 maxconn 10000 weight 10 ssl verify none check
    server server154 192.168.5.154:443 maxconn 10000 weight 10 ssl verify none check

# Outlook Anywhere (OA):
backend exchange_https_oa_backend
    option http-keep-alive
    option prefer-last-server
    no option httpclose
    no option http-server-close
    no option forceclose
    no option http-tunnel
    option forwardfor
    option httpchk GET /RPC/HealthCheck.htm
    http-check expect string 200\ OK
    server server151 192.168.5.151:443 maxconn 10000 weight 10 ssl verify none check
    server server152 192.168.5.152:443 maxconn 10000 weight 10 ssl verify none check
    server server153 192.168.5.153:443 maxconn 10000 weight 10 ssl verify none check
    server server154 192.168.5.154:443 maxconn 10000 weight 10 ssl verify none check

# Autodiscover (AU):
backend exchange_https_autodiscover_backend
    option http-keep-alive
    option prefer-last-server
    no option httpclose
    no option http-server-close
    no option forceclose
    no option http-tunnel
    option forwardfor
    option httpchk GET /Autodiscover/HealthCheck.htm
    http-check expect string 200\ OK
    server server151 192.168.5.151:443 maxconn 10000 weight 10 ssl verify none check
    server server152 192.168.5.152:443 maxconn 10000 weight 10 ssl verify none check
    server server153 192.168.5.153:443 maxconn 10000 weight 10 ssl verify none check
    server server154 192.168.5.154:443 maxconn 10000 weight 10 ssl verify none check

# PowerShell (PS):
backend exchange_https_ps_backend
    option http-keep-alive
    option prefer-last-server
    no option httpclose
    no option http-server-close
    no option forceclose
    no option http-tunnel
    option forwardfor
    server server151 192.168.5.151:443 maxconn 10000 weight 10 ssl verify none check
    server server152 192.168.5.152:443 maxconn 10000 weight 10 ssl verify none check
    server server153 192.168.5.153:443 maxconn 10000 weight 10 ssl verify none check
    server server154 192.168.5.154:443 maxconn 10000 weight 10 ssl verify none check

# Offline Address Book (OAB):
backend exchange_https_oab_backend
    option http-keep-alive
    option prefer-last-server
    no option httpclose
    no option http-server-close
    no option forceclose
    no option http-tunnel
    option forwardfor
    option httpchk GET /OAB/HealthCheck.htm
    http-check expect string 200\ OK
    server server151 192.168.5.151:443 maxconn 10000 weight 10 ssl verify none check
    server server152 192.168.5.152:443 maxconn 10000 weight 10 ssl verify none check
    server server153 192.168.5.153:443 maxconn 10000 weight 10 ssl verify none check
    server server154 192.168.5.154:443 maxconn 10000 weight 10 ssl verify none check

# Exchange Default Backend:
backend exchange_https_default_backend
    option http-keep-alive
    option prefer-last-server
    no option httpclose
    no option http-server-close
    no option forceclose
    no option http-tunnel
    option forwardfor
    server server151 192.168.5.151:443 maxconn 10000 weight 10 ssl verify none check
    server server152 192.168.5.152:443 maxconn 10000 weight 10 ssl verify none check
    server server153 192.168.5.153:443 maxconn 10000 weight 10 ssl verify none check
    server server154 192.168.5.154:443 maxconn 10000 weight 10 ssl verify none check

#---------------------------------------------------------------------
# Exchange SMTP Settings
#---------------------------------------------------------------------
listen smtp25 *:25
    mode tcp
    option tcplog
    balance leastconn
    option tcp-check
    tcp-check expect string 220
    default-server inter 3s rise 2 fall 3
    server server151 192.168.5.151:25 check
    server server152 192.168.5.152:25 check
    server server153 192.168.5.153:25 check
    server server154 192.168.5.154:25 check

listen smtp587 *:587
    mode tcp
    option tcplog
    balance leastconn
    option tcp-check
    tcp-check expect string 220
    default-server inter 3s rise 2 fall 3
    server server151 192.168.5.151:587 check
    server server152 192.168.5.152:587 check
    server server153 192.168.5.153:587 check
    server server154 192.168.5.154:587 check

#---------------------------------------------------------------------
# HAProxy stats page:
#---------------------------------------------------------------------
listen stats :9000
    mode http
    stats enable
    stats hide-version
    stats realm Haproxy\ Statistics
    stats uri /
    stats auth admin:mypassword
```