Hi.
After upgrading haproxy to version 1.9.7 from the FreeBSD port I get an error ... in
the reverse proxy for MS Exchange.
ActiveSync, OWA - work.
MAPI stopped working
(https://docs.microsoft.com/en-us/exchange/clients/mapi-over-http/mapi-over-http?view=exchserver-2019)
Rolling back to the previous version of haproxy solves the problem.
haproxy -vv:
HA-Proxy version 1.9.7 2019/04/25 - https://haproxy.org/
Build options :
TARGET = freebsd
CPU = generic
CC = cc
CFLAGS = -O2 -pipe -fstack-protector-strong -fno-strict-aliasing -fno-strict-aliasing -Wdeclaration-after-statement -fwrapv -Wno-address-of-packed-member -Wno-unused-label -Wno-sign-compare
-Wno-unused-parameter -Wno-ignored-qualifiers -Wno-missing-field-initializers -Wno-implicit-fallthrough -Wtype-limits -Wshift-negative-value -Wnull-dereference -DFREEBSD_PORTS
OPTIONS = USE_GETADDRINFO=1 USE_ZLIB=1 USE_CPU_AFFINITY=1 USE_ACCEPT4=1
USE_REGPARM=1 USE_OPENSSL=1 USE_STATIC_PCRE=1 USE_PCRE_JIT=1
Default settings :
maxconn = 2000, bufsize = 16384, maxrewrite = 1024, maxpollevents = 200
Built with OpenSSL version : OpenSSL 1.1.1a-freebsd 20 Nov 2018
Running on OpenSSL version : OpenSSL 1.1.1a-freebsd 20 Nov 2018
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : SSLv3 TLSv1.0 TLSv1.1 TLSv1.2 TLSv1.3
Built with transparent proxy support using: IP_BINDANY IPV6_BINDANY
Built with zlib version : 1.2.11
Running on zlib version : 1.2.11
Compression algorithms supported : identity("identity"), deflate("deflate"),
raw-deflate("deflate"), gzip("gzip")
Built with PCRE version : 8.43 2019-02-23
Running on PCRE version : 8.43 2019-02-23
PCRE library supports JIT : yes
Encrypted password support via crypt(3): yes
Built with multi-threading support.
Available polling systems :
kqueue : pref=300, test result OK
poll : pref=200, test result OK
select : pref=150, test result OK
Total: 3 (3 usable), will use kqueue.
Available multiplexer protocols :
(protocols marked as <default> cannot be specified using 'proto' keyword)
h2 : mode=HTTP side=FE
h2 : mode=HTX side=FE|BE
<default> : mode=HTX side=FE|BE
<default> : mode=TCP|HTTP side=FE|BE
Available filters :
[SPOE] spoe
[COMP] compression
[CACHE] cache
[TRACE] trace
config:
global
    log /var/run/log local7 info
    user nobody
    group nobody
    daemon
    maxconn 20000
    pidfile /var/run/haproxy.pid
    external-check
    ssl-server-verify none
    tune.ssl.default-dh-param 2048
    ssl-default-bind-options no-sslv3 no-tls-tickets
    ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS

defaults
    mode http
    option dontlognull
    option http-keep-alive
    no option httpclose
    no option http-server-close
    no option forceclose
    no option http-tunnel
    balance leastconn
    default-server inter 3s rise 2 fall 3
    timeout client 600s
    timeout http-request 10s
    timeout connect 4s
    timeout server 60s

frontend fe_mail
    bind IP:80
    bind IP:443 ssl alpn h2,http/1.1 crt /usr/local/etc/haproxy/cert/host.cer
    capture request header Host len 32
    capture request header User-Agent len 64
    capture response header Content-Length len 10
    log global
    log-format %ci\ %ft\ %b/%s\ %ST\ %B\ %hr\ {%sslv/%sslc}\ %HM\ \"%[capture.req.uri]\ %HV\"
    maxconn 15000
    option forwardfor
    acl ssl_connection ssl_fc
    acl host_mail hdr(Host) -i mail.domain
    acl path_slash path /
    acl path_autodiscover path_beg -i /Autodiscover/Autodiscover.xml
    acl path_activesync path_beg -i /Microsoft-Server-ActiveSync
    acl path_ews path_beg -i /ews/
    acl path_owa path_beg -i /owa/
    acl path_oa path_beg -i /rpc/rpcproxy.dll
    acl path_ecp path_beg -i /ecp/
    acl path_oab path_beg -i /oab/
    acl path_mapi path_beg -i /mapi/
    acl path_check path_end -i HealthCheck.htm
    http-request deny if path_check
    http-request deny if path_ecp
    http-request redirect scheme https code 302 unless ssl_connection
    http-request redirect scheme https code 301 if !{ ssl_fc }
    http-request redirect location /owa/ code 302 if path_slash host_mail
    use_backend be_exchange_https_autodiscover if path_autodiscover
    use_backend be_exchange_https_activesync if path_activesync
    use_backend be_exchange_https_ews if path_ews
    use_backend be_exchange_https_owa if path_owa
    use_backend be_exchange_https_oa if path_oa
    use_backend be_exchange_https_oab if path_oab
    use_backend be_exchange_https_mapi if path_mapi
    default_backend be_exchange_https_default
And the problematic backend:
backend be_exchange_https_mapi
    reqadd X-Forwarded-Proto:\ https
    source IP
    option httpchk GET /mapi/HealthCheck.htm
    http-check expect string 200\ OK
    timeout server 600s
    server ex1 IP:443 ssl verify none check source IP weight 10
    server ex2 IP:443 ssl verify none check source IP weight 10
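To reason about which rule a given Exchange request hits in the fe_mail frontend above (the deny and redirect rules run before any use_backend line, so a HealthCheck.htm probe or an /ecp/ request sent through the frontend is refused rather than proxied), here is a small Python model of that rule order. It is an added example written for this thread, not HAProxy or Exchange code, and the sample requests are constructed.

```python
# Constructed model of the fe_mail request handling in the posted config.
# Hypothetical helper written for this thread, not HAProxy or Exchange code:
# HAProxy evaluates http-request rules in config order first, then the
# use_backend rules in order, and falls through to default_backend.

# (path_beg prefix, backend) in the same order as the use_backend lines;
# all of these ACLs are declared with -i, so matching is case-insensitive
ROUTES = [
    ("/autodiscover/autodiscover.xml", "be_exchange_https_autodiscover"),
    ("/microsoft-server-activesync", "be_exchange_https_activesync"),
    ("/ews/", "be_exchange_https_ews"),
    ("/owa/", "be_exchange_https_owa"),
    ("/rpc/rpcproxy.dll", "be_exchange_https_oa"),
    ("/oab/", "be_exchange_https_oab"),
    ("/mapi/", "be_exchange_https_mapi"),
]


def route(path, host, ssl):
    """Decide what fe_mail does with one request.

    path: request path without query string (what the 'path' fetch returns);
    host: the Host header; ssl: True if it arrived on the TLS listener (ssl_fc).
    Returns (action, backend); backend is None unless action is "backend".
    """
    p = path.lower()
    # http-request deny rules come first, so a HealthCheck.htm probe sent
    # through the frontend is refused before any backend selection happens
    if p.endswith("healthcheck.htm"):
        return ("deny", None)
    if p.startswith("/ecp/"):
        return ("deny", None)
    # the 302 'unless ssl_connection' rule runs before the 301 rule and
    # matches every plain-HTTP request, so the 301 rule is never reached
    if not ssl:
        return ("redirect 302 https", None)
    if path == "/" and host.lower() == "mail.domain":
        return ("redirect 302 /owa/", None)
    for prefix, backend in ROUTES:
        if p.startswith(prefix):
            return ("backend", backend)
    return ("backend", "be_exchange_https_default")


if __name__ == "__main__":
    # constructed sample requests: a MAPI/HTTP client call and a health probe
    for req in [("/mapi/emsmdb/", "mail.domain", True),
                ("/mapi/HealthCheck.htm", "mail.domain", True)]:
        print(req, "->", route(*req))
```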