On Tue, Nov 25, 2014 at 4:29 PM, Yosef Amir <amir.yo...@comverse.com> wrote:
> Hi HAProxy team,
> I have a few questions related to the HAProxy 1.5.8 IMAP SSL health-check
> mechanism and configuration.
> For plain IMAP configuration (no SSL), the health-check for the backend
> servers, with the logic of active/non-active server according to the banner
> response, seems to work just fine.
> I would like to know if I can get the same IMAP health-check result/support
> for an IMAP backend server that supports SSL.
>
> I would like to understand if the following is supported by the HAProxy 1.5.8
> health-check mechanism:
>
> HAProxy to open an SSL connection to the IMAP server (e.g. on port 443).
> HAProxy to perform SSL negotiation and accept any certificate that the
> backend server sends.
> After SSL negotiation, HAProxy to check the IMAP banner (probably need to
> decrypt the server response).
> HAProxy to compare the banner response to the predefined string (as works for
> the plain text health check on port 143).
>
>
> Does the HAProxy source/kit contain OpenSSL binaries? Can HAProxy work with/link
> to the existing OpenSSL on my Linux unit? How can I control it? Can I configure
> HAProxy with the OpenSSL path that exists on my unit?
>
>
>
> Thanks
> Amir Yosef
>
>
> _____________________________________________
> From: Yosef Amir
> Sent: Tuesday, November 25, 2014 8:39 AM
> To: 'haproxy@formilux.org'
> Subject: Health-check with banner for IMAP over SSL
>
>


Hi Amir,

Thanks for posting in a new thread :)

So, first, you must compile HAProxy with OpenSSL support (first install
the OpenSSL libraries from your operating system).

Then the configuration of IMAP health check can be scripted through
the tcp-check feature:
 option tcp-check
 tcp-check connect port 143
 tcp-check expect string *\ OK
 tcp-check connect port 993 ssl
 tcp-check expect string *\ OK

Replace the expected string by the one sent by your server. Don't
forget to escape spaces in the expected string.

The example above applies to Exchange 2013 and is taken from the
HAProxy deployment guide for Exchange 2013 (page 39):
http://www.haproxy.com/static/media/uploads/eng/resources/aloha_load_balancer_appnotes_0065_exchange_2013_deployment_guide_en.pdf

Baptiste
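
Added example, not part of the original thread and not HAProxy code: a small Python probe for finding the banner your server really sends and testing it against the expected string. The function names and the sample greeting are constructed for illustration; the probe reads only the first response line, and "insecure" corresponds to the "accept any certificate" case in the question.

```python
import socket
import ssl

def read_banner(sock, limit=1024):
    """Return the first CRLF-terminated line sent by the server after connect."""
    buf = b""
    while not buf.endswith(b"\r\n") and len(buf) < limit:
        chunk = sock.recv(1)
        if not chunk:  # peer closed before completing the greeting
            break
        buf += chunk
    return buf.rstrip(b"\r\n")

def greeting_status(banner):
    """Classify an untagged IMAP greeting as OK, PREAUTH or BYE, else None."""
    parts = banner.split(b" ", 2)
    if len(parts) >= 2 and parts[0] == b"*":
        word = parts[1].upper()  # IMAP keywords are case-insensitive
        if word in (b"OK", b"PREAUTH", b"BYE"):
            return word.decode()
    return None

def banner_matches(banner, expected=b"* OK"):
    """Exact, case-sensitive substring test, as 'tcp-check expect string' does."""
    return expected in banner

def probe(host, port, use_ssl=False, cafile=None, insecure=False, timeout=5.0):
    """Connect like the health check and return (banner, matches)."""
    sock = socket.create_connection((host, port), timeout=timeout)
    try:
        if use_ssl:
            ctx = ssl.create_default_context(cafile=cafile)
            if insecure:  # accept any certificate: encrypted, but peer not authenticated
                ctx.check_hostname = False
                ctx.verify_mode = ssl.CERT_NONE
            sock = ctx.wrap_socket(sock, server_hostname=host)
        banner = read_banner(sock)
    finally:
        sock.close()
    return banner, banner_matches(banner)

if __name__ == "__main__":
    # Constructed greeting fed through a local socket pair, so this runs offline.
    client, server = socket.socketpair()
    server.sendall(b"* OK IMAP4rev1 server ready\r\n")
    line = read_banner(client)
    print(line, greeting_status(line), banner_matches(line))
    client.close(); server.close()
```

A greeting such as "* ok ready" is valid IMAP but does not contain the exact string "* OK", so copy the expected string byte for byte from what the probe returns.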
