Haproxy For Exchange 2016

haproxy.conf 的配置文件

#---------------------------------------------------------------------
# Example configuration for a possible web application.  See the
# full configuration options online.
#
#   http://haproxy.1wt.eu/download/1.4/doc/configuration.txt
#
# NOTE: the link above documents HAProxy 1.4, but this file relies on
# "bind ... ssl crt", "http-response set-header" and the ssl-default-*
# tuning keywords, all of which need HAProxy 1.5 or later. Consult the
# documentation for the version that is actually installed.
#---------------------------------------------------------------------

#---------------------------------------------------------------------
# Global settings
#---------------------------------------------------------------------

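global
    # Ship log lines to the local syslog daemon (UDP, 127.0.0.1). The
    # daemon must accept network log events and route the facility used
    # here (local6) to a file. The facility named here and the one in
    # the syslog configuration must agree - earlier notes in this file
    # referred to local2, which does not match the directive below.
    log         127.0.0.1  local6  info
    chroot      /data/haproxy
    pidfile     /var/run/haproxy.pid
    # Drop privileges once the listening sockets are bound. The previous
    # setting ran the workers as root, which makes the chroot above mostly
    # cosmetic (a root process can leave a chroot). The haproxy user and
    # group must exist on the host; distribution packages create them.
    user        haproxy
    group       haproxy
    daemon
    # TLS towards the Exchange servers: certificates are NOT verified.
    # "none" is also HAProxy's default, so this line only makes it explicit;
    # it leaves the HAProxy -> Exchange leg open to an on-path host that
    # presents an arbitrary certificate. To close that gap, switch to
    # "ssl-server-verify required" and give every "server ... ssl" line a
    # "ca-file" holding the issuing CA, plus "verifyhost <fqdn>" because
    # the servers below are addressed by IP rather than by name.
    ssl-server-verify none

    # Runtime API socket. Anyone who can open it can disable servers,
    # change weights and read state, so the socket is limited to root
    # ("mode 600"). "level operator" is the default, stated explicitly
    # so that nobody raises it to "admin" by accident.
    stats socket /var/run/haproxy.stat mode 600 level operator


#--------------------------
# SSL tuning / hardening
#--------------------------
    # Client-facing TLS. SSLv3 was already disabled; TLS 1.0 and 1.1 are
    # now disabled as well, leaving TLS 1.2 (and newer, if the build
    # supports it). Caveat: old ActiveSync devices and Outlook builds that
    # cannot negotiate TLS 1.2 will stop connecting - check the client
    # inventory before rolling this out.
    ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11
    # The RSA+AES* entries keep non-forward-secret suites available for
    # legacy clients; drop them once those clients are gone.
    ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
    # Server-facing TLS (to Exchange). Exchange 2016 negotiates TLS 1.2,
    # so the same floor applies; should an Exchange host have TLS 1.2
    # disabled, its health checks fail until that is corrected.
    ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11
    ssl-default-server-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
    # Size of the DH parameters used by the DHE suites above (HAProxy's
    # historical default is 1024 bits, which it warns about).
    tune.ssl.default-dh-param 2048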
    
#---------------------------------------------------------------------
# common defaults that all the 'listen' and 'backend' sections will
# use if not designated in their block
#---------------------------------------------------------------------

# Regarding timeout client and timeout server: 
# https://discourse.haproxy.org/t/high-number-of-connection-resets-during-transfers-exchange-2013/1158/4

defaults
    # Layer-7 (HTTP) proxying is the default for every section that follows;
    # the SMTP and IMAPS sections override it with "mode tcp".
    mode                    http
    log                     global
    option                  httplog
    # Skip log entries for connections that never carried any data
    # (monitoring probes, port scans).
    option                  dontlognull
    # Hand the real client address and the original destination to the
    # Exchange servers as request headers.
    option                  forwardfor   header X-Forwarded-For
    option                  originalto
    # When the chosen server cannot be reached, retry on another server
    # instead of sticking to the failed one.
    option                  redispatch
    retries                 3
    # Timeouts. The client/server values are deliberately long: Outlook
    # (MAPI/RPC) and ActiveSync keep connections open for extended periods
    # and short values cause connection resets during transfers.
    timeout http-request    10s
    timeout queue           1m
    timeout connect         10s
    timeout client          15m
    timeout server          15m
    timeout http-keep-alive 10s
    timeout check           10s
    # Per-proxy connection ceiling. No "maxconn" is set in the global
    # section, so the process-wide limit still comes from HAProxy's global
    # default and the system's file-descriptor limits.
    maxconn                 100000


#-------------------------------------------------------
# Stats section
#-------------------------------------------------------

listen stats 
        # HAProxy statistics page.
        # NOTE: this is plain HTTP, and "stats auth" uses HTTP basic
        # authentication, so the credentials travel base64-encoded in the
        # clear. Keep the bind address on a management network, replace the
        # placeholder password, and add "ssl crt ..." to the bind (or put the
        # page behind the TLS frontend) if it must be reached from anywhere
        # less trusted.
        bind 10.20.0.15:8000                 # listening address and port
        stats enable
        stats refresh 30s                    # auto-refresh interval of the page
        stats show-node
        stats auth admin:passwd      # username:password - placeholder value, change it
        stats hide-version                   # do not disclose the HAProxy version
        stats uri  /stats
#       stats   admin if TRUE                # deliberately disabled: would let anyone who authenticates enable/disable servers from the web UI

#---------------------------------------------------------------------
# Main front-end which proxies to the back-ends
#---------------------------------------------------------------------

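frontend fe_ex2016
  # Public HTTPS entry point for all Exchange 2016 client protocols.
  mode http
  bind *:80
  # The crt file must contain the private key followed by the server
  # certificate and its chain; despite the "ca" in the path this is the
  # server certificate, not a CA bundle.
  bind *:443 ssl crt /etc/haproxy/ca/ca.pem
  # Anything arriving in clear text on port 80 is redirected to HTTPS.
  redirect scheme https code 301 if !{ ssl_fc }

  # Response hardening, applied to every backend behind this frontend.
  # HSTS instructs browsers to use HTTPS for this host for one year; it is
  # only meaningful on TLS responses. "includeSubDomains" and "preload"
  # (present in the earlier commented-out line) are left out on purpose:
  # they affect every host under the domain and the preload list cannot be
  # undone quickly.
  http-response set-header Strict-Transport-Security max-age=31536000 if { ssl_fc }
  http-response set-header X-Frame-Options SAMEORIGIN
  http-response set-header X-Content-Type-Options nosniff

  # Routing by Exchange virtual directory. IIS paths are case-insensitive,
  # so match case-insensitively ("-i") instead of enumerating spellings
  # (the earlier list missed variants such as /Owa or /ActiveSync mixed
  # case, which silently fell through to the default backend). path_beg
  # inspects the path only, so a query string never affects the match.
  acl autodiscover path_beg -i /autodiscover
  acl mapi         path_beg -i /mapi
  acl rpc          path_beg -i /rpc
  acl owa          path_beg -i /owa
  acl eas          path_beg -i /microsoft-server-activesync
  acl ecp          path_beg -i /ecp
  acl ews          path_beg -i /ews
  acl oab          path_beg -i /oab

  # Administrative surfaces. /ecp serves the Exchange Admin Center (and
  # also OWA's own options pages, so blocking it outright affects users),
  # and /PowerShell - not matched above, hence handled by be_ex2016 - is
  # the remote PowerShell endpoint. If this frontend is reachable from the
  # Internet, restrict them to trusted source addresses, for example:
  #   http-request deny if { path_beg -i /powershell } !{ src <mgmt-subnet> }

  use_backend be_ex2016_autodiscover if autodiscover
  use_backend be_ex2016_mapi if mapi
  use_backend be_ex2016_rpc if rpc
  use_backend be_ex2016_owa if owa
  use_backend be_ex2016_eas if eas
  use_backend be_ex2016_ecp if ecp
  use_backend be_ex2016_ews if ews
  use_backend be_ex2016_oab if oab
  default_backend be_ex2016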

 

#------------------------------
# Back-end section
#------------------------------

backend be_ex2016_autodiscover
    # Autodiscover virtual directory. Requests stick to a server by client
    # source address.
    mode http
    balance source
    # Probe Exchange's own health page over TLS every 15s; anything other
    # than HTTP 200 removes the node from rotation, and each state change
    # is logged.
    option log-health-checks
    option httpchk GET /autodiscover/healthcheck.htm
    http-check expect status 200
    server EX1_16 10.20.0.16:443 ssl check inter 15s
    server EX2_18 10.20.0.18:443 ssl check inter 15s

backend be_ex2016_mapi
    # MAPI over HTTP (Outlook). Source-address affinity between the two
    # mailbox servers.
    mode http
    balance source
    # Health: GET the MAPI health page over TLS every 15s, expect 200.
    option log-health-checks
    option httpchk GET /mapi/healthcheck.htm
    http-check expect status 200
    server EX1_16 10.20.0.16:443 ssl check inter 15s
    server EX2_18 10.20.0.18:443 ssl check inter 15s

backend be_ex2016_rpc
    # Outlook Anywhere (RPC over HTTP). Source-address affinity.
    mode http
    balance source
    # Health: GET the RPC health page over TLS every 15s, expect 200;
    # up/down transitions are logged.
    option log-health-checks
    option httpchk GET /rpc/healthcheck.htm
    http-check expect status 200
    server EX1_16 10.20.0.16:443 ssl check inter 15s
    server EX2_18 10.20.0.18:443 ssl check inter 15s

backend be_ex2016_owa
    # Outlook Web App. Source-address affinity.
    mode http
    balance source
    # Health: GET the OWA health page over TLS every 15s, expect 200.
    option log-health-checks
    option httpchk GET /owa/healthcheck.htm
    http-check expect status 200
    server EX1_16 10.20.0.16:443 ssl check inter 15s
    server EX2_18 10.20.0.18:443 ssl check inter 15s

backend be_ex2016_eas
    # Exchange ActiveSync (mobile devices). Source-address affinity.
    mode http
    balance source
    # Health: GET the ActiveSync health page over TLS every 15s, expect
    # 200; state changes are logged.
    option log-health-checks
    option httpchk GET /microsoft-server-activesync/healthcheck.htm
    http-check expect status 200
    server EX1_16 10.20.0.16:443 ssl check inter 15s
    server EX2_18 10.20.0.18:443 ssl check inter 15s

backend be_ex2016_ecp
    # Exchange Control Panel: OWA options pages and the Exchange Admin
    # Center share this path. Source-address affinity.
    mode http
    balance source
    # Health: GET the ECP health page over TLS every 15s, expect 200.
    option log-health-checks
    option httpchk GET /ecp/healthcheck.htm
    http-check expect status 200
    server EX1_16 10.20.0.16:443 ssl check inter 15s
    server EX2_18 10.20.0.18:443 ssl check inter 15s

backend be_ex2016_ews
    # Exchange Web Services (free/busy, OOF, third-party integrations).
    # Source-address affinity.
    mode http
    balance source
    # Health: GET the EWS health page over TLS every 15s, expect 200;
    # transitions are logged.
    option log-health-checks
    option httpchk GET /ews/healthcheck.htm
    http-check expect status 200
    server EX1_16 10.20.0.16:443 ssl check inter 15s
    server EX2_18 10.20.0.18:443 ssl check inter 15s

backend be_ex2016_oab
    # Offline Address Book downloads. Source-address affinity.
    mode http
    balance source
    # Health: GET the OAB health page over TLS every 15s, expect 200.
    option log-health-checks
    option httpchk GET /oab/healthcheck.htm
    http-check expect status 200
    server EX1_16 10.20.0.16:443 ssl check inter 15s
    server EX2_18 10.20.0.18:443 ssl check inter 15s

backend be_ex2016
    # Catch-all for paths not matched by an ACL in fe_ex2016 (for example
    # "/" and /PowerShell). No HTTP health check is defined here, so
    # "check" combined with "ssl" only confirms that a TLS handshake with
    # the server succeeds.
    mode http
    balance source
    server EX1_16 10.20.0.16:443 ssl check inter 15s
    server EX2_18 10.20.0.18:443 ssl check inter 15s


frontend fe_exchange_smtp
    # SMTP on the VIP, proxied at layer 4. HAProxy does not terminate TLS
    # here, so any STARTTLS is negotiated end-to-end with Exchange.
    mode tcp
    option tcplog
    bind 10.20.0.15:25 name smtp
    default_backend be_exchange_smtp
 
backend be_exchange_smtp
    # Layer-4 SMTP pool. Because the connection is proxied (no transparent
    # mode), Exchange's receive connector sees the HAProxy host as the
    # peer of every session, not the real client: IP-based relay
    # permissions and connector logging therefore apply to the load
    # balancer's address. Preserving the client address would need
    # "source 0.0.0.0 usesrc clientip" (transparent proxying, which also
    # requires return traffic from Exchange to be routed via this host);
    # that is intentionally not enabled here.
    mode tcp
    option tcplog
    balance source
    option log-health-checks
    # EX2 carries twice the share of new sessions (weight 20 vs 10).
    server EX1_16 10.20.0.16:25 weight 10 check
    server EX2_18 10.20.0.18:25 weight 20 check

# Only port 25 is needed in our case. It is open only towards our Postfix server, which handles outgoing mail (the MTA); in other words, Exchange uses an external send connector.

 
frontend fe_exchange_imaps
    # IMAPS on the VIP, passed through at layer 4. No "ssl crt" on the
    # bind: the TLS session is terminated by Exchange, which presents its
    # own certificate directly to the client.
    mode tcp
    option tcplog
    bind 10.20.0.15:993 name imaps
    default_backend be_exchange_imaps
 
backend be_exchange_imaps
    # Layer-4 IMAPS pool with source-address affinity. Only a TCP connect
    # check is configured; an application-level tcp-check ("* OK" banner
    # after a TLS handshake) would detect a listening-but-broken IMAP
    # service as well. As with SMTP, Exchange sees the HAProxy host, not
    # the client, as the connection source.
    mode tcp
    option tcplog
    balance source
    option log-health-checks
    # EX2 receives twice the share of new sessions (weight 20 vs 10).
    server EX1_16 10.20.0.16:993 weight 10 check
    server EX2_18 10.20.0.18:993 weight 20 check
    
# Added: port 587 (SMTP submission) passthrough
frontend fe_exchange_smtp587
    # Authenticated SMTP submission (port 587) on the VIP, proxied at
    # layer 4; STARTTLS and authentication happen end-to-end with Exchange.
    mode tcp
    option tcplog
    bind 10.20.0.15:587 name Smtp587
    default_backend be_exchange_smtp587
 
backend be_exchange_smtp587
    # Layer-4 submission pool. This port carries client authentication, and
    # Exchange sees the HAProxy host as the source of every session, so any
    # per-client-IP lockout, throttling or audit logging on the connector
    # is applied to the load balancer address rather than to the real
    # client. Transparent proxying ("source 0.0.0.0 usesrc clientip") is
    # intentionally not enabled.
    mode tcp
    option tcplog
    balance source
    option log-health-checks
    # EX2 receives twice the share of new sessions (weight 20 vs 10).
    server EX1_16 10.20.0.16:587 weight 10 check
    server EX2_18 10.20.0.18:587 weight 20 check
