Haproxy For Exchange 2016

帅比萌擦擦* 提交于 2020-01-27 05:36:42

haproxy.conf 的配置文件

#---------------------------------------------------------------------
# Example configuration for a possible web application.  See the
# full configuration options online.
#
#   http://haproxy.1wt.eu/download/1.4/doc/configuration.txt
#
#---------------------------------------------------------------------

#---------------------------------------------------------------------
# Global settings
#---------------------------------------------------------------------

global
    # to have these messages end up in /var/log/haproxy.log you will
    # need to:
    #
    # 1) configure syslog to accept network log events.  This is done
    #    by adding the '-r' option to the SYSLOGD_OPTIONS in
    #    /etc/sysconfig/syslog
    #
    # 2) configure local2 events to go to the /var/log/haproxy.log
    #   file. A line like the following can be added to
    #   /etc/sysconfig/syslog
    #
    #    local2.*                       /usr/local/haproxy/log/haproxy.log
    #
    log         127.0.0.1  local6  info
    chroot      /data/haproxy
    pidfile     /var/run/haproxy.pid
    user        root
    group       root
    daemon
    ssl-server-verify none

    # turn on stats unix socket
    stats socket /var/run/haproxy.stat      


#--------------------------
# SSL tuning / hardening
#--------------------------
    ssl-default-bind-options no-sslv3
    ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
    ssl-default-server-options no-sslv3
    ssl-default-server-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
    tune.ssl.default-dh-param 2048
    
#---------------------------------------------------------------------
# common defaults that all the 'listen' and 'backend' sections will
# use if not designated in their block
#---------------------------------------------------------------------

# Regarding timeout client and timeout server: 
# https://discourse.haproxy.org/t/high-number-of-connection-resets-during-transfers-exchange-2013/1158/4

defaults
    mode                    http
    #mode                    tcp
    log                     global
    option                  httplog
    option                  dontlognull
    #option                  forwardfor   except 127.0.0.0/8 # header X-Client-IP #转发客户IP到后端服务器
    option                  forwardfor   header X-Forwarded-For # header X-Client-IP #转发客户IP到后端服务器
    option                  originalto       #新增
    option                  redispatch
#   option                  contstats 
    retries                 3
    timeout http-request    10s
    timeout queue           1m
    timeout connect         10s
    timeout client          15m # this value should be rather high with Exchange
    timeout server          15m # this value should be rather high with Exchange
    timeout http-keep-alive 10s
    timeout check           10s
    maxconn                 100000


#-------------------------------------------------------
# Stats section
#-------------------------------------------------------

listen stats 
        bind 10.20.0.15:8000                 #监听的ip端口号
        stats enable
        stats refresh 30s                    #统计页面自动刷新时间
        stats show-node
        stats auth admin:sunvalley@2019      #认证用户名和密码
        stats hide-version                   #隐藏HAProxy的版本号
        stats uri  /stats
#       stats   admin if TRUE                #管理界面,如果认证成功了,可通过webui管理节点

#---------------------------------------------------------------------
# Main front-end which proxies to the back-ends
#---------------------------------------------------------------------

frontend fe_ex2016
# http-response set-header Strict-Transport-Security max-age=31536000;\ includeSubdomains;\ preload
  http-response set-header X-Frame-Options SAMEORIGIN
  http-response set-header X-Content-Type-Options nosniff
  mode http
  bind *:80
  bind *:443 ssl crt /etc/haproxy/ca/sunvalley.com.cn.pem  
  redirect scheme https code 301 if !{ ssl_fc }   # redirect 80 -> 443 (for owa)
  acl autodiscover url_beg /Autodiscover
  acl autodiscover url_beg /autodiscover
  acl mapi url_beg /mapi
  acl rpc url_beg /rpc
  acl owa url_beg /owa
  acl owa url_beg /OWA
  acl eas url_beg /Microsoft-Server-ActiveSync
  acl eas url_beg /Microsoft-Server-activeSync
  acl ecp url_beg /ecp
  acl ews url_beg /EWS
  acl ews url_beg /ews
  acl oab url_beg /OAB
  use_backend be_ex2016_autodiscover if autodiscover
  use_backend be_ex2016_mapi if mapi
  use_backend be_ex2016_rpc if rpc
  use_backend be_ex2016_owa if owa
  use_backend be_ex2016_eas if eas
  use_backend be_ex2016_ecp if ecp
  use_backend be_ex2016_ews if ews
  use_backend be_ex2016_oab if oab
  default_backend be_ex2016

 

#------------------------------
# Back-end section
#------------------------------

backend be_ex2016_autodiscover
  mode http
  balance source
  option httpchk GET /autodiscover/healthcheck.htm
  option log-health-checks
  http-check expect status 200
  server EX1_16 10.20.0.16:443 check ssl inter 15s 
  server EX2_18 10.20.0.18:443 check ssl inter 15s 

backend be_ex2016_mapi
  mode http
  balance source
  option httpchk GET /mapi/healthcheck.htm
  option log-health-checks
  http-check expect status 200
  server EX1_16 10.20.0.16:443 check ssl inter 15s 
  server EX2_18 10.20.0.18:443 check ssl inter 15s 

backend be_ex2016_rpc
  mode http
  balance source
  option httpchk GET /rpc/healthcheck.htm
  option log-health-checks
  http-check expect status 200
  server EX1_16 10.20.0.16:443 check ssl inter 15s 
  server EX2_18 10.20.0.18:443 check ssl inter 15s 

backend be_ex2016_owa
  mode http
  balance source
  option httpchk GET /owa/healthcheck.htm
  option log-health-checks
  http-check expect status 200
  server EX1_16 10.20.0.16:443 check ssl inter 15s 
  server EX2_18 10.20.0.18:443 check ssl inter 15s 

backend be_ex2016_eas
  mode http
  balance source
  option httpchk GET /microsoft-server-activesync/healthcheck.htm
  option log-health-checks
  http-check expect status 200
  server EX1_16 10.20.0.16:443 check ssl inter 15s 
  server EX2_18 10.20.0.18:443 check ssl inter 15s 

backend be_ex2016_ecp
  mode http
  balance source
  option httpchk GET /ecp/healthcheck.htm
  option log-health-checks
  http-check expect status 200
  server EX1_16 10.20.0.16:443 check ssl inter 15s 
  server EX2_18 10.20.0.18:443 check ssl inter 15s 

backend be_ex2016_ews
  mode http
  balance source
  option httpchk GET /ews/healthcheck.htm
  option log-health-checks
  http-check expect status 200
  server EX1_16 10.20.0.16:443 check ssl inter 15s 
  server EX2_18 10.20.0.18:443 check ssl inter 15s 

backend be_ex2016_oab
  mode http
  balance source
  option httpchk GET /oab/healthcheck.htm
  option log-health-checks
  http-check expect status 200
  server EX1_16 10.20.0.16:443 check ssl inter 15s 
  server EX2_18 10.20.0.18:443 check ssl inter 15s 

backend be_ex2016
  mode http
  balance source
  server EX1_16 10.20.0.16:443 check ssl inter 15s 
  server EX2_18 10.20.0.18:443 check ssl inter 15s 


frontend fe_exchange_smtp
    mode tcp
    option tcplog
    bind 10.20.0.15:25 name smtp # VIP
    default_backend be_exchange_smtp
 
backend be_exchange_smtp
    mode tcp
    option tcplog
    #balance source
    balance source
    option log-health-checks
    #source 0.0.0.0 usesrc clientip
    server EX1_16 10.20.0.16:25 weight 10 check
    server EX2_18 10.20.0.18:25 weight 20 check

#only port 25 needed in our case. The port is open (only) against our Postfix server, which handles the outgoing mail traffic (MTA). In other words, we're using an external send connector in Exchange.

 
frontend fe_exchange_imaps
    mode tcp
    option tcplog
    bind 10.20.0.15:993 name imaps # ssl crt /etc/ssl/certs/exchange_certificate_and_key_nopassword.pem  <-- No need, certificate is read straight from the Exchange servers.
    default_backend be_exchange_imaps
 
backend be_exchange_imaps
    mode tcp
    #mode http
    option tcplog
#   balance source
    #balance leastconn
    balance source
    option log-health-checks
    #source 0.0.0.0 usesrc clientip
#   stick store-request src
#   stick-table type ip size 200k expire 30m
#   option tcp-check
#   tcp-check connect port 143
#   tcp-check expect string * OK
#   tcp-check connect port 993 ssl
#   tcp-check expect string * OK
    server EX1_16 10.20.0.16:993 weight 10 check
    server EX2_18 10.20.0.18:993 weight 20 check
    
#新增587端口
frontend fe_exchange_smtp587
    mode tcp
    option tcplog
    bind 10.20.0.15:587 name Smtp587
    default_backend be_exchange_smtp587
 
backend be_exchange_smtp587
    mode tcp
    option tcplog
    #balance leastconn
    balance source
    option log-health-checks
    #source 0.0.0.0 usesrc clientip
    server EX1_16 10.20.0.16:587 weight 10 check
    server EX2_18 10.20.0.18:587 weight 20 check

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!