
Haproxy For Exchange 2016

Haproxy For Exchange 2016

天才小廚師楊一 2020-01-08 10:01:37 1206 收藏 1


haproxy.conf 的配置檔案

#---------------------------------------------------------------------

# Example configuration for a possible web application. See the

# full configuration options online.

#

# http://haproxy.1wt.eu/download/1.4/doc/configuration.txt

# Global settings

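global
    # Logging: events are sent to the local syslog daemon on facility local6
    # at level info. To have them end up in a dedicated file:
    #   1) configure syslog to accept network log events, e.g. by adding the
    #      '-r' option to SYSLOGD_OPTIONS in /etc/sysconfig/syslog
    #   2) route the facility used below to a file with a line such as
    #        local6.*    /usr/local/haproxy/log/haproxy.log
    #      (the published comment said local2, which does not match the
    #      facility configured on the 'log' line)
    log 127.0.0.1 local6 info

    chroot /data/haproxy
    pidfile /var/run/haproxy.pid

    # Run the worker as an unprivileged account instead of root. HAProxy binds
    # its listeners and creates the pidfile and stats socket while it is still
    # root, then switches to this user, so ports 25/80/443 keep working.
    # Left as root, the chroot above provides little containment, because a
    # root process is able to leave a chroot. The 'haproxy' account has to
    # exist on the host; create it if the install did not.
    user haproxy
    group haproxy
    daemon

    # NOTE(review): 'none' switches off certificate verification for every
    # 'server ... ssl' line. Traffic to the Exchange servers is encrypted, but
    # the proxy never checks which host answered. The stricter setup is
    # 'ssl-server-verify required' plus 'ca-file <PATH_TO_INTERNAL_CA_BUNDLE>'
    # on the server lines; it is left as published because the page gives no
    # CA bundle path.
    ssl-server-verify none

    # Stats/runtime unix socket, readable and writable by its owner only.
    stats socket /var/run/haproxy.stat mode 600

    #--------------------------
    # SSL tuning / hardening
    # SSLv3, TLS 1.0 and TLS 1.1 are refused on both the client-facing binds
    # and the connections to the backend servers. Remove 'no-tlsv10
    # no-tlsv11' only if a client inventory shows something that cannot
    # negotiate TLS 1.2.
    ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11
    # NOTE(review): cipher lists kept as published. They still admit suites
    # with plain RSA key exchange (RSA+AESGCM, RSA+AES) and CBC-mode AES;
    # consider trimming them to forward-secret AEAD suites once client
    # compatibility has been checked.
    ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
    ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11
    ssl-default-server-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
    # Size of the ephemeral DH parameters used for DHE key exchange.
    tune.ssl.default-dh-param 2048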

# common defaults that all the 'listen' and 'backend' sections will

# use if not designated in their block

# Regarding timeout client and timeout server:

# https://discourse.haproxy.org/t/high-number-of-connection-resets-during-transfers-exchange-2013/1158/4

defaults
    # Every 'listen', 'frontend' and 'backend' section that does not set its
    # own value inherits the settings below, including 'mode http'. Sections
    # that carry non-HTTP traffic (SMTP, IMAPS) need their own 'mode tcp'.
    mode http
    #mode tcp

    # --- logging ---
    log global
    option httplog
    option dontlognull

    # --- client address headers ---
    # Pass the client IP to the backend servers in X-Forwarded-For.
    # NOTE(review): 'option forwardfor' adds a header; it does not remove an
    # X-Forwarded-For value the client sent itself. If anything behind the
    # proxy trusts that header, strip the incoming one first, e.g. with
    # 'http-request del-header X-Forwarded-For' in the frontend.
    #option forwardfor except 127.0.0.0/8 # header X-Client-IP
    option forwardfor header X-Forwarded-For
    # Added: also pass the original destination address (X-Original-To).
    option originalto

    # --- retry behaviour ---
    retries 3
    option redispatch
    # option contstats

    # --- timeouts ---
    # Regarding timeout client and timeout server see the discourse thread
    # linked above this section: both should be rather high with Exchange.
    timeout client 15m
    timeout server 15m
    timeout connect 10s
    timeout check 10s
    timeout queue 1m
    timeout http-request 10s
    timeout http-keep-alive 10s

    # --- limits ---
    # Per-proxy connection limit. NOTE(review): the global section sets no
    # 'maxconn', so the process-wide limit may be lower than this value;
    # confirm against the HAProxy version in use.
    maxconn 100000

#-------------------------------------------------------

# Stats section

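listen stats
    # Listening IP and port of the statistics page. The page is protected by
    # HTTP basic authentication, so it is served over TLS here (reusing the
    # certificate of the main frontend); on a plain HTTP bind the user name
    # and password would cross the network in clear text on every request.
    # The page is then reached as https://10.20.0.15:8000/stats.
    bind 10.20.0.15:8000 ssl crt /etc/haproxy/ca/ca.pem
    stats enable
    stats uri /stats
    # Automatic refresh interval of the statistics page.
    stats refresh 30s
    stats show-node
    # Hide the HAProxy version on the page.
    stats hide-version
    # User name and password for the page. 'admin:passwd' is the sample value
    # from the article: replace it with a strong, unique credential before
    # use. It is stored in clear text in this file, so keep the file readable
    # by root only.
    stats auth admin:passwd
    # Management interface: once enabled, any user who authenticates can
    # change the state of backend servers from the web UI. Left disabled.
    # stats admin if TRUE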

# Main front-end which proxies to the back-ends

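frontend fe_ex2016
    # HTTP/HTTPS entry point for all Exchange web services. TLS is terminated
    # here and each request is routed to a per-service backend by its path.
    mode http
    bind *:80
    bind *:443 ssl crt /etc/haproxy/ca/ca.pem

    # HSTS is left disabled as published. Once enabled, browsers refuse plain
    # HTTP for this host for the max-age period, and 'preload' is hard to
    # withdraw, so enable it only when every name on this certificate is
    # HTTPS-only.
    # http-response set-header Strict-Transport-Security max-age=31536000;\ includeSubdomains;\ preload
    http-response set-header X-Frame-Options SAMEORIGIN
    http-response set-header X-Content-Type-Options nosniff

    # redirect 80 -> 443 (for owa)
    redirect scheme https code 301 if !{ ssl_fc }

    # Path-based service ACLs. 'path_beg -i' matches the path part of the
    # request case-insensitively. The published rules used 'url_beg' with a
    # few hand-written case variants; IIS treats paths case-insensitively, so
    # a request such as /ECP or /Rpc missed its ACL and fell through to the
    # default backend, bypassing the per-service backend and anything attached
    # to that ACL.
    acl autodiscover path_beg -i /autodiscover
    acl mapi         path_beg -i /mapi
    acl rpc          path_beg -i /rpc
    acl owa          path_beg -i /owa
    acl eas          path_beg -i /Microsoft-Server-ActiveSync
    acl ecp          path_beg -i /ecp
    acl ews          path_beg -i /ews
    acl oab          path_beg -i /oab

    # NOTE(review): /ecp is the Exchange admin center. This frontend binds on
    # all addresses, so it is reachable by every client that can reach the
    # proxy. If administration is only done from known networks, restrict it
    # before the routing rules, for example:
    # http-request deny if ecp !{ src <ADMIN_NETWORK_CIDR_PLACEHOLDER> }

    use_backend be_ex2016_autodiscover if autodiscover
    use_backend be_ex2016_mapi if mapi
    use_backend be_ex2016_rpc if rpc
    use_backend be_ex2016_owa if owa
    use_backend be_ex2016_eas if eas
    use_backend be_ex2016_ecp if ecp
    use_backend be_ex2016_ews if ews
    use_backend be_ex2016_oab if oab

    # Anything that matches none of the paths above.
    default_backend be_ex2016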

#------------------------------

# Back-end section

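# One backend per Exchange web service, each with its own health-check URL.
#
# NOTE(review): in the published listing only be_ex2016_autodiscover is
# complete; the other backends show just their 'option httpchk' line and
# be_ex2016 is empty. A backend without 'server' lines answers every request
# with 503, so the remaining lines are repeated below from the autodiscover
# backend. Confirm against the running configuration.
#
# 'check ssl' makes both the health checks and the proxied traffic use TLS
# towards Exchange. With 'ssl-server-verify none' in the global section the
# server certificate is not verified; to authenticate the servers add
# 'verify required ca-file <PATH_TO_INTERNAL_CA_BUNDLE>' to each server line.

backend be_ex2016_autodiscover
    balance source
    option httpchk GET /autodiscover/healthcheck.htm
    option log-health-checks
    http-check expect status 200
    server EX1_16 10.20.0.16:443 check ssl inter 15s
    server EX2_18 10.20.0.18:443 check ssl inter 15s

backend be_ex2016_mapi
    balance source
    option httpchk GET /mapi/healthcheck.htm
    option log-health-checks
    http-check expect status 200
    server EX1_16 10.20.0.16:443 check ssl inter 15s
    server EX2_18 10.20.0.18:443 check ssl inter 15s

backend be_ex2016_rpc
    balance source
    option httpchk GET /rpc/healthcheck.htm
    option log-health-checks
    http-check expect status 200
    server EX1_16 10.20.0.16:443 check ssl inter 15s
    server EX2_18 10.20.0.18:443 check ssl inter 15s

backend be_ex2016_owa
    balance source
    option httpchk GET /owa/healthcheck.htm
    option log-health-checks
    http-check expect status 200
    server EX1_16 10.20.0.16:443 check ssl inter 15s
    server EX2_18 10.20.0.18:443 check ssl inter 15s

backend be_ex2016_eas
    balance source
    option httpchk GET /microsoft-server-activesync/healthcheck.htm
    option log-health-checks
    http-check expect status 200
    server EX1_16 10.20.0.16:443 check ssl inter 15s
    server EX2_18 10.20.0.18:443 check ssl inter 15s

backend be_ex2016_ecp
    balance source
    option httpchk GET /ecp/healthcheck.htm
    option log-health-checks
    http-check expect status 200
    server EX1_16 10.20.0.16:443 check ssl inter 15s
    server EX2_18 10.20.0.18:443 check ssl inter 15s

backend be_ex2016_ews
    balance source
    option httpchk GET /ews/healthcheck.htm
    option log-health-checks
    http-check expect status 200
    server EX1_16 10.20.0.16:443 check ssl inter 15s
    server EX2_18 10.20.0.18:443 check ssl inter 15s

backend be_ex2016_oab
    balance source
    option httpchk GET /oab/healthcheck.htm
    option log-health-checks
    http-check expect status 200
    server EX1_16 10.20.0.16:443 check ssl inter 15s
    server EX2_18 10.20.0.18:443 check ssl inter 15s

# Default backend for requests that match none of the service paths. The page
# gives no health-check URL for it, so the check here is a TLS-level check
# without an HTTP request.
backend be_ex2016
    balance source
    option log-health-checks
    server EX1_16 10.20.0.16:443 check ssl inter 15s
    server EX2_18 10.20.0.18:443 check ssl inter 15s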

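# SMTP (port 25), proxied at TCP level.
frontend fe_exchange_smtp
    mode tcp
    option tcplog
    bind 10.20.0.15:25 name smtp    # VIP
    default_backend be_exchange_smtp

backend be_exchange_smtp
    # The defaults section sets 'mode http'; without an explicit 'mode tcp'
    # this backend would inherit it and handle the SMTP stream as HTTP.
    mode tcp
    # Source-IP hashing: one client address always lands on the same server.
    balance source
    option log-health-checks
    # With the transparent-source line below disabled, Exchange sees the
    # proxy's address as the origin of every SMTP connection.
    # NOTE(review): any receive-connector rule, relay permission or anti-spam
    # decision keyed on client IP then applies to all senders that can reach
    # this VIP, so keep access to 10.20.0.15:25 limited at the network level.
    #source 0.0.0.0 usesrc clientip
    server EX1_16 10.20.0.16:25 weight 10 check
    server EX2_18 10.20.0.18:25 weight 20 check
    # Only port 25 is needed in our case. The port is open (only) against our
    # Postfix server, which handles the outgoing mail traffic (MTA). In other
    # words, we're using an external send connector in Exchange.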

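# IMAPS (port 993), passed through at TCP level. TLS is not terminated on the
# proxy: no certificate is configured on the bind line, the clients negotiate
# TLS directly with the Exchange servers.
frontend fe_exchange_imaps
    # The defaults section sets 'mode http' and 'option httplog'; both have to
    # be overridden here, otherwise the encrypted IMAP stream would be handled
    # as HTTP.
    mode tcp
    option tcplog
    bind 10.20.0.15:993 name imaps    # ssl crt /etc/ssl/certs/exchange_certificate_and_key_nopassword.pem <-- No need, certificate is read straight from the Exchange servers.
    default_backend be_exchange_imaps

backend be_exchange_imaps
    mode tcp
    # Alternatives left disabled by the author: balancing, stickiness and
    # protocol-level health checks.
    # balance source
    #balance leastconn
    # stick store-request src
    # stick-table type ip size 200k expire 30m
    # option tcp-check
    # tcp-check connect port 143
    # tcp-check expect string * OK
    # tcp-check connect port 993 ssl
    # With the tcp-check lines disabled, 'check' is a plain TCP connect to
    # port 993.
    server EX1_16 10.20.0.16:993 weight 10 check
    server EX2_18 10.20.0.18:993 weight 20 check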

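# Added: port 587 (SMTP submission), proxied at TCP level.
frontend fe_exchange_smtp587
    # The defaults section sets 'mode http' and 'option httplog'; both have to
    # be overridden here, otherwise the SMTP stream would be handled as HTTP.
    mode tcp
    option tcplog
    bind 10.20.0.15:587 name Smtp587
    default_backend be_exchange_smtp587

backend be_exchange_smtp587
    mode tcp
    # 'check' is a plain TCP connect to port 587.
    server EX1_16 10.20.0.16:587 weight 10 check
    server EX2_18 10.20.0.18:587 weight 20 check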

————————————————

版權聲明:本文為CSDN部落客「天才小廚師楊一」的原創文章,遵循CC 4.0 BY-SA版權協定,轉載請附上原文出處連結及本聲明。

原文連結:https://blog.csdn.net/qq_39284787/article/details/103886023