How to do L7 load balancing and SSL-offloading of shitty Exchange 2016
global
# Process-wide settings. The TLS defaults below apply to every `bind ... ssl`
# and `server ... ssl` line in this file unless a section overrides them.
# NOTE(review): crt-base points at /etc/letsencrypt/live, but the `crt` paths
# used by the :443 frontend below are absolute (/etc/letsencrypt/certs/...),
# so crt-base has no effect as written — confirm which location is intended.
crt-base /etc/letsencrypt/live
# Lua service that answers Let's Encrypt HTTP-01 challenges; used by the :80 frontend.
lua-load /usr/local/etc/haproxy/acme-http01-webroot.lua
# https://mozilla.github.io/server-side-tls/ssl-config-generator/
# set default parameters to the intermediate configuration
tune.ssl.default-dh-param 2048
# NOTE(review): this list still ends with 3DES suites (DES-CBC3-SHA); later
# revisions of the Mozilla "intermediate" profile dropped them. Keep them only
# if legacy clients that cannot do AES are still expected.
ssl-default-bind-ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
# Only SSLv3 is disabled here; TLS 1.0 and 1.1 remain negotiable. On HAProxy
# 1.8 or newer, `ssl-min-ver TLSv1.2` in this option list would enforce a
# floor — check the installed version and client compatibility first.
ssl-default-bind-options no-sslv3 no-tls-tickets
# Outbound (server-side) TLS defaults. Not exercised by this file: every
# `server` line below talks plain HTTP on port 80.
ssl-default-server-ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
ssl-default-server-options no-sslv3 no-tls-tickets
defaults
# Settings inherited by every frontend and backend below unless overridden there.
mode http
balance leastconn
retries 3
option redispatch
# Connection handling
option http-keep-alive
option prefer-last-server
backlog 10000
default-server inter 15s rise 2 fall 2
# Statistics counters
option contstats
option socket-stats
# Timeouts. The client/server values are deliberately long (presumably for
# Exchange's long-lived client connections); the https frontend lowers the
# client timeout to 600s and most backends lower the server timeout.
timeout connect 5s
timeout http-request 10s
timeout http-keep-alive 1m
timeout queue 60s
timeout tarpit 1m
timeout client 1000s
timeout server 1000s
# Frontends
frontend f_http_1
# Plain-HTTP listener. It only does two things: answer ACME HTTP-01
# challenges and send the two known hosts to HTTPS.
bind 10.200.128.91:80
mode http
timeout http-request 10s
timeout client 10s
acl is_mail_vuk hdr(host) -i mail.example.org
acl is_as_vuk hdr(host) -i autodiscover.example.org
acl url_acme_http01 path_beg /.well-known/acme-challenge/
# Let's Encrypt: challenges are served by the Lua service loaded in global,
# so they never reach Exchange.
http-request use-service lua.acme-http01 if METH_GET url_acme_http01
# Everything else for the two mail hosts goes to https. No default_backend is
# set, so requests for any other Host header are not served from this frontend.
redirect scheme https code 301 if is_mail_vuk
redirect scheme https code 301 if is_as_vuk
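frontend f_https_1
# TLS listener for mail.example.org and autodiscover.example.org. TLS is
# terminated here and requests are routed per Exchange virtual directory to
# plain-HTTP backends (SSL offloading). Note that every backend below points
# at the same server, so backend selection alone never restricts access —
# only the http-request deny rules do.
bind 10.200.128.91:443 ssl crt /etc/letsencrypt/certs/mail.example.org/full.pem crt /etc/letsencrypt/certs/autodiscover.example.org/full.pem
mode http
option http-keep-alive
no option httpclose
no option http-server-close
no option forceclose
no option http-tunnel
timeout client 600s
# Headers captured into the request log line.
capture request header Host len 32
capture request header User-Agent len 64
capture response header Content-Length len 10
maxconn 1000
# Source and host ACLs
acl is_src_is_internal src 10.200.0.0/16
acl is_vuk_mail hdr(host) -i mail.example.org
acl is_vuk_autodiscover hdr(host) -i autodiscover.example.org
# Path ACLs (Exchange virtual directories)
acl is_mail_owa_redir path / /owa
acl is_stats_path path_beg -i /haproxy
acl is_mail_owa path_beg -i /owa
acl is_mail_ecp path_beg -i /ecp
acl is_mail_mapi path_beg -i /mapi
acl is_mail_ews path_beg -i /EWS
acl is_mail_oab path_beg -i /OAB
acl is_mail_microsoft-server-activesync path_beg -i /Microsoft-Server-ActiveSync
acl is_mail_rpc path_beg -i /rpc/rpcproxy.dll
acl is_mail_autodiscover path_beg -i /Autodiscover
acl is_mail_check path_end -i HealthCheck.htm
# HTTP deny rules
# HealthCheck.htm is probed by HAProxy's own httpchk directly against the
# server, so no client needs it through the frontend. Denied for every host
# (previously only mail.example.org, which left the autodiscover host open).
http-request deny if is_mail_check
# ECP is meant to be internal-only (see the use_backend condition below), but
# without this deny an external /ecp request simply fell through to
# bk_mail_common and reached Exchange anyway. OWA's Options pages also live
# under /ecp, so relax this rule if external OWA users need them.
http-request deny if is_vuk_mail is_mail_ecp !is_src_is_internal
# Redirect before any backends
http-request redirect location /owa/ if is_vuk_mail is_mail_owa_redir
# Stats page: internal sources only. bk_hastats has no stats auth, so
# without the source condition it was reachable from anywhere.
use_backend bk_hastats if is_src_is_internal is_stats_path
#
# mail.example.org
#
# OWA
use_backend bk_mail_owa if is_vuk_mail is_mail_owa
# ECP
use_backend bk_mail_ecp if is_vuk_mail is_mail_ecp is_src_is_internal
# mapi
use_backend bk_mail_mapi if is_vuk_mail is_mail_mapi
# ews
use_backend bk_mail_ews if is_vuk_mail is_mail_ews
# ActiveSync
use_backend bk_mail_microsoft-server-activesync if is_vuk_mail is_mail_microsoft-server-activesync
# RPC
use_backend bk_mail_rpc if is_vuk_mail is_mail_rpc
# OAB
use_backend bk_mail_oab if is_vuk_mail is_mail_oab
# autodiscover (why not)
use_backend bk_mail_autodiscover if is_vuk_mail is_mail_autodiscover
# other
use_backend bk_mail_common if is_vuk_mail
#
# autodiscover.example.org
#
use_backend bk_mail_autodiscover if is_vuk_autodiscover is_mail_autodiscover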
# Backends
backend bk_hastats
# Built-in statistics page. No `stats auth` is set here, so whatever
# reaches this backend sees the stats; access control depends entirely on
# the frontend's use_backend condition — confirm it restricts by source.
mode http
stats enable
stats hide-version
stats show-legends
stats uri /haproxy
backend bk_mail_owa
# Outlook Web App. Plain HTTP to Exchange; TLS is offloaded at the frontend.
mode http
balance roundrobin
log global
option httplog
option forwardfor
# Keep-alive end to end; every close/tunnel mode is explicitly switched off.
option http-keep-alive
option prefer-last-server
no option httpclose
no option http-server-close
no option forceclose
no option http-tunnel
# Health probe against the OWA vdir; passes when the response contains "200 OK".
option httpchk GET /owa/HealthCheck.htm
http-check expect string 200 OK
default-server inter 3s rise 2 fall 3
timeout server 60s
server r6-m1-exch1 r6-m1-exch1.r6.loc:80 maxconn 1000 weight 10 check
backend bk_mail_ecp
# Exchange Control Panel. The frontend only routes internal sources here.
mode http
balance roundrobin
log global
option httplog
option forwardfor
# Keep-alive end to end; every close/tunnel mode is explicitly switched off.
option http-keep-alive
option prefer-last-server
no option httpclose
no option http-server-close
no option forceclose
no option http-tunnel
# Health probe against the ECP vdir; passes when the response contains "200 OK".
option httpchk GET /ECP/HealthCheck.htm
http-check expect string 200 OK
default-server inter 3s rise 2 fall 3
timeout server 60s
server r6-m1-exch1 r6-m1-exch1.r6.loc:80 maxconn 1000 weight 10 check
backend bk_mail_mapi
# MAPI over HTTP. Longer server timeout than the other vdirs (600s).
mode http
balance roundrobin
log global
option httplog
option forwardfor
# Keep-alive end to end; every close/tunnel mode is explicitly switched off.
option http-keep-alive
option prefer-last-server
no option httpclose
no option http-server-close
no option forceclose
no option http-tunnel
# Health probe against the MAPI vdir; passes when the response contains "200 OK".
option httpchk GET /mapi/HealthCheck.htm
http-check expect string 200 OK
default-server inter 3s rise 2 fall 3
timeout server 600s
server r6-m1-exch1 r6-m1-exch1.r6.loc:80 maxconn 1000 weight 10 check
backend bk_mail_ews
# Exchange Web Services.
mode http
balance roundrobin
log global
option httplog
option forwardfor
# Keep-alive end to end; every close/tunnel mode is explicitly switched off.
option http-keep-alive
option prefer-last-server
no option httpclose
no option http-server-close
no option forceclose
no option http-tunnel
# Health probe against the EWS vdir; passes when the response contains "200 OK".
option httpchk GET /EWS/HealthCheck.htm
http-check expect string 200 OK
default-server inter 3s rise 2 fall 3
timeout server 60s
server r6-m1-exch1 r6-m1-exch1.r6.loc:80 maxconn 1000 weight 10 check
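backend bk_mail_microsoft-server-activesync
# Exchange ActiveSync (mobile clients).
mode http
balance roundrobin
# `log global` added for consistency with the other mail backends, which all
# pair it with option httplog. NOTE(review): HAProxy emits access logs using
# the frontend's log configuration, and neither frontend declares `log`, so
# confirm that requests are actually being logged at all.
log global
option httplog
option forwardfor
# Keep-alive end to end; every close/tunnel mode is explicitly switched off.
option http-keep-alive
option prefer-last-server
no option httpclose
no option http-server-close
no option forceclose
no option http-tunnel
# Health probe against the ActiveSync vdir; passes when the response contains "200 OK".
option httpchk GET /Microsoft-Server-ActiveSync/HealthCheck.htm
http-check expect string 200 OK
default-server inter 3s rise 2 fall 3
timeout server 60s
server r6-m1-exch1 r6-m1-exch1.r6.loc:80 maxconn 1000 weight 10 check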
backend bk_mail_rpc
# Outlook Anywhere (RPC over HTTP). Longer server timeout (600s), like MAPI.
mode http
balance roundrobin
log global
option httplog
option forwardfor
# Keep-alive end to end; every close/tunnel mode is explicitly switched off.
option http-keep-alive
option prefer-last-server
no option httpclose
no option http-server-close
no option forceclose
no option http-tunnel
# Health probe against the RPC vdir; passes when the response contains "200 OK".
option httpchk GET /RPC/HealthCheck.htm
http-check expect string 200 OK
default-server inter 3s rise 2 fall 3
timeout server 600s
server r6-m1-exch1 r6-m1-exch1.r6.loc:80 maxconn 1000 weight 10 check
backend bk_mail_common
# Catch-all for mail.example.org paths that match no specific vdir.
mode http
balance roundrobin
log global
option httplog
option forwardfor
# Keep-alive end to end; every close/tunnel mode is explicitly switched off.
option http-keep-alive
option prefer-last-server
no option httpclose
no option http-server-close
no option forceclose
no option http-tunnel
# No httpchk here, so `check` on the server line is a plain TCP connect check.
default-server inter 3s rise 2 fall 3
timeout server 60s
server r6-m1-exch1 r6-m1-exch1.r6.loc:80 maxconn 1000 weight 10 check
backend bk_mail_oab
# Offline Address Book downloads.
mode http
balance roundrobin
log global
option httplog
option forwardfor
# Keep-alive end to end; every close/tunnel mode is explicitly switched off.
option http-keep-alive
option prefer-last-server
no option httpclose
no option http-server-close
no option forceclose
no option http-tunnel
# Health probe against the OAB vdir; passes when the response contains "200 OK".
option httpchk GET /OAB/HealthCheck.htm
http-check expect string 200 OK
default-server inter 3s rise 2 fall 3
timeout server 60s
server r6-m1-exch1 r6-m1-exch1.r6.loc:80 maxconn 1000 weight 10 check
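backend bk_mail_autodiscover
# Autodiscover, reached both via mail.example.org/Autodiscover and the
# dedicated autodiscover.example.org host.
mode http
balance roundrobin
# `log global` added for consistency with the other mail backends, which all
# pair it with option httplog. NOTE(review): HAProxy emits access logs using
# the frontend's log configuration, and neither frontend declares `log`, so
# confirm that requests are actually being logged at all.
log global
option httplog
option forwardfor
# Keep-alive end to end; every close/tunnel mode is explicitly switched off.
option http-keep-alive
option prefer-last-server
no option httpclose
no option http-server-close
no option forceclose
no option http-tunnel
# Health probe against the Autodiscover vdir; passes when the response contains "200 OK".
option httpchk GET /Autodiscover/HealthCheck.htm
http-check expect string 200 OK
default-server inter 3s rise 2 fall 3
timeout server 60s
server r6-m1-exch1 r6-m1-exch1.r6.loc:80 maxconn 1000 weight 10 check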