Configure HAProxy 2.0.x to act as an L4 load balancer in front of an Exchange 2016 environment.

option httpchk GET /app/webclock/#/EmployeeLogOn
use_backend internalweb_be if internalweb
redirect scheme https code 301 if ! # redirect 80 -> 443
acl internalweb hdr(host) -i
acl timeplus hdr(host) -i
acl timeplus hdr(host) -i
# tcp-check expect string "* OK The Microsoft Exchange IMAP4 service is ready."
bind 10.y.y.y:443 ssl crt /etc/ssl/REDACTED/wild-REDACTED-com.pem
tcp-check expect string "* OK The Microsoft Exchange IMAP4 service is ready."
use_backend bk_exchange_SMTP_anon if anon_allowed
maxconn 10000 #alctl: connection max (depends on capacity)
default_backend bk_exchange_SSL #alctl: default farm to use
acl anon_allowed src 10.x.x.x 10.x.x.x 10.x.x.x
# http-response set-header X-Content-Type-Options nosniff
# http-response set-header X-Frame-Options SAMEORIGIN
timeout server 1000s #alctl: server inactivity timeout
default-server inter 3s rise 2 fall 3 #alctl: default check parameters
timeout client 1000s #alctl: client inactivity timeout
timeout queue 30s # 30 seconds max queued on load balancer
backlog 10000 # Size of SYN backlog queue
balance roundrobin #alctl: load balancing algorithm
timeout http-request 15s # 15 seconds max for the client to send a request
timeout http-keep-alive 1s # 1 second max for the client to post next request
timeout connect s # 5 seconds max to connect or to stay in queue
retries 3 # Try to connect up to 3 times in case of failure
option contstats # Enable continuous traffic statistics updates
option redispatch # Try another server in case of connection failure
option dontlognull # Do not log connections with no requests
ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http
ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-EC$
stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners

(protocols marked as cannot be specified using 'proto' keyword)
OpenSSL library supports : TLSv1.0 TLSv1.1 TLSv1.2 TLSv1.3
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND
Compression algorithms supported : identity("identity"), deflate("deflate"), raw-deflate("deflate"), gzip("gzip")
Encrypted password support via crypt(3): yes
Built with the Prometheus exporter as a service
OpenSSL library supports TLS extensions : yes
Running on OpenSSL version : OpenSSL 1.1.1
OPTIONS = USE_PCRE2=1 USE_PCRE2_JIT=1 USE_REGPARM=1 USE_OPENSSL=1 USE_LUA=1 USE_ZLIB=1 USE_SYSTEMD=1
Feature list : +EPOLL -KQUEUE -MY_EPOLL -MY_SPLICE +NETFILTER -PCRE -PCRE_JIT +PCRE2 +PCRE2_JIT +POLL -PRIVATE_CACHE +THREAD -PTHREAD_PSHARED +REGPARM -STATIC_PCRE -STATIC_PCRE2 +TPROXY +LINUX_TPROXY +LINUX_SPLICE +LIBCRYPT +CRYPT_H -VSYSCALL +GETADDRINFO +OPENSSL +LUA +FUTEX +ACCEPT4 -MY_ACCEPT4 +ZLIB -SLZ +CPU_AFFINITY +TFO +NS +DL +RT -DEVICEATLAS -51DEGREES -WURFL +SYSTEMD -OBSOLETE_LINKER +PRCTL +THREAD_DUMP -EVPORTS
bufsize = 16384, maxrewrite = 1024, maxpollevents = 200
Built with multi-threading support (MAX_THREADS=64, default=8).
Built with OpenSSL version : OpenSSL 1.1.1
-fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2 -fno-strict-aliasing -Wdeclaration-after-statement -fwrapv -Wno-format-truncation -Wno-unused-label -Wno-sign-compare -Wno-unused-parameter -Wno-old-style-declaration -Wno-ignored-qualifiers -Wno-clobbered -Wno-missing-field-initializers -Wno-implicit-fallthrough -Wno-stringop-overflow -Wtype-limits -Wshift-negative-value -Wshift-overflow=2 -Wduplicated-cond -Wnull-dereference
CFLAGS = -O2 -g -O2 -fdebug-prefix-map=/build/haproxy-TXZjzi/haproxy-2.0.7=.