Good day
I am looking to implement haproxy and could use some help.
Here is the environment:
FQDN: domain.net
ipfire: 192.168.1.1
Web server: web.domain.net at 192.168.1.12 with an A record pointing to www.domain.net
Mail server: mail.domain.net at 192.168.1.11 with an A record pointing to zimbra.domain.net
Currently, I have set up firewall rules to forward ports 80 and 443 to the web server, and SMTP, IMAP, etc. to the mail server.
The mail web client is accessible from http://mail.domain.net (i.e. 192.168.1.11)
My web server is running apache. There I have created a configuration for zimbra (my mail server) which looks like this:
<VirtualHost *:443>
    ServerAlias zimbra.domain.net
    SSLProxyEngine ON
    SSLEngine On
    SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite HIGH:!aNULL:!MD5:!3DES:!RSA:!RC4
    SSLHonorCipherOrder on
    # Note, this is the certificate of the web server
    SSLCertificateFile /ssl2buy/2021/STAR_domain_net.crt
    SSLCertificateKeyFile /ssl2buy/2021/domain.key
    SSLCertificateChainFile /ssl2buy/2021/SectigoRSADomainValidationSecureServerCA.crt
    ProxyPass "/" "http://mail.domain.net/" connectiontimeout=30000 timeout=30000
    ProxyPassReverse "/" "http://mail.domain.net/"
    RewriteRule ^/(.*) http://mail.domain.net/$1 [P]
    ErrorLog "/var/log/httpd/zimbra/zimbra-error.log"
    CustomLog "/var/log/httpd/zimbra/zimbra-custom.log" combined
</VirtualHost>
Everything works as advertised. I can access the zimbra web client by going to: https://zimbra.domain.net
Now I would like to implement haproxy.
Here are the steps which I think I have followed. For testing purposes, I have left the firewall rules in place (i.e. ports 80 & 443 being forwarded to web.domain.net, i.e. 192.168.1.12).
#---------------------------------------------------------------------
# Global settings
#---------------------------------------------------------------------
global
    log 127.0.0.1 local1
    chroot /var/lib/haproxy
    pidfile /var/run/haproxy.pid
    maxconn 4000
    user nobody
    group nobody
    daemon
    # turn on stats unix socket
    stats socket /var/lib/haproxy/stats

#---------------------------------------------------------------------
# common defaults that all the 'listen' and 'backend' sections will
# use if not designated in their block
#---------------------------------------------------------------------
defaults
    mode http
    log global
    option httplog
    option dontlognull
    option http-server-close
    option forwardfor except 127.0.0.0/8
    option redispatch
    retries 3
    timeout http-request 30s
    timeout queue 1m
    timeout connect 10s
    timeout client 1m
    timeout server 1m
    timeout http-keep-alive 10s
    timeout check 10s
    maxconn 3000

listen stats
    bind :9000
    mode http
    stats enable
    stats uri /
    stats auth <username>:<password>
    stats refresh 30

frontend https-in
    bind :2443 ssl crt /etc/haproxy/STAR_domain_net.pem
    acl zimbra_mail hdr(Host) -i zimbra.domain.net
    use_backend zimbra_server if zimbra_mail
    default_backend web_server

backend web_server
    server web.domain.net 192.168.1.12:443

backend zimbra_server
    server mail.domain.net 192.168.1.11:80 send-proxy
Next, I try to access the zimbra server by going to: https://zimbra.domain.net:2443/
but I get: “The connection has timed out”
A tail -f /var/log/haproxy shows this:
Sep 24 09:25:38 localhost haproxy[27654]: Proxy https-in started.
Sep 24 09:25:38 localhost haproxy[27654]: Proxy web_server started.
Sep 24 09:25:38 localhost haproxy[27654]: Proxy zimbra_server started.
What am I doing wrong?
Renato
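Editor's note, added as an example and not part of Renato's post: the haproxy.cfg below is a reworked version of the posted one that addresses the three things in it which will not behave as intended in front of the servers described. First, a browser connecting to a non-default port sends the port in the Host header (`Host: zimbra.domain.net:2443`), so `hdr(Host) -i zimbra.domain.net` never matches and every request falls through to `web_server`; the ACL below strips the port first. Second, `backend web_server` talks to Apache's TLS port 443 but the server line has no `ssl`, so in `mode http` HAProxy sends plaintext HTTP to a TLS socket. Third, `send-proxy` prefixes each connection with a PROXY-protocol header that Zimbra's plain-HTTP listener on port 80 is not configured to read; since `option forwardfor` already carries the client address, it is dropped. Separately, note that the posted ipfire rules forward only 80 and 443, so a test from outside against 2443 never reaches HAProxy at all, which is consistent with a client timeout and a HAProxy log that shows only the "Proxy ... started" lines; test from the LAN or forward 2443 first. Assumptions in this example: HAProxy 1.8 or newer; `/etc/haproxy/STAR_domain_net.pem` is the certificate, the intermediate chain and the private key concatenated in that order; a dedicated `haproxy` system account exists; `/etc/ssl/certs/ca-certificates.crt` is the system CA bundle (path is distribution-specific); and, as the post states, Zimbra serves its web client over plain HTTP on 192.168.1.11:80.

```haproxy
#---------------------------------------------------------------------
# Global settings
#---------------------------------------------------------------------
global
    log 127.0.0.1 local1
    chroot /var/lib/haproxy
    pidfile /var/run/haproxy.pid
    maxconn 4000
    # assumed: a dedicated account rather than the shared "nobody"
    user haproxy
    group haproxy
    daemon
    # admin-level socket: restrict to root
    stats socket /var/lib/haproxy/stats mode 600 level admin
    # same floor as the Apache vhost: no SSLv3, TLS 1.0 or TLS 1.1
    ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
    ssl-default-bind-ciphers ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5:!3DES:!RC4

defaults
    mode http
    log global
    option httplog
    option dontlognull
    option http-server-close
    option forwardfor except 127.0.0.0/8
    option redispatch
    retries 3
    timeout http-request 30s
    timeout queue 1m
    timeout connect 10s
    timeout client 1m
    timeout server 1m
    timeout http-keep-alive 10s
    timeout check 10s
    maxconn 3000

# stats page on localhost only: the basic-auth credentials travel in the clear
listen stats
    bind 127.0.0.1:9000
    mode http
    stats enable
    stats uri /
    stats auth <username>:<password>
    stats refresh 30

frontend https-in
    # PEM assumed to hold cert + chain + key; alpn lets browsers negotiate HTTP/2
    bind :2443 ssl crt /etc/haproxy/STAR_domain_net.pem alpn h2,http/1.1
    # On a non-default port the browser sends "Host: zimbra.domain.net:2443";
    # field(1,:) keeps only the name so the comparison matches.
    acl zimbra_mail req.hdr(host),field(1,:) -i zimbra.domain.net
    # tell both backends the client arrived over TLS
    http-request set-header X-Forwarded-Proto https
    use_backend zimbra_server if zimbra_mail
    default_backend web_server

backend web_server
    # Apache listens for TLS on 443, so re-encrypt and verify its certificate
    # (the wildcard cert covers web.domain.net). ca-file path is an assumption.
    server web 192.168.1.12:443 ssl verify required ca-file /etc/ssl/certs/ca-certificates.crt sni str(web.domain.net) verifyhost web.domain.net check

backend zimbra_server
    # Zimbra's port 80 expects a plain HTTP request, not a PROXY-protocol
    # header, so no send-proxy; the client IP is passed in X-Forwarded-For.
    server mail 192.168.1.11:80 check
```

Once this works from the LAN on 2443, the production change is to move the ipfire forward for 443 to 192.168.1.12 (or wherever HAProxy runs) and change the bind to `:443`; at that point the Apache `zimbra.domain.net` vhost is no longer in the path and can be retired, since HAProxy now terminates TLS for both names. If `verify required` fails to validate Apache's certificate with the assumed CA bundle, fix the bundle path rather than falling back to `verify none`, which silently accepts any certificate on the backend hop.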