Migrating from TMG 2010 to HA-PROXY as a reverse Proxy issues

  • Hello everybody,

    I need some help achieving my goal.
    I'm currently trying to migrate from a Microsoft TMG2010 Setup to using PFSense with HA-PROXY as reverse proxy.
    So far, I managed to make it work when accessing an Apache server on the backend, but I get "HTTP 503" when trying to access some SharePoint backends.

    I followed this tutorial:  https://blog.briantruscott.com/how-to-serve-multiple-domains-from-a-single-public-ip-using-haproxy-on-pfsense/

    So, here are some details:

    OLD Setup:
    Internet --> PFSense with NAT --> TMG2010 --> SharePoint Server

    NEW Setup:
    Internet --> PFSENSE with HAPROXY --> SharePoint Server.

    Here is the HAPROXY configuration:

    Automaticaly generated, dont edit manually.

    Generated on: 2017-07-16 11:40

    maxconn 10
    stats socket /tmp/haproxy.socket level admin
    gid 80
    nbproc 1
    chroot /tmp/haproxy_chroot
    server-state-file /tmp/haproxy_server_state

    listen HAProxyLocalStats
    bind name localstats
    mode http
    stats enable
    stats refresh 10
    stats admin if TRUE
    stats uri /haproxy/haproxy_stats.php?haproxystats=1
    timeout client 5000
    timeout connect 5000
    timeout server 5000

    frontend SharedFrontEnd-merged
    bind WANIP:80 name WANIP:80 
    mode http
    log global
    option http-keep-alive
    option forwardfor
    acl https ssl_fc
    http-request set-header X-Forwarded-Proto http if !https
    http-request set-header X-Forwarded-Proto https if https
    timeout client 30000
    acl SPS2016Blog hdr(host) -i blogspsext.domain.net
    use_backend LookingGlass_http_ipv4  if  LG
    use_backend SPS2016_http_ipv4  if  SPS2016
    use_backend SPS2013Blog_http_ipv4  if  SPS2016Blog

    backend SPS2013Blog_http_ipv4
    mode http
    log global
    timeout connect 30000
    timeout server 30000
    retries 3
    source ipv4@ usesrc clientip
    option httpchk OPTIONS /
    server SPSBLOG check inter 1000

    Thanks a lot for any help provided.

  • OK, I've also done a Fiddler trace and I got:

    GET http://mydomain.com/favicon.ico HTTP/1.1
    Accept: */*
    UA-CPU: AMD64
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
    Host: blogspsext.rachita.net
    DNT: 1
    Connection: Keep-Alive

    HTTP/1.0 503 Service Unavailable
    Cache-Control: no-cache
    Connection: close
    Content-Type: text/html

    503 Service Unavailable

    No server is available to handle this request.

    So it seems it doesn't even reach the backend server.
    Is there any special configuration to use if the backend server should also be accessed internally via a host header?


  • Looks like HAProxy doesn't see the backend endpoint as alive.
    What does it say on the HAProxy -> Status page?

  • In the status page for the SharePoint backend I get: Unauthorized.
    The site on SharePoint does allow anonymous access.
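
As an added illustration (not part of the thread), the script below reproduces what the status page is reporting: HAProxy's default `option httpchk` only counts a 2xx/3xx reply as a passing check, so a backend that answers the `OPTIONS /` probe with 401 is marked DOWN and the frontend returns 503 even though a normal GET would succeed. The backend here is a constructed stand-in that challenges OPTIONS with 401 and serves GET / anonymously; the `expect_status` parameter mirrors the effect of configuring `http-check expect status 401` in the backend.

```python
import socket
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer


class FakeBackend(BaseHTTPRequestHandler):
    """Constructed stand-in for the SharePoint backend: OPTIONS is
    challenged with 401 (Windows auth), GET / is served anonymously."""
    protocol_version = "HTTP/1.0"

    def do_OPTIONS(self):
        self.send_response(401)
        self.send_header("WWW-Authenticate", "NTLM")
        self.end_headers()

    def do_GET(self):
        self.send_response(200)
        self.end_headers()

    def log_message(self, *args):
        pass  # keep the demo output quiet


def start_backend():
    """Bind the fake backend on an ephemeral loopback port; returns the port."""
    srv = ThreadingHTTPServer(("127.0.0.1", 0), FakeBackend)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv.server_address[1]


def httpchk(host, port, method="OPTIONS", uri="/", expect_status=None):
    """Send one HAProxy-style probe ("OPTIONS / HTTP/1.0") and return
    (status_code, up). With expect_status=None the default HAProxy rule
    applies (2xx/3xx = up); otherwise the reply must be in expect_status,
    which is what 'http-check expect status <code>' does."""
    with socket.create_connection((host, port), timeout=2) as s:
        s.sendall(f"{method} {uri} HTTP/1.0\r\n\r\n".encode())
        status_line = s.makefile("rb").readline().decode(errors="replace")
    status = int(status_line.split()[1])
    up = 200 <= status < 400 if expect_status is None else status in expect_status
    return status, up


if __name__ == "__main__":
    port = start_backend()
    print("default OPTIONS probe:", httpchk("127.0.0.1", port))            # (401, False)
    print("GET probe:            ", httpchk("127.0.0.1", port, method="GET"))  # (200, True)
    print("expect status 401:    ", httpchk("127.0.0.1", port, expect_status={401}))  # (401, True)
```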