Netgate Discussion Forum

Migrating from TMG 2010 to HA-PROXY as a reverse Proxy issues

  • P
    pbnet
    last edited by Jul 16, 2017, 8:58 AM

    Hello everybody,

    I would need some help achieving my goal.
    I'm currently trying to migrate from a Microsoft TMG2010 Setup to using PFSense with HA-PROXY as reverse proxy.
    So far, I managed to make it work when accessing an Apache server on the backend, but I get "HTTP 503" when trying to access some SharePoint backends.

    I followed this tutorial:  https://blog.briantruscott.com/how-to-serve-multiple-domains-from-a-single-public-ip-using-haproxy-on-pfsense/

    So, here are some details:

    OLD Setup:
    Internet --> PFSense with NAT --> TMG2010 --> SharePoint Server

    NEW Setup:
    Internet --> PFSENSE with HAPROXY --> SharePoint Server.

    Here is the HAPROXY configuration

    # Automaticaly generated, dont edit manually.
    # Generated on: 2017-07-16 11:40
    global
        maxconn 10
        stats socket /tmp/haproxy.socket level admin
        gid 80
        nbproc 1
        chroot /tmp/haproxy_chroot
        daemon
        server-state-file /tmp/haproxy_server_state

    listen HAProxyLocalStats
        bind 127.0.0.1:2200 name localstats
        mode http
        stats enable
        stats refresh 10
        stats admin if TRUE
        stats uri /haproxy/haproxy_stats.php?haproxystats=1
        timeout client 5000
        timeout connect 5000
        timeout server 5000

    frontend SharedFrontEnd-merged
        bind WANIP:80 name WANIP:80
        mode http
        log global
        option http-keep-alive
        option forwardfor
        acl https ssl_fc
        http-request set-header X-Forwarded-Proto http if !https
        http-request set-header X-Forwarded-Proto https if https
        timeout client 30000
        acl SPS2016Blog hdr(host) -i blogspsext.domain.net
        use_backend LookingGlass_http_ipv4  if  LG
        use_backend SPS2016_http_ipv4  if  SPS2016
        use_backend SPS2013Blog_http_ipv4  if  SPS2016Blog

    backend SPS2013Blog_http_ipv4
        mode http
        log global
        timeout connect 30000
        timeout server 30000
        retries 3
        source ipv4@ usesrc clientip
        option httpchk OPTIONS /
        server SPSBLOG 172.17.77.253:80 check inter 1000

    Thanks a lot for any help provided.

    • P
      pbnet
      last edited by Jul 16, 2017, 9:34 AM

      OK, I've also done a Fiddler trace and I got:

      GET http://mydomain.com/favicon.ico HTTP/1.1
      Accept: */*
      UA-CPU: AMD64
      Accept-Encoding: gzip, deflate
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
      Host: blogspsext.rachita.net
      DNT: 1
      Connection: Keep-Alive

      HTTP/1.0 503 Service Unavailable
      Cache-Control: no-cache
      Connection: close
      Content-Type: text/html

      503 Service Unavailable

      No server is available to handle this request.

      So it seems it doesn't even reach the backend server.
      Is there any special configuration to use if the backend server should also be accessed internally via a host header?

      Thanks.

      • S
        Soyokaze
        last edited by Jul 16, 2017, 1:28 PM

        Looks like HAProxy doesn't see the backend endpoint as alive.
        What does it say on the HAProxy -> Status page?

        • P
          pbnet
          last edited by Jul 16, 2017, 3:40 PM

          In the status page for the SharePoint backend I get: Unauthorized.
          The site on SharePoint does allow anonymous access.

          Thanks
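
Added example (not part of any post in this thread): a small probe that sends the same request `option httpchk OPTIONS /` generates and applies HAProxy's default pass rule (2xx/3xx), so the "Unauthorized" health-check result can be reproduced outside HAProxy. The function names are hypothetical, `SITE_HOST` is taken from the frontend ACL in the first post, and the local server that answers 401 unless the Host header matches is a constructed stand-in so the demo runs offline, not a statement of how SharePoint behaves.

```python
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

SITE_HOST = "blogspsext.domain.net"  # host name from the frontend ACL in the post

def build_check(host_header=None):
    """Probe bytes: 'option httpchk OPTIONS /' sends HTTP/1.0 with no Host header."""
    if host_header is None:
        return b"OPTIONS / HTTP/1.0\r\n\r\n"
    return f"OPTIONS / HTTP/1.1\r\nHost: {host_header}\r\nConnection: close\r\n\r\n".encode()

def verdict(status):
    """HAProxy's default httpchk rule: 2xx and 3xx are healthy, anything else is down."""
    return "UP" if 200 <= status < 400 else "DOWN"

def probe(addr, port, host_header=None, timeout=3.0):
    """Send the check to addr:port and return (status_code, verdict)."""
    with socket.create_connection((addr, port), timeout=timeout) as s:
        s.sendall(build_check(host_header))
        line = s.makefile("rb").readline()  # e.g. b"HTTP/1.1 401 Unauthorized\r\n"
    parts = line.split()
    status = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else 0
    return status, verdict(status)

class HostBoundSite(BaseHTTPRequestHandler):
    """Constructed stand-in backend (assumption): 401 unless Host matches SITE_HOST."""
    def do_OPTIONS(self):
        self.send_response(200 if self.headers.get("Host") == SITE_HOST else 401)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass

def demo():
    srv = HTTPServer(("127.0.0.1", 0), HostBoundSite)  # port 0: pick a free port
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    port = srv.server_address[1]
    try:
        return probe("127.0.0.1", port), probe("127.0.0.1", port, SITE_HOST)
    finally:
        srv.shutdown()
        srv.server_close()

if __name__ == "__main__":
    print(demo())
```

Running `probe()` against the backend address from the post (172.17.77.253, port 80) with and without the Host argument shows which form of the check the server rejects.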
