I used HAProxy on a separate member server to distribute the requests from the internet to other member servers.
This works fine until a direct call to a path on the target is required.
This is for example the case with Kopano, which web interface is called locally with

http://ucs-xxxx.my.domain.de/kopano

But with HAProxy it´s not possible to use this syntax:

…
backend kopano
redirect scheme https if! {ssl_fc}
server kopano ucs-xxxx.my.domain.com:443/webapp ssl verify none check
…

because the “/ webapp” is cut off by HAProxy and as a result the Univention portal is displayed.
Without port HAProxy does not even start.

Same problem also appears with Nextcloud.

Is there a solution for config inside HAProxy or must I set up on the respective member server a “reverse proxy” option in the Apache config (see here) ?

Hi @Knappe,

my two cents:

• is /webapp ‘cut off’ by HAproxy or is it redirected on the backend?
• how do you check on the frontend?

Best,
Bernd

it looks like it’s being cut off by HAProxy.

Here /var/log/haprox.log with access from an iPhone with the url “webmail.domain.de”:

Nov 15 14:14:07 ucs-XXXX haproxy[21476]: 109.41.0.249:23197 [15/Nov/2019:14:14:07.661] https-in~ kopano_servers/kopano 0/0/3/88/91 200 232 - - ---- 1/1/0/1/0 0/0 “POST /Microsoft-Server-ActiveSync?User=name_of_iphone_user&DeviceId=7I9J1NKPGT34324D62051FAS80&DeviceType=iPhone&Cmd=Sync HTTP/1.1”
Nov 15 14:14:08 ucs-XXXX haproxy[21476]: 109.41.0.249:24394 [15/Nov/2019:14:14:08.180] https-in~ kopano_servers/kopano 0/0/1/271/272 200 296 - - ---- 1/1/0/1/0 0/0 “POST /Microsoft-Server-ActiveSync?User=name_of_iphone_user&DeviceId=7I9J1NKPGT34324D62051FAS80&DeviceType=iPhone&Cmd=FolderSync HTTP/1.1”
Nov 15 14:14:33 ucs-XXXX haproxy[21476]: 109.41.0.249:5348 [15/Nov/2019:14:14:09.553] https-in~ kopano_servers/kopano 0/0/3/24076/24079 200 258 - - ---- 1/1/0/1/0 0/0 “POST /Microsoft-Server-ActiveSync?User=name_of_iphone_user&DeviceId=7I9J1NKPGT34324D62051FAS80&DeviceType=iPhone&Cmd=Ping HTTP/1.1”
Nov 15 14:14:34 ucs-XXXX haproxy[21476]: 109.41.0.249:31467 [15/Nov/2019:14:14:34.859] https-in~ kopano_servers/kopano 0/0/2/101/103 200 375 - - ---- 1/1/0/1/0 0/0 “POST /Microsoft-Server-ActiveSync?User=name_of_iphone_user&DeviceId=7I9J1NKPGT34324D62051FAS80&DeviceType=iPhone&Cmd=Sync HTTP/1.1”
Nov 15 14:14:35 ucs-XXXX haproxy[21476]: 109.41.0.249:3026 [15/Nov/2019:14:14:35.281] https-in~ kopano_servers/kopano 0/0/0/83/83 200 305 - - ---- 1/1/0/1/0 0/0 “POST /Microsoft-Server-ActiveSync?User=name_of_iphone_user&DeviceId=7I9J1NKPGT34324D62051FAS80&DeviceType=iPhone&Cmd=Sync HTTP/1.1”
Nov 15 14:14:35 ucs-XXXX haproxy[21476]: 109.41.0.249:20441 [15/Nov/2019:14:14:35.721] https-in~ kopano_servers/kopano 0/0/0/70/70 200 232 - - ---- 1/1/0/1/0 0/0 “POST /Microsoft-Server-ActiveSync?User=name_of_iphone_user&DeviceId=7I9J1NKPGT34324D62051FAS80&DeviceType=iPhone&Cmd=Sync HTTP/1.1”
Nov 15 14:14:44 ucs-XXXX haproxy[21476]: 109.41.0.249:24110 [15/Nov/2019:14:14:36.900] https-in~ kopano_servers/kopano 0/0/2/8064/8066 200 258 - - ---- 1/1/0/1/0 0/0 “POST /Microsoft-Server-ActiveSync?User=name_of_iphone_user&DeviceId=7I9J1NKPGT34324D62051FAS80&DeviceType=iPhone&Cmd=Ping HTTP/1.1”
Nov 15 14:14:46 ucs-XXXX haproxy[21476]: 109.41.0.249:7721 [15/Nov/2019:14:14:45.880] https-in~ kopano_servers/kopano 0/0/2/139/141 200 434 - - ---- 1/1/0/1/0 0/0 “POST /Microsoft-Server-ActiveSync?User=name_of_iphone_user&DeviceId=7I9J1NKPGT34324D62051FAS80&DeviceType=iPhone&Cmd=Sync HTTP/1.1”
Nov 15 14:14:46 ucs-XXXX haproxy[21476]: 109.41.0.249:19717 [15/Nov/2019:14:14:46.365] https-in~ kopano_servers/kopano 0/0/1/83/84 200 305 - - ---- 1/1/0/1/0 0/0 “POST /Microsoft-Server-ActiveSync?User=name_of_iphone_user&DeviceId=7I9J1NKPGT34324D62051FAS80&DeviceType=iPhone&Cmd=Sync HTTP/1.1”
Nov 15 14:14:46 ucs-XXXX haproxy[21476]: 109.41.0.249:16386 [15/Nov/2019:14:14:46.758] https-in~ kopano_servers/kopano 0/0/3/69/72 200 232 - - ---- 1/1/0/1/0 0/0 “POST /Microsoft-Server-ActiveSync?User=name_of_iphone_user&DeviceId=7I9J1NKPGT34324D62051FAS80&DeviceType=iPhone&Cmd=Sync HTTP/1.1”
Nov 15 14:14:51 ucs-XXXX haproxy[21476]: 109.41.0.249:7782 [15/Nov/2019:14:14:47.798] https-in~ kopano_servers/kopano 0/0/1/3902/3903 200 258 - - ---- 1/1/0/1/0 0/0 “POST /Microsoft-Server-ActiveSync?User=name_of_iphone_user&DeviceId=7I9J1NKPGT34324D62051FAS80&DeviceType=iPhone&Cmd=Ping HTTP/1.1”
Nov 15 14:14:52 ucs-XXXX haproxy[21476]: 109.41.0.249:21518 [15/Nov/2019:14:14:52.202] https-in~ kopano_servers/kopano 0/0/3/64/67 200 365 - - ---- 1/1/0/1/0 0/0 “POST /Microsoft-Server-ActiveSync?User=name_of_iphone_user&DeviceId=7I9J1NKPGT34324D62051FAS80&DeviceType=iPhone&Cmd=Sync HTTP/1.1”
Nov 15 14:14:52 ucs-XXXX haproxy[21476]: 109.41.0.249:28322 [15/Nov/2019:14:14:52.553] https-in~ kopano_servers/kopano 0/0/0/108/108 200 305 - - ---- 1/1/0/1/0 0/0 “POST /Microsoft-Server-ActiveSync?User=name_of_iphone_user&DeviceId=7I9J1NKPGT34324D62051FAS80&DeviceType=iPhone&Cmd=Sync HTTP/1.1”
Nov 15 14:14:53 ucs-XXXX haproxy[21476]: 109.41.0.249:22959 [15/Nov/2019:14:14:52.943] https-in~ kopano_servers/kopano 0/0/3/63/66 200 232 - - ---- 1/1/0/1/0 0/0 “POST /Microsoft-Server-ActiveSync?User=name_of_iphone_user&DeviceId=7I9J1NKPGT34324D62051FAS80&DeviceType=iPhone&Cmd=Sync HTTP/1.1”
Nov 15 14:15:11 ucs-XXXX haproxy[21476]: 37.49.230.18:50675 [15/Nov/2019:14:15:11.020] http-in portal_servers/ 0/-1/-1/-1/0 302 116 - - LR-- 1/0/0/0/3 0/0 “HEAD /robots.txt HTTP/1.0”
Nov 15 14:15:44 ucs-XXXX haproxy[21476]: 109.41.0.249:2029 [15/Nov/2019:14:14:54.215] https-in~ kopano_servers/kopano 0/0/0/-1/50003 504 195 - - sH-- 0/0/0/0/0 0/0 “POST /Microsoft-Server-ActiveSync?User=name_of_iphone_user&DeviceId=7I9J1NKPGT34324D62051FAS80&DeviceType=iPhone&Cmd=Ping HTTP/1.1”
Nov 15 14:16:30 ucs-XXXX haproxy[21476]: 109.41.0.249:13078 [15/Nov/2019:14:16:30.560] https-in~ samba_servers/samba 0/0/3/25/28 200 457 - - ---- 1/1/0/0/0 0/0 “POST /univention/get/session-info HTTP/1.1”
Nov 15 14:16:47 ucs-XXXX haproxy[21476]: 109.41.0.249:12427 [15/Nov/2019:14:16:47.075] https-in~ kopano_servers/kopano 0/0/2/3/5 302 547 - - ---- 1/1/0/1/0 0/0 “GET / HTTP/1.1”
Nov 15 14:16:47 ucs-XXXX haproxy[21476]: 109.41.0.249:12427 [15/Nov/2019:14:16:47.154] https-in~ kopano_servers/kopano 0/0/1/2/3 302 769 - - ---- 1/1/0/1/0 0/0 “GET /univention/ HTTP/1.1”
Nov 15 14:16:47 ucs-XXXX haproxy[21476]: 109.41.0.249:12427 [15/Nov/2019:14:16:47.235] https-in~ kopano_servers/kopano 0/0/1/5/6 200 1639 - - ---- 1/1/0/1/0 0/0 “GET /univention/portal/ HTTP/1.1”
Nov 15 14:16:47 ucs-XXXX haproxy[21476]: 109.41.0.249:12427 [15/Nov/2019:14:16:47.357] https-in~ kopano_servers/kopano 0/0/1/2/3 304 230 - - ---- 1/1/0/1/0 0/0 “GET /univention/portal/portal.css HTTP/1.1”
Nov 15 14:16:47 ucs-XXXX haproxy[21476]: 109.41.0.249:7376 [15/Nov/2019:14:16:47.517] https-in~ kopano_servers/kopano 0/0/1/2/3 403 940 - - ---- 3/3/0/1/0 0/0 “GET /univention/portal/custom.css HTTP/1.1”
Nov 15 14:16:47 ucs-XXXX haproxy[21476]: 109.41.0.249:4805 [15/Nov/2019:14:16:47.529] https-in~ kopano_servers/kopano 0/0/1/1/2 200 2475 - - ---- 3/3/0/0/0 0/0 “GET /univention/js/config.js HTTP/1.1”
Nov 15 14:16:47 ucs-XXXX haproxy[21476]: 109.41.0.249:7376 [15/Nov/2019:14:16:47.741] https-in~ kopano_servers/kopano 0/0/0/1/1 200 513 - - ---- 3/3/1/2/0 0/0 “GET /univention/languages.json?v=2.0.2-4 HTTP/1.1”
Nov 15 14:16:47 ucs-XXXX haproxy[21476]: 109.41.0.249:7376 [15/Nov/2019:14:16:47.811] https-in~ kopano_servers/kopano 0/0/1/1/2 200 461 - - ---- 3/3/1/2/0 0/0 “GET /univention/js/umc/i18n/de/branding.json?v=2.0.2-4 HTTP/1.1”
Nov 15 14:16:47 ucs-XXXX haproxy[21476]: 109.41.0.249:4805 [15/Nov/2019:14:16:47.814] https-in~ kopano_servers/kopano 0/0/1/1/2 200 29082 - - ---- 3/3/1/2/0 0/0 “GET /univention/js/umc/i18n/de/app.json?v=2.0.2-4 HTTP/1.1”
Nov 15 14:16:47 ucs-XXXX haproxy[21476]: 109.41.0.249:7376 [15/Nov/2019:14:16:47.877] https-in~ kopano_servers/kopano 0/0/1/8/9 200 502 - - ---- 3/3/1/2/0 0/0 “GET /univention/js/dojo/resources/blank.gif?v=2.0.2-4 HTTP/1.1”
Nov 15 14:16:47 ucs-XXXX haproxy[21476]: 109.41.0.249:15523 [15/Nov/2019:14:16:47.982] https-in~ kopano_servers/kopano 0/0/1/2/3 200 3624 - - ---- 5/5/1/1/0 0/0 “GET /univention/login/i18n/de/main.json?v=2.0.2-4 HTTP/1.1”
Nov 15 14:16:48 ucs-XXXX haproxy[21476]: 109.41.0.249:12427 [15/Nov/2019:14:16:47.737] https-in~ kopano_servers/kopano 0/0/3/280/283 200 952 - - ---- 5/5/0/0/0 0/0 “GET /univention/get/meta?v=2.0.2-4 HTTP/1.1”
Nov 15 14:16:48 ucs-XXXX haproxy[21476]: 109.41.0.249:6567 [15/Nov/2019:14:16:48.041] https-in~ kopano_servers/kopano 0/0/1/1/2 200 1418 - - ---- 5/5/0/1/0 0/0 “GET /favicon.ico HTTP/1.1”
Nov 15 14:16:48 ucs-XXXX haproxy[21476]: 109.41.0.249:12427 [15/Nov/2019:14:16:48.089] https-in~ kopano_servers/kopano 0/0/1/1/2 200 623 - - ---- 5/5/0/1/0 0/0 “GET /univention/js/umc/hooks.json?v=2.0.2-4 HTTP/1.1”
Nov 15 14:16:48 ucs-XXXX haproxy[21476]: 109.41.0.249:7376 [15/Nov/2019:14:16:48.116] https-in~ kopano_servers/kopano 0/0/1/5/6 401 446 - - ---- 5/5/0/1/0 0/0 “POST /univention/get/session-info HTTP/1.1”
Nov 15 14:16:48 ucs-XXXX haproxy[21476]: 109.41.0.249:15523 [15/Nov/2019:14:16:48.145] https-in~ kopano_servers/kopano 0/0/0/4/4 200 1418 - - ---- 5/5/2/3/0 0/0 “GET /univention/portal/apps.json?v=2.0.2-4 HTTP/1.1”
Nov 15 14:16:48 ucs-XXXX haproxy[21476]: 109.41.0.249:12427 [15/Nov/2019:14:16:48.147] https-in~ kopano_servers/kopano 0/0/2/1/3 200 4348 - - ---- 5/5/1/1/0 0/0 “GET /univention/portal/i18n/de/main.json?v=2.0.2-4 HTTP/1.1”
Nov 15 14:16:48 ucs-XXXX haproxy[21476]: 109.41.0.249:7376 [15/Nov/2019:14:16:48.181] https-in~ kopano_servers/kopano 0/0/1/1/2 200 916 - - ---- 5/5/1/2/0 0/0 “GET /univention/js/umc/hooks/i18n/de/passwordchange.json?v=2.0.2-4 HTTP/1.1”
Nov 15 14:16:48 ucs-XXXX haproxy[21476]: 109.41.0.249:4805 [15/Nov/2019:14:16:48.145] https-in~ kopano_servers/kopano 0/0/0/56/56 200 3274 - - ---- 5/5/1/1/0 0/0 “GET /univention/portal/portal.json?v=2.0.2-4 HTTP/1.1”
Nov 15 14:16:48 ucs-XXXX haproxy[21476]: 109.41.0.249:15523 [15/Nov/2019:14:16:48.197] https-in~ kopano_servers/kopano 0/0/1/64/65 302 9903 - - ---- 5/5/0/0/0 0/0 “GET /univention/saml/iframe/ HTTP/1.1”
Nov 15 14:16:48 ucs-XXXX haproxy[21476]: 109.41.0.249:7376 [15/Nov/2019:14:16:48.286] https-in~ kopano_servers/kopano 0/0/1/1/2 304 231 - - ---- 5/5/2/3/0 0/0 “GET /univention/portal/icons/entries/kopano-webapp.svg HTTP/1.1”
Nov 15 14:16:48 ucs-XXXX haproxy[21476]: 109.41.0.249:4805 [15/Nov/2019:14:16:48.286] https-in~ kopano_servers/kopano 0/0/1/2/4 200 2993 - - ---- 5/5/1/1/0 0/0 “GET /univention/js/dijit/themes/umc/images/ucs_logo_gray.svg HTTP/1.1”
Nov 15 14:16:48 ucs-XXXX haproxy[21476]: 109.41.0.249:15523 [15/Nov/2019:14:16:48.333] https-in~ kopano_servers/kopano 0/0/0/1/1 304 232 - - ---- 5/5/1/2/0 0/0 “GET /univention/portal/icons/entries/umc-local.svg HTTP/1.1”
Nov 15 14:16:48 ucs-XXXX haproxy[21476]: 109.41.0.249:7376 [15/Nov/2019:14:16:48.354] https-in~ kopano_servers/kopano 0/0/1/1/2 304 232 - - ---- 5/5/1/2/0 0/0 “GET /univention/portal/icons/entries/ucs-local-to-domain.svg HTTP/1.1”
Nov 15 14:16:48 ucs-XXXX haproxy[21476]: 109.41.0.249:12427 [15/Nov/2019:14:16:48.269] https-in~ kopano_servers/kopano 0/0/0/147/147 200 357 - - ---- 5/5/0/1/0 0/0 “POST /univention/get/modules HTTP/1.1”
Nov 15 14:17:01 ucs-XXXX haproxy[21476]: 109.41.0.249:18613 [15/Nov/2019:14:17:01.061] https-in~ samba_servers/samba 0/0/2/4/6 200 457 - - ---- 2/2/0/0/0 0/0 “POST /univention/get/session-info HTTP/1.1”

Here is an exerp from the haprox.cfg:

# # Start manual additions - proxy section

frontend http-in
bind 192.168.x.xx:80
reqadd X-Forwarded-Proto:\ http

# Define hosts

acl host_kopano hdr(host) -i webmail.domain.de
….

figure out which one to use

use_backend kopano_servers if host_kopano
….
default_backend portal_servers

frontend https-in
bind 192.168.x.xx:443 ssl crt /etc/haproxy/cert/haproxy.pem
reqadd X-Forwarded-Proto:\ https
…
# Define hosts
acl host_kopano hdr(host) -i webmail.domain.de
…
## figure out which one to use
use_backend kopano_servers if host_kopano

default_backend portal_servers

backend kopano_servers
redirect scheme https if !{ ssl_fc }
server kopano ucs-XXXX.internal.domain.de:443/webapp/index.php ssl verify none check
…
backend portal_servers
redirect scheme https if !{ ssl_fc }
server portal ucs-YYYY.internal.domain.de:443 ssl verify none check

End manual additions - proxy section

Puh, those logs are hard to read… But if I get it right, then HAproxy is telling here http-error 504 so: timeout.
This would lead to the question: is the kopano backend well defined? Did you try it without /index.php ? (actually this was the solution in the thread you linked…

?

It’s been a while since I had to build an haproxy config, but are you supposed to have the full url in the backend server statement?

If it were me, I’d start by just using the server and port number on the backend server statement and see what that got me.

server kopano ucs-XXXX.internal.domain.de:443 ssl verify none check

Then if that wasn’t working I’d look at the actual urls that get requested and see if I needed some specific rewrite or something. If you do have multiple backend servers I’d suspect you also need some way of making the clients stick to a specific backend. Maybe a cookie insert or something. You should be able to find that info pretty easily if you google it or search the docs.

The hole path in the dest url is ignored (or cutted) and the dest member server rewrite the url
from

“webmail.domain.de”
to
“webmail.domain.de/univention/portal/”
(seen in the Apache access.log on the dest server.

I don´t think that cookie settings is the solution, because the first access went wrong.

It would be better I think if the log showed the first access to the web portal for kopano. ActiveSync access has it’s own potential issues.

So I would try logging in from outside with the same url the portal link has using the server line in the config without the path as I mentioned above.

That should bypass the portal page redirection you should get if you try using just the servername to login with from the browser.

If this doesn’t make sense, then I think it would be best to post the steps you are actually using to test with. If we don’t have the exact details we have to make a bunch of assumptions about how you’re testing to fill in the gaps and that is prone to error.

It would be better I think if the log showed the first access to the web portal for kopano. ActiveSync access has it’s own potential issues

the log show the first access.

I tested the url

https://webmail.domain.de

on the iPhone with following combinations in the backend section:

server kopano ucs-XXXX.my.domain.de:443 ssl verify none check
server kopano ucs-XXXX.my.domain.de:443/webapp/ ssl verify none check
server kopano ucs-XXXX.my.domain.de:443/webapp/index.php ssl verify none check

For all variants, the result is the portal page of the target server and the entries in the pasted log are all the same.

As a supplement here are the first entries of the Apache access.log from the destination server:

192.168.xx.yy - - [15/Nov/2019:22:57:07 +0100] “GET / HTTP/1.1” 302 4094 “-” “Mozilla/5.0 (iPhone; CPU iPhone OS 12_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.1.2 Mobile/15E148 Safari/604.1”
192.168.xx.yy - - [15/Nov/2019:22:57:07 +0100] “GET /univention/ HTTP/1.1” 302 935 “-” “Mozilla/5.0 (iPhone; CPU iPhone OS 12_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.1.2 Mobile/15E148 Safari/604.1”
192.168.xx.yy - - [15/Nov/2019:22:57:07 +0100] “GET /univention/portal/ HTTP/1.1” 200 1805 “-” “Mozilla/5.0 (iPhone; CPU iPhone OS 12_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.1.2 Mobile/15E148 Safari/604.1”
192.168.xx.yy - - [15/Nov/2019:22:57:07 +0100] “GET /univention/portal/portal.css HTTP/1.1” 304 396 “https://webmail.domain.de/univention/portal/” “Mozilla/5.0 (iPhone; CPU iPhone OS 12_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.1.2 Mobile/15E148 Safari/604.1”
192.168.xx.yy - - [15/Nov/2019:22:57:07 +0100] “GET /univention/js/config.js HTTP/1.1” 200 6080 “https://webmail.domain.de/univention/portal/” “Mozilla/5.0 (iPhone; CPU iPhone OS 12_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.1.2 Mobile/15E148 Safari/604.1”
…

The destination member server is used for Kopano, Nextcloud and a lot of Samba shares.

If I use the url

https://webmail.domain.de/webapp/index.php"

on the iPhone, Kopano is started directly (as exspected without the path) !?!

In this case: haproxy.log

Nov 15 23:01:47 ucs-XXXX haproxy[16244]: 109.41.0.118:1776 [15/Nov/2019:23:01:47.833] https-in~ kopano_servers/kopano 0/0/3/5/9 200 5412 - - ---- 1/1/0/0/0 0/0 “GET /webapp/index.php HTTP/1.1”
Nov 15 23:01:47 ucs-XXXX haproxy[16244]: 109.41.0.118:1776 [15/Nov/2019:23:01:47.953] https-in~ kopano_servers/kopano 0/0/1/2/3 200 1583 - - ---- 1/1/0/1/0 0/0 “GET /webapp/client/resources/css/external/login.css HTTP/1.1”
Nov 15 23:01:48 ucs-XXXX haproxy[16244]: 109.41.0.118:1776 [15/Nov/2019:23:01:48.072] https-in~ kopano_servers/kopano 0/0/1/10/11 200 355 - - ---- 1/1/0/1/0 0/0 “POST /webapp/kopano.php?service=fingerprint HTTP/1.1”
Nov 15 23:01:48 ucs-XXXX haproxy[16244]: 109.41.0.118:29177 [15/Nov/2019:23:01:48.233] https-in~ kopano_servers/kopano 0/0/3/4/7 200 359 - - ---- 2/2/0/1/0 0/0 “POST /webapp/kopano.php?service=fingerprint&type=keepalive HTTP/1.1”

and here from Apache access.log (Samba-, Kopano-, Nextcloud-Server):

192.168.xx.yy - - [15/Nov/2019:23:01:47 +0100] “GET /webapp/index.php HTTP/1.1” 200 9017 “-” “Mozilla/5.0 (iPhone; CPU iPhone OS 12_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.1.2 Mobile/15E148 Safari/604.1”
192.168.xx.yy - - [15/Nov/2019:23:01:47 +0100] “GET /webapp/client/resources/css/external/login.css HTTP/1.1” 200 1749 “https://webmail.domain.de/webapp/index.php” “Mozilla/5.0 (iPhone; CPU iPhone OS 12_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.1.2 Mobile/15E148 Safari/604.1”
192.168.xx.yy - - [15/Nov/2019:23:01:48 +0100] “POST /webapp/kopano.php?service=fingerprint HTTP/1.1” 200 521 “https://webmail.domain.de/webapp/index.php” “Mozilla/5.0 (iPhone; CPU iPhone OS 12_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.1.2 Mobile/15E148 Safari/604.1”
192.168.xx.yy - - [15/Nov/2019:23:01:48 +0100] “POST /webapp/kopano.php?service=fingerprint&type=keepalive HTTP/1.1” 200 525 “https://webmail.domain.de/webapp/index.php” “Mozilla/5.0 (iPhone; CPU iPhone OS 12_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.1.2 Mobile/15E148 Safari/604.1”
192.168.1.111 - Family \ipad [15/Nov/2019:22:48:12 +0100] “POST /Microsoft-Server-ActiveSync?User=ipad&DeviceId=1EB3FIFNUP1FDFAULU4ECAPF90&DeviceType=iPad&Cmd=Ping HTTP/1.1” 200 3666 “-” “Apple-iPad6C11/1607.102”

Any idears ?

problem solved:

The cause for the behavior of HAProxy lies in the “http-request”.
This contains the path specified by the client and must be rewritten in the backend section to “/webmail/index.php”.

In my case the correct statements are:

backend kopano
redirect scheme https if! {ssl_fc}
http-request set-path /webapp/index.php
server kopano ucs-XXXX.my.domain.com:443 ssl verify none check

From now on, it does not matter what the url in the client as path statement contains: it is always called Kopano. So also possible typos are ignored.

But beware: in the http-request always the landing page must be specified, otherwise there is a loop.

It works for Nextcloud too:

…
http-request set-path /nextcloud/apps/user_saml/saml/selectUserBackEnd?redirectUrl=
…

A good site for such manipulations can be found here

I checked the http-request clause again and it was wrong what I wrote before !

Here is the correction for Kopano and Nextcloud in the haproxy.cfg:

http-request set-uri https://ucs-XXXX.my.domain.de/webapp
server kopano ucs-XXXX.my.domain.de.de:443 ssl verify none check

http-request set-uri https://ucs-YYYY.my.domain.de/nextcloud/
server nextcloud ucs-YYYY.my.domain.de:443 ssl verify none check