Hi Jarno,

thanks, your proposal seems to work. Here's a working test config based on one of our production configs:

curl -kvs -o /dev/null https://127.0.0.1:10320 --http1.1

Apr 25 15:32:51 localhost haproxy[2847]: 127.0.0.1:36880 [25/Apr/2019:15:32:51.554] genfrontend_10310-cust1 genfrontend_10310-cust1/<NOSRV> -1/-1/-1/-1/0 503 212 - - SC-- 1/1/0/0/0 0/0 "GET / HTTP/1.1"
Apr 25 15:32:51 localhost haproxy[2846]: 127.0.0.1:36880 [25/Apr/2019:15:32:51.553] genlisten_10320-cust1.tls~ genlisten_10320-cust1.tls/socket-10310 1/0/1 212 -- 1/1/0/0/0 0/0
Apr 25 15:32:51 localhost haproxy[2841]: 127.0.0.1:36880 [25/Apr/2019:15:32:51.549] genlisten_10320-cust1.tls-tcp genlisten_10320-cust1.tls-tcp/socket-10320-ecc 4/0/5 995 -- 1/1/0/0/0 0/0


curl -kvs -o /dev/null https://127.0.0.1:10320 --http2

Apr 25 15:32:59 localhost haproxy[2847]: 127.0.0.1:36882 [25/Apr/2019:15:32:59.246] genfrontend_10310-cust1 genfrontend_10310-cust1/<NOSRV> -1/-1/-1/-1/0 503 212 - - SC-- 1/1/0/0/0 0/0 "GET / HTTP/1.1"
Apr 25 15:32:59 localhost haproxy[2845]: 127.0.0.1:36882 [25/Apr/2019:15:32:59.243] genlisten_10320-cust1.tls~ genlisten_10320-cust1.tls/socket-10310-h2 3/0/3 184 -- 1/1/0/0/0 0/0
Apr 25 15:32:59 localhost haproxy[2841]: 127.0.0.1:36882 [25/Apr/2019:15:32:59.228] genlisten_10320-cust1.tls-tcp genlisten_10320-cust1.tls-tcp/socket-10320-ecc 16/0/19 990 CD 1/1/0/0/0 0/0

global
        # Run 8 worker processes. The bind-process / process keywords in the
        # sections below pin each listener to a subset of those processes.
        # NOTE(review): nbproc is the old multi-process model; later HAProxy
        # releases deprecated it in favour of nbthread -- confirm against the
        # version this config is meant for.
        nbproc 8
        # ...

listen genlisten_10320-cust1.tls-tcp
        # Stage 1: a plain TCP listener that only peeks at the TLS ClientHello
        # and hands the raw, still-encrypted connection to either the RSA or
        # the ECC TLS terminator (genlisten_10320-cust1.tls below) over a
        # unix socket. Nothing is decrypted in this section.
        mode tcp
        bind-process 2
        # Listens on all interfaces.
        bind :10320

        log global
        option tcplog

        # ...

        # Hold the connection for up to 7s waiting for enough bytes to parse
        # the ClientHello; the content rules below cannot be evaluated before
        # it has arrived.
        tcp-request inspect-delay 7s
        # True when the ClientHello carries the EC extension, i.e. the client
        # can negotiate the ECC certificate.
        acl REQ_TLS_HAS_ECC req.ssl_ec_ext eq 1
        # Stop inspecting as soon as a ClientHello (handshake type 1) is seen.
        # NOTE(review): there is no matching reject rule, so a connection that
        # never sends a ClientHello (non-TLS traffic, or a slow client) is
        # still forwarded once the 7s delay expires -- presumably to the RSA
        # socket, since !REQ_TLS_HAS_ECC holds when the extension cannot be
        # found; verify. Adding
        # `tcp-request content reject if !{ req_ssl_hello_type 1 }` after this
        # line would drop such connections here instead of passing them on to
        # the terminator, if that is the intended policy.
        tcp-request content accept if { req_ssl_hello_type 1 } # Match Client SSL Hello

        # Route to the RSA terminator unless the client advertised EC support.
        # send-proxy-v2 prepends a PROXY protocol v2 header carrying the real
        # client address, which the receiving bind (accept-proxy) trusts.
        use-server socket-10320-rsa if !REQ_TLS_HAS_ECC
        server socket-10320-rsa unix@/run/haproxy-10320-rsa.sock send-proxy-v2

        # Route to the ECC terminator when the client advertised EC support.
        use-server socket-10320-ecc if REQ_TLS_HAS_ECC
        server socket-10320-ecc unix@/run/haproxy-10320-ecc.sock send-proxy-v2

listen genlisten_10320-cust1.tls
        # Stage 2: terminates TLS for the connections handed over by the
        # tls-tcp section above, then routes by the negotiated ALPN protocol
        # to the HTTP frontend (genfrontend_10310-cust1) over unix sockets.
        mode tcp
        log global
        option tcplog
        bind-process 3-8

        # accept-proxy: the client address is taken from the PROXY v2 header
        # sent by the previous hop. Anything that can connect to these
        # sockets can therefore spoof a client address; mode 600 with
        # `user haproxy` limits that to the haproxy user (and root), which
        # is what makes accept-proxy safe here. `group root` has no effect
        # with mode 600, since the group bits are zero.
        # Both sockets offer h2 and http/1.1 via ALPN; the bind with the
        # RSA cert runs on process 3, the one with the ECC cert on 4-8.
        # NOTE(review): no TLS version or cipher policy is visible in this
        # section; presumably set via ssl-default-bind-* in the elided part
        # of the global section -- confirm.
        bind unix@/run/haproxy-10320-rsa.sock accept-proxy user haproxy group root mode 600 ssl crt /etc/haproxy/test-rsa.pem alpn h2,http/1.1 process 3
        bind unix@/run/haproxy-10320-ecc.sock accept-proxy user haproxy group root mode 600 ssl crt /etc/haproxy/test-ecc.pem alpn h2,http/1.1 process 4-8

        # Clients that negotiated h2 go to the HTTP/2 socket of the frontend;
        # everything else (http/1.1 negotiated, or no ALPN at all, which is
        # what !{ ssl_fc_alpn h2 } also covers) goes to the HTTP/1.x socket.
        use-server socket-10310-h2 if { ssl_fc_alpn h2 }
        server socket-10310-h2 unix@/run/haproxy-10310-h2.sock send-proxy-v2

        use-server socket-10310 if !{ ssl_fc_alpn h2 }
        server socket-10310 unix@/run/haproxy-10310.sock send-proxy-v2

frontend genfrontend_10310-cust1
        # Stage 3: the HTTP frontend. It is reachable three ways: the
        # plaintext port 10310 on all interfaces, and the two PROXY-protocol
        # unix sockets fed by the TLS terminator above.
        # NOTE(review): :10310 has neither TLS nor accept-proxy, so anything
        # that reaches it directly bypasses TLS entirely. If this port is
        # only meant for local testing or an internal hop, confirm it is
        # firewalled or bound to a specific address rather than all
        # interfaces.
        bind :10310
        # TLS uplink, HTTP/2: `proto h2` pins this socket to the HTTP/2 mux,
        # which is why the terminator needs a second, separate socket for
        # HTTP/1.x connections. Explicit bind ids (210312 / 210310) make the
        # two uplinks distinguishable in rules and stats.
        bind unix@/run/haproxy-10310-h2.sock id 210312 accept-proxy user haproxy group root mode 600 proto h2 # TLS uplink H2
        # TLS uplink, HTTP/1.x.
        bind unix@/run/haproxy-10310.sock id 210310 accept-proxy user haproxy group root mode 600 # TLS uplink
        # NOTE(review): TLS was terminated in a different section/process, so
        # ssl_fc-style fetches are not meaningful in this frontend; any rule
        # that needs to know whether a request arrived over TLS has to key on
        # the bind it came in on (e.g. via the bind id) instead -- verify
        # against the elided rules below.

        mode http
        option httplog
        log global

        # ...



So it would be nice if both were possible over a single uplink socket -- H2 as well as HTTP/1.1 -- selected by the "alpn h2,http/1.1" negotiation, rather than needing a separate socket with "proto h2" for HTTP/2.

--
Regards,
Christian Ruppert
