Sending the config file as an attachment.
-yas

On 23/07/2023 07:20, Yaacov Akiba Slama wrote:
On 22/07/2023 23:07, Aleksandar Lazic wrote:
Hi.

On 2023-07-22 (Sa.) 21:48, Yaacov Akiba Slama wrote:
Hi,

It seems that there is a bug in the QUIC (HTTP/3) frontend when it is combined with a FastCGI backend:

As soon as the size of the uploaded data is larger than bufsize, HAProxy answers "400 Bad request" and logs a PH-- termination state (the proxy itself aborted the request while it was still processing the request headers).

The problem occurs with both haproxy 2.8.1 and 2.9-dev2 (both built against quictls OpenSSL_1_1_1u-quic1).

When the request comes in over h2 (TCP), or when the backend is a plain HTTP server instead of a FastCGI one, everything is ok.

Is it a known problem?

Please can you share the config you use so that the issue can be reproduced. I think it's not known, but it would be good to be able to reproduce it.

The haproxy configuration is below. I first saw the problem with php-fpm, but I also reproduced it with a simple Go FastCGI server (also below).

In order to see the problem, one can run:

curl -d @file https://&lt;domain&gt; (negotiates h2 over TCP on the first bind) and curl --http3-only -d @file https://&lt;domain&gt; (forces HTTP/3 over the QUIC bind)

If the file is a little smaller than bufsize (HAProxy's tune.bufsize, which is not set in the config below, so the default applies), there is no error in either case and the fcgi server answers.

With a bigger file, only the h2 request works. The h3 request returns "400 Bad request" and nothing reaches the fcgi server.

Thanks,

--yas

haproxy.cfg:

------------

# Reformatted: the mail client collapsed this configuration onto a single
# line; a line-by-line copy is attached further down in the thread.
global
    log /dev/log    local0
    log /dev/log    local1 notice
    chroot /var/lib/haproxy
    # Admin-level runtime socket: mode 660 restricts it to root and the
    # haproxy group, which is appropriate for a socket that can change
    # server state at runtime.
    stats socket /run/haproxy/admin.sock mode 660 level admin
    stats timeout 30s
    user haproxy
    group haproxy
    daemon
    # Default SSL material locations
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private
    # See: https://ssl-config.mozilla.org/#server=haproxy&server-version=2.0.3&config=intermediate
    ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
    ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
    # QUIC is TLS 1.3 only, so the TLS 1.2 cipher list above only affects
    # the TCP bind; no-tls-tickets disables session-ticket resumption.
    ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets

defaults
    log    global
    mode    http
    option    httplog
    option    dontlognull
    # Timeouts without a unit are milliseconds: 5 s connect, 50 s client/server.
    timeout connect 5000
    timeout client  50000
    timeout server 50000
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http

frontend fe
    mode http
    #bind :80
    # TCP listener: TLS with h2 offered via ALPN.
    bind :443  ssl crt /etc/haproxy/ssl/<cert> alpn h2
    # UDP listener on the same port for HTTP/3, only if the binary has QUIC
    # support (quictls build here); same certificate.
    .if feature(QUIC)
        bind quic4@:443 ssl crt /etc/haproxy/ssl/<cert> alpn h3
    .endif
    # With the :80 bind commented out, every request already arrives over a
    # TLS bind, so this redirect should never fire.
    http-request redirect scheme https unless { ssl_fc }
    # Disabled, so clients are not advertised h3; the repro in this thread
    # forces HTTP/3 with curl --http3-only instead.
    #http-after-response add-header alt-svc 'h3=":443"; ma=60'
    default_backend fcgiserver

backend fcgiserver
    use-fcgi-app test-app
    # Plain FastCGI over loopback; no TLS on this hop, acceptable only
    # because it never leaves the host.
    server server1 127.0.0.1:9000 proto fcgi

fcgi-app test-app
    # Forward the application's stderr stream into HAProxy's own log.
    log-stderr global
    docroot /var/www/myapp
    index index.php
    # First capture group becomes the script name, the optional second
    # group the PATH_INFO.
    path-info ^(/.+\.php)(/.*)?$

----

server.go

-----

package main

import (
        "fmt"
        "io"
        "log"
        "net"
        "net/http"
        "net/http/fcgi"
)

// FastCGIServer is a field-less http.Handler (see ServeHTTP below) that is
// served over FastCGI; it exists only so HAProxy's fcgi backend has
// something to talk to while reproducing the h3 upload problem.
type FastCGIServer struct{}

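// ServeHTTP answers every request with the fixed banner line, followed by
// the number of request-body bytes that actually arrived.
//
// The original handler never touched req.Body, so it could not tell a
// forwarded upload from a dropped one; for the bug under investigation
// (uploads larger than HAProxy's bufsize over h3) that count is exactly
// the evidence wanted. The drain is capped so an untrusted client cannot
// make the example read indefinitely; oversized or unreadable bodies get
// a 413. Write errors on the response are deliberately ignored: there is
// nothing useful a FastCGI responder can do once the peer is gone.
func (s FastCGIServer) ServeHTTP(w http.ResponseWriter, req *http.Request) {
        // 64 MiB is far above the repro uploads (tens of kB) but still bounded.
        const maxBody = 64 << 20
        n, err := io.Copy(io.Discard, http.MaxBytesReader(w, req.Body, maxBody))
        if err != nil {
                http.Error(w, "request body too large or unreadable", http.StatusRequestEntityTooLarge)
                return
        }
        // Set an explicit type so the client does not content-sniff the reply.
        w.Header().Set("Content-Type", "text/plain; charset=utf-8")
        fmt.Fprintf(w, "This is a FastCGI example server.\nreceived %d body bytes\n", n)
}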

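// main listens on loopback port 9000 and serves FastCGI from it, which is
// where the haproxy.cfg in this thread points its "server1 ... proto fcgi".
//
// The listen and serve errors are now checked: the original discarded the
// net.Listen error, so a port already in use left l nil and the program
// died with a nil-pointer panic inside fcgi.Serve instead of a clear message.
func main() {
        fmt.Println("Starting server...")
        // Loopback only: the responder speaks unauthenticated FastCGI and must
        // not be reachable from the network.
        l, err := net.Listen("tcp", "127.0.0.1:9000")
        if err != nil {
                log.Fatalf("listen 127.0.0.1:9000: %v", err)
        }
        defer l.Close()
        b := new(FastCGIServer)
        if err := fcgi.Serve(l, b); err != nil {
                log.Fatalf("fcgi.Serve: %v", err)
        }
}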



global
        log /dev/log    local0
        log /dev/log    local1 notice
        # The process drops to haproxy:haproxy and chroots after start-up;
        # certificates and error files are loaded before that, so their
        # absolute paths below are fine.
        chroot /var/lib/haproxy
        # "level admin" allows runtime changes (server state, maps, ACLs).
        # mode 660 limits the socket to root and the haproxy group, which is
        # the right default for an admin-level socket.
        stats socket /run/haproxy/admin.sock mode 660 level admin
        stats timeout 30s
        user haproxy
        group haproxy
        daemon

        # tune.bufsize is not set, so HAProxy's default buffer size applies;
        # the upload size at which the h3 request in this thread starts
        # failing is tied to that value.

        # Default SSL material locations
        ca-base /etc/ssl/certs
        crt-base /etc/ssl/private

        # Mozilla "intermediate" profile: TLS 1.2+ with AEAD suites only.
        # (The two values below were wrapped by the mail client; each
        # directive must be on a single line.)
        # See: https://ssl-config.mozilla.org/#server=haproxy&server-version=2.0.3&config=intermediate
        ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
        ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
        # QUIC is TLS 1.3 only, so the TLS 1.2 cipher list above only affects
        # the TCP bind. no-tls-tickets disables session-ticket resumption
        # (no long-lived ticket key to protect).
        ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets

defaults
        log     global
        mode    http
        option  httplog
        option  dontlognull
        # Timeouts without a unit are milliseconds: 5 s connect, 50 s client/server.
        timeout connect 5000
        timeout client  50000
        timeout server  50000
        # Custom error pages; the 400 page is presumably what the failing
        # h3 upload described in this thread is served.
        errorfile 400 /etc/haproxy/errors/400.http
        errorfile 403 /etc/haproxy/errors/403.http
        errorfile 408 /etc/haproxy/errors/408.http
        errorfile 500 /etc/haproxy/errors/500.http
        errorfile 502 /etc/haproxy/errors/502.http
        errorfile 503 /etc/haproxy/errors/503.http
        errorfile 504 /etc/haproxy/errors/504.http

frontend fe
        mode http
        #bind :80
        # TCP listener: TLS with h2 offered via ALPN.
        bind :443  ssl crt /etc/haproxy/ssl/<cert> alpn h2
        # UDP listener on the same port for HTTP/3, only when the binary was
        # built with QUIC support (the quictls build here); same certificate.
        .if feature(QUIC)
                bind quic4@:443 ssl crt /etc/haproxy/ssl/<cert> alpn h3
        .endif

        # With the :80 bind commented out, every request already arrives on a
        # bind declared with "ssl" (the QUIC one included), so this redirect
        # should never fire.
        http-request redirect scheme https unless { ssl_fc }

        # Left disabled, so clients are not advertised h3 via Alt-Svc; the
        # repro forces HTTP/3 with curl --http3-only instead.
        #http-after-response add-header alt-svc 'h3=":443"; ma=60'

        default_backend fcgiserver

backend fcgiserver
    use-fcgi-app test-app
    # Plain FastCGI over loopback to the Go responder / php-fpm; there is no
    # TLS on this hop, acceptable only because it never leaves the host.
    server server1 127.0.0.1:9000 proto fcgi

fcgi-app test-app
    # Forward the application's FCGI stderr stream into HAProxy's own log.
    log-stderr global
    docroot /var/www/myapp
    index index.php
    # First capture group becomes the script name, the optional second
    # group the PATH_INFO passed to the application.
    path-info ^(/.+\.php)(/.*)?$
