On Wed, Dec 27, 2017 at 06:52:21PM +0000, Lucas Rolff wrote:
> - you said that using multiple certs breaks, but did you get a working state
> in any way ?
>
> Actually regarding the multiple certs breaking - I was wrong.
>
> So, if I use release 1.8.1 (downloaded from haproxy.org and compiling from
> source) then my bind works perfectly.
OK so it's a regression from 1.8.1 to 1.8.2.
> If I use release 1.8.2 with same compile options, and I use the same bind, or
> a bind even with a single certificate ( bind *:443 ssl crt
> /etc/haproxy/certs/wildcard_domain.com.pem alpn h2,http/1.1 ) I still end up
> with the same error from curl:
>
> curl: (16) Error in the HTTP2 framing layer
>
> So it's as long as I pass alpn h2,http/1.1 in my bind "flag" that it breaks.
I couldn't face this one yet, and I've used curl quite a lot during all
my recent tests (in addition to nghttp, h2c and h2load).
> > if you run haproxy with -d (debug mode), do you see something like this :
>
> Yes, I see the ALPN=h2:
>
> 00000000:https_frontend.accept(0006)=0010 from [80.61.160.xxx:52922] ALPN=h2
> 00000000:https_frontend.clireq[0010:ffffffff]: GET / HTTP/1.1
> 00000000:https_frontend.clihdr[0010:ffffffff]: user-agent: curl/7.54.1
> 00000000:https_frontend.clihdr[0010:ffffffff]: accept: */*
> 00000000:https_frontend.clihdr[0010:ffffffff]: host: dashboard.domain.com
> 00000000:cdn-backend.srvcls[0010:adfd]
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
That's interesting : the connection to the server was closed. It was
a nightmare to fix the abortonclose case, and I'm seeing you have
option httpclose in your config, that (almost) nobody uses anymore
since it was the "passive close" mode. I didn't test this one, I
only tested "http-server-close", "http-keep-alive" and "forceclose".
Maybe I broke it. Could you please just remove this option (or replace
it with http-server-close if you absolutely want to disable keepalive
for any reason) ?
> > are you sure you didn't limit your buffer size to less than 16kB ?
>
> Config between my compiled 1.8.1 and 1.8.2 didn't change at all, and I'm also
> not touching buffers within the haproxy config, the only defaults I really
> set is connect, client and server timeouts -
OK. Anyway whenever you want to check the default settings, you can find
them in "haproxy -vv". E.g. here with my "small memory" setup :
Default settings :
maxconn = 2000, bufsize = 8030, maxrewrite = 1030, maxpollevents = 200
This one definitely will not work with HTTP/2.
> the rest pretty much stays the
> same:
>
> https://gist.github.com/lucasRolff/12b2036baa47400d6c3437a67d9f5fd1 -
> I try to avoid touching things; the instance does next to no traffic so
> defaults *should* be fine. So unless buffers changed between 1.8.1 and 1.8.2
> then no changes have been made.
That's also what makes me think about httpclose :-/
> The specific request will have a content-length of 55 kilobytes.
Just to be sure, you mean the response to the request will be 55 kB, not
the request's payload ? I'm asking because I think I saw a GET in your
trace.
> > how did you manage to get curl to emit this amount of useful debugging
> > information ? I never got that even after reading all options, I'm jealous!
>
> Use -vvv option in curl
I didn't know it had any effect to add more "-v" :-)
> or even better, on http2 enabled sites, you can use
> nghttp -v http://url/ it will give you extensive information regarding your
> http2 traffic - since it will be aware of your streams, priorities etc etc.
Yes, I use it a lot, it's very useful. For raw h2 frames, h2c in wiretap
mode is convenient as well (and complements nghttp well).
Thanks!
Willy
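As an added example (not from the thread and not HAProxy's own code), a small Python check for the two things Willy points at: the compiled-in bufsize reported by `haproxy -vv` (or a global `tune.bufsize` overriding it) versus the 16 kB an HTTP/2 frame needs, and `option httpclose` on a frontend whose bind advertises h2 via ALPN. The sample config and `-vv` output are constructed from the values in the thread; the 16384-byte threshold is HTTP/2's default maximum frame size, an assumption the thread only states as "16kB".

```python
import re
from typing import List, Optional

# HTTP/2's default SETTINGS_MAX_FRAME_SIZE is 16384 bytes; a smaller buffer
# cannot hold one full frame (assumed threshold, the thread says "16kB").
H2_MIN_BUFSIZE = 16384

def default_bufsize(vv_output: str) -> Optional[int]:
    """Read bufsize from the 'Default settings' line printed by `haproxy -vv`."""
    m = re.search(r"bufsize\s*=\s*(\d+)", vv_output)
    return int(m.group(1)) if m else None

def effective_bufsize(config: str, vv_output: str) -> Optional[int]:
    """A global 'tune.bufsize' overrides the compiled-in default."""
    m = re.search(r"^\s*tune\.bufsize\s+(\d+)", config, re.MULTILINE)
    return int(m.group(1)) if m else default_bufsize(vv_output)

def h2_binds(config: str) -> List[str]:
    """Return bind lines whose ALPN list contains h2 (e.g. 'alpn h2,http/1.1')."""
    pat = re.compile(r"^\s*bind\b.*\balpn\s+(?:[\w./]+,)*h2\b", re.MULTILINE)
    return [m.group(0).strip() for m in pat.finditer(config)]

def check_h2_config(config: str, vv_output: str) -> List[str]:
    """Report the two HTTP/2 pitfalls discussed in the thread; empty list means OK."""
    findings = []
    if not h2_binds(config):
        return findings  # no h2 offered, nothing to check
    bufsize = effective_bufsize(config, vv_output)
    if bufsize is not None and bufsize < H2_MIN_BUFSIZE:
        findings.append(f"bufsize {bufsize} < {H2_MIN_BUFSIZE}: too small for HTTP/2, set tune.bufsize 16384")
    if re.search(r"^\s*option\s+httpclose\b", config, re.MULTILINE):
        findings.append("option httpclose with an h2 bind: use http-server-close or http-keep-alive")
    return findings

# Constructed sample input modelled on the thread (not the real config or build).
SAMPLE_VV = "Default settings :\n  maxconn = 2000, bufsize = 8030, maxrewrite = 1030, maxpollevents = 200\n"
SAMPLE_CONFIG = """\
defaults
    mode http
    option httpclose
frontend https_frontend
    bind *:443 ssl crt /etc/haproxy/certs/wildcard_domain.com.pem alpn h2,http/1.1
    default_backend cdn-backend
"""
# Corrected variant: passive close replaced and the buffer raised to a full h2 frame.
FIXED_CONFIG = SAMPLE_CONFIG.replace("option httpclose", "option http-server-close").replace(
    "defaults", "global\n    tune.bufsize 16384\ndefaults", 1)

if __name__ == "__main__":
    for name, cfg in (("sample", SAMPLE_CONFIG), ("fixed", FIXED_CONFIG)):
        print(name, check_h2_config(cfg, SAMPLE_VV) or ["ok"])
```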