> Could you please just remove this option (or replace it with 
> http-server-close if you absolutely want to disable keepalive for any reason) 
> ?

I can’t remember why I disabled keep-alive, however – removing it completely 
did the trick.
So basically “option httpclose” and h2 won’t work.

Using “http-server-close” on the backend does work as well – so it seems like 
something between 1.8.1 and 1.8.2 caused “option httpclose” to stop working 
when also using http2.

> Just to be sure, you mean the response to the request will be 55 kB, not the 
> request's payload ? I'm asking because I think I saw a GET in your trace.

You’re correct, the response to the request will be 55 kB

So it means I have a working haproxy 1.8.2 with http2 now! Thank you once again!

I was hoping that version 1.8.2 would also have resolved 
https://www.mail-archive.com/haproxy@formilux.org/msg28333.html - however, 
doesn’t seem to be the case – I’ll see if I can find the cause for that one

Best Regards,
Lucas Rolff

On 27/12/2017, 20.15, "Willy Tarreau" <w...@1wt.eu> wrote:

    On Wed, Dec 27, 2017 at 06:52:21PM +0000, Lucas Rolff wrote:
    > - you said that using multiple certs breaks, but did you get a working 
state in any way ?
    > 
    > Actually regarding the multiple certs breaking - I was wrong.
    > 
    > So, if I use release 1.8.1 (downloaded from haproxy.org and compiling from
    > source) then my bind works perfectly.
    
    OK so it's a regression from 1.8.1 to 1.8.2.
    
    > If I use release 1.8.2 with same compile options, and I use the same 
bind, or
    > a bind even with a single certificate (  bind *:443 ssl crt
    > /etc/haproxy/certs/wildcard_domain.com.pem alpn h2,http/1.1 ) I still end 
up
    > with the same error from curl:
    > 
    > curl: (16) Error in the HTTP2 framing layer
    > 
    > So it's as long as I pass alpn h2,http/1.1 in my bind "flag" that it 
breaks.
    
    I couldn't face this one yet, and I've used curl quite a lot during all
    my recent tests (in addition to nghttp, h2c and h2load).
    
    > >  if you run haproxy with -d (debug mode), do you see something like 
this :
    > 
    > Yes, I see the ALPN=h2:
    > 
    > 00000000:https_frontend.accept(0006)=0010 from [80.61.160.xxx:52922] 
ALPN=h2
    > 00000000:https_frontend.clireq[0010:ffffffff]: GET / HTTP/1.1
    > 00000000:https_frontend.clihdr[0010:ffffffff]: user-agent: curl/7.54.1
    > 00000000:https_frontend.clihdr[0010:ffffffff]: accept: */*
    > 00000000:https_frontend.clihdr[0010:ffffffff]: host: dashboard.domain.com
    > 00000000:cdn-backend.srvcls[0010:adfd]
      ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    That's interesting : the connection to the server was closed. It was
    a nightmare to fix the abortonclose case, and I'm seeing you have
    option httpclose in your config, that (almost) nobody uses anymore
    since it was the "passive close" mode. I didn't test this one, I
    only tested "http-server-close", "http-keep-alive" and "forceclose".
    Maybe I broke it. Could you please just remove this option (or replace
    it with http-server-close if you absolutely want to disable keepalive
    for any reason) ?
    
    > > are you sure you didn't limit your buffer size to less than 16kB ?
    > 
    > Config between my compiled 1.8.1 and 1.8.2 didn't change at all, and I'm 
also
    > not touching buffers within the haproxy config, the only defaults I really
    > set is connect, client and server timeouts -
    
    OK. Anyway whenever you want to check the default settings, you can find
    them in "haproxy -vv". Eg here with my "small memory" setup :
    
      Default settings :
        maxconn = 2000, bufsize = 8030, maxrewrite = 1030, maxpollevents = 200
    
    This one definitely will not work with HTTP/2.
    
    > the rest pretty much stays the
    > same:
    > 
    > https://gist.github.com/lucasRolff/12b2036baa47400d6c3437a67d9f5fd1 -
    
    > I try to avoid touching things the instance does next to no traffic so
    > defaults *should* be fine. So unless buffers change between 1.8.1 an 1.8.2
    > then no changes has been done.
    
    That's also what makes me think about httpclose :-/
    
    > The specific request will have a content-length of 55 kilobytes.
    
    Just to be sure, you mean the response to the request will be 55 kB, not
    the request's payload ? I'm asking because I think I saw a GET in your
    trace.
    
    > > how did you manage to get curl to emit this amount of useful debugging
    > > information ? I never got that even after reading all options, I'm 
jealous!
    > 
    > Use -vvv option in curl
    
    I didn't know it had any effect to add more "-v" :-)
    
    > or even better, on http2 enabled sites, you can use
    > nghttp -v http://url/ it will give you extensive information regarding 
your
    > http2 traffic - since it will be aware of your streams, priorities etc 
etc.
    
    Yes, I use it a lot, it's very useful. For raw h2 frames, h2c in wiretap
    mode is convenient as well (and completes well with nghttp).
    
    Thanks!
    Willy
    

Reply via email to