Hi,

I'm playing around with http2 on haproxy 1.8.2, but when I enable it I get HTTP 400s on some requests. When I send "show errors" to the admin socket I get no errors at all. Disabling http2 makes the error go away.

The logfile shows:

Dec 28 22:09:02 hostname haproxy[23043]: x.x.x.x:58219 [28/Dec/2017:22:09:02.066] web~ nginx/nginx 0/0/2/-1/10 400 188 - - CH-- 4/2/0/0/0 0/0 {something.nl|Mozilla/5.0 (Mac|1695|https://something.nl/some/path/?_lala=option&_another=option} {} "POST /some/path/?_task=doit&_action=dothisaction HTTP/1.1"

I'm looking for a way to troubleshoot this. My config looks like:

# Process-wide settings: logging, privilege drop, runtime API socket and TLS defaults.
global
        # Both targets are the local syslog socket; the second one only receives
        # messages at level notice and above.
        log /dev/log    local0
        log /dev/log    local1 notice
        # The process is confined to this directory after startup.
        chroot /var/lib/haproxy
        # Runtime API socket at admin level: every account that can open it
        # (owner and group, per mode 660) can issue state-changing commands,
        # so membership of the owning group should stay restricted.
        stats socket /run/haproxy/admin.sock mode 660 level admin
        stats timeout 30s
        # The process switches to this unprivileged account after startup.
        user haproxy
        group haproxy
        daemon

        # SSLv3 and TLS session tickets are disabled on listening sockets.
        # NOTE(review): these two options alone do not exclude TLSv1.0/1.1 -
        # confirm whether that is intended.
        ssl-default-bind-options no-sslv3 no-tls-tickets
        # NOTE(review): the RSA+AESGCM and RSA+AES entries keep static-RSA key
        # exchange, which provides no forward secrecy.
ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
        # Same option and cipher choices for TLS connections opened towards servers.
  ssl-default-server-options no-sslv3 no-tls-tickets
ssl-default-server-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
        # Certificates presented by servers are not verified, so TLS on a
        # "server ... ssl" line is encrypted but not authenticated. The only TLS
        # server in this configuration is on 127.0.0.1; this default would need
        # revisiting before a remote server is added.
        ssl-server-verify none
        # Upper bound for the ephemeral DH parameter size used when the
        # certificate file supplies none; larger values raise handshake CPU cost.
        tune.ssl.default-dh-param 4096


# Settings inherited by every frontend and backend declared after this section.
defaults
        log     global
        mode    http
        option  httplog
        # Connections on which no data was exchanged are not logged.
        # NOTE(review): on an Internet-facing listener this also hides port
        # scans and similar probes from the log.
        option  dontlognull
        # Timeouts without a unit are in milliseconds: 5 s to connect,
        # 50 s of inactivity on the client and server sides.
        timeout connect 5000
        timeout client  50000
        timeout server  50000
        # Custom response files returned for errors generated by the proxy itself.
        errorfile 400 /etc/haproxy/errors/400.http
        errorfile 403 /etc/haproxy/errors/403.http
        errorfile 408 /etc/haproxy/errors/408.http
        errorfile 500 /etc/haproxy/errors/500.http
        errorfile 502 /etc/haproxy/errors/502.http
        errorfile 503 /etc/haproxy/errors/503.http
        errorfile 504 /etc/haproxy/errors/504.http


# Public entry point: plain HTTP on port 80 and TLS on port 443 (IPv4 and IPv6),
# with request filtering and backend selection.
frontend web
        bind x.x.x.x:80
        # crt points at a directory, so every certificate file in it is loaded.
        # strict-sni refuses handshakes whose SNI matches none of them.
        # alpn advertises HTTP/2 first, then HTTP/1.1; removing "h2," is how
        # HTTP/2 is switched off on this listener.
bind x.x.x.x:443 ssl crt /etc/haproxy/SSL/ strict-sni alpn h2,http/1.1
        bind xxxx:xxx:xxxx:xxx::1:80
bind xxxx:xxx:xxxx:xxx::1:443 ssl crt /etc/haproxy/SSL/ strict-sni alpn h2,http/1.1

        mode http
        maxconn 4096

        option httplog
        option splice-auto

        # Captured headers appear in the log between braces, truncated to len
        # bytes (User-Agent is cut at 16 characters).
        # NOTE(review): Referer is logged up to 256 bytes including its query
        # string, so URL parameters of the referring page end up in syslog.
        capture request header Host             len 64
        capture request header User-Agent       len 16
        capture request header Content-Length   len 10
        capture request header Referer          len 256
        capture response header Content-Length  len 10

        # in_badstuff is true when any of its declarations matches: a regex on
        # the URL, a substring of the URL, or a substring of the Referer header,
        # each with patterns read from a file.
        acl in_badstuff url_reg -i -f /etc/haproxy/filters/badstuff.reg
        # NOTE(review): the next physical line holds two acl statements, most
        # likely a line-wrapping artifact of the mail; in the real file they are
        # presumably separate lines - confirm.
acl in_badstuff url_sub -i -f /etc/haproxy/filters/phpmyadmin.txt acl in_badstuff hdr_sub(referer) -i -f /etc/haproxy/filters/referrer.txt
        # Substring match on Host: any host name containing this string matches.
        # No rule in this frontend references the ACL.
        acl is_host_falco hdr_sub(Host) -i somehost.nl


        # Rules are evaluated in order and the first match wins: filtered
        # requests go to badstuff, non-TLS traffic to nginx-plain, the rest to nginx.
        use_backend badstuff if in_badstuff
        use_backend nginx-plain if !{ ssl_fc }
        use_backend nginx

# Backend for requests that arrived over TLS; traffic is re-encrypted to a local nginx.
backend nginx
        fullconn 128
        mode http

        # abortonclose lets a close on the client side abort a request that is
        # still waiting for the server.
        # NOTE(review): the logged request ended in state CH-- (client-side
        # abort while waiting for the response) with a -1 response timer, so
        # this option is one candidate to disable temporarily when isolating
        # the HTTP/2-only 400s - unconfirmed.
        option abortonclose
        option http-keep-alive

        # ssl: the connection to nginx is encrypted; with the global
        # "ssl-server-verify none" the server certificate is not checked.
        # send-proxy: a PROXY protocol header carrying the client address is
        # sent first, so the nginx listener must expect it and should accept it
        # only from this proxy.
        # NOTE(review): "cookie nginx" sets this server's cookie value, but no
        # cookie directive is visible in this backend, so it presumably has no effect.
        server nginx 127.0.0.1:443 ssl cookie nginx send-proxy

# Backend for requests that arrived without TLS; traffic goes to the local nginx in clear text.
backend nginx-plain
        fullconn 128
        mode http

        # abortonclose lets a close on the client side abort a request that is
        # still waiting for the server.
        option abortonclose
        option http-keep-alive

        # send-proxy: a PROXY protocol header carrying the client address is
        # sent first, so the nginx listener must expect it and should accept it
        # only from this proxy.
        # NOTE(review): "cookie nginx-plain" sets this server's cookie value,
        # but no cookie directive is visible in this backend, so it presumably
        # has no effect.
        server nginxplain 127.0.0.1:80 cookie nginx-plain send-proxy

# Sink for requests matched by the in_badstuff ACL: the backend declares no
# server, so every request routed here is answered with the 503 error file.
backend badstuff
  mode http
  errorfile 503 /etc/haproxy/errors/503.http

Greets,

Sander

Attachment: 0x2E78FBE8.asc
Description: application/pgp-keys

Attachment: signature.asc
Description: OpenPGP digital signature
