Hi.

On 24.10.2018 at 03:02, Igor Cicimov wrote:
> On Wed, Oct 24, 2018 at 9:16 AM James Brown <[email protected]> wrote:
>>
>> I tested enabling HTTP/2 on the frontend for some of our sites today and
>> immediately started getting a flurry of failures. Browsers (at least Chrome)
>> showed a lot of SPDY protocol errors and the HAProxy logs had a lot of lines
>> ending in
>>
>> https_domain_redacted/<NOSRV> -1/-1/-1/-1/100 400 187 - - PR-- 49/2/0/0/0 0/0
>>
>
> Possible reasons:
>
> 1. You don't have openssl v1.0.2 installed (assuming you use openssl)
> on a server(s)
> 2. You have changed your config for h2 support but your server(s) is
> still running haproxy 1.7 (i.e. hasn't been restarted after upgrade
> and still using the old 1.7 binary instead of 1.8)

That's one of the reasons why we need to know the exact version.

James, can you post the output of `haproxy -vv` and some more information about your setup?

Regards
Aleks

>> There were no useful or interesting errors logged to syslog. No sign of any
>> resources being exhausted (conntrack seems fine, etc). The times varied but
>> Ta was always low (usually around 100ms). I have not been able to reproduce
>> this issue in a staging environment, so it may be something "real browsers"
>> do that doesn't show up with h2load et al.
>>
>> Turning off HTTP/2 (setting "alpn http/1.1") completely solves the problem.
>>
>> The following timeouts are set on all of the affected frontends:
>>
>> retries 3
>> timeout client 9s
>> timeout connect 3s
>> timeout http-keep-alive 5m
>> tcp-request inspect-delay 4s
>> option http-server-close
>>
>> Additionally, we set maxconn to a very high value (20480).
>>
>> Backends generally have timeout server set to a largeish value (90-300
>> seconds, depending on the backend).
>>
>> Anything jump out at anyone?
>> --
>> James Brown
>> Systems & Network Engineer
>> EasyPost
>
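An added example, not part of the thread and not HAProxy project code: a Python triage script that parses the log tail quoted in the original post and counts sessions that the proxy itself answered with a 400 before any server was chosen (`PR--` with `<NOSRV>`). It assumes the five-timer `TR/Tw/Tc/Tr/Ta` HTTP log format; the names `fe_example` and `be_app/app1` and every sample line except the first are constructed.

```python
import re
from collections import Counter

# Tail of an HAProxy HTTP-format log line (assumed layout):
#   backend/server TR/Tw/Tc/Tr/Ta status bytes req_cookie res_cookie
#   term_state actconn/feconn/beconn/srv_conn/retries srv_queue/backend_queue
TAIL = re.compile(
    r"(?P<backend>\S+)/(?P<server>\S+) "
    r"(?P<timers>[+-]?\d+(?:/[+-]?\d+){4}) "
    r"(?P<status>-1|\d{3}) (?P<bytes>\+?\d+) \S+ \S+ "
    r"(?P<term>[A-Za-z-]{4}) "
    r"\d+/\d+/\d+/\d+/\+?\d+ \d+/\d+"
)

def parse_tail(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = TAIL.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    names = ("TR", "Tw", "Tc", "Tr", "Ta")
    rec["timers"] = dict(zip(names, map(int, rec["timers"].split("/"))))
    rec["status"] = int(rec["status"])
    return rec

def is_proxy_rejected(rec):
    # 'P': session ended by the proxy; 'R': it was still waiting for a complete,
    # valid request. With status 400 and <NOSRV>, no server ever saw the request.
    return (rec["term"].startswith("PR") and rec["status"] == 400
            and rec["server"] == "<NOSRV>")

def count_rejections(lines):
    """Count proxy-generated 400s per name in the backend position."""
    hits = Counter()
    for line in lines:
        rec = parse_tail(line)
        if rec and is_proxy_rejected(rec):
            hits[rec["backend"]] += 1
    return hits

# First line is the fragment quoted in the thread; the others are constructed.
SAMPLE = [
    "https_domain_redacted/<NOSRV> -1/-1/-1/-1/100 400 187 - - PR-- 49/2/0/0/0 0/0",
    "fe_example/<NOSRV> -1/-1/-1/-1/87 400 187 - - PR-- 51/3/0/0/0 0/0",
    "be_app/app1 0/0/1/12/13 200 5123 - - ---- 50/3/1/1/0 0/0",
    "fe_example/<NOSRV> 3/-1/-1/-1/3 403 188 - - PR-- 50/3/0/0/0 0/0",
    "not a log line",
]

if __name__ == "__main__":
    for name, n in count_rejections(SAMPLE).most_common():
        print(f"{name}: {n} request(s) rejected with 400 before routing")
```

Grouping the counts by time window and comparing them before and after an ALPN change shows whether the 400s track the HTTP/2 rollout.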

