Am 24.10.2018 um 09:18 schrieb Igor Cicimov: > > > On Wed, 24 Oct 2018 5:06 pm Aleksandar Lazic <[email protected] > <mailto:[email protected]>> wrote: > > Hi. > > Am 24.10.2018 um 03:02 schrieb Igor Cicimov: > > On Wed, Oct 24, 2018 at 9:16 AM James Brown <[email protected] > <mailto:[email protected]>> wrote: > >> > >> I tested enabling HTTP/2 on the frontend for some of our sites today > and > immediately started getting a flurry of failures. Browsers (at least > Chrome) > showed a lot of SPDY protocol errors and the HAProxy logs had a lot of > lines > ending in > >> > >> https_domain_redacted/<NOSRV> -1/-1/-1/-1/100 400 187 - - PR-- > 49/2/0/0/0 0/0 > >> > > > > Possible reasons: > > > > 1. You don't have openssl v1.0.2 installed (assuming you use openssl) > > on a server(s) > > 2. You have changed your config for h2 suport but your server(s) is > > still running haproxy 1.7 (i.e. hasn't been restarted after upgrade > > and still using the old 1.7 binary instead 1.8) > > That's one of the reason why we need to know the exact version. > > James can you post the output of `haproxy -vv` and some more information > about > your setup. > > > This can return the correct version but it still does not mean the runnig > process is actually using it (has not been restarted after upgrade).
Full Ack. That's the reason why we need some more information's about the setup ;-) > Regards > Aleks > > >> There were no useful or interesting errors logged to syslog. No sign of > any resources being exhausted (conntrack seems fine, etc). The times > varied > but Ta was always low (usually around 100ms). I have not been able to > reproduce this issue in a staging environment, so it may be something > "real > browsers" do that doesn't show up with h2load et al. > >> > >> Turning off HTTP/2 (setting "alpn http/1.1") completely solves the > problem. > >> > >> The following timeouts are set on all of the affected frontends: > >> > >> retries 3 > >> timeout client 9s > >> timeout connect 3s > >> timeout http-keep-alive 5m > >> tcp-request inspect-delay 4s > >> option http-server-close > >> > >> Additionally, we set maxconn to a very high value (20480). > >> > >> Backends generally have timeout server set to a largeish value (90-300 > seconds, depending on the backend). > >> > >> Anything jump out at anyone? > >> -- > >> James Brown > >> Systems & Network Engineer > >> EasyPost > > >
