Hi. Am 26.10.2018 um 19:11 schrieb James Brown: > Y'all are quite right: one of the machines inverted the order of restarting > with > the new config and updating the package and was advertising the h2 ALPN with > HAProxy 1.7.11. > > Sorry to take up so much time with a silly question.
No probs. Finally you fixed it. > Cheers! Regards Aleks > On Wed, Oct 24, 2018 at 12:21 AM Aleksandar Lazic <[email protected] > <mailto:[email protected]>> wrote: > > Am 24.10.2018 um 09:18 schrieb Igor Cicimov: > > > > > > On Wed, 24 Oct 2018 5:06 pm Aleksandar Lazic <[email protected] > <mailto:[email protected]> > > <mailto:[email protected] <mailto:[email protected]>>> wrote: > > > > Hi. > > > > Am 24.10.2018 um 03:02 schrieb Igor Cicimov: > > > On Wed, Oct 24, 2018 at 9:16 AM James Brown <[email protected] > <mailto:[email protected]> > > <mailto:[email protected] <mailto:[email protected]>>> wrote: > > >> > > >> I tested enabling HTTP/2 on the frontend for some of our sites > today and > > immediately started getting a flurry of failures. Browsers (at least > Chrome) > > showed a lot of SPDY protocol errors and the HAProxy logs had a lot > of > lines > > ending in > > >> > > >> https_domain_redacted/<NOSRV> -1/-1/-1/-1/100 400 187 - - PR-- > 49/2/0/0/0 0/0 > > >> > > > > > > Possible reasons: > > > > > > 1. You don't have openssl v1.0.2 installed (assuming you use > openssl) > > > on a server(s) > > > 2. You have changed your config for h2 suport but your server(s) > is > > > still running haproxy 1.7 (i.e. hasn't been restarted after > upgrade > > > and still using the old 1.7 binary instead 1.8) > > > > That's one of the reason why we need to know the exact version. > > > > James can you post the output of `haproxy -vv` and some more > information about > > your setup. > > > > > > This can return the correct version but it still does not mean the > runnig > > process is actually using it (has not been restarted after upgrade). > > Full Ack. That's the reason why we need some more information's about the > setup ;-) > > > Regards > > Aleks > > > > >> There were no useful or interesting errors logged to syslog. No > sign of > > any resources being exhausted (conntrack seems fine, etc). The times > varied > > but Ta was always low (usually around 100ms). I have not been able > to > > reproduce this issue in a staging environment, so it may be > something > "real > > browsers" do that doesn't show up with h2load et al. > > >> > > >> Turning off HTTP/2 (setting "alpn http/1.1") completely solves > the > problem. > > >> > > >> The following timeouts are set on all of the affected frontends: > > >> > > >> retries 3 > > >> timeout client 9s > > >> timeout connect 3s > > >> timeout http-keep-alive 5m > > >> tcp-request inspect-delay 4s > > >> option http-server-close > > >> > > >> Additionally, we set maxconn to a very high value (20480). > > >> > > >> Backends generally have timeout server set to a largeish value > (90-300 > > seconds, depending on the backend). > > >> > > >> Anything jump out at anyone? > > >> -- > > >> James Brown > > >> Systems & Network Engineer > > >> EasyPost > > > > > > > > > -- > James Brown > Engineer
