Hi,

I'm trying to convert a "legacy" haproxy (haproxy 1.9.0) config that has a
mode tcp https listen (bind-process 2 ...) feeding a bind-process 1
frontend via an abns socket. Something like this:

        listen HTTPS_in
                # missing bind-process etc.
                # TLS is terminated here; the decrypted stream is handed to
                # the HTTP frontend over an abns socket with PROXY v2 header.
                mode tcp
                tcp-request inspect-delay 3s
                bind 127.0.0.1:8443 ssl crt common.pem alpn h2,http/1.1

                #use-server h2 if { ssl_fc_alpn h2 }
                #use-server h1 unless { ssl_fc_alpn h2 }
                server h1 abns@proc1 send-proxy-v2
                #server h2 abns@proc1h2 send-proxy-v2

        frontend fe
                mode http
                bind abns@proc1 accept-proxy
                bind abns@proc1h2 accept-proxy proto h2
                tcp-request inspect-delay 5s
                tcp-request content track-sc1 src table table1

                # sc1_http_req_cnt(table1) gt 4 || 1 are just examples
                tcp-request content reject if { sc1_http_req_cnt(table1) gt 4 }
                http-request deny deny_status 429 if { sc1_http_req_cnt(table1) gt 1 }

                default_backend be

        backend be
                mode http
                http-request deny deny_status 200 # or some real servers

        backend table1
                stick-table type ipv6 size 100 expire 120s store http_req_cnt,http_req_rate(30s)

This doesn't work with alpn h2,http/1.1 (HTTP/2 doesn't work, as expected).

Changing HTTPS_in to "mode http" kind of works; the client gets error 400 (HTTP/2)
or 502 (HTTP/1.1) when tcp-request content reject rejects the connection.

mode tcp and use-server with ssl_fc_alpn h2 also seems to work, but can the
client choose not to use HTTP/2 with alpn h2 (at least the ssl_fc_alpn
documentation suggests this)?

So it seems that some/best alternatives are:
- use "mode http" and http-request deny instead of tcp-request content reject
  (sends a response instead of silently closing the connection -> no error 400/502)
- use nbproc 1 / nbthread > 1 and move the HTTPS_in functionality to the fe frontend

Are there any more alternatives/tricks for using more than 1 core for
SSL and enabling HTTP/2? Are there any gotchas etc. to look out for
when converting an nbproc config to nbthread?

Thanks,
-Jarno
 
-- 
Jarno Huuskonen

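The second alternative from the post written out as a complete configuration. This is an added example, not Jarno's config or anything from the HAProxy project: one process with several threads, TLS termination and ALPN negotiation moved directly into the HTTP frontend (no mode tcp listen, no abns hop, no send-proxy-v2/accept-proxy pair), and the limit expressed as an http-request deny so the client receives a 429 response instead of a torn-down connection. The thread count, cpu-map, timeouts, certificate path and rate threshold are assumptions.

```haproxy
global
        # One process, four threads: TLS handshakes and HTTP/2 streams are
        # spread over threads instead of over bind-process groups. The thread
        # count and CPU pinning are assumptions for a 4-core machine.
        nbthread 4
        cpu-map auto:1/1-4 0-3

defaults
        mode http
        # Timeouts are assumed values; haproxy warns if they are missing.
        timeout connect 5s
        timeout client 30s
        timeout server 30s

# TLS and HTTP/2 are handled by the HTTP frontend itself, so haproxy knows
# which protocol ALPN selected and decodes h2 or h1 accordingly.
frontend fe
        bind 127.0.0.1:8443 ssl crt common.pem alpn h2,http/1.1

        tcp-request inspect-delay 5s
        tcp-request content track-sc1 src table table1

        # Limit decision at the HTTP layer: the client gets a real 429 response
        # rather than the closed connection a tcp-request content reject causes.
        # The threshold (10 requests per 30s window) is an example value.
        http-request deny deny_status 429 if { sc1_http_req_rate(table1) gt 10 }

        default_backend be

backend be
        http-request deny deny_status 200   # placeholder for real servers

backend table1
        # With nbthread there is a single table shared by every thread.
        # Under nbproc each process kept its own copy of the table unless
        # peers were configured, so per-client counts were split across
        # processes; the threaded setup counts each source address once.
        stick-table type ipv6 size 100 expire 120s store http_req_cnt,http_req_rate(30s)
```

`haproxy -c -f <file>` validates the configuration before reloading. The shared stick table is the main behavioural change to expect when going from nbproc to nbthread: a limit that was effectively multiplied by the number of processes now applies to the single, shared count.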