Hi.

After some tricky stuff with centos I switched to debian as base image and was 
now able to build haproxy with boringssl.

####
/usr/local/sbin/haproxy -vv
HA-Proxy version 1.9.2 2019/01/16 - https://haproxy.org/
Build options :
  TARGET  = linux2628
  CPU     = generic
  CC      = gcc
  CFLAGS  = -O2 -g -fno-strict-aliasing -Wdeclaration-after-statement -fwrapv -Wno-unused-label -Wno-sign-compare -Wno-unused-parameter -Wno-old-style-declaration -Wno-ignored-qualifiers -Wno-clobbered -Wno-missing-field-initializers -Wtype-limits -Wshift-negative-value -Wshift-overflow=2 -Wduplicated-cond -Wnull-dereference
  OPTIONS = USE_LINUX_SPLICE=1 USE_GETADDRINFO=1 USE_ZLIB=1 USE_REGPARM=1 USE_THREAD=1 USE_OPENSSL=1 USE_LUA=1 USE_PCRE2=1 USE_PCRE2_JIT=1 USE_TFO=1

Default settings :
  maxconn = 2000, bufsize = 16384, maxrewrite = 1024, maxpollevents = 200

Built with OpenSSL version : BoringSSL
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : TLSv1.0 TLSv1.1 TLSv1.2 TLSv1.3
Built with Lua version : Lua 5.3.5
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND
Built with zlib version : 1.2.8
Running on zlib version : 1.2.8
Compression algorithms supported : identity("identity"), deflate("deflate"), raw-deflate("deflate"), gzip("gzip")
Built with PCRE2 version : 10.22 2016-07-29
PCRE2 library supports JIT : yes
Encrypted password support via crypt(3): yes
Built with multi-threading support.

Available polling systems :
      epoll : pref=300,  test result OK
       poll : pref=200,  test result OK
     select : pref=150,  test result OK
Total: 3 (3 usable), will use epoll.

Available multiplexer protocols :
(protocols marked as <default> cannot be specified using 'proto' keyword)
              h2 : mode=HTX        side=FE|BE
              h2 : mode=HTTP       side=FE
       <default> : mode=HTX        side=FE|BE
       <default> : mode=TCP|HTTP   side=FE|BE

Available filters :
        [SPOE] spoe
        [COMP] compression
        [CACHE] cache
        [TRACE] trace
####

Now I want to try to make the request to mail.google.com with this config and 
runtime.

###
cat /tmp/haproxy.cfg
# https://cbonte.github.io/haproxy-dconv/1.9/configuration.html#3
global
  # nodaemon

  log stdout format rfc5424 daemon "${LOGLEVEL}"

  stats socket /tmp/sock1 mode 666 level admin
  stats timeout 1h
  tune.ssl.default-dh-param 2048
  ssl-server-verify none

  nbthread "${NUM_THREADS}"


defaults
  log global

# the format is described at
# https://cbonte.github.io/haproxy-dconv/1.9/configuration.html#4

# copied from
# https://github.com/haproxytech/haproxy-docker-arm64v8/blob/master/cfg_files/haproxy.cfg
  retries                 3
  timeout http-request    10s
  timeout queue           1m
  timeout connect         10s
  timeout client          1m
  timeout server          1m
  timeout http-keep-alive 10s
  timeout check           10s
  maxconn 3000

  default-server resolve-prefer ipv4 inter 5s resolvers mydns
  option http-use-htx

resolvers mydns
  nameserver dns1 "${DNS_SRV001}":53
  nameserver dns2 "${DNS_SRV002}":53
  resolve_retries       3
  timeout retry         1s
  hold valid           10s

listen stats
    bind :"${STATS_PORT}"
    mode http
    # Health check monitoring uri.
    monitor-uri /healthz

    # Add your custom health check monitoring failure condition here.
    # monitor fail if <condition>
    stats enable
    stats hide-version
    stats realm Haproxy\ Statistics
    stats uri /
    stats auth "${STATS_USER}":"${STATS_PASSWORD}"

frontend public_tcp
  bind :"${SERVICE_TCP_PORT}"

  mode http
  option httplog
  log global

  default_backend be_generic_tcp


backend be_generic_tcp
  mode http
  balance source
  timeout check 5s
  option tcp-check

  server "${SERVICE_NAME}" ${SERVICE_DEST_IP}:${SERVICE_DEST_PORT} check inter 5s proto h2 ssl ssl-min-ver TLSv1.3 verify none
###

Test with curl
###
curl -v http://127.0.0.1:8443
* About to connect() to 127.0.0.1 port 8443 (#0)
*   Trying 127.0.0.1...
* Connected to 127.0.0.1 (127.0.0.1) port 8443 (#0)
> GET / HTTP/1.1
> User-Agent: curl/7.29.0
> Host: 127.0.0.1:8443
> Accept: */*
>
* HTTP 1.0, assume close after body
< HTTP/1.0 502 Bad Gateway
< cache-control: no-cache
< content-type: text/html
<
<html><body><h1>502 Bad Gateway</h1>
The server returned an invalid or incomplete response.
</body></html>
* Closing connection 0
###

#### podman.io instead of docker
podman run --rm -it -e LOGLEVEL=debug -e NUM_THREADS=8 -e DNS_SRV001=1.1.1.1 -e DNS_SRV002=8.8.8.8 \
           -e STATS_PORT=7411 -e STATS_USER=test -e STATS_PASSWORD=test -e SERVICE_TCP_PORT=8443 \
           -e SERVICE_NAME=google-mail -e SERVICE_DEST_IP=mail.google.com -e SERVICE_DEST_PORT=443 \
           -e CONFIG_FILE=/mnt/haproxy.cfg -v /tmp/:/mnt/ -p 8443 --expose 8443 --net host \
        me2digital/haproxy-19-boringssl

using CONFIG_FILE   :/mnt/haproxy.cfg
<29>1 2019-01-23T17:50:45+00:00 doh-001 haproxy 1 - - Proxy stats started.
<29>1 2019-01-23T17:50:45+00:00 doh-001 haproxy 1 - - Proxy public_tcp started.
<29>1 2019-01-23T17:50:45+00:00 doh-001 haproxy 1 - - Proxy be_generic_tcp started.
[WARNING] 022/175045 (1) : be_generic_tcp/google-mail changed its IP from 172.217.21.229 to 216.58.207.69 by mydns/dns1.
<29>1 2019-01-23T17:50:45+00:00 doh-001 haproxy 1 - - be_generic_tcp/google-mail changed its IP from 172.217.21.229 to 216.58.207.69 by mydns/dns1.
<30>1 2019-01-23T17:50:50+00:00 doh-001 haproxy 1 - - 127.0.0.1:54178 [23/Jan/2019:17:50:50.727] public_tcp public_tcp/<NOSRV> -1/-1/-1/-1/0 0 0 - - PR-- 1/1/0/0/0 0/0 "<BADREQ>"
<30>1 2019-01-23T17:50:50+00:00 doh-001 haproxy 1 - - 127.0.0.1:54178 [23/Jan/2019:17:50:50.715] public_tcp be_generic_tcp/google-mail 0/0/13/-1/13 502 208 - - SH-- 1/1/0/0/0 0/0 "GET / HTTP/1.1"
####

I thought that haproxy translates the HTTP/1.1 call to an HTTP/2 call; is this a 
proper assumption?
What's my mistake?

Thanks for help

Regards
Aleks

On 22.01.2019 at 19:38, Aleksandar Lazic wrote:
> Hi.
> 
> I have now built haproxy with boringssl and it looks quite good.
> 
> Is it the recommended way to simply make a git clone without any branch or 
> tag?
> Does anyone know how the KeyUpdate can be tested?
> 
> ###
> HA-Proxy version 1.9.2 2019/01/16 - https://haproxy.org/
> Build options :
>   TARGET  = linux2628
>   CPU     = generic
>   CC      = gcc
>   CFLAGS  = -O2 -g -fno-strict-aliasing -Wdeclaration-after-statement -fwrapv
> -Wno-unused-label -Wno-sign-compare -Wno-unused-parameter
> -Wno-old-style-declaration -Wno-ignored-qualifiers -Wno-clobbered
> -Wno-missing-field-initializers -Wtype-limits -Wshift-negative-value
> -Wshift-overflow=2 -Wduplicated-cond -Wnull-dereference
>   OPTIONS = USE_LINUX_SPLICE=1 USE_GETADDRINFO=1 USE_ZLIB=1 USE_REGPARM=1
> USE_THREAD=1 USE_OPENSSL=1 USE_LUA=1 USE_PCRE2=1 USE_PCRE2_JIT=1 USE_TFO=1
> 
> Default settings :
>   maxconn = 2000, bufsize = 16384, maxrewrite = 1024, maxpollevents = 200
> 
> Built with OpenSSL version : BoringSSL
> OpenSSL library supports TLS extensions : yes
> OpenSSL library supports SNI : yes
> OpenSSL library supports : TLSv1.0 TLSv1.1 TLSv1.2 TLSv1.3
> Built with Lua version : Lua 5.3.5
> Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT
> IP_FREEBIND
> Built with zlib version : 1.2.11
> Running on zlib version : 1.2.11
> Compression algorithms supported : identity("identity"), deflate("deflate"),
> raw-deflate("deflate"), gzip("gzip")
> Built with PCRE2 version : 10.31 2018-02-12
> PCRE2 library supports JIT : yes
> Encrypted password support via crypt(3): yes
> Built with multi-threading support.
> 
> Available polling systems :
>       epoll : pref=300,  test result OK
>        poll : pref=200,  test result OK
>      select : pref=150,  test result OK
> Total: 3 (3 usable), will use epoll.
> 
> Available multiplexer protocols :
> (protocols marked as <default> cannot be specified using 'proto' keyword)
>               h2 : mode=HTX        side=FE|BE
>               h2 : mode=HTTP       side=FE
>        <default> : mode=HTX        side=FE|BE
>        <default> : mode=TCP|HTTP   side=FE|BE
> 
> Available filters :
>       [SPOE] spoe
>       [COMP] compression
>       [CACHE] cache
>       [TRACE] trace
> ###
> 
> I also wanted to run the reg-tests but they fail.
> 
> https://gitlab.com/aleks001/haproxy-19-boringssl/-/jobs/149523589
> 
> -----
> ...
> + cd /usr/src/haproxy
> + VTEST_PROGRAM=/usr/src/VTest/vtest HAPROXY_PROGRAM=/usr/local/sbin/haproxy
> make reg-tests
> ...
> ########################## Starting vtest ##########################
> Testing with haproxy version: 1.9.2
> #    top  TEST ./reg-tests/http-rules/h00002.vtc FAILED (0.856) exit=2
> #    top  TEST ./reg-tests/mailers/k_healthcheckmail.vtc FAILED (7.742) exit=2
> #    top  TEST ./reg-tests/log/b00000.vtc TIMED OUT (kill -9)
> #    top  TEST ./reg-tests/log/b00000.vtc FAILED (10.008) signal=9
> #    top  TEST ./reg-tests/http-messaging/h00002.vtc FAILED (0.745) exit=2
> 4 tests failed, 0 tests skipped, 29 tests passed
> ########################## Gathering results ##########################
> ###### Test case: ./reg-tests/log/b00000.vtc ######
> ## test results in: 
> "/tmp/haregtests-2019-01-22_18-28-24.aBghMD/vtc.3398.357fd753"
> ###### Test case: ./reg-tests/mailers/k_healthcheckmail.vtc ######
> ## test results in: 
> "/tmp/haregtests-2019-01-22_18-28-24.aBghMD/vtc.3398.477fdc0b"
> ---- c2    7.0 EXPECT resp.http.mailsreceived (11) == "16" failed
> ###### Test case: ./reg-tests/http-messaging/h00002.vtc ######
> ## test results in: 
> "/tmp/haregtests-2019-01-22_18-28-24.aBghMD/vtc.3398.7aab2925"
> ---- c1h2  0.0 Wrong frame type HEADERS (1) wanted WINDOW_UPDATE
> ###### Test case: ./reg-tests/http-rules/h00002.vtc ######
> ## test results in: 
> "/tmp/haregtests-2019-01-22_18-28-24.aBghMD/vtc.3398.76167f9e"
> ---- s1    0.0 EXPECT req.http.test3maskff (2001:db8:c001:c01a::ffff:10:0) ==
> "2001:db8:c001:c01a:0:ffff:10:0" failed
> make: *** [Makefile:1102: reg-tests] Error 1
> -----
> ###
> 
> Has anyone tried to run the tests in a containerized environment?
> 
> Regards
> Aleks
> 
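
Added example, not part of the original message and not HAProxy code: a small parser for the two `option httplog` access-log lines shown in the message, naming the timers and decoding the first two termination-state characters. The sample lines are constructed from those log entries (syslog prefix stripped, mail wrapping undone); the lookup tables are a subset of the ones in the HAProxy documentation.

```python
import re

# Constructed from the two access-log lines in the message above.
SAMPLE_LINES = [
    '127.0.0.1:54178 [23/Jan/2019:17:50:50.727] public_tcp public_tcp/<NOSRV> '
    '-1/-1/-1/-1/0 0 0 - - PR-- 1/1/0/0/0 0/0 "<BADREQ>"',
    '127.0.0.1:54178 [23/Jan/2019:17:50:50.715] public_tcp '
    'be_generic_tcp/google-mail 0/0/13/-1/13 502 208 - - SH-- 1/1/0/0/0 0/0 '
    '"GET / HTTP/1.1"',
]

# Default HTTP log format: client [date] frontend backend/server
# TR/Tw/Tc/Tr/Ta status bytes cookies(2) termination counters(2) "request"
HTTPLOG = re.compile(
    r'(?P<client>\S+) \[(?P<ts>[^\]]+)\] (?P<frontend>\S+) '
    r'(?P<backend>[^/\s]+)/(?P<server>\S+) '
    r'(?P<timers>-?\d+/-?\d+/-?\d+/-?\d+/\+?-?\d+) '
    r'(?P<status>-?\d+) (?P<bytes>\+?\d+) \S+ \S+ (?P<term>\S{4}) '
    r'\S+ \S+ "(?P<request>[^"]*)"'
)

# First character: what ended the session (subset).
CAUSE = {'-': 'normal end', 'C': 'client aborted the session',
         'S': 'server aborted or refused the session',
         'P': 'proxy aborted the session'}
# Second character: what the proxy was doing at that moment (subset).
STATE = {'-': 'normal completion',
         'R': 'waiting for a complete, valid request from the client',
         'C': 'waiting for the connection to the server to establish',
         'H': 'waiting for complete, valid response headers from the server',
         'D': 'transferring data'}

def parse(line):
    """Return the named fields of one httplog line, or None if it does not match."""
    m = HTTPLOG.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec['status'] = int(rec['status'])
    # A timer of -1 means that phase was never completed.
    rec['timers'] = dict(zip(('TR', 'Tw', 'Tc', 'Tr', 'Ta'),
                             (int(t) for t in rec['timers'].split('/'))))
    return rec

def explain(line):
    """One-line reading of the status and termination state."""
    rec = parse(line)
    cause = CAUSE.get(rec['term'][0], 'other cause, see the HAProxy docs')
    state = STATE.get(rec['term'][1], 'other state, see the HAProxy docs')
    return f"{rec['status']} {rec['term']}: {cause}; {state}"

if __name__ == '__main__':
    for sample in SAMPLE_LINES:
        print(explain(sample))
```

For the 502 line the connect timer `Tc` is 13 ms while `Tr` is -1, so the connection to the server was established but no complete response headers were received before it ended.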

