Hi Willy.
On 23.01.2019 at 19:50, Willy Tarreau wrote:
> Hi Aleks,
>
> On Wed, Jan 23, 2019 at 06:58:25PM +0100, Aleksandar Lazic wrote:
>> backend be_generic_tcp
>> mode http
>> balance source
>> timeout check 5s
>> option tcp-check
>>
>> server "${SERVICE_NAME}" ${SERVICE_DEST_IP}:${SERVICE_DEST_PORT} check
>> inter 5s proto h2 ssl ssl-min-ver TLSv1.3 verify none
>
> You need to replace "proto h2" with "alpn h2", so that the application
> protocol is announced to the other host, otherwise it will stick to the
> default, very likely "http/1.1", while haproxy talks h2 there. This can
> explain the 502 when the other side rejected your request.
I have changed it, but still no luck.
Should it be possible to have a fe with h1 and a be server with h2 (alpn h2)? I expect
this or a similar return value when I go through haproxy:
I haven't seen any log option to get the backend request method; I think this
should be a feature request ;-).
####
curl -vo /dev/null https://mail.google.com:443
* Trying 172.217.21.229...
* Connected to mail.google.com (172.217.21.229) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* SSL connection using TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
* Server certificate:
* subject: CN=mail.google.com,O=Google LLC,L=Mountain View,ST=California,C=US
* start date: Dec 19 08:16:00 2018 GMT
* expire date: Mar 13 08:16:00 2019 GMT
* common name: mail.google.com
* issuer: CN=Google Internet Authority G3,O=Google Trust Services,C=US
> GET / HTTP/1.1
> User-Agent: curl/7.29.0
> Host: mail.google.com
> Accept: */*
>
< HTTP/1.1 301 Moved Permanently
< Location: /mail/
< Expires: Wed, 23 Jan 2019 20:01:34 GMT
< Date: Wed, 23 Jan 2019 20:01:34 GMT
< Cache-Control: private, max-age=7776000
< Content-Type: text/html; charset=UTF-8
< X-Content-Type-Options: nosniff
< X-Frame-Options: SAMEORIGIN
< X-XSS-Protection: 1; mode=block
< Server: GSE
< Alt-Svc: clear
< Accept-Ranges: none
< Vary: Accept-Encoding
< Transfer-Encoding: chunked
<
{ [data not shown]
* Connection #0 to host mail.google.com left intact
####
The config is now this:
###
cat /tmp/haproxy.cfg
# https://cbonte.github.io/haproxy-dconv/1.9/configuration.html#3
global
    # nodaemon
    log stdout format rfc5424 daemon "${LOGLEVEL}"
    stats socket /tmp/sock1 mode 666 level admin
    stats timeout 1h
    tune.ssl.default-dh-param 2048
    ssl-server-verify none
    nbthread "${NUM_THREADS}"

defaults
    log global
    # the format is described at
    # https://cbonte.github.io/haproxy-dconv/1.9/configuration.html#4
    # copied from
    # https://github.com/haproxytech/haproxy-docker-arm64v8/blob/master/cfg_files/haproxy.cfg
    retries 3
    timeout http-request 10s
    timeout queue 1m
    timeout connect 10s
    timeout client 1m
    timeout server 1m
    timeout http-keep-alive 10s
    timeout check 10s
    maxconn 3000
    default-server resolve-prefer ipv4 inter 5s resolvers mydns
    option http-use-htx
    option httplog
    log-format ">>> %ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r %rt %sslv %sslc"

resolvers mydns
    nameserver dns1 "${DNS_SRV001}":53
    nameserver dns2 "${DNS_SRV002}":53
    resolve_retries 3
    timeout retry 1s
    hold valid 10s

listen stats
    bind :"${STATS_PORT}"
    mode http
    # Health check monitoring uri.
    monitor-uri /healthz
    # Add your custom health check monitoring failure condition here.
    # monitor fail if <condition>
    stats enable
    stats hide-version
    stats realm Haproxy\ Statistics
    stats uri /
    stats auth "${STATS_USER}":"${STATS_PASSWORD}"

frontend public_tcp
    bind :"${SERVICE_TCP_PORT}" alpn h2,http/1.1
    mode http
    log global
    default_backend be_generic_tcp

backend be_generic_tcp
    mode http
    balance source
    timeout check 5s
    option tcp-check
    server "${SERVICE_NAME}" ${SERVICE_DEST_IP}:${SERVICE_DEST_PORT} check inter 5s alpn h2 ssl ssl-min-ver TLSv1.3 verify none
###
Log of haproxy:
####
<29>1 2019-01-23T20:00:30+00:00 doh-001 haproxy 1 - - Proxy stats started.
<29>1 2019-01-23T20:00:30+00:00 doh-001 haproxy 1 - - Proxy public_tcp started.
<29>1 2019-01-23T20:00:30+00:00 doh-001 haproxy 1 - - Proxy be_generic_tcp started.
[WARNING] 022/200030 (1) : be_generic_tcp/google-mail changed its IP from 172.217.21.229 to 172.217.18.165 by mydns/dns1.
<29>1 2019-01-23T20:00:30+00:00 doh-001 haproxy 1 - - be_generic_tcp/google-mail changed its IP from 172.217.21.229 to 172.217.18.165 by mydns/dns1.
00000000:public_tcp.accept(0006)=000c from [127.0.0.1:54308] ALPN=<none>
00000000:public_tcp.clireq[000c:ffffffff]: GET / HTTP/1.1
00000000:public_tcp.clihdr[000c:ffffffff]: user-agent: curl/7.29.0
00000000:public_tcp.clihdr[000c:ffffffff]: host: 127.0.0.1:8443
00000000:public_tcp.clihdr[000c:ffffffff]: accept: */*
00000000:be_generic_tcp.srvcls[000c:0021]
00000000:be_generic_tcp.clicls[000c:0021]
00000000:be_generic_tcp.closed[000c:0021]
<30>1 2019-01-23T20:00:34+00:00 doh-001 haproxy 1 - - >>> 127.0.0.1:54308 [23/Jan/2019:20:00:34.439] public_tcp be_generic_tcp/google-mail 0/0/13/-1/13 -1 145 - - SD-- 1/1/0/0/0 0/0 "GET / HTTP/1.1" 0 - -
[WARNING] 022/200040 (1) : be_generic_tcp/google-mail changed its IP from 172.217.18.165 to 172.217.18.101 by mydns/dns2.
<29>1 2019-01-23T20:00:40+00:00 doh-001 haproxy 1 - - be_generic_tcp/google-mail changed its IP from 172.217.18.165 to 172.217.18.101 by mydns/dns2.
####
> Willy
Regards
Aleks
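As an added example (not from the thread), here is a small parser for the custom log-format in the config above that turns the failed request's log line (termination state SD--, Tr=-1, status -1) into a readable diagnosis; the termination-code meanings follow the HAProxy docs and the second, healthy sample line is constructed.

```python
import re
from typing import Optional

# Regex for the custom log-format in the config above. Assumption: no headers
# are captured, so %hr/%hs are empty and omitted, as in the log line quoted.
LOG_RE = re.compile(
    r'>>> (?P<ci>\S+):(?P<cp>\d+) \[(?P<tr>[^\]]+)\] (?P<ft>\S+) (?P<b>[^/ ]+)/(?P<s>\S+) '
    r'(?P<TR>-?\d+)/(?P<Tw>-?\d+)/(?P<Tc>-?\d+)/(?P<Tr>-?\d+)/(?P<Ta>-?\d+) '
    r'(?P<ST>-?\d+) (?P<B>\d+) (?P<CC>\S+) (?P<CS>\S+) (?P<tsc>\S{4}) '
    r'(?P<ac>\d+)/(?P<fc>\d+)/(?P<bc>\d+)/(?P<sc>\d+)/(?P<rc>\d+) (?P<sq>\d+)/(?P<bq>\d+) '
    r'(?:(?P<hr>\{[^}]*\}) )?(?:(?P<hs>\{[^}]*\}) )?"(?P<r>[^"]*)" '
    r'(?P<rt>\S+) (?P<sslv>\S+) (?P<sslc>\S+)$'
)
# Meaning of the two session-state characters of %tsc (HAProxy docs, section 8.5).
ENDED_BY = {"-": "normal completion", "C": "client abort", "c": "client-side timeout",
            "S": "server abort or refusal (e.g. RST from the server)",
            "s": "server-side timeout", "P": "proxy abort (protocol or security check)",
            "L": "handled locally by haproxy", "R": "proxy resource exhausted",
            "I": "internal error", "D": "server went DOWN", "U": "server came UP", "K": "killed by an admin"}
PHASE = {"-": "complete", "R": "waiting for the client request", "Q": "queued", "C": "connecting to the server",
         "H": "waiting for response headers", "D": "data transfer", "L": "sending last data", "T": "tarpit"}
# The failing line from the log above (syslog prefix kept, wrapped lines rejoined)
# and a constructed healthy line for comparison.
FAILED = ('<30>1 2019-01-23T20:00:34+00:00 doh-001 haproxy 1 - - >>> 127.0.0.1:54308 '
          '[23/Jan/2019:20:00:34.439] public_tcp be_generic_tcp/google-mail 0/0/13/-1/13 '
          '-1 145 - - SD-- 1/1/0/0/0 0/0 "GET / HTTP/1.1" 0 - -')
HEALTHY = ('>>> 10.0.0.5:40000 [23/Jan/2019:20:05:01.000] public_tcp be_generic_tcp/google-mail '
           '1/0/12/35/48 301 512 - - ---- 1/1/0/0/0 0/0 "GET / HTTP/1.1" 0 - -')

def parse_line(line: str) -> Optional[dict]:
    """Return the log-format fields as a dict (timers/status as ints), or None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    for k in ("TR", "Tw", "Tc", "Tr", "Ta", "ST", "B"):
        d[k] = int(d[k])
    return d

def diagnose(line: str) -> Optional[str]:
    """Explain why a request failed, 'ok' if it did not, None if unparsable."""
    d = parse_line(line)
    if d is None:
        return None
    ended, phase = d["tsc"][0], d["tsc"][1]
    findings = []
    if (ended, phase) != ("-", "-"):
        findings.append(f"{ENDED_BY.get(ended, ended)} during {PHASE.get(phase, phase)}")
    if d["Tr"] == -1 and d["ST"] == -1:  # server never sent response headers
        findings.append("no response headers ever arrived from the server (Tr=-1, status=-1)")
    return "ok" if not findings else f"{d['b']}/{d['s']} {d['r']}: " + "; ".join(findings)
```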