Hi Willy.

On 23.01.2019 at 19:50, Willy Tarreau wrote:
> Hi Aleks,
>
> On Wed, Jan 23, 2019 at 06:58:25PM +0100, Aleksandar Lazic wrote:
>> backend be_generic_tcp
>>     mode http
>>     balance source
>>     timeout check 5s
>>     option tcp-check
>>
>>     server "${SERVICE_NAME}" ${SERVICE_DEST_IP}:${SERVICE_DEST_PORT} check inter 5s proto h2 ssl ssl-min-ver TLSv1.3 verify none
>
> You need to replace "proto h2" with "alpn h2", so that the application
> protocol is announced to the other host, otherwise it will stick to the
> default, very likely "http/1.1", while haproxy talks h2 there. This can
> explain the 502 when the other side rejected your request.
I have changed it but still no luck.

Should it be possible to have a fe with h1 and a be server with h2 (alpn h2), as I expect this or a similar return value when I go through haproxy?

I haven't seen any log option to get the backend request method; I think this should be a feature request ;-).

####
curl -vo /dev/null https://mail.google.com:443
*   Trying 172.217.21.229...
* Connected to mail.google.com (172.217.21.229) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* SSL connection using TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
* Server certificate:
*       subject: CN=mail.google.com,O=Google LLC,L=Mountain View,ST=California,C=US
*       start date: Dec 19 08:16:00 2018 GMT
*       expire date: Mar 13 08:16:00 2019 GMT
*       common name: mail.google.com
*       issuer: CN=Google Internet Authority G3,O=Google Trust Services,C=US
> GET / HTTP/1.1
> User-Agent: curl/7.29.0
> Host: mail.google.com
> Accept: */*
>
< HTTP/1.1 301 Moved Permanently
< Location: /mail/
< Expires: Wed, 23 Jan 2019 20:01:34 GMT
< Date: Wed, 23 Jan 2019 20:01:34 GMT
< Cache-Control: private, max-age=7776000
< Content-Type: text/html; charset=UTF-8
< X-Content-Type-Options: nosniff
< X-Frame-Options: SAMEORIGIN
< X-XSS-Protection: 1; mode=block
< Server: GSE
< Alt-Svc: clear
< Accept-Ranges: none
< Vary: Accept-Encoding
< Transfer-Encoding: chunked
<
{ [data not shown]
* Connection #0 to host mail.google.com left intact
####

Config is now this.
### cat /tmp/haproxy.cfg
# https://cbonte.github.io/haproxy-dconv/1.9/configuration.html#3
global
    # nodaemon
    log stdout format rfc5424 daemon "${LOGLEVEL}"
    stats socket /tmp/sock1 mode 666 level admin
    stats timeout 1h
    tune.ssl.default-dh-param 2048
    ssl-server-verify none
    nbthread "${NUM_THREADS}"

defaults
    log global
    # the format is described at
    # https://cbonte.github.io/haproxy-dconv/1.9/configuration.html#4
    # copied from
    # https://github.com/haproxytech/haproxy-docker-arm64v8/blob/master/cfg_files/haproxy.cfg
    retries 3
    timeout http-request 10s
    timeout queue 1m
    timeout connect 10s
    timeout client 1m
    timeout server 1m
    timeout http-keep-alive 10s
    timeout check 10s
    maxconn 3000
    default-server resolve-prefer ipv4 inter 5s resolvers mydns
    option http-use-htx
    option httplog
    log-format ">>> %ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r %rt %sslv %sslc"

resolvers mydns
    nameserver dns1 "${DNS_SRV001}":53
    nameserver dns2 "${DNS_SRV002}":53
    resolve_retries 3
    timeout retry 1s
    hold valid 10s

listen stats
    bind :"${STATS_PORT}"
    mode http
    # Health check monitoring uri.
    monitor-uri /healthz
    # Add your custom health check monitoring failure condition here.
    # monitor fail if <condition>
    stats enable
    stats hide-version
    stats realm Haproxy\ Statistics
    stats uri /
    stats auth "${STATS_USER}":"${STATS_PASSWORD}"

frontend public_tcp
    bind :"${SERVICE_TCP_PORT}" alpn h2,http/1.1
    mode http
    log global
    default_backend be_generic_tcp

backend be_generic_tcp
    mode http
    balance source
    timeout check 5s
    option tcp-check
    server "${SERVICE_NAME}" ${SERVICE_DEST_IP}:${SERVICE_DEST_PORT} check inter 5s alpn h2 ssl ssl-min-ver TLSv1.3 verify none

### Log of haproxy
####
<29>1 2019-01-23T20:00:30+00:00 doh-001 haproxy 1 - - Proxy stats started.
<29>1 2019-01-23T20:00:30+00:00 doh-001 haproxy 1 - - Proxy public_tcp started.
<29>1 2019-01-23T20:00:30+00:00 doh-001 haproxy 1 - - Proxy be_generic_tcp started.
[WARNING] 022/200030 (1) : be_generic_tcp/google-mail changed its IP from 172.217.21.229 to 172.217.18.165 by mydns/dns1.
<29>1 2019-01-23T20:00:30+00:00 doh-001 haproxy 1 - - be_generic_tcp/google-mail changed its IP from 172.217.21.229 to 172.217.18.165 by mydns/dns1.
00000000:public_tcp.accept(0006)=000c from [127.0.0.1:54308] ALPN=<none>
00000000:public_tcp.clireq[000c:ffffffff]: GET / HTTP/1.1
00000000:public_tcp.clihdr[000c:ffffffff]: user-agent: curl/7.29.0
00000000:public_tcp.clihdr[000c:ffffffff]: host: 127.0.0.1:8443
00000000:public_tcp.clihdr[000c:ffffffff]: accept: */*
00000000:be_generic_tcp.srvcls[000c:0021]
00000000:be_generic_tcp.clicls[000c:0021]
00000000:be_generic_tcp.closed[000c:0021]
<30>1 2019-01-23T20:00:34+00:00 doh-001 haproxy 1 - - >>> 127.0.0.1:54308 [23/Jan/2019:20:00:34.439] public_tcp be_generic_tcp/google-mail 0/0/13/-1/13 -1 145 - - SD-- 1/1/0/0/0 0/0 "GET / HTTP/1.1" 0 - -
[WARNING] 022/200040 (1) : be_generic_tcp/google-mail changed its IP from 172.217.18.165 to 172.217.18.101 by mydns/dns2.
<29>1 2019-01-23T20:00:40+00:00 doh-001 haproxy 1 - - be_generic_tcp/google-mail changed its IP from 172.217.18.165 to 172.217.18.101 by mydns/dns2.
####

> Willy

Regards
Aleks
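The log line in the message above carries the answer to "what happened on the backend side" in its termination-state field ("SD--") and its timers ("0/0/13/-1/13"), which are easy to misread when the custom log-format is unfamiliar. As an added example (not part of the thread, and not HAProxy's own tooling), here is a small Python parser for exactly the log-format configured in the mail, with the termination-state decoding taken from the HAProxy documentation. The first sample line is the one from the mail; the second is a constructed healthy request for contrast. The regex layout assumes no "capture" directives are configured, so the %hr/%hs fields are treated as optional.

```python
import re

# Constructed sample input. Line 1 is the backend log line quoted in the mail
# (with its RFC 5424 syslog header); line 2 is constructed here as a normal
# completion for comparison and does not come from the mail.
SAMPLE_LINES = [
    '<30>1 2019-01-23T20:00:34+00:00 doh-001 haproxy 1 - - >>> 127.0.0.1:54308 '
    '[23/Jan/2019:20:00:34.439] public_tcp be_generic_tcp/google-mail '
    '0/0/13/-1/13 -1 145 - - SD-- 1/1/0/0/0 0/0 "GET / HTTP/1.1" 0 - -',
    '<30>1 2019-01-23T20:05:00+00:00 doh-001 haproxy 1 - - >>> 127.0.0.1:54400 '
    '[23/Jan/2019:20:05:00.001] public_tcp be_generic_tcp/google-mail '
    '1/0/12/40/53 301 612 - - ---- 1/1/0/0/0 0/0 "GET / HTTP/1.1" 0 - -',
]

# Field order follows the log-format from the configuration in the mail:
#   >>> %ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc
#   %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r %rt %sslv %sslc
# %hr/%hs only appear when "capture" directives exist, hence optional groups.
# The syslog header is skipped by searching for the ">>> " marker.
LOG_RE = re.compile(
    r""">>>\s
    (?P<ci>\S+):(?P<cp>\d+)\s
    \[(?P<tr>[^\]]+)\]\s
    (?P<ft>\S+)\s
    (?P<b>[^/\s]+)/(?P<s>\S+)\s
    (?P<TR>-?\d+)/(?P<Tw>-?\d+)/(?P<Tc>-?\d+)/(?P<Tr>-?\d+)/(?P<Ta>-?\d+)\s
    (?P<ST>-?\d+)\s
    (?P<B>\d+)\s
    (?P<CC>\S+)\s(?P<CS>\S+)\s
    (?P<tsc>[A-Za-z-]{4})\s
    (?P<ac>\d+)/(?P<fc>\d+)/(?P<bc>\d+)/(?P<sc>\d+)/(?P<rc>\d+)\s
    (?P<sq>\d+)/(?P<bq>\d+)\s
    (?:\{(?P<hr>[^}]*)\}\s)?
    (?:\{(?P<hs>[^}]*)\}\s)?
    "(?P<r>[^"]*)"\s
    (?P<rt>\d+)\s
    (?P<sslv>\S+)\s(?P<sslc>\S+)\s*$""",
    re.VERBOSE,
)
INT_FIELDS = ("cp", "TR", "Tw", "Tc", "Tr", "Ta", "ST", "B",
              "ac", "fc", "bc", "sc", "rc", "sq", "bq", "rt")

# First character of %tsc: who/what ended the session (HAProxy docs, section 8.5).
TERM_CAUSE = {
    "-": "normal end of session",
    "C": "client aborted (TCP session closed by the client)",
    "S": "server aborted or refused the connection",
    "P": "proxy aborted the session (e.g. security check or invalid response)",
    "L": "handled locally by the proxy (redirect, stats, monitor)",
    "R": "resource exhaustion on the proxy",
    "I": "internal error in the proxy",
    "D": "server was DOWN",
    "U": "server came back UP while the session was in fail-over",
    "K": "killed by an administrator",
    "c": "client-side timeout expired",
    "s": "server-side timeout expired",
}
# Second character: which phase the session was in when it ended.
TERM_STATE = {
    "-": "normal end",
    "R": "waiting for a complete REQUEST from the client",
    "Q": "waiting in the backend QUEUE",
    "C": "CONNECTing to the server",
    "H": "waiting for response HEADERS from the server",
    "D": "in the DATA transfer phase",
    "L": "sending LAST data to the client",
    "T": "tarpitted",
}
# Characters 3 and 4 describe persistence-cookie handling and are passed through.


def parse_haproxy_line(line):
    """Parse one line of the page's custom log-format into a dict of fields."""
    m = LOG_RE.search(line)
    if m is None:
        raise ValueError("line does not match the custom log-format: %r" % line)
    rec = m.groupdict()
    for key in INT_FIELDS:
        rec[key] = int(rec[key])
    return rec


def classify(rec):
    """Coarse bucket for alerting: normal, client-side abort, server-side abort, proxy."""
    cause = rec["tsc"][0]
    if cause == "-":
        return "normal"
    if cause in "Ss":
        return "server-side abort"
    if cause in "Cc":
        return "client-side abort"
    return "proxy-side termination"


def explain(rec):
    """Human-readable reading of the termination state and timers of one record."""
    cause, state = rec["tsc"][0], rec["tsc"][1]
    parts = ["%s -> %s/%s: %s, %s" % (
        rec["ci"], rec["b"], rec["s"],
        TERM_CAUSE.get(cause, "unknown cause %r" % cause),
        TERM_STATE.get(state, "unknown state %r" % state))]
    if rec["Tr"] == -1:
        parts.append("complete response headers never seen from the server (Tr = -1)")
    if rec["ST"] == -1:
        parts.append("no HTTP status code logged (status -1)")
    parts.append("timers TR/Tw/Tc/Tr/Ta = %d/%d/%d/%d/%d ms" % (
        rec["TR"], rec["Tw"], rec["Tc"], rec["Tr"], rec["Ta"]))
    return "; ".join(parts)


if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        record = parse_haproxy_line(sample)
        print("[%s] %s" % (classify(record), explain(record)))
```

Running it against the line from the mail reports a server-side abort in the DATA phase with no response headers ever seen (Tr = -1) and no status logged, which is the kind of record worth alerting on after a backend protocol or TLS change; the constructed second line classifies as normal.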