Thanks for your precious answer, I might have an idea. The default H2 max-frame-size is 16kB (by the spec). It is possible that your server ignores the setting and tries to push a frame size that is larger than the agreed limit, which becomes a protocol violation.
For information, we use IIS10 on windows2016 for the backend server. And Jarno reproduce the same problem with his go http server implementation. Or it is possible as well that the server doesn't know how to send such a large header with this frame size and simply aborts the response. We have dump the exchange beetween haproxy and the backend. The response seems not to be aborted by the backend. We are installing h2c to investigate. Regards, Steve ________________________________ De : Willy Tarreau <[email protected]> Envoyé : jeudi 7 février 2019 17:03 À : Jarno Huuskonen; Steve GIRAUD; [email protected] Objet : Re: HAProxy returns a 502 error when ssl offload and response has a large header Hi, On Thu, Feb 07, 2019 at 04:50:12PM +0200, Jarno Huuskonen wrote: > Hi, > > On Thu, Feb 07, Steve GIRAUD wrote: > > Thanks Jarno for the investigation. > > No problem. > > > The large header is only on response and there is only one large header > > (18k). > > > > haproxy + ssl + http2 + tune.bufsize:32768 --> request fails > > Did you check with curl or chrome if you get the same framing error > that I got (Error in the HTTP2 framing layer / ERR_SPDY_FRAME_SIZE_ERROR))? > > > haproxy + ssl + http1.1 + tune.bufsize:32768 --> request ok > > > > If I request my backend directly in h2 + ssl but without haproxy, the > > request is ok. > > I'm CC:ing Willy, in case this is something that a config option can fix > or possibly a incompatability/bug with http2 implementation. I might have an idea. The default H2 max-frame-size is 16kB (by the spec). It is possible that your server ignores the setting and tries to push a frame size that is larger than the agreed limit, which becomes a protocol violation. Or it is possible as well that the server doesn't know how to send such a large header with this frame size and simply aborts the response. You could install h2c between haproxy and your server, in wiretap mode, it's very convenient to see what is exchanged : h2c_linux_amd64 wiretap 127.0.0.1:5555 127.0.0.1:6666 Then you configure haproxy to communicate to 127.0.0.1:5555 to join the server while your server in fact listens on :6666. Depending on what you see, we may have the possibility to work around it by advertising a larger max-frame-size in the settings frame when the buffers are larger. Regards, Willy
