On Tue, Feb 26, 2019 at 11:19:12AM +0100, Tom wrote:
> Hi list
> 
> I'm using haproxy-1.9.4 and trying to enable http2 in frontend and on one
> backend server (nginx with http2 enabled). I'm always receiving a http/502
> from haproxy. I'm successfully able to directly talk to the backend with
> http2, but not via haproxy.
> 
> The haproxy-log looks like this (curl-request like "curl --http2 -k -L -v
> https://10.10.10.10")
> Feb 26 11:07:10 localhost haproxy[24088]: srcip=1.1.1.1:37468
> feip=10.10.10.10:443(http-in,http-in~,1) beip=10.10.10.10:37530(server1,0)
> serverip=10.20.20.20:443(webserver1) GET / HTTP/1.1 1/1/0/0/0 0/0 requests=0
> resptime=-1 bytesread=244 status=502 tsc=PH-- sslv=TLSv1.2 ms=998
> 
> 
> My config looks like this:
> global
>       log 127.0.0.1 local1 info
>       chroot /home/haproxy
>       user haproxy
>       group haproxy
>       master-worker
>       debug
>       ssl-server-verify none
>       tune.ssl.default-dh-param 2048
>       ssl-default-bind-ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
>       ssl-default-bind-options no-sslv3 no-tls-tickets
> defaults
>       log global
>       mode http
>       option dontlognull
>       timeout connect 5s
>       timeout client  50s
>       timeout server 60s
> frontend http-in
>       bind 10.10.10.10:443 ssl crt /etc/haproxy/ssl/wildcard.pem crt /etc/haproxy/ssl/ alpn h2,http/1.1
>       log-format "srcip=%ci:%cp feip=%fi:%fp(%f,%ft,%fc) beip=%bi:%bp(%b,%bc) serverip=%si:%sp(%s) "%r" %ac/%fc/%bc/%sc/%rc %sq/%bq requests=%rt resptime=%Tr bytesread=%B status=%ST tsc=%tsc sslv=%sslv ms=%ms"
>       default_backend server1
> 
> 
> backend server1
>       balance roundrobin
>       #http-check expect status 200
>       #option httpchk GET "/test"
>       server webserver1 10.20.20.20:443 ssl verify none alpn h2,http/1.1
> 
> 
> 
> When I enable health-checks on the backend, then the backend does not come up,
> because of "Layer7 invalid response". The backend is a simple nginx with
> http2 enabled. As I mentioned: When I directly talk to the backend with
> http2, then everything is fine. So it has something to do regarding my
> haproxy-config, but I'm not sure what's wrong.
> 
> Any hints for this?

If you want to use http2 on both sides you need to enable htx.
Add 'option http-use-htx' in your defaults, or in the frontend and backend where
you want http2 enabled.

Jérôme
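
A small configuration check for the advice above, added here as an example and not part of the original thread or of HAProxy: once any `server` line offers `h2`, it lists the frontend/backend/listen sections that offer `h2` via `alpn` without `option http-use-htx`. The function name, the sample configuration and the simplified parsing (whitespace tokens, `#` starts a comment, a `defaults` section applies to the sections after it) are assumptions.

```python
SECTIONS = ("global", "defaults", "frontend", "backend", "listen")
PROXY_KINDS = ("frontend", "backend", "listen")

# Constructed sample, modelled on the configuration quoted in the thread.
SAMPLE_CFG = """\
defaults
      mode http
frontend http-in
      bind 10.10.10.10:443 ssl crt /etc/haproxy/ssl/wildcard.pem alpn h2,http/1.1
      default_backend server1
backend server1
      server webserver1 10.20.20.20:443 ssl verify none alpn h2,http/1.1
"""


def sections_missing_htx(cfg_text):
    """List proxy sections offering h2 via ALPN without http-use-htx."""
    default_htx = False   # state set by the most recent 'defaults' section
    kind = key = None     # section currently being parsed
    proxies = {}          # "kind name" -> {"htx": bool, "h2": bool}
    server_h2 = False     # True once a 'server' line offers h2
    for raw in cfg_text.splitlines():
        words = raw.split("#", 1)[0].split()   # assumption: '#' is never quoted
        if not words:
            continue
        if words[0] in SECTIONS:
            kind, key = words[0], " ".join(words[:2])
            # A new 'defaults' section starts again from built-in defaults.
            default_htx = default_htx and kind != "defaults"
            if kind in PROXY_KINDS:
                proxies[key] = {"htx": default_htx, "h2": False}
            continue
        negated = words[0] == "no"             # "no option http-use-htx"
        if negated:
            words = words[1:]
        if words[:2] == ["option", "http-use-htx"]:
            if kind == "defaults":
                default_htx = not negated
            elif kind in PROXY_KINDS:
                proxies[key]["htx"] = not negated
        elif (kind in PROXY_KINDS and words[:1] in (["bind"], ["server"])
              and "alpn" in words[:-1]):
            if "h2" in words[words.index("alpn") + 1].split(","):
                proxies[key]["h2"] = True
                server_h2 = server_h2 or words[0] == "server"
    if not server_h2:      # HTTP/2 is not requested towards any server
        return []
    return [k for k, p in proxies.items() if p["h2"] and not p["htx"]]
```
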
