On Tue, Feb 26, 2019 at 11:19:12AM +0100, Tom wrote:
> Hi list
>
> I'm using haproxy-1.9.4 and trying to enable http2 in frontend and on one
> backend server (nginx with http2 enabled). I'm always receiving a http/502
> from haproxy. I'm successfully able to directly talk to the backend with
> http2, but not via haproxy.
>
> The haproxy-log looks like this (curl-request like "curl --http2 -k -L -v
> https://10.10.10.10")
> Feb 26 11:07:10 localhost haproxy[24088]: srcip=1.1.1.1:37468
> feip=10.10.10.10:443(http-in,http-in~,1) beip=10.10.10.10:37530(server1,0)
> serverip=10.20.20.20:443(webserver1) GET / HTTP/1.1 1/1/0/0/0 0/0 requests=0
> resptime=-1 bytesread=244 status=502 tsc=PH-- sslv=TLSv1.2 ms=998
>
>
> My config looks like this:
> global
>     log 127.0.0.1 local1 info
>     chroot /home/haproxy
>     user haproxy
>     group haproxy
>     master-worker
>     debug
>     ssl-server-verify none
>     tune.ssl.default-dh-param 2048
>     ssl-default-bind-ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
>     ssl-default-bind-options no-sslv3 no-tls-tickets
> defaults
>     log global
>     mode http
>     option dontlognull
>     timeout connect 5s
>     timeout client 50s
>     timeout server 60s
> frontend http-in
>     bind 10.10.10.10:443 ssl crt /etc/haproxy/ssl/wildcard.pem crt /etc/haproxy/ssl/ alpn h2,http/1.1
>     log-format "srcip=%ci:%cp feip=%fi:%fp(%f,%ft,%fc) beip=%bi:%bp(%b,%bc) serverip=%si:%sp(%s) "%r" %ac/%fc/%bc/%sc/%rc %sq/%bq requests=%rt resptime=%Tr bytesread=%B status=%ST tsc=%tsc sslv=%sslv ms=%ms"
>     default_backend server1
>
>
> backend server1
>     balance roundrobin
>     #http-check expect status 200
>     #option httpchk GET "/test"
>     server webserver1 10.20.20.20:443 ssl verify none alpn h2,http/1.1
>
>
>
> When I enable health-checks on the backend, then the backend does not come up,
> because of "Layer7 invalid response". The backend is a simple nginx with
> http2 enabled. As I mentioned: When I directly talk to the backend with
> http2, then everything is fine. So it has something to do regarding my
> haproxy-config, but I'm not sure what's wrong.
>
> Any hints for this?

If you want to use http2 on both sides you need to enable htx. Add 'option http-use-htx' in your defaults, or in the frontend and backend where you want http2 enabled.

Jérôme
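
The log line quoted in this thread already says which side of the proxy the 502 came from. The script below is an added example, not part of either message and not HAProxy code: it parses the key=value fields of the poster's custom log-format and decodes the first two characters of `tsc`. The function name `diagnose` and the lookup tables are illustrative, and the tables cover only a subset of the termination codes in the HAProxy logging documentation.

```python
import re

# Log line exactly as posted in the quoted message (fields follow its custom log-format).
LOG_LINE = (
    "Feb 26 11:07:10 localhost haproxy[24088]: srcip=1.1.1.1:37468 "
    "feip=10.10.10.10:443(http-in,http-in~,1) beip=10.10.10.10:37530(server1,0) "
    "serverip=10.20.20.20:443(webserver1) GET / HTTP/1.1 1/1/0/0/0 0/0 requests=0 "
    "resptime=-1 bytesread=244 status=502 tsc=PH-- sslv=TLSv1.2 ms=998"
)

# Meaning of the first two termination-state characters (subset, from the
# HAProxy logging documentation). Characters 3-4 of %tsc describe cookies.
ENDED_BY = {
    "-": "normal completion",
    "C": "aborted by the client",
    "S": "aborted or refused by the server",
    "P": "aborted by the proxy",
    "c": "client-side timeout",
    "s": "server-side timeout",
}
PHASE = {
    "-": "normal completion",
    "R": "waiting for a complete, valid request from the client",
    "C": "waiting for the connection to the server",
    "H": "waiting for complete, valid response headers from the server",
    "D": "data phase",
}

KEY_VALUE = re.compile(r"(\w+)=(\S+)")


def diagnose(line):
    """Extract key=value fields and decode the termination state."""
    fields = dict(KEY_VALUE.findall(line))
    tsc = fields.get("tsc", "----")
    status = int(fields.get("status", "0"))
    return {
        "status": status,
        "tsc": tsc,
        "ended_by": ENDED_BY.get(tsc[0], "unknown"),
        "phase": PHASE.get(tsc[1], "unknown"),
        # resptime (%Tr) is -1 when complete response headers were never seen.
        "headers_received": fields.get("resptime") != "-1",
        # PH + 502: HAProxy rejected what the server sent as a response.
        "invalid_server_response": status == 502 and tsc.startswith("PH"),
    }


if __name__ == "__main__":
    for key, value in diagnose(LOG_LINE).items():
        print(f"{key}: {value}")
```

For the posted line this reports that the proxy ended the session while waiting for valid response headers from the server, so the 502 was generated by HAProxy and not relayed from nginx.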