Am 01.10.2021 um 18:09 schrieb Christopher Faulet:
HAProxy 2.4.5 was released on 2021/10/01. It added 69 new commits
after version 2.4.4.


Could it be that this upgrade broke something?
The connection seems to hang.
I use the following configuration, which no longer works; downgrading haproxy to 2.4.4 fixes it:
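global
    maxconn 2048
    # a reload hard-kills the old process 5s after soft-stop; presumably this
    # also cuts any long-lived sessions (see the 8h server timeout in backend ssh)
    hard-stop-after 5s
    #user haproxy
    #group haproxy
    # NOTE(review): the privilege drop is commented out and the process keeps
    # running as root. The "usesrc clientip" in backend ssh is the likely reason
    # (transparent proxying needs elevated privileges), but a compromise of the
    # proxy then yields root; prefer a dedicated user if the platform allows it.
    user root
    daemon
    tune.ssl.default-dh-param 2048

    # logging
    ulimit-n 65536
    log /var/run/log local0 err

    # enable socket for ocsp reloading
    stats socket /var/run/haproxy.sock mode 600 level admin
    # mode 666 makes this socket reachable by every local user; "level user"
    # limits what they can do, but a group-restricted mode would be tighter
    stats socket /var/run/haproxy_read.sock mode 666 level user
    stats timeout 2m

    # Configure ciphers to not use, see https://mozilla.github.io/server-side-tls/ssl-config-generator/
    # (these three directives were collapsed onto the comment line in the mail
    # and would have been swallowed by the "#"; restored one per line)
    ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
    ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
    # prefer-client-ciphers lets the client's order win; acceptable here since
    # every entry above is an AEAD suite
    ssl-default-bind-options prefer-client-ciphers no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets

    # server-side TLS defaults; no server in this file actually uses ssl
    ssl-default-server-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
    ssl-default-server-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
    ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets

defaults
    mode http
    log global
    option httplog
    timeout connect 80s
    timeout client 80s
    timeout server 80s
    #timeout check 1s
    option forwardfor
    option http-server-close
    default-server inter 3s fall 2 rise 2 slowstart 60s
    # compression only takes effect in the HTTP-mode proxies (www-http and
    # nginx-backend); the TLS path below is TCP mode and is not affected
    compression algo gzip
    compression type text/html text/plain text/css

frontend www-http
    bind *:80
    http-request add-header X-Forwarded-Proto http
    default_backend nginx-backend

frontend www-https
    mode tcp
    option tcplog
    # TLS is terminated here (crt), but the frontend stays in TCP mode, so the
    # routing below works on decrypted raw bytes and ALPN, not on parsed HTTP
    bind 0.0.0.0:443 ssl crt /usr/local/etc/haproxy/certs/ alpn h2,http/1.1
    bind :::443 ssl crt /usr/local/etc/haproxy/certs/ alpn h2,http/1.1

    # wait up to 5s for the first payload bytes; HTTP is accepted as soon as seen
    tcp-request inspect-delay 5s
    tcp-request content accept if HTTP

    # 5353482d322e30 is the 7-byte banner prefix "SSH-2.0": an SSH client
    # speaking inside the TLS tunnel
    acl client_attempts_ssh payload(0,7) -m bin 5353482d322e30

    use_backend ssh if client_attempts_ssh

    use_backend nginx-http2-backend if { ssl_fc_alpn -i h2 }

    default_backend nginx-http-backend

backend nginx-backend
    server www-1 127.0.0.1:8082 check send-proxy

backend nginx-http2-backend
    mode tcp
    # NOTE(review): http-request rules are not evaluated in a TCP-mode backend
    # (HAProxy warns and ignores them at load), so X-Forwarded-Proto is most
    # likely never added on this path — check the startup warnings
    http-request add-header X-Forwarded-Proto https
    server www-1 127.0.0.1:8083 check send-proxy

backend nginx-http-backend
    mode tcp
    server www-1 127.0.0.1:8082 check send-proxy

backend ssh
    mode tcp
    option tcplog
    log global
    # connect to the SSH host with the client's own source address
    # (transparent proxy); presumably 192.168.200.6 routes replies back
    # through this box — verify
    source 0.0.0.0 usesrc clientip
    server ssh 192.168.200.6:22
    # keep long-lived SSH sessions open; overrides the 80s default above
    timeout server 8h

frontend haproxy-stats
    # stats page on a private address in plain HTTP, so the basic-auth
    # credentials cross the wire unencrypted; keep it off untrusted networks
    bind 192.168.0.251:9001
    mode http
    stats enable
    stats hide-version
    stats realm Haproxy\ Statistics
    stats uri /haproxy_stats
    stats auth _removed_:_removed_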


Gruß
Matthias

--

"Programming today is a race between software engineers striving to
build bigger and better idiot-proof programs, and the universe trying to
produce bigger and better idiots. So far, the universe is winning." --
Rich Cook

