Re: [*EXT*] Re: 404 + VN when enabling h2 in front of keycloak

2020-05-11 Thread Willy Tarreau
On Sun, Apr 26, 2020 at 02:20:50PM +0200, Ionel GARDAIS wrote:
> I gave a try to other browsers.
> Chrome and Brave both fail, even in private browsing.
> 
> Firefox however succeeded in private browsing but failed in classic browsing, 
> even after clearing all caches.
> 
> I gave a try to FF75.0 in Windows : it fails both in classic and private 
> browsing.

Ionel, you should really take a capture on the server side. I'm seeing
two possibilities. One is that the SSO doesn't support load balancing
well, and that in H2 you get multiple requests in parallel going to
different servers while in H1 they are very sequential. Another
possibility relates to the header field syntax as suggested by
Jarno, but in 2.1 they're always lower case for both H1 and H2, so
that cannot be the only difference.

In both cases I encourage you to take a capture between haproxy and the
servers to compare between a working client and a failing one. I'm
pretty sure you'll spot a difference (missing cookie on a request,
two requests going to different servers, etc).

You can also post them here but be careful not to leave confidential
information in them :-)

Cheers,
Willy
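
The comparison suggested above can be scripted once the requests seen between haproxy and the Keycloak servers have been extracted from the capture. The following is an added example, not part of the thread: it flags requests forwarded without the session cookie and session ids that reached more than one server. The cookie name and server addresses come from the backend quoted in the thread; the host, paths and cookie value are constructed.

```python
from collections import defaultdict

SESSION_COOKIE = "AUTH_SESSION_ID"                  # cookie name from the thread's backend
S1, S2 = "192.168.8.27:8080", "192.168.8.28:8080"   # server addresses from the thread

def parse_request(raw):
    """Split one HTTP/1.x request head into (request line, lower-cased headers)."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers

def session_id(headers):
    """Return the session cookie value, or None when the request carries none."""
    for part in headers.get("cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == SESSION_COOKIE:
            return value
    return None

def analyse(capture):
    """capture: list of (server, raw request). Returns (missing, split)."""
    missing = []                  # requests forwarded without the session cookie
    seen = defaultdict(set)       # session id -> servers that received it
    for server, raw in capture:
        line, headers = parse_request(raw)
        sid = session_id(headers)
        if sid is None:
            missing.append((server, line))
        else:
            seen[sid].add(server)
    split = {sid: sorted(s) for sid, s in seen.items() if len(s) > 1}
    return missing, split

def req(path, cookie=None):
    """Build a constructed request head (host and paths are made up)."""
    head = f"GET {path} HTTP/1.1\r\nhost: sso.example.test\r\n"
    if cookie:
        head += f"cookie: {cookie}\r\n"
    return head + "\r\n"

SID = "AUTH_SESSION_ID=abc123.node1"   # constructed value
WORKING = [(S1, req("/auth/login", SID)), (S1, req("/auth/app.js", SID))]
FAILING = [(S1, req("/auth/login", SID)), (S2, req("/auth/app.js", SID)),
           (S2, req("/auth/app.css"))]

if __name__ == "__main__":
    for label, capture in (("working", WORKING), ("failing", FAILING)):
        print(label, analyse(capture))
```

The very first request of a login legitimately has no session cookie, so entries in the first list only matter when they appear after the cookie has been issued.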



Re: [*EXT*] Re: 404 + VN when enabling h2 in front of keycloak

2020-04-26 Thread Ionel GARDAIS
I gave a try to other browsers.
Chrome and Brave both fail, even in private browsing.

Firefox however succeeded in private browsing but failed in classic browsing, 
even after clearing all caches.

I gave a try to FF75.0 in Windows : it fails both in classic and private 
browsing.

-- 
Ionel GARDAIS
Tech'Advantage CIO - IT Team manager

--
232 avenue Napoleon BONAPARTE 92500 RUEIL MALMAISON
Capital EUR 219 300,00 - RCS Nanterre B 408 832 301 - TVA FR 09 408 832 301




Re: [*EXT*] Re: 404 + VN when enabling h2 in front of keycloak

2020-04-26 Thread Ionel GARDAIS
Hi Jarno,

Thanks for these pointers.
I'm running 2.1.4.

keycloak does not say anything: no warnings or errors.

I gave a try to no option http-use-htx with no luck: same issue.


However, the mystery gets deeper: it works with Safari 11.1.2 (I know, got an old 
OS X) but fails with Firefox 75.0.
Safari calls in H2 return HTTP 200 or HTTP 302 with --VR or --VN.
Firefox calls are still returning HTTP 404 with --VN.

I'll try to dump the headers for both callers.

-- 
Ionel GARDAIS
Tech'Advantage CIO - IT Team manager





Re: 404 + VN when enabling h2 in front of keycloak

2020-04-26 Thread Jarno Huuskonen
Hi Ionel,

On Sat, 2020-04-25 at 11:22 +0200, Ionel GARDAIS wrote:
> I tried to enable h2 in our haproxy setup.

What's your haproxy version ?

> Most proxied servers work well except Keycloak (SSO solution)
> 
> While everything works fine in HTTP/1.1, Keycloak returns a 404 and
> haproxy shows a --VN status in h2.

Have you tested w/out HTX (no option http-use-htx (https://cbonte.github.io/haproxy-dconv/2.0/configuration.html#4-option%20http-use-htx)) ?

Does keycloak log anything useful ?

> As there are two Keycloak servers working in pair, the backend is
> defined as 
> 
> backend bck-keycloak
>     cookie AUTH_SESSION_ID prefix
>     server keycloak 192.168.8.27:8080 check cookie s1
>     server keycloak-bck 192.168.8.28:8080 check cookie s2
> 
> Is there specific tuning required for h2 to work correctly ?

Maybe keycloak is case sensitive on some http headers ?
Have you tried comparing http/1.1 and http/2 request headers going to
keycloak server ?

(https://cbonte.github.io/haproxy-dconv/2.0/configuration.html#h1-case-adjust)

-Jarno

-- 
Jarno Huuskonen