Re: SPDY fails
> I don't see why it would fail, you could share a tcpdump capture of the TLS handshake?

https://www.cloudshark.org/captures/c237da70245a

194.19.225.226 - client ip (latest Chrome)
213.175.75.10 - backend ip (spdy on port 88)
213.175.75.238 - haproxy

rr
RE: SPDY fails
Hi,

>> I don't see why it would fail, you could share a tcpdump capture of the TLS handshake?
>
> https://www.cloudshark.org/captures/c237da70245a
>
> 194.19.225.226 - client ip (latest Chrome)
> 213.175.75.10 - backend ip (spdy on port 88)
> 213.175.75.238 - haproxy

Looks ok as well (but the actual NPN selection is encrypted).

Could you try:
- just announcing spdy/3.1 via NPN, removing http/1.1
- escaping the dot in the acl { ssl_fc_npn -i spdy/3\.1 }
- just announcing spdy/3 via NPN and selecting it in the ACL, removing spdy/3.1 and http/1.1

Regards,

Lukas
Re: SPDY fails
> Looks ok as well (but the actual NPN selection is encrypted).
>
> Could you try:
> - just announcing spdy/3.1 via NPN, removing http/1.1

Really confused now - I could swear I tried this one out before and it wasn't working.

Now when I removed the http/1.1 the ssl_fc_npn contains spdy/3.1 and everything is ok.

Thx for your time.

rr
Re: SPDY fails
Hi Reinis,

> Hello,
> I'm trying to implement the haproxy nginx spdy / ssl offloading setup, but somehow it is not working for me.
>
> For simplicity I used https://gist.github.com/igrigorik/8960971 haproxy config, but while testing with Chrome and FF the spdy is never enabled nor the spdy backend is chosen.
>
> After adding:
>
> log-format [%t]\ %ft\ %b/%s\ %Tw/%Tc/%Tt\ %B\ %tsc\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq\ {%sslv/%sslc/%[ssl_fc_sni]/%[ssl_fc_npn]}
>
> The haproxy logs show:
>
> Jul 21 11:55:49 proc238 haproxy[13485]: [21/Jul/2014:11:55:49.326] secure~ http_cluster/srv01 0/0/335 240 1/1/0/1/0 0/0 {TLSv1.2/ECDHE-RSA-AES256-SHA/mydomain.com/http/1.1}
> Jul 21 11:55:49 proc238 haproxy[13485]: [21/Jul/2014:11:55:49.661] secure~ http_cluster/srv01 0/0/272 240 1/1/0/1/0 0/0 {TLSv1.2/ECDHE-RSA-AES256-SHA/mydomain.com/http/1.1}
>
> So I imagine the if { ssl_fc_npn -i spdy/3.1 } won't match since ssl_fc_npn contains only http/1.1.
>
> I thought so whatever I can just force the spdy_cluster as default backend but it breaks down completely eg Chrome complains Error code: ERR_EMPTY_RESPONSE
>
> The odd thing is that while testing for example with http://spdycheck.org it shows all green and that everything is correct - SSL/TLS Detected/Success! SPDY is Enabled! ( spdy/3.1 / http/1.1) just not on the actual browsers.
>
> So I'm confused where to look further (eg is the problem on haproxy or nginx (though it serves spdy (over ssl) on its own just fine) or on the client/browser side)?

One thing we need to configure in future (with OpenSSL 1.0.2) is ALPN, but since you are using 1.0.1, this is not relevant.

I don't see why it would fail, you could share a tcpdump capture of the TLS handshake?

Regards,

Lukas
SPDY fails
Hello,
I'm trying to implement the haproxy nginx spdy / ssl offloading setup, but somehow it is not working for me.

For simplicity I used https://gist.github.com/igrigorik/8960971 haproxy config, but while testing with Chrome and FF the spdy is never enabled nor the spdy backend is chosen.

After adding:

log-format [%t]\ %ft\ %b/%s\ %Tw/%Tc/%Tt\ %B\ %tsc\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq\ {%sslv/%sslc/%[ssl_fc_sni]/%[ssl_fc_npn]}

The haproxy logs show:

Jul 21 11:55:49 proc238 haproxy[13485]: [21/Jul/2014:11:55:49.326] secure~ http_cluster/srv01 0/0/335 240 1/1/0/1/0 0/0 {TLSv1.2/ECDHE-RSA-AES256-SHA/mydomain.com/http/1.1}
Jul 21 11:55:49 proc238 haproxy[13485]: [21/Jul/2014:11:55:49.661] secure~ http_cluster/srv01 0/0/272 240 1/1/0/1/0 0/0 {TLSv1.2/ECDHE-RSA-AES256-SHA/mydomain.com/http/1.1}

So I imagine the if { ssl_fc_npn -i spdy/3.1 } won't match since ssl_fc_npn contains only http/1.1.

I thought so whatever I can just force the spdy_cluster as default backend but it breaks down completely eg Chrome complains Error code: ERR_EMPTY_RESPONSE

The odd thing is that while testing for example with http://spdycheck.org it shows all green and that everything is correct - SSL/TLS Detected/Success! SPDY is Enabled! ( spdy/3.1 / http/1.1) just not on the actual browsers.

So I'm confused where to look further (eg is the problem on haproxy or nginx (though it serves spdy (over ssl) on its own just fine) or on the client/browser side)?
---
My versions:

./haproxy -vv
HA-Proxy version 1.6-dev0-09448f7 2014/07/16
Copyright 2000-2014 Willy Tarreau w...@1wt.eu

Build options :
  TARGET = linux2628
  CPU = native
  CC = gcc
  CFLAGS = -O2 -march=native -g -fno-strict-aliasing
  OPTIONS = USE_OPENSSL=1 USE_PCRE=1

Default settings :
  maxconn = 2000, bufsize = 16384, maxrewrite = 8192, maxpollevents = 200

Encrypted password support via crypt(3): yes
Built without zlib support (USE_ZLIB not set)
Compression algorithms supported : identity
Built with OpenSSL version : OpenSSL 1.0.1h 5 Jun 2014
Running on OpenSSL version : OpenSSL 1.0.1h 5 Jun 2014
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports prefer-server-ciphers : yes
Built with PCRE version : 8.33 2013-05-28
PCRE library supports JIT : no (USE_PCRE_JIT not set)
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND

./nginx -V
nginx version: nginx/1.7.3
built by gcc 4.7.1 20120723 [gcc-4_7-branch revision 189773] (SUSE Linux)
TLS SNI support enabled
configure arguments: --prefix=/data/nginx --with-http_stub_status_module --without-http-cache --with-http_ssl_module --with-http_realip_module --with-http_spdy_module
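
Added example, not part of the original posts: a small parser for the custom log-format shown in the message above, which reads the negotiated NPN protocol from each line and checks it against the backend that was chosen. The `{...}` block uses "/" as its separator while the NPN value itself contains a "/", so the split is limited to the first three separators. The third sample line is constructed, and treating `spdy_cluster` as the only SPDY backend is an assumption taken from the names in the thread.

```python
import re
from collections import Counter

# Sample input: the first two lines are quoted from the thread; the third is a
# constructed line showing a connection that negotiated spdy/3.1.
SAMPLE_LOG = """\
Jul 21 11:55:49 proc238 haproxy[13485]: [21/Jul/2014:11:55:49.326] secure~ http_cluster/srv01 0/0/335 240 1/1/0/1/0 0/0 {TLSv1.2/ECDHE-RSA-AES256-SHA/mydomain.com/http/1.1}
Jul 21 11:55:49 proc238 haproxy[13485]: [21/Jul/2014:11:55:49.661] secure~ http_cluster/srv01 0/0/272 240 1/1/0/1/0 0/0 {TLSv1.2/ECDHE-RSA-AES256-SHA/mydomain.com/http/1.1}
Jul 21 12:10:02 proc238 haproxy[13485]: [21/Jul/2014:12:10:02.118] secure~ spdy_cluster/srv01 0/0/410 512 1/1/0/1/0 0/0 {TLSv1.2/ECDHE-RSA-AES256-SHA/mydomain.com/spdy/3.1}
"""

# "[timestamp] frontend backend/server ... {sslv/sslc/sni/npn}"
LINE_RE = re.compile(
    r"\] (?P<fe>\S+) (?P<be>[^/\s]+)/(?P<srv>\S+) .*\{(?P<tls>[^}]*)\}\s*$"
)

def parse_line(line):
    """Return the routing and TLS fields of one log line, or None if it does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    # maxsplit=3 keeps "http/1.1" or "spdy/3.1" intact as the fourth field.
    parts = m.group("tls").split("/", 3)
    if len(parts) != 4:
        return None
    sslv, cipher, sni, npn = parts
    return {"frontend": m.group("fe"), "backend": m.group("be"),
            "tls": sslv, "cipher": cipher, "sni": sni, "npn": npn}

def summarize(log_text, spdy_backend="spdy_cluster"):
    """Count (npn, backend) pairs and list lines where NPN and backend disagree."""
    counts, mismatches = Counter(), []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        counts[(rec["npn"], rec["backend"])] += 1
        negotiated_spdy = rec["npn"].lower().startswith("spdy/")
        if negotiated_spdy != (rec["backend"] == spdy_backend):
            mismatches.append(rec)
    return counts, mismatches

if __name__ == "__main__":
    counts, mismatches = summarize(SAMPLE_LOG)
    for (npn, backend), n in sorted(counts.items()):
        print(f"{n:4d}  npn={npn:<10} backend={backend}")
    print("mismatched lines:", len(mismatches))
```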