Re: SPDY fails

2014-07-28 Thread Reinis Rozitis
I don't see why it would fail; could you share a tcpdump capture of the 
TLS handshake?


https://www.cloudshark.org/captures/c237da70245a

194.19.225.226 - client ip (latest Chrome)
213.175.75.10 - backend ip (spdy on port 88)
213.175.75.238 - haproxy

rr 

RE: SPDY fails

2014-07-28 Thread Lukas Tribus
Hi,


 I don't see why it would fail; could you share a tcpdump capture of the
 TLS handshake?

 https://www.cloudshark.org/captures/c237da70245a

 194.19.225.226 - client ip (latest Chrome)
 213.175.75.10 - backend ip (spdy on port 88)
 213.175.75.238 - haproxy

Looks ok as well (but the actual NPN selection is encrypted).


Could you try:
- just announcing spdy/3.1 via NPN, removing http/1.1
- escaping the dot in the acl { ssl_fc_npn -i spdy/3\.1 }
- just announcing spdy/3 via NPN and selecting it in the
  ACL, removing spdy/3.1 and http/1.1

Regards,

Lukas


Re: SPDY fails

2014-07-28 Thread Reinis Rozitis

Looks ok as well (but the actual NPN selection is encrypted).
Could you try:
- just announcing spdy/3.1 via NPN, removing http/1.1


Really confused now - I could swear I tried this one out before and it 
wasn't working.
Now that I have removed http/1.1, ssl_fc_npn contains spdy/3.1 and 
everything is ok.


Thx for your time.

rr 

Re: SPDY fails

2014-07-27 Thread Lukas Tribus
Hi Reinis,


 
 Hello,
 I'm trying to implement the haproxy nginx spdy / ssl offloading setup, but 
 somehow it is not working for me.
 
 For simplicity I used the https://gist.github.com/igrigorik/8960971 haproxy 
 config, but while testing with Chrome and FF spdy is never enabled, nor 
 is the spdy backend chosen.
 
 
 After adding:
 
 log-format [%t]\ %ft\ %b/%s\ %Tw/%Tc/%Tt\ %B\ %tsc\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq\ {%sslv/%sslc/%[ssl_fc_sni]/%[ssl_fc_npn]}
 
 
 The haproxy logs show:
 
 Jul 21 11:55:49 proc238 haproxy[13485]: [21/Jul/2014:11:55:49.326] secure~ http_cluster/srv01 0/0/335 240  1/1/0/1/0 0/0 {TLSv1.2/ECDHE-RSA-AES256-SHA/mydomain.com/http/1.1}
 Jul 21 11:55:49 proc238 haproxy[13485]: [21/Jul/2014:11:55:49.661] secure~ http_cluster/srv01 0/0/272 240  1/1/0/1/0 0/0 {TLSv1.2/ECDHE-RSA-AES256-SHA/mydomain.com/http/1.1}
 
 
 So I imagine the if { ssl_fc_npn -i spdy/3.1 }  won't match since 
 ssl_fc_npn contains only http/1.1.
 
 I thought so whatever, I can just force the spdy_cluster as default backend, 
 but it breaks down completely, e.g. Chrome complains Error code: 
 ERR_EMPTY_RESPONSE
 
 The odd thing is that while testing for example with http://spdycheck.org it 
 shows all green and that everything is correct - SSL/TLS Detected/Success! 
 SPDY is Enabled! ( spdy/3.1 / http/1.1) just not on the actual browsers.
 
 So I'm confused where to look further (e.g. is the problem on haproxy or nginx 
 (though it serves spdy (over ssl) on its own just fine) or on the 
 client/browser side)?

One thing we need to configure in future (with OpenSSL 1.0.2) is ALPN, but
since you are using 1.0.1, this is not relevant.

I don't see why it would fail; could you share a tcpdump capture of the TLS
handshake?


Regards,

Lukas



SPDY fails

2014-07-21 Thread Reinis Rozitis

Hello,
I'm trying to implement the haproxy nginx spdy / ssl offloading setup, but 
somehow it is not working for me.


For simplicity I used the https://gist.github.com/igrigorik/8960971 haproxy 
config, but while testing with Chrome and FF spdy is never enabled, nor 
is the spdy backend chosen.



After adding:

log-format [%t]\ %ft\ %b/%s\ %Tw/%Tc/%Tt\ %B\ %tsc\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq\ {%sslv/%sslc/%[ssl_fc_sni]/%[ssl_fc_npn]}



The haproxy logs show:

Jul 21 11:55:49 proc238 haproxy[13485]: [21/Jul/2014:11:55:49.326] secure~ http_cluster/srv01 0/0/335 240  1/1/0/1/0 0/0 {TLSv1.2/ECDHE-RSA-AES256-SHA/mydomain.com/http/1.1}
Jul 21 11:55:49 proc238 haproxy[13485]: [21/Jul/2014:11:55:49.661] secure~ http_cluster/srv01 0/0/272 240  1/1/0/1/0 0/0 {TLSv1.2/ECDHE-RSA-AES256-SHA/mydomain.com/http/1.1}



So I imagine the if { ssl_fc_npn -i spdy/3.1 }  won't match since 
ssl_fc_npn contains only http/1.1.


I thought so whatever, I can just force the spdy_cluster as default backend, 
but it breaks down completely, e.g. Chrome complains Error code: 
ERR_EMPTY_RESPONSE


The odd thing is that while testing for example with http://spdycheck.org it 
shows all green and that everything is correct - SSL/TLS Detected/Success! 
SPDY is Enabled! ( spdy/3.1 / http/1.1) just not on the actual browsers.


So I'm confused where to look further (e.g. is the problem on haproxy or nginx 
(though it serves spdy (over ssl) on its own just fine) or on the 
client/browser side)?


---
My versions:

./haproxy -vv
HA-Proxy version 1.6-dev0-09448f7 2014/07/16
Copyright 2000-2014 Willy Tarreau w...@1wt.eu

Build options :
 TARGET  = linux2628
 CPU = native
 CC  = gcc
 CFLAGS  = -O2 -march=native -g -fno-strict-aliasing
 OPTIONS = USE_OPENSSL=1 USE_PCRE=1

Default settings :
 maxconn = 2000, bufsize = 16384, maxrewrite = 8192, maxpollevents = 200

Encrypted password support via crypt(3): yes
Built without zlib support (USE_ZLIB not set)
Compression algorithms supported : identity
Built with OpenSSL version : OpenSSL 1.0.1h 5 Jun 2014
Running on OpenSSL version : OpenSSL 1.0.1h 5 Jun 2014
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports prefer-server-ciphers : yes
Built with PCRE version : 8.33 2013-05-28
PCRE library supports JIT : no (USE_PCRE_JIT not set)
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND

./nginx -V
nginx version: nginx/1.7.3
built by gcc 4.7.1 20120723 [gcc-4_7-branch revision 189773] (SUSE Linux)
TLS SNI support enabled
configure arguments: --prefix=/data/nginx --with-http_stub_status_module --without-http-cache --with-http_ssl_module --with-http_realip_module --with-http_spdy_module
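Added example, not from the thread: a small parser for the custom log-format used in the post that extracts the `{sslv/sslc/sni/npn}` block, evaluates the `ssl_fc_npn -i spdy/3.1` ACL the way haproxy does for a string sample (case-insensitive exact match), and flags requests whose chosen backend disagrees with the negotiated protocol, which is how the "forced spdy_cluster default backend" situation described above would show up in the logs. The first two log lines are the ones posted (rejoined onto single lines); the remaining lines, and the assumption that haproxy logs an empty fetch as `-`, are constructed for illustration; the backend names spdy_cluster and http_cluster come from the gist config referenced in the post.

```python
import re
from collections import Counter

# Constructed sample in the shape of the thread's log-format output (first two
# lines are from the post, rejoined; the rest are made up for illustration).
SAMPLE_LOG = """\
Jul 21 11:55:49 proc238 haproxy[13485]: [21/Jul/2014:11:55:49.326] secure~ http_cluster/srv01 0/0/335 240  1/1/0/1/0 0/0 {TLSv1.2/ECDHE-RSA-AES256-SHA/mydomain.com/http/1.1}
Jul 21 11:55:49 proc238 haproxy[13485]: [21/Jul/2014:11:55:49.661] secure~ http_cluster/srv01 0/0/272 240  1/1/0/1/0 0/0 {TLSv1.2/ECDHE-RSA-AES256-SHA/mydomain.com/http/1.1}
Jul 21 12:01:03 proc238 haproxy[13485]: [21/Jul/2014:12:01:03.100] secure~ spdy_cluster/srv01 0/0/120 240  1/1/0/1/0 0/0 {TLSv1.2/ECDHE-RSA-AES256-SHA/mydomain.com/SPDY/3.1}
Jul 21 12:01:04 proc238 haproxy[13485]: [21/Jul/2014:12:01:04.250] secure~ spdy_cluster/srv01 0/0/130 240  1/1/0/1/0 0/0 {TLSv1.2/ECDHE-RSA-AES256-SHA/mydomain.com/http/1.1}
Jul 21 12:01:05 proc238 haproxy[13485]: [21/Jul/2014:12:01:05.400] secure~ http_cluster/srv01 0/0/110 240  1/1/0/1/0 0/0 {TLSv1.2/ECDHE-RSA-AES256-SHA//-}
"""

# Frontend, backend/server and the trailing {...} block of the custom log-format.
LINE_RE = re.compile(
    r"\] (?P<frontend>\S+) (?P<backend>[^/\s]+)/(?P<server>\S+) .*\{(?P<tls>[^}]*)\}\s*$"
)

def parse_tls_block(block):
    """Split '{sslv/sslc/sni/npn}'. The NPN value itself contains '/', so split at
    most 3 times from the left; an empty field or '-' (assumed placeholder for an
    empty fetch) means nothing was sent/negotiated."""
    parts = block.split("/", 3) + [""] * 4
    sslv, sslc, sni, npn = [p if p != "-" else "" for p in parts[:4]]
    return {"sslv": sslv, "sslc": sslc, "sni": sni, "npn": npn}

def acl_matches(npn, pattern="spdy/3.1"):
    """Model of `acl is_spdy ssl_fc_npn -i spdy/3.1`: haproxy's default match for a
    string sample is an exact comparison, and -i makes it case-insensitive."""
    return npn.lower() == pattern.lower()

def audit(log_text, spdy_backend="spdy_cluster"):
    """Count negotiated protocols and flag lines where the chosen backend does not
    agree with what the client negotiated (e.g. http/1.1 sent to the spdy backend)."""
    npn_counts = Counter()
    mismatches = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        tls = parse_tls_block(m.group("tls"))
        npn_counts[tls["npn"] or "(none)"] += 1
        is_spdy = acl_matches(tls["npn"])
        if is_spdy != (m.group("backend") == spdy_backend):
            mismatches.append((m.group("backend"), tls["npn"] or "(none)"))
    return {"npn": dict(npn_counts), "mismatches": mismatches}

if __name__ == "__main__":
    print(audit(SAMPLE_LOG))
```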