Re: possible bug in haproxy: backend switching with map file does not work with HTTP/2
Jarno, On 3/30/22 14:57, Jarno Huuskonen wrote: Hello, when testing with HTTP/2 we found a behaviour, we did not expect: we use switching between different backends by use of a map file, e.g.: use_backend %[url,map_beg(/etc/haproxy/pool.map,defaultbackend)] With HTTP/1.1 this works fine in haproxy. But with HTTP/2, it does not work. I think with HTTP/2 %[url] is https://dom.ain/path... and with HTTP/1.1 %[url] is just path (I think this has been discussed on list, but at the moment I can't find a link). I can't find anything within half a minute either, but "Origin Form" is what's used for HTTP/2 URL I believe. Have you tried with %[path,map_beg(/etc/haproxy/pool.map,defaultbackend)] ? This is the correct solution (and in fact it's effectively documented): https://cbonte.github.io/haproxy-dconv/2.4/configuration.html#url With ACLs, using "path" is preferred over using "url", because clients may send a full URL as is normally done with proxies. The only real use is to match "*" which does not match in "path", and for which there is already a predefined ACL. Best regards Tim Düsterhus
Re: possible bug in haproxy: backend switching with map file does not work with HTTP/2
Hi, On Wed, 2022-03-30 at 12:19 +, Ralf Saier wrote: > Hello, > > when testing with HTTP/2 we found a behaviour, we did not expect: > > we use switching between different backends by use of a map file, e.g.: > use_backend %[url,map_beg(/etc/haproxy/pool.map,defaultbackend)] > > With HTTP/1.1 this works fine in haproxy. > But with HTTP/2, it does not work. > I think with HTTP/2 %[url] is https://dom.ain/path... and with HTTP/1.1 %[url] is just path (I think this has been discussed on list, but at the moment I can't find a link). Have you tried with %[path,map_beg(/etc/haproxy/pool.map,defaultbackend)] ? -Jarno > > Here‘s a minimal configuration file to reproduce this: > > > global > log /dev/log local0 warning > > # log /dev/log local0 > # log /dev/log local1 notice > > chroot /var/lib/haproxy > stats socket /run/haproxy/admin.sock mode 660 level admin expose- > fd listeners > stats timeout 30s > user haproxy > group haproxy > daemon > > # Default SSL material locations > ca-base /etc/ssl/certs > crt-base /etc/ssl/private > > # See: > https://ssl-config.mozilla.org/#server=haproxy=2.0.3=intermediate > ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA- > AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM- > SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA- > AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384 > ssl-default-bind-ciphersuites > TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 > ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets > > defaults > log global > mode http > option httplog > # option dontlognull > timeout connect 5000 > timeout client 5 > timeout server 5 > > backend defaultbackend > log global > mode http > http-response set-header X-Info "defaultbackend : %s" > > server default_1 127.0.0.1:81 > > backend backend_2 > log global > mode http > http-response set-header X-Info "backend_2 : %s" > > server default_2 127.0.0.1:81 > > > backend backend_3 > log global > mode http > http-response set-header X-Info "backend_3 : %s" > > server default_3 127.0.0.1:81 > > > frontend ssl > log global > mode http > > option httplog > > bind *:443 alpn h2,http/1.1 ssl crt /etc/haproxy/x.pem > > acl is_path_3 path_beg /3 > use_backend backend_3 if is_path_3 > > use_backend %[url,map_beg(/etc/haproxy/pool.map,defaultbackend)] > default_backend defaultbackend > > > > Content of /etc/haproxy/pool.map is: > /2 backend_2 > > > > HAProxy Version: > haproxy -vvv > HAProxy version 2.5.5-1ppa1~focal 2022/03/14 -https://haproxy.org/ > Status: stable branch - will stop receiving fixes around Q1 2023. > Known bugs: http://www.haproxy.org/bugs/bugs-2.5.5.html > Running on: Linux 5.4.0-104-generic #118-Ubuntu SMP Wed Mar 2 19:02:41 UTC > 2022 x86_64 > Build options : > TARGET = linux-glibc > CPU = generic > CC = cc > CFLAGS = -O2 -g -O2 -fdebug-prefix-map=/build/haproxy-d3zlWl/haproxy- > 2.5.5=. -fstack-protector-strong -Wformat -Werror=format-security -Wdate- > time -D_FORTIFY_SOURCE=2 -Wall -Wextra -Wundef -Wdeclaration-after- > statement -fwrapv -Wno-address-of-packed-member -Wno-unused-label -Wno- > sign-compare -Wno-unused-parameter -Wno-clobbered -Wno-missing-field- > initializers -Wno-cast-function-type -Wtype-limits -Wshift-negative-value > -Wshift-overflow=2 -Wduplicated-cond -Wnull-dereference > OPTIONS = USE_PCRE2=1 USE_PCRE2_JIT=1 USE_OPENSSL=1 USE_LUA=1 USE_SLZ=1 > USE_SYSTEMD=1 USE_PROMEX=1 > DEBUG = > > Feature list : +EPOLL -KQUEUE +NETFILTER -PCRE -PCRE_JIT +PCRE2 +PCRE2_JIT > +POLL +THREAD +BACKTRACE -STATIC_PCRE -STATIC_PCRE2 +TPROXY +LINUX_TPROXY > +LINUX_SPLICE +LIBCRYPT +CRYPT_H +GETADDRINFO +OPENSSL +LUA +ACCEPT4 - > CLOSEFROM -ZLIB +SLZ +CPU_AFFINITY +TFO +NS +DL +RT -DEVICEATLAS - > 51DEGREES -WURFL +SYSTEMD -OBSOLETE_LINKER +PRCTL -PROCCTL +THREAD_DUMP - > EVPORTS -OT -QUIC +PROMEX -MEMORY_PROFILING > > Default settings : > bufsize = 16384, maxrewrite = 1024, maxpollevents = 200 > > Built with multi-threading support (MAX_THREADS=64, default=1). > Built with OpenSSL version : OpenSSL 1.1.1f 31 Mar 2020 > Running on OpenSSL version : OpenSSL 1.1.1f 31 Mar 2020 > OpenSSL library supports TLS extensions : yes > OpenSSL library supports SNI : yes > OpenSSL library supports : TLSv1.0 TLSv1.1 TLSv1.2 TLSv1.3 > Built with Lua version : Lua 5.3.3 > Built with the Prometheus exporter as a service > Built with network namespace support. >
possible bug in haproxy: backend switching with map file does not work with HTTP/2
Hello, when testing with HTTP/2 we found a behaviour, we did not expect: we use switching between different backends by use of a map file, e.g.: use_backend %[url,map_beg(/etc/haproxy/pool.map,defaultbackend)] With HTTP/1.1 this works fine in haproxy. But with HTTP/2, it does not work. Here's a minimal configuration file to reproduce this: global log /dev/log local0 warning # log /dev/loglocal0 # log /dev/loglocal1 notice chroot /var/lib/haproxy stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners stats timeout 30s user haproxy group haproxy daemon # Default SSL material locations ca-base /etc/ssl/certs crt-base /etc/ssl/private # See: https://ssl-config.mozilla.org/#server=haproxy=2.0.3=intermediate ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384 ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets defaults log global modehttp option httplog # option dontlognull timeout connect 5000 timeout client 5 timeout server 5 backend defaultbackend log global modehttp http-response set-header X-Info "defaultbackend : %s" server default_1 127.0.0.1:81 backend backend_2 log global modehttp http-response set-header X-Info "backend_2 : %s" server default_2 127.0.0.1:81 backend backend_3 log global modehttp http-response set-header X-Info "backend_3 : %s" server default_3 127.0.0.1:81 frontend ssl logglobal mode http option httplog bind *:443 alpn h2,http/1.1 ssl crt /etc/haproxy/x.pem acl is_path_3 path_beg /3 use_backend backend_3 if is_path_3 use_backend %[url,map_beg(/etc/haproxy/pool.map,defaultbackend)] default_backend defaultbackend Content of /etc/haproxy/pool.map is: /2 backend_2 HAProxy Version: haproxy -vvv HAProxy version 2.5.5-1ppa1~focal 2022/03/14 - https://haproxy.org/ Status: stable branch - will stop receiving fixes around Q1 2023. Known bugs: http://www.haproxy.org/bugs/bugs-2.5.5.html Running on: Linux 5.4.0-104-generic #118-Ubuntu SMP Wed Mar 2 19:02:41 UTC 2022 x86_64 Build options : TARGET = linux-glibc CPU = generic CC = cc CFLAGS = -O2 -g -O2 -fdebug-prefix-map=/build/haproxy-d3zlWl/haproxy-2.5.5=. -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2 -Wall -Wextra -Wundef -Wdeclaration-after-statement -fwrapv -Wno-address-of-packed-member -Wno-unused-label -Wno-sign-compare -Wno-unused-parameter -Wno-clobbered -Wno-missing-field-initializers -Wno-cast-function-type -Wtype-limits -Wshift-negative-value -Wshift-overflow=2 -Wduplicated-cond -Wnull-dereference OPTIONS = USE_PCRE2=1 USE_PCRE2_JIT=1 USE_OPENSSL=1 USE_LUA=1 USE_SLZ=1 USE_SYSTEMD=1 USE_PROMEX=1 DEBUG = Feature list : +EPOLL -KQUEUE +NETFILTER -PCRE -PCRE_JIT +PCRE2 +PCRE2_JIT +POLL +THREAD +BACKTRACE -STATIC_PCRE -STATIC_PCRE2 +TPROXY +LINUX_TPROXY +LINUX_SPLICE +LIBCRYPT +CRYPT_H +GETADDRINFO +OPENSSL +LUA +ACCEPT4 -CLOSEFROM -ZLIB +SLZ +CPU_AFFINITY +TFO +NS +DL +RT -DEVICEATLAS -51DEGREES -WURFL +SYSTEMD -OBSOLETE_LINKER +PRCTL -PROCCTL +THREAD_DUMP -EVPORTS -OT -QUIC +PROMEX -MEMORY_PROFILING Default settings : bufsize = 16384, maxrewrite = 1024, maxpollevents = 200 Built with multi-threading support (MAX_THREADS=64, default=1). Built with OpenSSL version : OpenSSL 1.1.1f 31 Mar 2020 Running on OpenSSL version : OpenSSL 1.1.1f 31 Mar 2020 OpenSSL library supports TLS extensions : yes OpenSSL library supports SNI : yes OpenSSL library supports : TLSv1.0 TLSv1.1 TLSv1.2 TLSv1.3 Built with Lua version : Lua 5.3.3 Built with the Prometheus exporter as a service Built with network namespace support. Built with libslz for stateless compression. Compression algorithms supported : identity("identity"), deflate("deflate"), raw-deflate("deflate"), gzip("gzip") Support for malloc_trim() is enabled. Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND Built with PCRE2 version : 10.34 2019-11-21 PCRE2 library supports JIT : yes Encrypted password support via crypt(3): yes Built with gcc compiler version 9.4.0 Available polling systems : epoll : pref=300, test result OK poll : pref=200, test result OK select : pref=150, test result OK Total: 3 (3 usable),