Re: [*EXT*] Re: host-based be routing with H2
Hi Tim, Noted for SNI and routing. User were not able to reproduce the issue when I've re-enable H2. I've kept the header capture active if I'm ever notified of an issue again. -- Ionel GARDAIS Tech'Advantage CIO - IT Team manager - Mail original - De: "Tim Düsterhus" À: "Ionel GARDAIS" , "haproxy" Envoyé: Mardi 5 Octobre 2021 21:23:58 Objet: [*EXT*] Re: host-based be routing with H2 Ionel, On 10/5/21 3:56 PM, Ionel GARDAIS wrote: > Currently, backend selection is made with > use_backend %[req.hdr(host),lower] > > Would > use_backend %[ssl_fc_sni,lower] # Layer 5 > or > use_backend %[req.ssl_sni,lower] # Layer 6 > help with H2 ? > That would be a big fat NO. SNI is ***never*** the correct solution to perform routing. In fact it will make the situation even worse for you. - req.hdr(host) is the correct solution and I am surprised that it does not work for you. Consider adding 'capture request header Host len 50' to your frontend and then share the log lines for affected requests. With the httplog format they should then indicate both the host as seen by HAProxy as well as the backed/server selected. Best regards Tim Düsterhus -- 232 avenue Napoleon BONAPARTE 92500 RUEIL MALMAISON Capital EUR 219 300,00 - RCS Nanterre B 408 832 301 - TVA FR 09 408 832 301
Re: host-based be routing with H2
Jarno, On 10/5/21 5:19 PM, Jarno Huuskonen wrote: Have you looked at this thread: https://www.mail-archive.com/haproxy@formilux.org/msg40652.html your issue sounds similar. Is one backend the default_backend (where HTTP/2 requests go) ? Does it work with something like: use_backend %[req.hdr(host),lower,regsub(:\d+$,,)] or use_backend %[req.hdr(host),lower,word(1,:)] That issue with the port being part of the host header for Firefox Websockets should already be fixed in HAProxy 2.4.4. Best regards Tim Düsterhus
Re: host-based be routing with H2
Ionel, On 10/5/21 3:56 PM, Ionel GARDAIS wrote: Currently, backend selection is made with use_backend %[req.hdr(host),lower] Would use_backend %[ssl_fc_sni,lower] # Layer 5 or use_backend %[req.ssl_sni,lower] # Layer 6 help with H2 ? That would be a big fat NO. SNI is ***never*** the correct solution to perform routing. In fact it will make the situation even worse for you. - req.hdr(host) is the correct solution and I am surprised that it does not work for you. Consider adding 'capture request header Host len 50' to your frontend and then share the log lines for affected requests. With the httplog format they should then indicate both the host as seen by HAProxy as well as the backed/server selected. Best regards Tim Düsterhus
Re: host-based be routing with H2
Hi, On Tue, 2021-10-05 at 15:56 +0200, Ionel GARDAIS wrote: > Hi, > > I'm having trouble with backend-routing based on host header when H2 is > enabled. > Frontend is https only and all backends are HTTP1. > We're using v2.4.4. > > When the user browser is directed to app2.example.com, it switches to > app1.example.com. > There is one public IP address, certificate is wildcard for the domain, so > app1 and app2 share the same IP and certificate. > When H2 is disabled, all is working fine. > > Currently, backend selection is made with > use_backend %[req.hdr(host),lower] > Have you looked at this thread: https://www.mail-archive.com/haproxy@formilux.org/msg40652.html your issue sounds similar. Is one backend the default_backend (where HTTP/2 requests go) ? Does it work with something like: use_backend %[req.hdr(host),lower,regsub(:\d+$,,)] or use_backend %[req.hdr(host),lower,word(1,:)] (https://www.haproxy.com/blog/how-to-map-domain-names-to-backend-server-pools-with-haproxy/) or using maps: https://www.haproxy.com/blog/how-to-map-domain-names-to-backend-server-pools-with-haproxy/ (use_backend %[req.hdr(host),lower,map_dom(/etc/haproxy/maps/hosts.map,be_default)]) -Jarno > Would > use_backend %[ssl_fc_sni,lower] # Layer 5 > or > use_backend %[req.ssl_sni,lower] # Layer 6 > help with H2 ? > > Thanks, > Ionel > > -- Jarno Huuskonen
host-based be routing with H2
Hi, I'm having trouble with backend-routing based on host header when H2 is enabled. Frontend is https only and all backends are HTTP1. We're using v2.4.4. When the user browser is directed to app2.example.com, it switches to app1.example.com. There is one public IP address, certificate is wildcard for the domain, so app1 and app2 share the same IP and certificate. When H2 is disabled, all is working fine. Currently, backend selection is made with use_backend %[req.hdr(host),lower] Would use_backend %[ssl_fc_sni,lower] # Layer 5 or use_backend %[req.ssl_sni,lower] # Layer 6 help with H2 ? Thanks, Ionel -- 232 avenue Napoleon BONAPARTE 92500 RUEIL MALMAISON Capital EUR 219 300,00 - RCS Nanterre B 408 832 301 - TVA FR 09 408 832 301
