issues with ALPN and h2 on frontend

Matt Jamison
issues with ALPN and h2 on frontend
March 16, 2017 05:10PM
I compiled openssl 1.0.2k, then compiled haproxy 1.7.3 against it but alpn
and h2 just seem to not be working right.

[[email protected] ~]# haproxy -vv
HA-Proxy version 1.7.3 2017/02/28
Copyright 2000-2017 Willy Tarreau <[email protected]>

Build options :
TARGET = linux2628
CPU = generic
CC = gcc
CFLAGS = -O2 -g -fno-strict-aliasing -Wdeclaration-after-statement
OPTIONS = USE_LINUX_TPROXY=1 USE_ZLIB=1 USE_REGPARM=1 USE_OPENSSL=1
USE_PCRE=1 USE_PCRE_JIT=1

Default settings :
maxconn = 2000, bufsize = 16384, maxrewrite = 1024, maxpollevents = 200

Encrypted password support via crypt(3): yes
Built with zlib version : 1.2.7
Running on zlib version : 1.2.7
Compression algorithms supported : identity("identity"),
deflate("deflate"), raw-deflate("deflate"), gzip("gzip")
Built with OpenSSL version : OpenSSL 1.0.2k 26 Jan 2017
Running on OpenSSL version : OpenSSL 1.0.2k 26 Jan 2017
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports prefer-server-ciphers : yes
Built with PCRE version : 8.32 2012-11-30
Running on PCRE version : 8.32 2012-11-30
PCRE library supports JIT : yes
Built without Lua support
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT
IP_FREEBIND

Available polling systems :
epoll : pref=300, test result OK
poll : pref=200, test result OK
select : pref=150, test result OK
Total: 3 (3 usable), will use epoll.

Available filters :
[COMP] compression
[TRACE] trace
[SPOE] spoe


When I have alpn and h2 set on the bind line, no requests can get past the
frontend. I disabled all back ends so that at least the 503 error page I
have set would come up but no go.

If I remove h2, it works just fine with http/1.1.

Syslog shows BADREQ coming in.

I attached my haproxy.cfg.

Am I doing something wrong?

Any help would be super appreciated.


~Matt
Attachments: haproxy.cfg (3.8 KB)
Georg Faerber
Re: issues with ALPN and h2 on frontend
March 16, 2017 05:40PM
Hi Matt,

On 17-03-16 12:00:46, Matt Jamison wrote:
> When I have alpn and h2 set on the bind line, no requests can get past
> the frontend. I disabled all back ends so that at least the 503 error
> page I have set would come up but no go.
>
> [...]
>
> Am I doing something wrong?

This currently only works in tcp mode.

Cheers,
Georg
Matt Jamison
Re: issues with ALPN and h2 on frontend
March 16, 2017 09:40PM
So from what I can find, mode http and alpn h2 are not supported together?
alpn h2 is only supported with mode tcp? I get no errors with my config, so
I don't know what is unsupported.

I need mode http so I can insert cookies and do other things not supported
in mode tcp.

If someone could give me a definitive yes or no, I would be most grateful.

If mode http and alpn h2 aren't supported together, do we know if any
release in the near future will support it? I thought it was coming in 1.7
but I can't find any documentation on it.

Thanks!

~Matt

On Thu, Mar 16, 2017 at 12:00 PM, Matt Jamison <[email protected]> wrote:

> I compiled openssl 1.0.2k, then compiled haproxy 1.7.3 against it but alpn
> and h2 just seem to not be working right.
>
> [[email protected] ~]# haproxy -vv
> HA-Proxy version 1.7.3 2017/02/28
> Copyright 2000-2017 Willy Tarreau <[email protected]>
>
> Build options :
> TARGET = linux2628
> CPU = generic
> CC = gcc
> CFLAGS = -O2 -g -fno-strict-aliasing -Wdeclaration-after-statement
> OPTIONS = USE_LINUX_TPROXY=1 USE_ZLIB=1 USE_REGPARM=1 USE_OPENSSL=1
> USE_PCRE=1 USE_PCRE_JIT=1
>
> Default settings :
> maxconn = 2000, bufsize = 16384, maxrewrite = 1024, maxpollevents = 200
>
> Encrypted password support via crypt(3): yes
> Built with zlib version : 1.2.7
> Running on zlib version : 1.2.7
> Compression algorithms supported : identity("identity"),
> deflate("deflate"), raw-deflate("deflate"), gzip("gzip")
> Built with OpenSSL version : OpenSSL 1.0.2k 26 Jan 2017
> Running on OpenSSL version : OpenSSL 1.0.2k 26 Jan 2017
> OpenSSL library supports TLS extensions : yes
> OpenSSL library supports SNI : yes
> OpenSSL library supports prefer-server-ciphers : yes
> Built with PCRE version : 8.32 2012-11-30
> Running on PCRE version : 8.32 2012-11-30
> PCRE library supports JIT : yes
> Built without Lua support
> Built with transparent proxy support using: IP_TRANSPARENT
> IPV6_TRANSPARENT IP_FREEBIND
>
> Available polling systems :
> epoll : pref=300, test result OK
> poll : pref=200, test result OK
> select : pref=150, test result OK
> Total: 3 (3 usable), will use epoll.
>
> Available filters :
> [COMP] compression
> [TRACE] trace
> [SPOE] spoe
>
>
> When I have alpn and h2 set on the bind line, no requests can get past the
> frontend. I disabled all back ends so that at least the 503 error page I
> have set would come up but no go.
>
> If I remove h2, it works just fine with http/1.1.
>
> Syslog shows BADREQ coming in.
>
> I attached my haproxy.cfg.
>
> Am I doing something wrong?
>
> Any help would be super appreciated.
>
>
> ~Matt
>
Lukas Tribus
Re: issues with ALPN and h2 on frontend
March 16, 2017 10:30PM
Hi Matt,


On 16.03.2017 at 21:29, Matt Jamison wrote:
> So from what I can find, mode http and alpn h2 are not supported together?

That's not it. HTTP/2 is not supported in any haproxy release, period.

The fact that you can tunnel arbitrary TCP payload through haproxy,
while TLS terminating on the frontend and negotiating an arbitrary
higher protocol in NPN or ALPN doesn't make H2 "supported" in TCP mode.
It means haproxy is flexible enough to tunnel ANY higher-layer protocol
through, including protocols negotiated via npn or alpn. That doesn't
mean haproxy understands the higher layer protocol though.



> alpn h2 is only supported with mode tcp? I get no errors with my
> config, so I don't know what is unsupported.

You can specify ANY string for NPN or ALPN negotiation. You can
negotiate h3 or spdy/0.01 if you feel like it. You are responsible for
understanding what happens next though.



>
> I need mode http so I can insert cookies and do other things not
> supported in mode tcp.
>
> If someone could give me a definitive yes or no, I would be most grateful.

Definitely no.

In the 1.7 tarball neither the doc/configuration.txt, nor CHANGELOG
mention HTTP/2, while it still is an item in ROADMAP.



>
> If mode http and alpn h2 aren't supported together, do we know if any
> release in the near future will support it? I thought it was coming in
> 1.7 but I can't find any documentation on it.

Currently H2 frontend support is planned for 1.8 (but it's not there yet).
I'm sure somewhere along the line it was indeed planned for 1.7, so you
are not wrong when you say you read this somewhere, but in the end
things didn't turn out this way.



Regards,

Lukas
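
Added example, not part of the thread and not haproxy code: what "happens next" when a proxy advertises h2 in ALPN but only parses HTTP/1.x. The client opens with the HTTP/2 connection preface (RFC 7540 section 3.5) and a binary SETTINGS frame, which an HTTP/1.x request-line check rejects; that this is the source of the BADREQ entries above is an assumption, since the thread does not show the rejected bytes. The parser is a simplified stand-in and the sample bytes are constructed.

```python
import re
import struct

# HTTP/2 client connection preface, RFC 7540 section 3.5.
H2_PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"
H2_SETTINGS = 0x4  # SETTINGS frame type

# Simplified stand-in for an HTTP/1.x request-line check
# (hypothetical; this is not haproxy's parser).
_REQ_LINE = re.compile(rb"^([!#$%&'*+.^_`|~0-9A-Za-z-]+) (\S+) HTTP/(\d)\.(\d)$")


def http1_accepts(data: bytes) -> bool:
    """True if the first line is a request line an HTTP/1.x-only parser would take."""
    line, sep, _ = data.partition(b"\r\n")
    m = _REQ_LINE.match(line) if sep else None
    return bool(m) and m.group(3) == b"1"


def parse_h2_frame_header(buf: bytes):
    """Decode the 9-byte HTTP/2 frame header: 24-bit length, type, flags, stream id."""
    if len(buf) < 9:
        return None
    hi, lo, ftype, flags, stream = struct.unpack(">BHBBI", buf[:9])
    return {"length": (hi << 16) | lo, "type": ftype, "flags": flags,
            "stream": stream & 0x7FFFFFFF}  # top bit of the stream id is reserved


def classify(data: bytes) -> str:
    """Label the first bytes a TLS-terminating proxy hands to its HTTP layer."""
    if data.startswith(H2_PREFACE):
        hdr = parse_h2_frame_header(data[len(H2_PREFACE):])
        if hdr and hdr["type"] == H2_SETTINGS and hdr["stream"] == 0:
            return "h2: preface + SETTINGS"
        return "h2: preface only"
    return "http/1.x" if http1_accepts(data) else "unknown"


# Constructed samples: an empty SETTINGS frame after the preface, and a plain request.
h2_client = H2_PREFACE + b"\x00\x00\x00\x04\x00\x00\x00\x00\x00"
h1_client = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"

if __name__ == "__main__":
    for name, sample in (("h2", h2_client), ("h1", h1_client)):
        print(name, "->", classify(sample),
              "| HTTP/1.x parser accepts:", http1_accepts(sample))
```

The preface's first line is shaped like a request line (`PRI * HTTP/2.0`), so the rejection comes from the version check and the binary frames that follow, not from the TLS or ALPN layer.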