Force response to send HTTP/2 GOAWAY?

Posted by Joseph Sible
Force response to send HTTP/2 GOAWAY?
September 02, 2018 03:50AM
When using HTTP/2, is there a way to force haproxy to send a GOAWAY
frame after a given response? I expected that "option forceclose"
might do this, but I tested it and it doesn't seem to. My use-case for
this is having a way to force re-establishment of the TLS connection,
which I can currently do with "option forceclose" if I limit myself to
HTTP/1.1. If there's currently not a way to do this, would a patch
that makes it work be accepted?

Joseph C. Sible
Lukas Tribus
Re: Force response to send HTTP/2 GOAWAY?
September 02, 2018 11:40AM
Hello Joseph,


On Sun, 2 Sep 2018 at 03:42, Joseph Sible <[email protected]> wrote:
>
> When using HTTP/2, is there a way to force haproxy to send a GOAWAY
> frame after a given response? I expected that "option forceclose"
> might do this, but I tested it and it doesn't seem to. My use-case for
> this is having a way to force re-establishment of the TLS connection,

I think this should be done with a 421 Misdirect instead of a GOAWAY:
https://tools.ietf.org/html/rfc7540#section-9.1.2

The 421 is there to make sure the browser sends the same request again
on a different connection. GOAWAY is different in that regard and
depending on what the last frame id in the GOAWAY header is, a browser
may or may not retry the request.

You might be able to do this with a dedicated backend and a 503 errorfile.

backend generate_421
errorfile 503 /etc/haproxy/421misdirect.http

With appropriate content in /etc/haproxy/421misdirect.http


Would you mind elaborating why you want to close the TLS connection,
for a better understanding of the use-case?



Regards,
Lukas
Joseph C. Sible
Re: Force response to send HTTP/2 GOAWAY?
September 02, 2018 10:10PM
On Sun, Sep 2, 2018 at 5:29 AM Lukas Tribus <[email protected]> wrote:
> You might be able to do this with a dedicated backend and a 503 errorfile.
>
> backend generate_421
> errorfile 503 /etc/haproxy/421misdirect.http
>
> With appropriate content in /etc/haproxy/421misdirect.http

I'll give this a try and see if browsers respond the way I need them to.

> Would you mind elaborating why you want to close the TLS connection,
> for a better understanding of the use-case?

My use-case is for TLS client certificate authentication. In my
configuration, client certificates are optional for the site as a
whole, but required to perform certain actions on it. If a user visits
the site without the client certificate, inserts their smart card, and
then tries to perform an action that requires a certificate, the
browser will reuse the TLS connection without it, so the action will
fail. I need the browser to establish a new TLS connection so that it
will use the client certificate that is now present.

Joseph C. Sible
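Putting Lukas's suggestion together with Joseph's use case, the configuration below is an added example (not from either poster) for an HAProxy 1.8-era setup: client certificates are optional at the bind, and a request that needs one but arrives on a connection that did not present one is routed to the server-less backend, whose 503 errorfile carries a 421 status line so the browser retries on a fresh TLS connection. The certificate paths, ACL names, the "app" backend and the /secure/ path prefix are assumptions.

```haproxy
# Added example, not the thread's own config. Paths, ACL names, the backend
# "app" and the /secure/ prefix are assumed for illustration.
frontend https_in
    mode http
    # Client certificate is requested but not required at the TLS layer.
    bind :443 ssl crt /etc/haproxy/site.pem ca-file /etc/haproxy/client-ca.pem verify optional alpn h2,http/1.1

    # True only when this TLS connection carries a client certificate.
    acl has_client_cert ssl_c_used
    # Assumed: the actions that require a certificate live under /secure/.
    acl needs_cert path_beg /secure/

    # Certificate needed but absent (typically a reused connection opened before
    # the smart card was inserted): answer 421 instead of letting the action fail.
    use_backend generate_421 if needs_cert !has_client_cert
    default_backend app

# No servers here, so every request gets the 503 errorfile. Errorfiles are sent
# verbatim, which is why the file may carry a 421 status line.
backend generate_421
    mode http
    errorfile 503 /etc/haproxy/421misdirect.http

backend app
    mode http
    server app1 127.0.0.1:8080

# Contents of /etc/haproxy/421misdirect.http (a raw HTTP response, modelled on
# the stock 503.http; not HAProxy syntax):
#
#   HTTP/1.1 421 Misdirected Request
#   Cache-Control: no-cache
#   Connection: close
#   Content-Type: text/html
#
#   <html><body><h1>421 Misdirected Request</h1>
#   Please retry; a new connection is required.</body></html>
```

To confirm the routing before testing browsers, `curl -v --http2 https://host/secure/anything` without a client certificate should show the 421 response, while adding `--cert` should reach the app backend.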