@jdyke wrote:
When using haproxy 1.8 and before, in order to use h2, I simply checked the ssl_fc_alpn and then sent traffic to the correct server depending on whether the client (browser) supported h2. Now with h2 available on the backend in 1.9 and 2.0, I thought I may be able to remove this check and clean up the configuration, but am clearly missing something.

– haproxy 1.8 –
    frontend https
        mode tcp
        bind 0.0.0.0:443 ssl crt /etc/haproxy/certs alpn h2,http/1.1 ecdhe secp384r1
        timeout http-request 10s
        #send all HTTP/2 traffic to a specific backend
        use_backend http2-nodes if { ssl_fc_alpn -i h2 }
        #send HTTP/1.1 and HTTP/1.0 to default, which don't speak HTTP/2
        default_backend http1-nodes

    backend http1-nodes
        mode http
        balance roundrobin
        default-server inter 1s fall 2 on-marked-down shutdown-sessions on-marked-up shutdown-backup-sessions
        server web01 10.X.X.12:80 check send-proxy
        server web02 10.X.X.14:80 check send-proxy

    backend http2-nodes
        mode tcp
        balance roundrobin
        default-server inter 1s fall 2 on-marked-down shutdown-sessions on-marked-up shutdown-backup-sessions
        server web01 10.X.X.12:81 check send-proxy
        server web02 10.X.X.14:81 check send-proxy

Nginx is behind these servers and has http2 on port 81 and regular 1.1 on 80.

In haproxy 1.9 and 2.0 I was thinking I could use one backend for haproxy and drop the 2nd port for Nginx. Something like the following:
    frontend https
        mode http
        bind 0.0.0.0:443 ssl crt /etc/haproxy/certs alpn h2,http/1.1 ecdhe secp384r1
        option http-use-htx
        timeout http-request 10s
        default_backend http-nodes

    backend http-nodes
        mode http
        option http-use-htx
        balance roundrobin
        default-server inter 1s fall 2 on-marked-down shutdown-sessions on-marked-up shutdown-backup-sessions
        server web01 10.X.X.12:80 send-proxy check alpn h2 #check-alpn http/1.1 send-proxy alpn h2,http1.1
        server web02 10.X.X.14:80 send-proxy check alpn h2 #check-alpn http/1.1 send-proxy alpn h2,http1.1

Then the nginx listen directive is simply
listen 80 http2 proxy_protocol
I’ve tried a number of things with the haproxy backends (alpn h2/http1.1 and proto h2) and am mainly running into 502’s from HAProxy and an error message in nginx stating:
recv() failed (104: Connection reset by peer) while processing HTTP/2 connection, client: 10.X.X.11, server: 0.0.0.0:80
Ultimately I think my question is simple: Can I use one backend for both h2 and http1.1, or should I still use the port routing based on ssl_fc_alpn? I’m trying to gain a better understanding of the new h2 backends and how option http-use-htx works.

One last bit. If I change send-proxy check alpn h2 to send-proxy check proto h2, it seems to work well with h2 browsers, and even when I curl --http1.1 -nvL -o /dev/null https://www.site.com it states that the request was in 1.1, but the nginx logs show it’s 2.0.

Hopefully this is clear. For older browsers, like IE10, it seems that I’m going to have to use the port redirect, but would love any further clarification.
Thank You,
Jeff
Posts: 1
Participants: 1
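
An added illustration, not part of the post above and not HAProxy or nginx code: ALPN is negotiated inside the TLS handshake, so on a cleartext port 80 a backend can only tell HTTP/2 from HTTP/1.x by whether the bytes after the PROXY line are the HTTP/2 connection preface. This Python example classifies constructed byte streams that way, which is also a quick check to run on a packet capture of the server-side connection. The function names, the sample addresses and the model of a listener that accepts only HTTP/2 are assumptions.

```python
H2_PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"  # RFC 7540 section 3.5
PROXY_V1 = b"PROXY "                               # PROXY protocol v1 line prefix
HTTP1_METHODS = (b"GET ", b"HEAD ", b"POST ", b"PUT ",
                 b"DELETE ", b"OPTIONS ", b"PATCH ")


def strip_proxy_v1(data):
    """Return (had_proxy_line, payload) with a leading PROXY v1 line removed."""
    if not data.startswith(PROXY_V1):
        return False, data
    # The v1 header is a single CRLF-terminated line that fits in 108 bytes.
    end = data.find(b"\r\n", 0, 108)
    if end == -1:
        raise ValueError("unterminated PROXY v1 header")
    return True, data[end + 2:]


def classify(data):
    """Name the protocol that follows any PROXY v1 line."""
    _, payload = strip_proxy_v1(data)
    if payload.startswith(H2_PREFACE):
        return "h2-prior-knowledge"
    if payload.startswith(HTTP1_METHODS):
        return "http/1.x"
    return "unknown"


def h2_only_listener_accepts(data):
    """Assumed model: a cleartext listener that requires PROXY v1, then HTTP/2."""
    had_proxy, _ = strip_proxy_v1(data)
    return had_proxy and classify(data) == "h2-prior-knowledge"


# Constructed samples of the first bytes on a proxy-to-server connection.
PROXY_LINE = b"PROXY TCP4 192.0.2.10 192.0.2.20 51234 80\r\n"
H1_STREAM = PROXY_LINE + b"GET / HTTP/1.1\r\nHost: www.site.com\r\n\r\n"
# Preface followed by an empty SETTINGS frame (length 0, type 0x04, stream 0).
H2_STREAM = PROXY_LINE + H2_PREFACE + b"\x00\x00\x00\x04\x00\x00\x00\x00\x00"

if __name__ == "__main__":
    for name, stream in (("HTTP/1.1 on the server side", H1_STREAM),
                         ("HTTP/2 on the server side", H2_STREAM)):
        print(name, "->", classify(stream),
              "accepted:", h2_only_listener_accepts(stream))
```

The client-side protocol does not appear anywhere in these bytes, so a proxy that terminates the client connection can carry an HTTP/1.1 client request to the server as HTTP/2.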