Channel: HAProxy community - Latest topics

Constantly changing sessions under H2


@adrianw wrote:

I am trying to deploy 1.8 to make use of h2. We have a single HAProxy install in front of several PHP web application servers. We have enjoyed HAProxy for the last several years and have upgraded from 1.5-1.7 without issue. I have been trying to get 1.8-rcX working and everything is OK except under h2 the AJAX calls on the site are breaking. We use CSRF tokens which are linked to the session; the problem is that under h2 each AJAX request gets a different session ID. Removing h2 fixes the problem. If I request the URLs directly under h2 it works; it is only when they are called via AJAX.

This probably isn’t a HAProxy issue, but is there any reason that I would be seeing this behaviour under h2, and not http/1.1?

haproxy -vv
HA-Proxy version 1.8-rc3-34650d5 2017/11/11
Copyright 2000-2017 Willy Tarreau willy@haproxy.org

Build options :
TARGET = linux2628
CPU = x86_64
CC = gcc
CFLAGS = -g -fno-strict-aliasing -Wdeclaration-after-statement -fwrapv -Wno-unused-label
OPTIONS = USE_ZLIB=1 USE_OPENSSL=1 USE_LUA=1 USE_PCRE=1

Default settings :
maxconn = 2000, bufsize = 16384, maxrewrite = 1024, maxpollevents = 200

Built with OpenSSL version : OpenSSL 1.0.2k-fips 26 Jan 2017
Running on OpenSSL version : OpenSSL 1.0.2k-fips 26 Jan 2017
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : SSLv3 TLSv1.0 TLSv1.1 TLSv1.2
Built with Lua version : Lua 5.3.4
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND
Built with network namespace support.
Built with zlib version : 1.2.7
Running on zlib version : 1.2.7
Compression algorithms supported : identity("identity"), deflate("deflate"), raw-deflate("deflate"), gzip("gzip")
Encrypted password support via crypt(3): yes
Built with PCRE version : 8.32 2012-11-30
Running on PCRE version : 8.32 2012-11-30
PCRE library supports JIT : no (USE_PCRE_JIT not set)
Built with multi-threading support.

Available polling systems :
epoll : pref=300, test result OK
poll : pref=200, test result OK
select : pref=150, test result OK
Total: 3 (3 usable), will use epoll.

Available filters :
[SPOE] spoe
[COMP] compression
[TRACE] trace


config

global
log 127.0.0.1 local0
maxconn 20000
ssl-server-verify none
user haproxy
group haproxy

# set default parameters to the intermediate configuration
tune.ssl.default-dh-param 2048


# STATS SOCKET
stats socket /var/run/haproxy.stats level admin

# ACCEPT LARGE REQUESTS
tune.bufsize 128000

defaults
log global
mode http
retries 3

maxconn                 20000
timeout connect         15s
timeout client          15s
timeout server          90s
timeout http-request    5s
timeout http-keep-alive 15s

option forwardfor
option httplog
option http-keep-alive
option http-server-close

# Redirect all HTTP traffic to HTTPS.

frontend WEB-HTTP-IN
bind :80
option forwardfor

# Redirection Everything else to HTTPS
redirect code 301 scheme https if !{ ssl_fc }

# Main HTTPS Frontend for our sites.

frontend WEB-HTTPS-IN
option forwardfor

bind 10.0.0.1:443 ssl crt /etc/haproxy/ssl/cert.pem no-sslv3 alpn h2,http/1.1

############# RATE LIMITING BRUTE FORCE #######################

# Table definition

acl login_request path_beg -i /account/login
tcp-request inspect-delay 10s
acl brute_force        sc1_inc_gpc0 gt 20
stick-table type binary len 20 size 100k expire 300s store gpc0
tcp-request content track-sc1 base32+src if METH_POST login_request
http-request deny if brute_force

############################################################

# Block bad IPs
acl bad_ip hdr_ip(X-Forwarded-For) -f /etc/haproxy/bad_ips.lst
http-request deny if bad_ip

# CAPTURE HEADERS FOR LOGGING
capture request header Host len 64
capture request header x-csrf-token len 64

# Send all other traffic that does match anything else to the WEB-FARM
default_backend WEB-FARM

backend WEB-FARM
balance static-rr

server WEB-011 192.168.70.221:80 check maxconn 12
