Configure HAProxy to Bridge H2 or HTTPS/1.1 to HTTPS/1.1

Hi there,

I am currently exploring the possibilities of HAProxy. This thing can do a lot :)

Now I’ve reached a point where I do not know what to do next. I’ve compiled HAProxy version 1.7-dev6 from source (see -vv below).

The goal is to accomplish SSL/TLS bridging with some extensions, as described here: https://www.haproxy.com/doc/aloha/7.0/deployment_guides/tls_layouts.html#ssl-tls-bridging-or-re-encryption
The traffic between Client and HAProxy should be H2 or HTTPS/1.1, the traffic between HAProxy and Server can only be HTTPS/1.1 (thank you, legacy application!), and I need to use SNI.

My configuration so far:
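    # TLS is terminated here; certificates are loaded from the directory
    frontend frontend_https-sni
        bind *:443 ssl crt /etc/haproxy/ssl/
        mode http
        # pick the backend by looking up the lower-cased client SNI in the map file
        use_backend %[ssl_fc_sni,lower,map_dom(/etc/haproxy/switch_ssl.map)]

    # traffic is re-encrypted to the servers; "verify none" skips certificate validation
    backend backend_ssl_1
        mode http
        server web0 127.0.0.1:443 ssl verify none check

    backend backend_ssl_2
        mode http
        server web0 127.0.0.2:443 ssl verify none check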

This works fine. But as soon as I try to add "alpn h2,http1.1" to the bind param, the configuration does not work anymore. I have reached a bunch of different configurations, but none of them worked…

My questions are:

  1. Is it even possible to accomplish what I am trying to do? I haven’t found anyone doing it already. I would be really happy if I do not have to deploy nginx…
  2. If yes, can you give me some direction where I need to go, please?

Thank you very much!

Kind regards,
Max

1.7.0 stable has been released, please do not use obsolete development snapshots.

“Translating” between H2 and HTTP/1.1 would require H2 support, which is not yet there in HAProxy. So this is not possible yet.
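
For the HTTPS/1.1-to-HTTPS/1.1 bridging that the posted configuration already does, the backend leg uses `verify none`, so HAProxy encrypts to the server without authenticating it. The following is an added example, not part of the thread, showing that backend beside a variant that validates the server certificate and forwards the client's SNI. The CA file path and the hostname `app1.example.internal` are assumed placeholders.

```haproxy
# Added example; CA path and hostname below are assumptions, not from the thread.
frontend frontend_https-sni
    bind *:443 ssl crt /etc/haproxy/ssl/
    mode http
    use_backend %[ssl_fc_sni,lower,map_dom(/etc/haproxy/switch_ssl.map)]

# As posted: the connection to the server is encrypted, but any certificate
# is accepted, so an on-path host between HAProxy and the server goes unnoticed.
backend backend_ssl_1
    mode http
    server web0 127.0.0.1:443 ssl verify none check

# Variant with server authentication:
#   verify required  - abort the handshake if the certificate does not validate
#   ca-file          - CA bundle the server certificate must chain to (assumed path)
#   verifyhost       - name the certificate must match (assumed hostname)
#   sni ssl_fc_sni   - send the SNI received from the client on to the server
backend backend_ssl_1_verified
    mode http
    server web0 127.0.0.1:443 ssl verify required ca-file /etc/haproxy/ca/backend-ca.pem verifyhost app1.example.internal sni ssl_fc_sni check
```

Run `haproxy -c -f <config file>` to check the syntax before reloading. With `verify required`, the health check fails as well if the server's certificate does not validate.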