I am trying to deploy 1.8 to make use of h2. We have a single HAProxy install in front of several PHP web application servers. We have enjoyed HAProxy for the last several years and have upgraded from 1.5-1.7 without issue. I have been trying to get 1.8-rcX working and everything is OK except that under h2 the ajax calls on the site are breaking. We use CSRF tokens which are linked to the session; the problem is that under h2 each ajax request gets a different session ID. Removing h2 fixes the problem. If I request the URLs directly under h2 it works, it is only when they are called via AJAX.
This probably isn't a HAProxy issue, but is there any reason that I would be seeing this behaviour under h2, and not http/1.1?
haproxy -vv
HA-Proxy version 1.8-rc3-34650d5 2017/11/11
Copyright 2000-2017 Willy Tarreau willy@haproxy.org
Build options :
TARGET = linux2628
CPU = x86_64
CC = gcc
CFLAGS = -g -fno-strict-aliasing -Wdeclaration-after-statement -fwrapv -Wno-unused-label
OPTIONS = USE_ZLIB=1 USE_OPENSSL=1 USE_LUA=1 USE_PCRE=1
Default settings :
maxconn = 2000, bufsize = 16384, maxrewrite = 1024, maxpollevents = 200
Built with OpenSSL version : OpenSSL 1.0.2k-fips 26 Jan 2017
Running on OpenSSL version : OpenSSL 1.0.2k-fips 26 Jan 2017
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : SSLv3 TLSv1.0 TLSv1.1 TLSv1.2
Built with Lua version : Lua 5.3.4
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND
Built with network namespace support.
Built with zlib version : 1.2.7
Running on zlib version : 1.2.7
Compression algorithms supported : identity("identity"), deflate("deflate"), raw-deflate("deflate"), gzip("gzip")
Encrypted password support via crypt(3): yes
Built with PCRE version : 8.32 2012-11-30
Running on PCRE version : 8.32 2012-11-30
PCRE library supports JIT : no (USE_PCRE_JIT not set)
Built with multi-threading support.
Available polling systems :
epoll : pref=300, test result OK
poll : pref=200, test result OK
select : pref=150, test result OK
Total: 3 (3 usable), will use epoll.
Available filters :
[SPOE] spoe
[COMP] compression
[TRACE] trace
config
global
    log 127.0.0.1 local0
    maxconn 20000
    ssl-server-verify none
    user haproxy
    group haproxy
    # set default parameters to the intermediate configuration
    tune.ssl.default-dh-param 2048
    # STATS SOCKET
    stats socket /var/run/haproxy.stats level admin
    # ACCEPT LARGE REQUESTS
    tune.bufsize 128000

defaults
    log global
    mode http
    retries 3
    maxconn 20000
    timeout connect 15s
    timeout client 15s
    timeout server 90s
    timeout http-request 5s
    timeout http-keep-alive 15s
    option forwardfor
    option httplog
    option http-keep-alive
    option http-server-close

# Redirect all HTTP traffic to HTTPS.
frontend WEB-HTTP-IN
    bind :80
    option forwardfor
    # Redirect everything else to HTTPS
    redirect code 301 scheme https if !{ ssl_fc }

# Main HTTPS frontend for our sites.
frontend WEB-HTTPS-IN
    option forwardfor
    bind 10.0.0.1:443 ssl crt /etc/haproxy/ssl/cert.pem no-sslv3 alpn h2,http/1.1
    ############# RATE LIMITING BRUTE FORCE #######################
    # Table definition
    acl login_request path_beg -i /account/login
    tcp-request inspect-delay 10s
    acl brute_force sc1_inc_gpc0 gt 20
    stick-table type binary len 20 size 100k expire 300s store gpc0
    tcp-request content track-sc1 base32+src if METH_POST login_request
    http-request deny if brute_force
    ############################################################
    # Block bad IPs
    # Note: X-Forwarded-For is client-supplied unless a trusted upstream proxy sets it,
    # so this check only means something when such a proxy sits in front of HAProxy.
    acl bad_ip hdr_ip(X-Forwarded-For) -f /etc/haproxy/bad_ips.lst
    http-request deny if bad_ip
    # CAPTURE HEADERS FOR LOGGING
    capture request header Host len 64
    capture request header x-csrf-token len 64
    # Send all other traffic that does not match anything else to the WEB-FARM
    default_backend WEB-FARM

backend WEB-FARM
    balance static-rr
    server WEB-011 192.168.70.221:80 check maxconn 12
l
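A check worth running against the httplog output of the frontend above (added example, not code from the post or from the HAProxy project): it parses the `{Host|x-csrf-token}` field that the two `capture request header` lines produce, reports client connections (src:port) whose requests were routed to more than one WEB-FARM server, and counts 403 responses per CSRF token. The log lines, addresses, tokens and the second server WEB-012 are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample of HAProxy "option httplog" lines for the posted frontend.
# The "{Host|x-csrf-token}" field comes from the two "capture request header"
# lines in the config; WEB-012 and all addresses/tokens are made up for this example.
SAMPLE_LOG = """\
Nov 11 10:00:01 lb haproxy[2231]: 203.0.113.7:50112 [11/Nov/2017:10:00:01.101] WEB-HTTPS-IN~ WEB-FARM/WEB-011 0/0/1/9/10 200 2048 - - ---- 4/4/0/0/0 0/0 {www.example.com|tok-a1} "GET /account HTTP/1.1"
Nov 11 10:00:01 lb haproxy[2231]: 203.0.113.7:50112 [11/Nov/2017:10:00:01.205] WEB-HTTPS-IN~ WEB-FARM/WEB-012 0/0/1/7/8 403 312 - - ---- 4/4/0/0/0 0/0 {www.example.com|tok-a1} "POST /ajax/cart HTTP/1.1"
Nov 11 10:00:01 lb haproxy[2231]: 203.0.113.7:50112 [11/Nov/2017:10:00:01.301] WEB-HTTPS-IN~ WEB-FARM/WEB-011 0/0/1/8/9 403 312 - - ---- 4/4/0/0/0 0/0 {www.example.com|tok-a1} "POST /ajax/notify HTTP/1.1"
Nov 11 10:00:02 lb haproxy[2231]: 198.51.100.9:41870 [11/Nov/2017:10:00:02.010] WEB-HTTPS-IN~ WEB-FARM/WEB-011 0/0/1/9/10 200 2048 - - ---- 4/4/0/0/0 0/0 {www.example.com|tok-b7} "GET /account HTTP/1.1"
Nov 11 10:00:02 lb haproxy[2231]: 198.51.100.9:41871 [11/Nov/2017:10:00:02.150] WEB-HTTPS-IN~ WEB-FARM/WEB-011 0/0/1/7/8 200 312 - - ---- 4/4/0/0/0 0/0 {www.example.com|tok-b7} "POST /ajax/cart HTTP/1.1"
"""

# Fields of the default httplog format up to the captured headers and request line.
LOG_RE = re.compile(
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+) \[[^\]]+\] (?P<fe>\S+) "
    r"(?P<be>[^/\s]+)/(?P<srv>\S+) \S+ (?P<status>\d{3}) \d+ \S+ \S+ \S+ \S+ \S+ "
    r"\{(?P<host>[^|}]*)\|(?P<csrf>[^}]*)\} \"(?P<method>\S+) (?P<path>\S+)"
)

def parse_log(text):
    """Parse httplog lines into dicts; lines that do not match are skipped."""
    return [m.groupdict() for m in map(LOG_RE.search, text.splitlines()) if m]

def servers_per_connection(rows):
    """Client TCP connection (src:port) -> sorted backend servers it was routed to.
    An h2 client multiplexes every request over one connection, so one src:port
    reaching several servers means those requests were balanced independently."""
    seen = defaultdict(set)
    for r in rows:
        seen[f"{r['src']}:{r['sport']}"].add(r["srv"])
    return {conn: sorted(srvs) for conn, srvs in seen.items()}

def split_connections(rows):
    """Only the connections whose requests were spread over more than one server."""
    return {c: s for c, s in servers_per_connection(rows).items() if len(s) > 1}

def rejected_by_token(rows):
    """CSRF token -> number of 403 responses, to pair rejections with a session."""
    counts = defaultdict(int)
    for r in rows:
        if r["status"] == "403":
            counts[r["csrf"]] += 1
    return dict(counts)

if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    print("split connections:", split_connections(rows))
    print("403s per CSRF token:", rejected_by_token(rows))
```

On a real box, feed `parse_log` the contents of the haproxy log file instead of `SAMPLE_LOG`; a connection listed by `split_connections` whose requests carry one token but land on several servers is the first thing to compare between an h2 and an http/1.1 run.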