HAProxy 2.0.5 accepting strict http2 request when bind line does not have proto h2

tt100 · September 24, 2019, 11:11am

I tested with HAProxy 2.0.5 with following basic configuration using curl
curl -v --http2-prior-knowledge http://IP

global
log /dev/log local0
log /dev/log local1 notice
chroot /var/lib/haproxy
user haproxy
group haproxy
daemon
#maxconn 65536

defaults
log global
mode http
http-reuse never
no log
timeout connect 5000
timeout client 50000
timeout server 50000
errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http

frontend test
bind :80
mode http
maxconn 65536
default_backend nginx

backend nginx
mode http
balance leastconn
server <IP> <IP>:81 weight 255

When tested with HAProxy 1.9.8, I get the following error:
http2 error: Remote peer returned unexpected data while we expected SETTINGS frame. Perhaps, peer does not support HTTP/2 properly.

Is this the expected behaviour?

lukastribus · September 24, 2019, 3:55pm

So you did not enable H2 in haproxy, run a H2 request against haproxy and it does not work. How can this not be expected behavior?

tt100 · September 24, 2019, 4:12pm

With HAProxy 2.0, it works without giving proto h2 in bind line. With HAProxy 1.9, it does not work with the same configuration.
With the following command:
curl -v --http2-prior-knowledge http://IP

lukastribus · September 24, 2019, 5:14pm

Ok, I guess that’s because 2.0 by default enables HTX mode, and this likely changes how the request is parsed, accepting H2 message.

You can confirm that by putting option http-use-htx into a default section covering both front and backend in 1.9, and the reverse test, no option http-use-htx into a default section covering both front and backend in 2.0.

I’d say the behavior in this case is simply undefined. Is this causing any issues?

capflam · September 24, 2019, 8:47pm

In fact, it is expected. An implicit upgrade from h1 to h2 is performed when an H2 preface is detected during the parsing of the first request of an HTTP connection. Once upgraded to h2, there is no way to come back in h1. So, on a non-TLS HTTP connection, it is possible to handle h1 or h2 requests (not mixed). Of course, if proto h2 is mentioned on the bind line, only h2 requests are accepted.

So, that said, I found a bug, there is no check to be sure it’s the first request. I will fix that quickly.

Topic		Replies	Views
Haproxy 2.2.x and problem with proto h2 in backend Help!	1	1696	August 14, 2020
Enabling http2 on backends in tcp mode Help!	0	385	May 11, 2022
HTTP2 RFC7540 and RFC754 Test Help!	2	1064	February 7, 2019
400 Bad request when enabling HTTP/2 Help!	15	5820	March 17, 2021
Haproxy 2.0.5 httpchk http/2 backend Help!	5	4185	June 17, 2020

HAProxy 2.0.5 accepting strict http2 request when bind line does not have proto h2

Related Topics