Hi,
I need help to better understand the ALPN routing capabilities of HAProxy…
I have tried something which finally did not work, but I did not understand where I went wrong.
In my mind, I would like to implement an SSL pass-through TLS protocol router which by default detects ALPN and sends requests to an nginx with ALPN + h2 farm or an nginx + SPDY one (switching on the ALPN protocol the client supports), and falls back to an NPN + SPDY farm if ALPN is not supported by the client.
Focusing only on h2 and a fallback to npn + spdy, I tried:
backend nginx-alpn-h2-lb-webfullhttps
    mode tcp
    server 10.4.156.232:8026_nginx-alpn-h2-lb1 10.20.135.232:8026 check inter 2s rise 3 fall 2 send-proxy

backend nginx-npn-spdy-lb-web
    mode tcp
    server 10.4.156.234:8025_nginx-npn-spdy-lb1 10.20.135.234:8025 check inter 2s rise 3 fall 2 send-proxy

backend nginx-npn-spdy-lb-webfullhttps
    mode tcp
    server 10.20.135.234:8026_nginx-npn-spdy-lb1 10.20.135.234:8026 check inter 2s rise 3 fall 2 send-proxy

frontend shared-frontend
    bind 10.4.156.235:80
    bind 10.4.156.235:443 alpn h2
    acl p443 dst_port 443
    acl speak_alpn_h2 ssl_fc_alpn -i h2
    use_backend nginx-alpn-h2-lb-webfullhttps if p443 speak_alpn_h2
    acl p80 dst_port 80
    use_backend nginx-npn-spdy-lb-web if p80
    acl speak_alpn ssl_fc_alpn -m found
    use_backend nginx-npn-spdy-lb-webfullhttps if p443 !speak_alpn
It does not work, it only passes requests to the NPN + SPDY farm, even with a proper client (curl with h2 support and OpenSSL 1.0.2).
I have tried the same thing with ssl on the bind directive with a valid cert and ssl set as a server option on the backends, and it seems to work…
Reading the HAProxy doc, I see:
ssl_fc_alpn : string
This extracts the Application Layer Protocol Negotiation field from an
incoming connection made via a TLS transport layer and locally deciphered by
haproxy. The result is a string containing the protocol name advertised by
the client. The SSL library must have been built with support for TLS
extensions enabled (check haproxy -vv). Note that the TLS ALPN extension is
not advertised unless the “alpn” keyword on the “bind” line specifies a
protocol list. Also, nothing forces the client to pick a protocol from this
list, any other one may be requested. The TLS ALPN extension is meant to
replace the TLS NPN extension. See also “ssl_fc_npn”.
Why is it mandatory to offload SSL to be able to read ssl_fc_alpn? It would be more performant to be able to read it without offloading it and let it be offloaded by the proxied backend… I thought that the ALPN field was sent in the clear, is it not the case?
Thanks for your help.
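An added example, not the original poster's configuration and not taken from the HAProxy project, showing the same pass-through router written with the ClientHello-level fetches (req.ssl_hello_type, req.ssl_alpn) instead of ssl_fc_alpn, which is only populated once haproxy itself has decrypted the handshake. It assumes a HAProxy build recent enough to provide req.ssl_alpn, and reuses the farm names and addresses from the post; the server names are arbitrary.

```haproxy
# Added example (not the poster's config). TLS pass-through ALPN router.
# Assumes req.ssl_alpn is available in this HAProxy build.

frontend shared-frontend
    mode tcp
    bind 10.4.156.235:80
    # No "ssl" keyword: haproxy never decrypts, so an "alpn" list on the
    # bind line would have no effect. The nginx farms must advertise
    # h2 / spdy to the client themselves.
    bind 10.4.156.235:443

    # Content rules are evaluated as soon as any byte arrives. Wait (at
    # most 5s) until a full ClientHello (hello type 1) is buffered;
    # without this, req.ssl_alpn is checked against an empty buffer and
    # every connection silently takes the fallback path.
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }

    acl p80  dst_port 80
    acl p443 dst_port 443

    # ALPN values offered in the cleartext ClientHello (RFC 7301).
    # Assumption: several values come back comma-separated, so match
    # "h2" as a whole list element rather than as a substring.
    acl alpn_present req.ssl_alpn -m found
    acl alpn_h2      req.ssl_alpn -m reg (^|,)h2($|,)
    acl alpn_spdy    req.ssl_alpn -m reg (^|,)spdy/

    use_backend nginx-npn-spdy-lb-web          if p80
    use_backend nginx-alpn-h2-lb-webfullhttps  if p443 alpn_h2
    use_backend nginx-npn-spdy-lb-webfullhttps if p443 alpn_spdy
    # No ALPN extension at all (older client): NPN/SPDY farm.
    use_backend nginx-npn-spdy-lb-webfullhttps if p443 !alpn_present
    default_backend nginx-npn-spdy-lb-webfullhttps

backend nginx-alpn-h2-lb-webfullhttps
    mode tcp
    server h2-lb1 10.20.135.232:8026 check inter 2s rise 3 fall 2 send-proxy

backend nginx-npn-spdy-lb-web
    mode tcp
    server spdy-lb1-web 10.20.135.234:8025 check inter 2s rise 3 fall 2 send-proxy

backend nginx-npn-spdy-lb-webfullhttps
    mode tcp
    server spdy-lb1-https 10.20.135.234:8026 check inter 2s rise 3 fall 2 send-proxy
```

With `haproxy -c -f` to validate and `openssl s_client -alpn h2` against the frontend you can confirm which farm a given ALPN offer lands on; a missing inspect-delay shows up as every client reaching the fallback backend.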