HAPROXY websockets over http2.0 don't work

I am trying to configure my haproxy that it will work over http2.0 even for websockets. This is my configuration:

        maxconn 100000
        log /dev/log    local0 debug
        log /dev/log    local1 notice
        chroot /var/lib/haproxy
        stats socket /run/haproxy/admin.sock mode 660 level admin
        stats timeout 30s
        user haproxy
        group haproxy

        # Default SSL material locations
        ca-base /etc/ssl/certs
        crt-base /etc/ssl/private

        # See: https://ssl-config.mozilla.org/#server=haproxy&server-version=2.0.3&config=intermediate
        ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
        ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets

        log     global
        mode    http
        option  httplog
        option  dontlognull
        option  redispatch
        retries 3
        timeout  connect 5000
        timeout  client  10000
        timeout  server  10000
        timeout  check   15000
        timeout  http-request 10000
        timeout  http-keep-alive 3000
        timeout  tunnel 3600s
        timeout  queue 30s
        timeout  tarpit 60s
        option forwardfor
        option logasap
        errorfile 400 /etc/haproxy/errors/400.http
        errorfile 403 /etc/haproxy/errors/403.http
        errorfile 408 /etc/haproxy/errors/408.http
        errorfile 500 /etc/haproxy/errors/500.http
        errorfile 502 /etc/haproxy/errors/502.http
        errorfile 503 /etc/haproxy/errors/503.http
        errorfile 504 /etc/haproxy/errors/504.http

frontend default
    bind :80
    bind :443 ssl crt /etc/ssl/certs/cert1.pem crt /etc/ssl/certs/cert2.pem # alpn http/1.1,h2
    http-request redirect scheme https code 301 unless { ssl_fc }
    option forwardfor
    http-reuse always
    # http-request del-header X-Forwarded-Proto
    http-request set-header X-Forwarded-Proto https if { ssl_fc }
    http-request set-header Host %[req.hdr(Host)]
    http-response set-header Server srv1
    http-request set-header Upgrade websocket if { hdr(Upgrade) -i websocket }
    http-request set-header Connection upgrade if { hdr(Upgrade) -i websocket }
    #http-request set-header Sec-WebSocket-Key SGVsbG8sIHdvcmxkIQAA if { hdr(Upgrade) -i websocket }
    acl ACL_mtcms-stag hdr(host) -i example-1.com
    use_backend mtcms-stag-servers if ACL_mtcms-stag

backend mtcms-stag-servers
    option http-server-close
    balance leastconn
    cookie CMS_SERVER_USED insert indirect nocache dynamic
    default-server maxconn 10000
    #option httpchk
    server srv1 mmv-01-stag.example.com:80 check inter 3s fall 3 rise 5 # proto h1 alpn http1.1 ws h1
    server srv2 mmv-02-stag.example.com:80 check inter 3s fall 3 rise 5 # proto h1 alpn http1.1 ws h1
    dynamic-cookie-key U4GxZKcx35RMR4x4s3Ji
> Blockquote

But it doesn’t work. I am getting response 200 OK. But the connection over websockets is reconnecting every 30seconds. If i comment out “alpn http/1.1,h2” in the bind line then websockets works perfectly but over http1.1 i guess and all other requests are using http1.1. I want websockets to work over http2.0 or can i just use http1.1 for websockets and everything else can go over http2.0? I have to send all requests to the samebackend (there is nginx that is proxying to the real apps).

Please read and configure accordingly:


Thank you! I was searching for last option ( h2-workaround-bogus-websocket-client ). Thank you for your help again :slight_smile:

I would probably better to fix the actual problem in your H2 configuration, but yes, sure, downgrading ws to h1 will work too.

Well i think that is not possible in my sutiation. Because haproxy is talking to nginx that as far as i know it does not support ws over http2.0.