I am trying to configure my HAProxy so that it works over HTTP/2.0, even for websockets. This is my configuration:
# global: process-wide settings (limits, logging, runtime user, admin socket, TLS defaults)
global
maxconn 100000
# Logging goes to the local syslog socket.
# NOTE(review): because of the chroot below, /dev/log is resolved inside /var/lib/haproxy
# at runtime — distro packaging usually provides that socket; confirm it exists there.
log /dev/log local0 debug
log /dev/log local1 notice
chroot /var/lib/haproxy
# "level admin" grants full runtime control (e.g. enabling/disabling servers) to anyone
# who can open this socket, so the group allowed by mode 660 should be operators only.
stats socket /run/haproxy/admin.sock mode 660 level admin
stats timeout 30s
# Privileges are dropped to this user/group after startup.
user haproxy
group haproxy
daemon
# Default SSL material locations
ca-base /etc/ssl/certs
crt-base /etc/ssl/private
# See: https://ssl-config.mozilla.org/#server=haproxy&server-version=2.0.3&config=intermediate
# TLS 1.2 cipher list (ECDHE/DHE key exchange, AEAD ciphers only); TLS 1.3 suites are listed separately.
ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
# Floor at TLS 1.2. no-tls-tickets disables stateless session resumption, so no long-lived
# ticket key is held in memory, at the cost of a full handshake on reconnect.
ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
# defaults: inherited by every frontend/backend below unless overridden there
defaults
log global
mode http
option httplog
option dontlognull
# On a failed connection, retry against another server instead of the sticky one.
option redispatch
retries 3
# Bare numbers are milliseconds: 5s connect, 10s client/server inactivity, 15s check, ...
timeout connect 5000
timeout client 10000
timeout server 10000
timeout check 15000
timeout http-request 10000
timeout http-keep-alive 3000
# Once a request has been upgraded (e.g. a websocket 101), this tunnel timeout (1h) takes
# the place of the client/server inactivity timeouts above.
timeout tunnel 3600s
timeout queue 30s
timeout tarpit 60s
# Appends the client address to X-Forwarded-For; any client-supplied value stays in front
# of it, so the upstream should only trust the last (HAProxy-added) entry.
option forwardfor
# Logs as soon as the request is forwarded; response size and timers in the log are
# therefore incomplete.
option logasap
errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http
# frontend: the public listener; the plain :80 bind exists only to redirect to TLS
frontend default
bind :80
# NOTE(review): HAProxy hands the ALPN list to the TLS library as the server's preference
# order, so "http/1.1,h2" would favour HTTP/1.1 for a client offering both; the documented
# form is "alpn h2,http/1.1". The trailing comment shows ALPN is currently disabled here.
bind :443 ssl crt /etc/ssl/certs/cert1.pem crt /etc/ssl/certs/cert2.pem # alpn http/1.1,h2
# Anything that did not arrive over TLS is redirected, so only TLS requests reach the rules below.
http-request redirect scheme https code 301 unless { ssl_fc }
# Already enabled in defaults; redundant here.
option forwardfor
# NOTE(review): http-reuse is a backend-level keyword; in a frontend HAProxy warns at
# startup and ignores it. The backend also uses "option http-server-close", which
# prevents server connection reuse regardless.
http-reuse always
# http-request del-header X-Forwarded-Proto
# Overwrites any client-supplied X-Forwarded-Proto on TLS requests — which, given the
# redirect above, is every request that reaches a backend.
http-request set-header X-Forwarded-Proto https if { ssl_fc }
# Sets Host to its own current value; this has no effect.
http-request set-header Host %[req.hdr(Host)]
# Masks the upstream's Server header with a fixed value.
http-response set-header Server srv1
# Websocket workaround: re-asserts Upgrade (already "websocket" per the condition) and
# replaces the whole Connection header with "upgrade".
# NOTE(review): HAProxy 2.4+ converts an H2 extended-CONNECT websocket into an H1 Upgrade
# towards the server on its own — confirm the running version before relying on these rules.
http-request set-header Upgrade websocket if { hdr(Upgrade) -i websocket }
http-request set-header Connection upgrade if { hdr(Upgrade) -i websocket }
# Keep this disabled: Sec-WebSocket-Key is meant to be a fresh per-handshake nonce, and a
# constant value is not what RFC 6455 intends.
#http-request set-header Sec-WebSocket-Key SGVsbG8sIHdvcmxkIQAA if { hdr(Upgrade) -i websocket }
# Only this Host is routed; with no default_backend, any other Host is answered with a 503.
acl ACL_mtcms-stag hdr(host) -i example-1.com
use_backend mtcms-stag-servers if ACL_mtcms-stag
# backend: two nginx nodes reached over plain HTTP on port 80
backend mtcms-stag-servers
# Closes the server-side connection after each response; this rules out server connection reuse.
option http-server-close
balance leastconn
# Sticky-session cookie; "dynamic" derives each server's cookie value from a hash of the
# server address and dynamic-cookie-key (set at the end of this section).
cookie CMS_SERVER_USED insert indirect nocache dynamic
default-server maxconn 10000
# With httpchk disabled, "check" below is a plain TCP connect check — an nginx that answers
# 5xx still counts as up.
#option httpchk
# NOTE(review): HAProxy→nginx traffic is cleartext on :80; acceptable only on a trusted segment.
# The trailing "ws h1" comment refers to the server-side websocket mode keyword of HAProxy 2.4+.
server srv1 mmv-01-stag.example.com:80 check inter 3s fall 3 rise 5 # proto h1 alpn http1.1 ws h1
server srv2 mmv-02-stag.example.com:80 check inter 3s fall 3 rise 5 # proto h1 alpn http1.1 ws h1
# NOTE(review): this key is a secret — it seeds the dynamic cookie hash above. It has been
# published together with this configuration and should be regenerated before deployment.
dynamic-cookie-key U4GxZKcx35RMR4x4s3Ji
> Blockquote
But it doesn’t work: I get a 200 OK response, but the websocket connection reconnects every 30 seconds. If I comment out “alpn http/1.1,h2” in the bind line, websockets work perfectly — but then, I guess, over HTTP/1.1, and all other requests use HTTP/1.1 as well. I want websockets to work over HTTP/2.0 — or can I just use HTTP/1.1 for websockets while everything else goes over HTTP/2.0? I have to send all requests to the same backend (there is an nginx that proxies to the real apps).