Hi guys, I need to implement HAProxy to cover old server problems. It is all working right now, but I can't find info on how to do the following: HTTPS:h2 to HTTPS:HTTP/1.1.
My configuration is this:
Client --HTTP1.1/HTTPS--> HAProxy (transparent for SSL offloading) --> Server (HTTP1.1/HTTPS)
I need to do a conversion gateway from H2 to HTTP1.1 (HTTPS):
Client --HTTP2.0/HTTPS--> HAProxy (transparent for SSL offloading) --> Server (HTTP1.1/HTTPS)
In Nginx I do the same and it works: it receives H2/HTTPS but sends the requests to the backend server over HTTP1.1/HTTPS.
How can I get the same setup in HAProxy?
Here is a simple config file that is working in TPROXY mode:
```
# HAProxy configuration file
global
    daemon
    stats socket /var/run/haproxy.stat mode 600
    log 127.0.0.1 local4
    maxconn 40000
    ulimit-n 80034
    pidfile /var/run/haproxy.pid
    tune.ssl.default-dh-param 2048

defaults
    log global
    mode http
    timeout connect 4000
    timeout client 42000
    timeout server 43000
    balance roundrobin

listen CC1-HTTP
    bind XX.XX.3X.XX:80
    mode http
    http-response set-header Strict-Transport-Security "max-age=16000000; includeSubDomains; preload;"
    option forwardfor
    source 0.0.0.0 usesrc clientip
    cookie SERVERID insert nocache indirect
    option redispatch
    stats enable
    cookie SERVERID insert indirect nocache
    server www-XXX 10.10.2X.XX:80 cookie check

listen CC1-HTTPS
    bind 10.10.3X.XX:443 ssl crt /opt/ssl/cc1-crt.pem ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:R$
    mode http
    http-response set-header Strict-Transport-Security "max-age=16000000; includeSubDomains; preload;"
    option forwardfor
    source 0.0.0.0 usesrc clientip
    cookie SERVERID insert nocache indirect
    option redispatch
    stats enable
    cookie SERVERID insert indirect nocache
    server www-XXX 10.10.2X.XX:443 cookie check ssl verify none
```
When I add "alpn h2,http/1.1", HAProxy receives H2 but then tries to forward H2 to the backend, and I need to get HTTP1.1/HTTPS at this point.
Forwarding to port 80 or via HTTP is not an option, and a reverse proxy that is not fully transparent (e.g. X-Forward) is not an option; it must be transparent HTTP1.1/HTTPS.
HA-Proxy version 1.6.4 (Full Transparent) with OpenSSL 1.0.2g (non shared), no errors, all working fine
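
For reference, an added example (not part of the original post and not the project's own configuration): an HTTPS section that accepts HTTP/2 from clients and keeps HTTP/1.1 over TLS towards the backend, with the post's `verify none` shown beside a verified alternative. It assumes HAProxy 1.8 or later, the release that introduced HTTP/2 on the client side; the addresses, server name, `verifyhost` name and CA file path are placeholders.

```haproxy
# Added example. Assumes HAProxy 1.8 or later (1.6.x has no HTTP/2 support).
# 192.0.2.10, 198.51.100.20, www1, backend.example.internal and the CA path
# are constructed placeholders, not values from the post.
listen CC1-HTTPS
    # Offer h2 to clients through ALPN; clients without h2 fall back to HTTP/1.1.
    bind 192.0.2.10:443 ssl crt /opt/ssl/cc1-crt.pem alpn h2,http/1.1
    mode http

    # Transparent source address, as in the post (requires TPROXY support).
    source 0.0.0.0 usesrc clientip

    # The server line carries no "alpn" or "proto" keyword, so HAProxy
    # speaks HTTP/1.1 to the backend inside the TLS session.

    # Weak, as in the post: the backend certificate is never checked, so
    # anything answering on that address is accepted as the backend.
    #   server www1 198.51.100.20:443 check ssl verify none

    # Verified: validate the chain against a known CA and check the name
    # in the certificate presented by the backend.
    server www1 198.51.100.20:443 check ssl verify required ca-file /etc/haproxy/backend-ca.pem verifyhost backend.example.internal
```

`haproxy -c -f <file>` parses the configuration and reports errors without starting the proxy, which is a quick way to confirm the installed version accepts these keywords.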