I’ve been using haproxy as a LB for years now in production.
Since we currently use an HTTP/2 webserver just as a proxy, it makes sense to try and use haproxy for this protocol as well.
Since there have been quite a few h2-related fixes even in the latest 1.8.13 release, we’d like to use the H2 support on a test basis.
For HTTP/2 we already have a “mode tcp” TLS offloading in a few processes, passing through a unix-socket backend.
We’d like to use another unix-socket for the H2 haproxy for 10% of our traffic, such as:

    frontend h2-tls
        bind 127.0.0.1:443 ssl crt /var/haproxy/certs alpn h2,http/1.1,http/1.0
        mode tcp
        default_backend tls-clean

    backend tls-clean
        mode tcp
        balance static-rr
        server original /var/run/original.sock weight 90
        server h2-haproxy /var/run/h2-haproxy.sock weight 10

    frontend h2-clean
        bind unix@/var/run/h2-haproxy.sock
        default_backend ....

This doesn’t seem to be working, though.
Are there any plans to support this? Or is the HTTP/2 support really an all-or-nothing approach?
If it is, we can probably do L4 routing to 2 different layers, but we’ll have to duplicate the TLS offloading part, which will add quite a bit of memory usage in our case (we have over 3.000 certs), which is not ideal.