HTTP2 and HTTP1 on specific SNI or ACLs

Tiger97 · October 31, 2022, 11:51am

Hello,
I have an Haproxy with lots of different SNI and ACLs and I’m trying to configure HTTP2 on one specific SNI, but when I configure the haproxy.cfg as the example below, the requests to the site that should be accessible from HTTP2 works fine, but the others that should be accessible only with HTTP/1.1 are opening the site that is accessible from HTTP2.

frontend ft_default
    mode http
    bind :443 ssl crt-list /etc/haproxyCA/crt-list.txt no-sslv3 no-tlsv10 no-tlsv11 no-tlsv13 alpn h2,http/1.1
(. . .)
# HTTP/1.1 site
use_backend bk_http1 if { ssl_fc_sni http1.example.com }
# HTTP2 site
use_backend bk_http2 if { ssl_fc_sni http2.example.com }

# HTTP/1.1 backend
backend bk_http1
        mode http
        server <host> <server_IP>:80 weight 10 maxconn 1024 check

# HTTP2 backend
backend bk_http2
        mode http
        server <host> <server_IP>:80 weight 10 maxconn 1024 check alpn h2,http/1.1

My HAProxy version is 2.0.13-2ubuntu0.2.

If you need further information or explanation please feel free to ask.

Thank you.

lukastribus · October 31, 2022, 1:37pm

H2 support is configured in the frontend with alpn h2,http/1.1. Nothing about what you do in the backend influences frontend H2 support.

You are already using crt-list, so I suggest you move the alpn configuration from the haproxy config file to the crt-list so you can do it per certificate:

https://cbonte.github.io/haproxy-dconv/2.0/configuration.html#5.1-crt-list

Tiger97 · October 31, 2022, 1:49pm

Hello lukastribus,

First of all, thank you for your response!

I have crt-list configured and a line per sub-domain, however, I must say that the site that should open in HTTP2 and the one that should open in HTTP1.1 use the same certificate (because it’s a wildcard certificate). It’s that a problem?

lukastribus · October 31, 2022, 2:13pm

This will not work. Browser will reuse the HTTP2 session to access all domains valid based on the certificate and that is why this would not work even if haproxy would support such a configuration.

You will have to use distinct, non overlapping certificates here.

Tiger97 · October 31, 2022, 3:51pm

Thank you very much for your explanation!

I’ll have a look at that and see what is the best approach.