When using haproxy 1.8 and before, in order to use h2, I simply checked the ssl_fc_alpn and then sent traffic to the correct server depending on whether the client (browser) supported h2. Now with h2 available on the backend in 1.9 and 2.0, I thought I might be able to remove this check and clean up the configuration, but I am clearly missing something.
– haproxy 1.8 –
frontend https
    mode tcp
    bind 0.0.0.0:443 ssl crt /etc/haproxy/certs alpn h2,http/1.1 ecdhe secp384r1
    timeout http-request 10s
    #send all HTTP/2 traffic to a specific backend
    use_backend http2-nodes if { ssl_fc_alpn -i h2 }
    #send HTTP/1.1 and HTTP/1.0 to default, which don't speak HTTP/2
    default_backend http1-nodes

backend http1-nodes
    mode http
    balance roundrobin
    default-server inter 1s fall 2 on-marked-down shutdown-sessions on-marked-up shutdown-backup-sessions
    server web01 10.X.X.12:80 check send-proxy
    server web02 10.X.X.14:80 check send-proxy

backend http2-nodes
    mode tcp
    balance roundrobin
    default-server inter 1s fall 2 on-marked-down shutdown-sessions on-marked-up shutdown-backup-sessions
    server web01 10.X.X.12:81 check send-proxy
    server web02 10.X.X.14:81 check send-proxy

Nginx is behind these servers and has http2 on port 81 and regular 1.1 on 80.

In haproxy 1.9 and 2.0 I was thinking I could use one backend for haproxy and drop the 2nd port for Nginx. Something like the following:

frontend https
    mode http
    bind 0.0.0.0:443 ssl crt /etc/haproxy/certs alpn h2,http/1.1 ecdhe secp384r1
    option http-use-htx
    timeout http-request 10s
    default_backend http-nodes

backend http-nodes
    mode http
    option http-use-htx
    balance roundrobin
    default-server inter 1s fall 2 on-marked-down shutdown-sessions on-marked-up shutdown-backup-sessions
    server web01 10.X.X.12:80 send-proxy check alpn h2 #check-alpn http/1.1 send-proxy alpn h2,http1.1
    server web02 10.X.X.14:80 send-proxy check alpn h2 #check-alpn http/1.1 send-proxy alpn h2,http1.1

Then the nginx listen directive is simply

    listen 80 http2 proxy_protocol

I’ve tried a number of things with the haproxy backends (alpn h2/http1.1 and proto h2) and am mainly running into 502’s from HAProxy and an error message in nginx stating:

    recv() failed (104: Connection reset by peer) while processing HTTP/2 connection, client: 10.X.X.11, server: 0.0.0.0:80

Ultimately I think my question is simple: Can I use one backend for both h2 and http1.1, or should I still use the port routing based on ssl_fc_alpn? I’m trying to gain a better understanding of the new h2 backends and how option http-use-htx works.

One last bit. If I change "send-proxy check alpn h2" to "send-proxy check proto h2", it seems to work well with h2 browsers, and even when I curl --http1.1 -nvL -o /dev/null https://www.site.com it states that the request was in 1.1, but the nginx logs show it's 2.0.

Hopefully this is clear. For older browsers, like IE10, it seems that I’m going to have to use the port redirect, but I would love any further clarification.

Thank You,
Jeff
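
Added example, not part of the post above and not HAProxy's own code: a small Python check over the `server` lines of a `mode http` backend. ALPN is negotiated inside the TLS handshake, so `alpn h2` on a server line without `ssl` is never offered and HAProxy speaks HTTP/1.1 to the server, while `proto h2` forces HTTP/2 with no negotiation. The `web03` line, its CA path and all function names are assumptions made for the illustration.

```python
# Added example, not from the original post. Lints HAProxy "server" lines of a
# "mode http" backend: "alpn" is a TLS extension, so without "ssl" on the same
# line it is never negotiated; "proto" forces the protocol outright.

# Constructed sample: web01/web02 follow the post, web03 is hypothetical.
SAMPLE = """\
backend http-nodes
    mode http
    server web01 10.X.X.12:80 send-proxy check alpn h2 #check-alpn http/1.1
    server web02 10.X.X.14:80 send-proxy check proto h2
    server web03 10.X.X.16:443 ssl verify required ca-file /etc/haproxy/ca.pem alpn h2,http/1.1
"""

TAKES_ARG = {"alpn", "proto"}  # the only keywords whose argument this check reads


def parse_server(line):
    """Return (name, options) for a 'server' line, or None for any other line."""
    tokens = line.split("#", 1)[0].split()  # drop the trailing comment
    if len(tokens) < 3 or tokens[0] != "server":
        return None
    opts, rest, i = {}, tokens[3:], 0
    while i < len(rest):
        key = rest[i]
        if key in TAKES_ARG and i + 1 < len(rest):
            opts[key] = rest[i + 1]
            i += 2
        else:
            opts[key] = True
            i += 1
    return tokens[1], opts


def server_protocol(opts):
    """Protocol HAProxy will speak towards this server."""
    if "proto" in opts:
        return "forced " + opts["proto"]
    if "ssl" in opts and "alpn" in opts:
        return "TLS ALPN offer " + opts["alpn"]
    return "h1"  # cleartext or no ALPN: plain HTTP/1.1


def lint(config):
    """Return (server, protocol, warning-or-None) for each server line."""
    report = []
    for line in config.splitlines():
        parsed = parse_server(line)
        if parsed is None:
            continue
        name, opts = parsed
        ignored = "alpn" in opts and "ssl" not in opts
        warning = "alpn ignored: no ssl on this server line" if ignored else None
        report.append((name, server_protocol(opts), warning))
    return report
```

For the sample, `lint(SAMPLE)` reports `web01` as `h1` with the warning, which matches the resets nginx logs on its cleartext HTTP/2 listener, and `web02` as `forced h2`.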