Hi,
Background: we’re currently implementing HAProxy to load balance our Webmarshal web proxy farm. We use NTLM authentication from client to Webmarshal (this is fixed and won’t go away until NTLM does). NTLM, as is well known in HAProxy documentation is connection based, so everything needs to happen in a pipelined/keepalive connection, so needs HTTP/1.1.
We’ve just discovered during development that Microsoft Teams and other Office 365 apps (again fixed and won’t go away) use HTTP/1.0 to access several critical URLs (it also uses HTTP/1.1 for other URLs). When going direct to Webmarshal this is fine as it appears that Webmarshal may be somewhat relaxed in its approach. But if we put HAProxy in to load balance the Webmarshals, the NTLM setup process gets shutdown as it’s an HTTP/1.0 request, so pipelining/keepalive isn’t allowed (despite Microsoft putting a proxy-connection: keep-alive header in).
I couldn’t find a configuration command in modern versions of HAProxy to rewrite the HTTP version, so I’ve just tried inserting “netsed” in front of HAProxy and configured it to rewrite any TCP packets containing HTTP/1.0 to HTTP/1.1, and everything started working!
The ask:
1 - Ideal, probably harder) Is there any way to configure HAProxy to allow pipelined connections when the client sends an HTTP/1.0 request? (i.e. a dirty override)
2 - Hacky, but not as hacky as netsed) Is there an HAProxy rewrite function that would allow me to rewrite HTTP/1.0 to HTTP/1.1 internally, before HAProxy starts making decisions based on protocol version? I don’t believe there’s currently an option to do this part of the request line.
More than happy to supply any extra info!
Loz.