2015-06-06 10:19 GMT+02:00 Viranch Mehta <[email protected]>:
> Hey Lukas,
>
> On Fri, Jun 5, 2015 at 10:31 PM, Lukas Tribus <[email protected]> wrote:
>> Hi Viranch,
>>
>>
>>> tcp-request inspect-delay 5s
>>> tcp-request content accept if HTTP
>>
>> What's that configuration supposed to do? It doesn't
>> make any sense.
>
> SPDY requires me to forward TCP frames to the backend, so I need the
> frontend also to be in TCP mode. But then I also want to inspect HTTP
> headers, so these 2 lines will wait for 5s to detect HTTP traffic.
>
> Although this is no longer required with the following solution.
>
>>
>>> acl spdy ssl_fc_npn -i spdy/3.1
>>> acl site1 req.hdr(Host) -i site1.foo.com
>>> acl site2 req.hdr(Host) -i site2.foo.com
>>>
>>> use_backend site1_spdy if spdy site1
>>
>> You can't match a Host Header if the protocol is not HTTP
>> (but SPDY).
>>
>>
>> Try using SNI instead, and distinguish plaintext and SNI
>> ACLs:
>>
>>
>> acl spdy ssl_fc_npn -i spdy/3.1
>>
>> acl site1_sni ssl_fc_sni -i site1.foo.com
>> acl site2_sni ssl_fc_sni -i site2.foo.com
>>
>> acl site1_plaintext req.hdr(Host) -i site1.foo.com
>> acl site2_plaintext req.hdr(Host) -i site2.foo.com
>>
>> use_backend site1_spdy if spdy site1_sni
>> use_backend site1_http if site1_plaintext
>>
>> use_backend site2_spdy if spdy site2_sni
>> use_backend site2_http if site2_plaintext
>>


A stupid question:

Does SPDY require the use of SNI on the client side?
If not, what happens if the client doesn't send any SNI field?
Where is the request forwarded to?


Regards




>
> This config now does SPDY well but a curl call fails with "Empty reply
> from the server". So I got rid of _plaintext ACLs and used _sni for
> http backends and it did the trick:
>
> use_backend site1_spdy if spdy site1_sni
> use_backend site1_http if site1_sni
>
> use_backend site1_spdy if spdy site2_sni
> use_backend site1_http if site2_sni
>
> I'm not sure if this is right theoretically, let me know if not. I
> think I should have mentioned it before: I want to support SPDY (over
> ssl) and plain HTTPS in HAProxy; any HTTP traffic (on port 80) is
> redirected to HTTPS (port 443). So I guess _plaintext ACLs are for
> plain HTTP and _sni ACLs work for HTTPS/SPDY (?).
>
> In any case, thanks for pointing me in the right direction!
>
> Cheers
>
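
The SNI-based routing discussed in this thread, written out with an explicit path for clients that send no SNI. This is an added example, not configuration posted by anyone in the thread. The certificate path, server addresses and the `no_sni` and `unknown_host` backends are placeholders, and every section is kept in TCP mode because HAProxy requires a frontend and the backends it switches to to share a mode.

```haproxy
# Added example (constructed). Cert path, addresses and the
# no_sni / unknown_host backends are placeholders.
defaults
    mode tcp
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend https_in
    bind :443 ssl crt /etc/haproxy/certs/site.pem npn spdy/3.1,http/1.1

    acl spdy      ssl_fc_npn -i spdy/3.1
    acl has_sni   ssl_fc_has_sni
    acl site1_sni ssl_fc_sni -i site1.foo.com
    acl site2_sni ssl_fc_sni -i site2.foo.com

    # use_backend rules are evaluated in order and the first match wins,
    # so each site's SPDY rule precedes its plain HTTPS rule.
    use_backend site1_spdy if spdy site1_sni
    use_backend site1_http if site1_sni
    use_backend site2_spdy if spdy site2_sni
    use_backend site2_http if site2_sni

    # No SNI extension in the ClientHello: none of the *_sni ACLs match.
    use_backend no_sni if !has_sni
    # SNI present, but not a name served here.
    default_backend unknown_host

backend site1_spdy
    server s1 192.0.2.10:8081
backend site1_http
    server s1 192.0.2.10:8080
backend site2_spdy
    server s2 192.0.2.20:8081
backend site2_http
    server s2 192.0.2.20:8080
backend no_sni
    server fallback 192.0.2.30:8080
backend unknown_host
    server fallback 192.0.2.30:8080
```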
