Hi list,

I'm using haproxy-1.9.4 and trying to enable http2 in the frontend and on
one backend server (nginx with http2 enabled). I'm always receiving an
http/502 from haproxy. I'm successfully able to talk directly to the
backend with http2, but not via haproxy.

The haproxy log looks like this (curl request like "curl --http2 -k -L
-v https://10.10.10.10"):

    Feb 26 11:07:10 localhost haproxy[24088]: srcip=1.1.1.1:37468 feip=10.10.10.10:443(http-in,http-in~,1) beip=10.10.10.10:37530(server1,0) serverip=10.20.20.20:443(webserver1) GET / HTTP/1.1 1/1/0/0/0 0/0 requests=0 resptime=-1 bytesread=244 status=502 tsc=PH-- sslv=TLSv1.2 ms=998

My config looks like this:

global
    log 127.0.0.1 local1 info
    chroot /home/haproxy
    user haproxy
    group haproxy
    master-worker
    debug
    ssl-server-verify none
    tune.ssl.default-dh-param 2048
    ssl-default-bind-ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
    ssl-default-bind-options no-sslv3 no-tls-tickets

defaults
    log global
    mode http
    option dontlognull
    timeout connect 5s
    timeout client 50s
    timeout server 60s

frontend http-in
    bind 10.10.10.10:443 ssl crt /etc/haproxy/ssl/wildcard.pem crt /etc/haproxy/ssl/ alpn h2,http/1.1
    log-format "srcip=%ci:%cp feip=%fi:%fp(%f,%ft,%fc) beip=%bi:%bp(%b,%bc) serverip=%si:%sp(%s) "%r" %ac/%fc/%bc/%sc/%rc %sq/%bq requests=%rt resptime=%Tr bytesread=%B status=%ST tsc=%tsc sslv=%sslv ms=%ms"
    default_backend server1

backend server1
    balance roundrobin
    #http-check expect status 200
    #option httpchk GET "/test"
    server webserver1 10.20.20.20:443 ssl verify none alpn h2,http/1.1

When I enable health checks on the backend, the backend does not come
up, because of "Layer7 invalid response". The backend is a simple nginx
with http2 enabled. As I mentioned: when I talk directly to the backend
with http2, everything is fine. So it has something to do with
my haproxy config, but I'm not sure what's wrong.

Any hints for this?

Many thanks.

Kind regards,
Tom