Haproxy - HTTP/2 - TLS ALPN - Doesn't work correctly


Problem description

I have a CentOS 7 server with OpenSSL 1.0.2j fully working. Nginx is working correctly with HTTP/2, but haproxy fails.

When I try to run curl (it is already version 7.51) with ALPN h2 enabled, I get the following error:

curl --http2 -I https://domain:port/file.htm
curl: (16) Error in the HTTP2 framing layer

If I disable h2, curl works correctly, but of course it only connects over HTTP/1.1:

curl --http2 -I https://domain.com:port/file.htm
HTTP/1.1 200 OK
Server: nginx/1.11.6
Date: Fri, 18 Nov 2016 12:22:47 GMT
Content-Type: text/html; charset=utf-8
Last-Modified: Wed, 10 Aug 2016 10:27:58 GMT
Connection: keep-alive
Vary: Accept-Encoding
ETag: "57ab01ae-59"
Expires: Tue, 13 Dec 2016 12:22:47 GMT
Cache-Control: max-age=2160000
X-Page-Speed: Powered By ngx_pagespeed

Here are my haproxy settings (it is supposed to be set up only in https mode):

global
    # Default SSL material locations
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private

    # Default ciphers to use on SSL-enabled listening sockets.
    ssl-default-bind-options   no-sslv3 no-tls-tickets force-tlsv12
    ssl-default-bind-ciphers   ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS

    spread-checks 4

    tune.maxrewrite 1024
    tune.ssl.default-dh-param 2048

...

frontend
    mode tcp
    bind 0.0.0.0:60641 ssl crt /etc/haproxy/certs/domain.pem alpn h2,http/1.1

    http-response set-header Strict-Transport-Security "max-age=16000000; includeSubDomains; preload;"

...

backend
    stick-table type ip size 200k expire 30m
    stick on src

    server server_51_a4.domain.com IP:PORT check ssl verify none

I have read a lot of sites and related information:

OpenSSL information: https://www.nginx.com/blog/supporting-http2-google-chrome-users/

Setting up curl, haproxy and others: https://blog.cloudflare.com/tools-for-debugging-testing-and-using-http-2/

Best site for setting up Nginx and Haproxy: http://m12.io/blog/http-2-with-haproxy-and-nginx-guide

Here is the haproxy -vv information:

HA-Proxy version 1.7-dev3 2016/05/10
Copyright 2000-2016 Willy Tarreau <willy@haproxy.org>

Build options :
  TARGET  = linux2628
  CPU     = generic
  CC      = gcc
  CFLAGS  = -O2 -g -fno-strict-aliasing -DTCP_USER_TIMEOUT=18
  OPTIONS = USE_LINUX_TPROXY=1 USE_ZLIB=1 USE_REGPARM=1 USE_OPENSSL=1 USE_LUA=1 USE_PCRE=1 USE_PCRE_JIT=1

Default settings :
  maxconn = 2000, bufsize = 16384, maxrewrite = 1024, maxpollevents = 200

Encrypted password support via crypt(3): yes
Built with zlib version : 1.2.7
Compression algorithms supported : identity("identity"), deflate("deflate"), raw-deflate("deflate"), gzip("gzip")
Built with OpenSSL version : OpenSSL 1.0.2j  26 Sep 2016
Running on OpenSSL version : OpenSSL 1.0.2j  26 Sep 2016
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports prefer-server-ciphers : yes
Built with PCRE version : 8.32 2012-11-30
PCRE library supports JIT : yes
Built with Lua version : Lua 5.3.0
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND

Available polling systems :
      epoll : pref=300,  test result OK
       poll : pref=200,  test result OK
     select : pref=150,  test result OK
Total: 3 (3 usable), will use epoll.

Available filters :
    [COMP] compression
    [TRACE] trace

Also, I have seen another site where it is said that haproxy doesn't support HTTP/2:

https://istlsfastyet.com/#server-performance

What is the problem? Haproxy?

CentOS 7 openssl support?

Thank you for reading. Help the world to have haproxy ready for HTTP/2.

I want to add another related question.

"When setting up haproxy in front of a web server, haproxy will do the ALPN negotiation."

And what happens if we use haproxy with two levels and on different servers?

Server 01 - Level 01 - Haproxy ( listen ssl)
Server 02 - Level 02 - Haproxy ( listen ssl)
Server 03 - Level 03 - Nginx  ( listen no ssl )

In this model, who does the ALPN negotiation?

In my test I have been trying to proxy from SSL to another SSL server.

Thanks to everyone.

Brqx / Ricardo.

Answer

When setting up haproxy in front of a web server, haproxy will do the ALPN negotiation. That means that only haproxy knows which protocol was negotiated (http/1.1 or h2). I believe you're seeing an error because haproxy is negotiating h2, and then sending cleartext HTTP/2 traffic to a server that's not expecting it.

As pointed out by the 'The complete guide to HTTP/2 with HAProxy and Nginx' site you linked to, the way you address that is to make Nginx listen on two ports: one for HTTP/1.1 and another for HTTP/2:

  listen      80  default_server;
  listen      81  default_server http2 proxy_protocol; ## Needed when behind HAProxy with SSL termination + HTTP/2 support

Then, in haproxy, you declare two backends:

backend nodes-http
    server node1 web.server:80 check

backend nodes-http2
    mode tcp
    server node1 web.server:81 check send-proxy

and direct traffic depending on the negotiated ALPN protocol:

use_backend nodes-http2 if { ssl_fc_alpn -i h2 }
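The answer shows the routing in fragments; the following is a complete, added example configuration (not code from the question, the answer, or the HAProxy project) that puts those pieces together for a HAProxy 1.7 build like the one in the question, which has no native HTTP/2 support of its own (that arrived in 1.8). It assumes the backend hostname web.server and the certificate path from the question and answer, nginx listening on port 80 (HTTP/1.1) and port 81 (http2 with proxy_protocol) exactly as in the answer's listen lines, and a cipher list that drops the 3DES suites from the question's list; the frontend listens on 443 rather than the question's 60641, and the 'mode tcp'/'use_backend' switch into an HTTP backend relies on HAProxy's documented ability to hand a TCP frontend's connection to an HTTP backend.

```haproxy
# Added example (not from the question or answer): HAProxy 1.7 terminating TLS,
# negotiating ALPN, and sending each connection to a backend that actually
# speaks the negotiated protocol. Hostname, cert path and ports are assumed.
global
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private
    ssl-default-bind-options   no-sslv3 no-tls-tickets force-tlsv12
    ssl-default-bind-ciphers   ECDHE+AESGCM:DHE+AESGCM:ECDHE+AES256:DHE+AES256:ECDHE+AES128:DHE+AES128:!aNULL:!MD5:!DSS
    tune.ssl.default-dh-param 2048

defaults
    mode    http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# TLS termination. 'mode tcp' because this HAProxy cannot parse HTTP/2 itself:
# once the handshake agrees on h2, the decrypted stream is HTTP/2 framing and
# must be relayed byte-for-byte to something that understands it.
frontend https-in
    mode tcp
    bind *:443 ssl crt /etc/haproxy/certs/domain.pem alpn h2,http/1.1
    # Route on what the TLS handshake actually negotiated (ssl_fc_alpn),
    # so HTTP/2 framing is never delivered to an HTTP/1.1-only listener.
    use_backend nodes-http2 if { ssl_fc_alpn -i h2 }
    default_backend nodes-http

# http/1.1 (or no ALPN at all): HAProxy parses HTTP here, so header rules work.
backend nodes-http
    mode http
    http-response set-header Strict-Transport-Security "max-age=16000000; includeSubDomains; preload"
    server node1 web.server:80 check

# h2: raw relay of the decrypted HTTP/2 stream to nginx's http2 listener.
# HAProxy cannot see or edit headers on this path; 'send-proxy' passes the
# real client address via the PROXY protocol (nginx side: proxy_protocol).
backend nodes-http2
    mode tcp
    server node1 web.server:81 check send-proxy
```

Check the file with `haproxy -c -f /etc/haproxy/haproxy.cfg` before reloading, then confirm the negotiation from outside with `curl -v --http2 https://domain/file.htm` (look for "ALPN, server accepted to use h2") or `openssl s_client -alpn h2 -connect domain:443` (look for "ALPN protocol: h2"). Two caveats follow from the design: on the h2 path HAProxy is a byte relay, so Strict-Transport-Security and any other header manipulation for that path must be done in nginx's port-81 server block; and the question's backend line re-encrypts towards nginx with `ssl verify none`, which disables certificate validation on that hop. If the backend hop must stay encrypted, use `ssl verify required ca-file <trust bundle>` on the server line instead of `verify none`, and remember that a TLS backend carrying h2 would still need to be a `mode tcp` relay on HAProxy 1.7.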
