I have a problem configuring HAProxy in TCP mode with HTTP/2.
My main goal is to serve a static maintenance page over HTTPS.
Here's my HAProxy config:
global
    log /dev/log local0
    log /dev/log local1 notice
    chroot /var/lib/haproxy
    stats socket /run/haproxy/admin.sock mode 660 level admin
    stats timeout 30s
    user haproxy
    group haproxy
    daemon
    tune.ssl.default-dh-param 2048
    ssl-default-bind-options no-sslv3 no-tls-tickets
    ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA

defaults
    log global
    option dontlognull
    timeout connect 5000
    timeout client 50000
    timeout server 50000

frontend http
    mode http
    bind *:80
    redirect scheme https

frontend https
    mode tcp
    bind *:443 ssl crt /etc/ssl/certificate.pem alpn h2,http/1.1
    default_backend web

backend web
    mode tcp
    balance roundrobin
    server www1 192.168.0.100:443 check
    server www2 192.168.0.101:443 check
    server www3 192.168.0.102:443 check

backend maintenance
    mode tcp
    errorfile 503 /etc/haproxy/errors/503.http
When I switch default_backend in the frontend section to maintenance, it doesn't work: HAProxy doesn't serve any page. The analogous solution with mode http works fine, but then I am not able to use SSL with HTTP/2 and nginx on the backend.
On the backend side there is an nginx with HTTP/2 (without SSL) turned on.
I can't serve the maintenance page from nginx because it's nonsense to use multiple web servers for that. In the future I am planning to expand the web server stack to a dozen servers.
I was thinking about putting up a simple standalone server to serve one static maintenance page, but I don't know any app/library that allows using HTTP/2 without SSL. I think that for now only nginx allows that.
I've read the HAProxy documentation from cover to cover and there aren't any helpful examples describing HTTP/2 and SSL configuration. In the end, even Google is helpless.
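An added example configuration, not from the original post: errorfile only applies in HTTP mode (in TCP mode HAProxy just relays bytes and never generates a response of its own), so this version keeps everything in mode http while still negotiating HTTP/2 on both sides. It assumes HAProxy 2.0 or newer (proto h2 on a server line needs HTX, the default since 2.0) and that nginx listens for cleartext HTTP/2 on port 80 instead of 443; the certificate path, errorfile path and server addresses are taken from the post.

```haproxy
# Added example, not the poster's config. Assumes HAProxy >= 2.0 and
# nginx configured with "listen 80 http2;" (cleartext HTTP/2, prior knowledge).
global
    log /dev/log local0
    tune.ssl.default-dh-param 2048
    # TLS 1.2 minimum; reuse the poster's cipher list here if needed
    ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets

defaults
    log global
    mode http                      # http mode is what makes errorfile usable
    option httplog
    timeout connect 5s
    timeout client 50s
    timeout server 50s

frontend http
    bind *:80
    redirect scheme https code 301

frontend https
    # TLS terminates here; ALPN lets browsers pick HTTP/2 over the TLS connection
    bind *:443 ssl crt /etc/ssl/certificate.pem alpn h2,http/1.1
    # Automatic maintenance page when every web server fails its health check;
    # for a planned outage, point default_backend at maintenance instead.
    acl web_down nbsrv(web) lt 1
    use_backend maintenance if web_down
    default_backend web

backend web
    balance roundrobin
    # proto h2: speak cleartext HTTP/2 to nginx (assumed on :80, not :443)
    server www1 192.168.0.100:80 proto h2 check
    server www2 192.168.0.101:80 proto h2 check
    server www3 192.168.0.102:80 proto h2 check

backend maintenance
    # No servers: HAProxy answers every request itself with the 503 errorfile,
    # delivered over the same TLS/HTTP-2 client connection.
    errorfile 503 /etc/haproxy/errors/503.http
```

Validate the file with `haproxy -c -f /etc/haproxy/haproxy.cfg` before reloading; the 503.http file must contain full HTTP response headers followed by the page body, as the errorfile directive expects.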