0

I am using HAProxy as a loadbalancer and to terminate SSL. Behind that I've placed an Nginx. I'd like to use spdy/3.1.

It does not work with the following haproxy.conf and nginx.cfg. (Files are served, but according to the Chrome SPDY/HTTP2 Indicator Plugin it is just normal HTTP/1.1 traffic.)

I tried to strip unnecessary parts.

What am I doing wrong? Do you have tips for debugging?

(HAProxy 1.6 current and NginX 1.10 stable line)

haproxy.cfg:

global
  daemon
  tune.ssl.default-dh-param 2048

defaults
  mode tcp

frontend myfrontend
  bind *:80
  bind *:443 ssl crt /etc/ssl/certificate.pem npn spdy/3.1,http/1.1 ciphers ECDH+AESGCM:HIGH:!aNULL:!MD5:!DSS:!RC4; no-sslv3
  acl istoplevel path /
  redirect scheme https if istoplevel !{ ssl_fc }
  redirect location / if !istoplevel !{ ssl_fc }
  rspadd Strict-Transport-Security:\ max-age=31536000;
  default_backend mybackend

backend mybackend
  server s1 localhost:81
  option forwardfor
  http-request set-header X-Forwarded-Port %[dst_port]
  http-request add-header X-Forwarded-Proto https if { ssl_fc }

nginx.conf:

user  nginx;

http {
  include       /etc/nginx/mime.types;
  default_type  application/octet-stream;

  sendfile        on;
  #tcp_nopush     on;

  server {
    listen 81 spdy;
    root /usr/share/nginx/html;
    index index.html;

    location / {
      try_files $uri $uri/ /index.html;
    }
  }
}
alsdkjasdlkja

2 Answers

1

Chrome doesn't support SPDY any more: http://blog.chromium.org/2016/02/transitioning-from-spdy-to-http2.html?m=1

And it doesn't support HTTP/2 in a lot of instances either: https://ma.ttias.be/day-google-chrome-disables-http2-nearly-everyone-may-31st-2016/

Also it doesn't matter what Nginx is doing if you are terminating at HAProxy. I'm not sure if HAProxy supports SPDY? Some posts suggest it does with special config, others that it's waiting for HTTP/2.

Ultimately SPDY is on the way out. When even its inventor won't support it, you know you're on to a losing battle. You'd be much better moving on to HTTP/2.

Barry Pollard
  • I know, but the main http/2 module for nodejs only supports it with TLS, and since I terminate ssl in haproxy I can't use it – alsdkjasdlkja Jul 10 '16 at 19:17
  • Where did nodejs come from!?! Not mentioned at all in original question. Is that behind Nginx? Ultimately the connection between HAProxy and Nginx and anything else you've got there doesn't matter. It's likely to be so low latency that any benefit over HTTP/1.1 will be of negligible impact. What you care about is connection between client browser and HAProxy - get that working with SPDY or preferably HTTP/2 to see most benefits. Btw it does not need to be one protocol all the way through as, as soon as you terminate SSL, you also terminate the connection and start a new one from then on. – Barry Pollard Jul 10 '16 at 19:23
  • Nodejs is another service besides nginx which is load-balanced by haproxy. That was not part of the question but I took it into consideration when I decided to go with SPDY, that's why I mentioned it in the comment. So okay, then I'll try to go with http/2. I thought it only makes sense if I have SPDY/http2 all the way down :D Thanks so far :) I'll come back to you when I have problems – alsdkjasdlkja Jul 10 '16 at 19:37
  • Nice, it worked. Thanks! :) Now using HTTP/2. Was not too easy. Had to use debian:stretch as the new ALPN (NPN support was dropped in Google Chrome) requires openssl 1.0.2 – alsdkjasdlkja Jul 11 '16 at 03:56
0

You'll need to use ALPN for Chrome. For HAProxy, you'll need 1.8 to support terminating with HTTP2.

Here's the relevant config for HTTP2 and ALPN from CertSimple's load balancer with HTTP/2 and dynamic reconfig guide:

frontend public
    # HTTP/2 - see https://www.haproxy.com/blog/whats-new-haproxy-1-8/
    bind :443 ssl crt /etc/https/cert-and-private-key-and-intermediate-and-dhparam.pem alpn h2,http/1.1
mikemaccana
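
On the question's request for debugging tips: the check that matters is which protocol the TLS terminator selects via ALPN, since a bind line carrying only `npn` gives a current Chrome nothing to negotiate. The script below is an added example, not part of the thread or of either project; the function names and the sample `s_client` excerpts are constructed for illustration, and it assumes an `openssl` binary at 1.0.2 or later for `-alpn`.

```bash
#!/usr/bin/env bash
# Added example: report which protocol a TLS terminator selects via ALPN.

# Read `openssl s_client` output on stdin; print the selected ALPN protocol,
# "none" if the server selected nothing, "unknown" if neither line appears.
alpn_from_s_client() {
  awk '
    /^ALPN protocol: /    { sub(/^ALPN protocol: /, ""); proto = $0 }
    /^No ALPN negotiated/ { proto = "none" }
    END { print (proto == "" ? "unknown" : proto) }
  '
}

# Offer h2 and http/1.1 to host:port (needs OpenSSL 1.0.2+ for -alpn).
probe_alpn() {
  host=$1; port=${2:-443}
  openssl s_client -connect "$host:$port" -servername "$host" \
    -alpn h2,http/1.1 </dev/null 2>/dev/null | alpn_from_s_client
}

# Map the parsed protocol to a one-line finding.
verdict() {
  case "$1" in
    h2)       echo "OK: h2 selected; browsers can speak HTTP/2 to the proxy" ;;
    http/1.1) echo "WARN: ALPN answered with http/1.1; h2 was not selected" ;;
    none)     echo "FAIL: no ALPN answer (bind line has npn only, or neither)" ;;
    *)        echo "ERROR: handshake failed or output not recognised" ;;
  esac
}

# Constructed s_client excerpts, so the parser can be exercised offline.
SAMPLE_H2='CONNECTED(00000003)
ALPN protocol: h2
SSL-Session:'
SAMPLE_NPN_ONLY='CONNECTED(00000003)
No ALPN negotiated
SSL-Session:'

if [ $# -ge 1 ]; then
  verdict "$(probe_alpn "$@")"          # e.g. ./alpn-check.sh example.com 443
else
  verdict "$(printf '%s\n' "$SAMPLE_H2" | alpn_from_s_client)"
  verdict "$(printf '%s\n' "$SAMPLE_NPN_ONLY" | alpn_from_s_client)"
fi
```

Run it against the HAProxy frontend rather than the Nginx backend: the browser only ever negotiates with the listener that terminates TLS.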