Curl Haproxy - HTTP/2 - TLS - ALPN - Doesn't work properly

I have a CentOS 7 server with OpenSSL 1.0.2j, which works fine. Nginx works properly with HTTP/2, but haproxy fails.

After enabling alpn h2, when I try to run curl (already version 7.51), I get the following error:

curl --http2 -I https://domain:port/file.htm
curl: (16) Error in the HTTP2 framing layer
If I disable h2, curl works fine, but of course it only connects over HTTP 1.1:

curl --http2 -I https://domain.com:port/file.htm
HTTP/1.1 200 OK
Server: nginx/1.11.6
Date: Fri, 18 Nov 2016 12:22:47 GMT
Content-Type: text/html; charset=utf-8
Last-Modified: Wed, 10 Aug 2016 10:27:58 GMT
Connection: keep-alive
Vary: Accept-Encoding
ETag: "57ab01ae-59"
Expires: Tue, 13 Dec 2016 12:22:47 GMT
Cache-Control: max-age=2160000
X-Page-Speed: Powered By ngx_pagespeed
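Here I have put the haproxy setup (it is supposed to set up HTTPS mode only)

I have already read a lot of websites and related information

OpenSSL info:

Setting up curl, haproxy and others:

Best site for setting up Nginx and Haproxy:

Here is the Haproxy -vv info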

HA-Proxy version 1.7-dev3 2016/05/10
Copyright 2000-2016 Willy Tarreau <willy@haproxy.org>

Build options :
  TARGET  = linux2628
  CPU     = generic
  CC      = gcc
  CFLAGS  = -O2 -g -fno-strict-aliasing -DTCP_USER_TIMEOUT=18
  OPTIONS = USE_LINUX_TPROXY=1 USE_ZLIB=1 USE_REGPARM=1 USE_OPENSSL=1 USE_LUA=1 USE_PCRE=1 USE_PCRE_JIT=1

Default settings :
  maxconn = 2000, bufsize = 16384, maxrewrite = 1024, maxpollevents = 200

Encrypted password support via crypt(3): yes
Built with zlib version : 1.2.7
Compression algorithms supported : identity("identity"), deflate("deflate"), raw-deflate("deflate"), gzip("gzip")
Built with OpenSSL version : OpenSSL 1.0.2j  26 Sep 2016
Running on OpenSSL version : OpenSSL 1.0.2j  26 Sep 2016
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports prefer-server-ciphers : yes
Built with PCRE version : 8.32 2012-11-30
PCRE library supports JIT : yes
Built with Lua version : Lua 5.3.0
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND

Available polling systems :
      epoll : pref=300,  test result OK
       poll : pref=200,  test result OK
     select : pref=150,  test result OK
Total: 3 (3 usable), will use epoll.

Available filters :
    [COMP] compression
    [TRACE] trace
In this model, who does the ALPN negotiation?

In my tests, I tried to create a proxy from SSL to another SSL server.

Thanks, everyone.


Brqx/Ricardo.

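When you set up haproxy in front of a web server, haproxy does the ALPN negotiation. This means that only haproxy knows which protocol (http/1.1, h2) was negotiated. I believe you are seeing an error because haproxy is negotiating h2 and then sending cleartext HTTP/2 traffic to a server that is not expecting it.

As the site you like points out, the way to address this is to have Nginx listen on two ports: one for HTTP/1.1 and another for HTTP/2: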

  listen      80  default_server;
  listen      81  default_server http2 proxy_protocol; ## Needed when behind HAProxy with SSL termination + HTTP/2 support
Then, in haproxy, you declare two backends:

backend nodes-http
    server node1 web.server:80 check

backend nodes-http2
    mode tcp
    server node1 web.server:81 check send-proxy
And direct traffic depending on the negotiated ALPN protocol:

use_backend nodes-http2 if { ssl_fc_alpn -i h2 }
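
The mismatch this answer describes shows up in the first cleartext bytes a backend port receives after haproxy terminates TLS. The sketch below is an added example, not code from the answer or from the HAProxy or Nginx projects: it classifies those bytes as HTTP/1.x or cleartext HTTP/2, with or without the PROXY v1 line that `send-proxy` prepends. The listener dictionaries, sample addresses and function names are constructed assumptions.

```python
# Added example: classify the first cleartext bytes a backend port receives from HAProxy.
H2_PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"   # RFC 7540 section 3.5 client preface
H1_METHODS = (b"GET", b"HEAD", b"POST", b"PUT", b"DELETE", b"OPTIONS", b"PATCH")


def split_proxy_v1(data: bytes):
    """Strip a PROXY protocol v1 line (added by `send-proxy`) if present."""
    if not data.startswith(b"PROXY "):
        return None, data
    line, sep, rest = data.partition(b"\r\n")
    if not sep or len(line) > 105:          # v1 header is at most 107 bytes incl. CRLF
        raise ValueError("truncated or oversized PROXY v1 header")
    return line.decode("ascii").split(" ")[1:], rest


def classify(data: bytes) -> dict:
    """Report which protocol follows the optional PROXY header."""
    proxy, payload = split_proxy_v1(data)
    if payload.startswith(H2_PREFACE):
        proto = "h2c"                        # cleartext HTTP/2, forwarded after TLS termination
    elif payload.split(b" ", 1)[0] in H1_METHODS:
        proto = "http/1.x"
    else:
        proto = "unknown"
    return {"proxy": proxy, "protocol": proto}


def backend_accepts(listener: dict, data: bytes) -> bool:
    """True when the bytes match what the listener is configured to parse."""
    seen = classify(data)
    return (seen["proxy"] is not None) == listener["proxy_protocol"] \
        and seen["protocol"] == listener["protocol"]


# Assumed model of the two Nginx listeners from the answer (simplified to two flags).
PORT_80 = {"proxy_protocol": False, "protocol": "http/1.x"}   # listen 80
PORT_81 = {"proxy_protocol": True, "protocol": "h2c"}         # listen 81 http2 proxy_protocol
# Constructed samples: what haproxy forwards once a client has negotiated h2.
h2_raw = H2_PREFACE + b"\x00\x00\x00\x04\x00\x00\x00\x00\x00"  # preface + empty SETTINGS frame
h2_with_proxy = b"PROXY TCP4 203.0.113.7 192.0.2.10 51234 443\r\n" + h2_raw

if __name__ == "__main__":
    print(backend_accepts(PORT_80, h2_raw))          # h2 bytes sent to the HTTP/1.1 port
    print(backend_accepts(PORT_81, h2_with_proxy))   # two-port layout with send-proxy
```

Feeding it the first bytes captured on the backend port shows whether haproxy is forwarding an HTTP/2 preface to a listener that only parses HTTP/1.x.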

What protocol does your server_51_a4.domain.com speak? Cleartext HTTP/1.1 or cleartext HTTP/2?