DockerFlowProxy Http2 400 errors

[ghost]

Thank you so much for this awesome project. We have been using it for sometime now without any issues.
However, with the latest release supporting HTTP2, we ran in to an issue. by default, when the ENABLE_H2 option is true, When accessing Elastic's Kibana and some web applications, we see occasional (but persistent) 400 errors from the proxy:

| 2018/01/04 22:35:21 HAPRoxy: 10.255.0.6:61008 [04/Jan/2018:22:35:21.839] services~ brp_ui-be8080_0/brp_ui_0 0/0/1/-1/2 400 658 - - CHVN 1/1/0/0/0 0/0 "POST /brp/jsp/newLogin.do?dispatch=login HTTP/1.1"

The error code from the proxy is "CH" in both cases. When we switch the ENABLE_H2=false, all are working fine without any 400s whatsoever ever.

/cfg/haproxy.conf:

global
    pidfile /var/run/haproxy.pid
    tune.ssl.default-dh-param 2048
    log 127.0.0.1:1514 local0
    ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
    ssl-default-bind-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM

    ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
    ssl-default-server-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-G
resolvers docker
    nameserver dns 127.0.0.11:53
defaults
    mode    http
    balance roundrobin
    option  http-keep-alive
    option  forwardfor
    option  redispatch
    errorfile 400 /errorfiles/400.http
    errorfile 403 /errorfiles/403.http
    errorfile 405 /errorfiles/405.http
    errorfile 408 /errorfiles/408.http
    errorfile 429 /errorfiles/429.http
    errorfile 500 /errorfiles/500.http
    errorfile 502 /errorfiles/502.http
    errorfile 503 /errorfiles/503.http
    errorfile 504 /errorfiles/504.http
    maxconn 5000
    timeout connect 30s
    timeout client  20s
    timeout server  60s
    timeout queue   30s
    timeout tunnel  3600s
    timeout http-request 30s
    timeout http-keep-alive 30s
    stats enable
    stats refresh 30s
    stats realm Strictly\ Private
    stats uri /proxy
frontend services
    bind *:80
    bind *:443 ssl crt-list /cfg/crt-list.txt alpn h2,http/1.1
    mode http
    option httplog
    log global
    acl url_brp_ui8080_0 path_beg /brp
    acl domain_brp_ui8080_0 hdr(host) -I my.example.com
    use_backend brp_ui-be8080_0 if url_brp_ui8080_0 domain_brp_ui8080_0
backend brp_ui-be8080_0
    mode http
    http-request redirect scheme https if !{ ssl_fc }
    http-request add-header X-Forwarded-Proto https if { ssl_fc }
    log global
    balance roundrobin
    cookie brp_ui insert indirect nocache

can you please help?

[vfarcic]

I'm not sure how Kibana works internally. Normally, HAProxy will use h2 protocol only if it's supported by the client, and switch to http1.1 if it's not. I used it with my own Kibana instance without any problem. However, that one is for my personal use and doesn't have high traffic so it's possible that I was simply lucky so far.

If you can send me the commands you executed to create ELK and DFP, I can replicate them in my own cluster.

The workaround you did (disabling h2) should work if you do not use it normally.

P.S. Sorry for not responding earlier. Too much work...

[ghost]

I just found that Http2 is not yet supported by Kibana: elastic/kibana#7104
Please close the issue.