Page MenuHomeVyOS Platform
Create Task
Maniphest T7304

haproxy: Enable HTTP/2
Open, LowPublic
Actions

Description

HAProxy version 2.6 (as used in Vyos nightly) only allows HTTP/1.1 by default.
To enable HTTP/2 on a frontend/service, the "bind" parameter in haproxy.cfg must have additional options added to the end of the line.
The alpn option is a comma-delimited list of protocol names, for instance: "http/1.1,http/1.0" (without quotes).

To allow both HTTP/2 or HTTP/1.1 to be used, the haproxy.cfg file generated vyos would need the following change:

frontend LAN_443
-    bind 192.168.1.1:443 ssl crt /run/haproxy/proxy_cert.pem
+    bind 192.168.1.1:443 ssl crt /run/haproxy/proxy_cert.pem alpn h2,http/1.1

This could be gated behind an optional Vyos configuration setting, however I believe this should instead just be enabled by default.

In newer HAProxy versions (as of version 2.8), the default alpn value (if none is specified on the bind configuration line) changes to "h2,http/1.1" for a regular HTTPS frontend, and "h3" for a QUIC frontend.

Details

Version
-
Is it a breaking change?
Perfectly compatible
Issue type
Feature (new functionality)

Related Objects

Event Timeline

woodsb02 created this task.Tue, Apr 1, 5:42 AM
woodsb02 created this object in space S1 VyOS Public.
woodsb02 added a comment.Tue, Apr 1, 5:45 AM

HAProxy documentation for this:

Version 2.6 (currently used in Vyos nightly): https://docs.haproxy.org/2.6/configuration.html#5.1-alpn
Version 2.8 (when default alpn setting changed): https://docs.haproxy.org/2.8/configuration.html#5.1-alpn

woodsb02 added a comment.Tue, Apr 1, 5:48 AM

Note that if the version of HAProxy used in Vyos is upgraded to version 2.8 or later (as proposed in T7142), then HTTP/2 is enabled by default and this task can be closed as "overcome by events".

pasik subscribed.Tue, Apr 1, 6:17 AM