Hey Lukas,

On Fri, Jun 5, 2015 at 10:31 PM, Lukas Tribus <luky...@hotmail.com> wrote:
> Hi Viranch,
>
>
>> tcp-request inspect-delay 5s
>> tcp-request content accept if HTTP
>
> What's that configuration supposed to do? It doesn't
> make any sense.

SPDY requires me to forward TCP frames to the backend, so I need the
frontend also to be in TCP mode. But then I also want to inspect HTTP
headers, so these 2 lines will wait for 5s to detect HTTP traffic.

Although this is no longer required with the following solution.

>
>> acl spdy ssl_fc_npn -i spdy/3.1
>> acl site1 req.hdr(Host) -i site1.foo.com
>> acl site2 req.hdr(Host) -i site2.foo.com
>>
>> use_backend site1_spdy if spdy site1
>
> You can't match a Host Header if the protocol is not HTTP
> (but SPDY).
>
>
> Try using SNI instead, and distinguish plaintext and SNI
> ACLs:
>
>
> acl spdy ssl_fc_npn -i spdy/3.1
>
> acl site1_sni ssl_fc_sni -i site1.foo.com
> acl site2_sni ssl_fc_sni -i site2.foo.com
>
> acl site1_plaintext req.hdr(Host) -i site1.foo.com
> acl site2_plaintext req.hdr(Host) -i site2.foo.com
>
> use_backend site1_spdy if spdy site1_sni
> use_backend site1_http if site1_plaintext
>
> use_backend site2_spdy if spdy site2_sni
> use_backend site2_http if site2_plaintext
>

This config now does SPDY well but a curl call fails with "Empty reply
from the server". So I got rid of _plaintext ACLs and used _sni for
http backends and it did the trick:

use_backend site1_spdy if spdy site1_sni
use_backend site1_http if site1_sni

use_backend site1_spdy if spdy site2_sni
use_backend site1_http if site2_sni

I'm not sure if this is right theoretically, let me know if not. I
think I should have mentioned it before: I want to support SPDY (over
ssl) and plain HTTPS in HAProxy; any HTTP traffic (on port 80) is
redirected to HTTPS (port 443). So I guess _plaintext ACLs are for
plain HTTP and _sni ACLs work for HTTPS/SPDY (?).

In any case, thanks for pointing me in the right direction!

Cheers
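
The setup discussed in this thread (port 80 redirected to HTTPS, SPDY and plain HTTPS split on port 443 by NPN and SNI), written out as one configuration. This is an added example, not part of either message; the certificate path, frontend names, server names, ports and 192.0.2.x addresses are placeholders, and it assumes separate backends per site as in Lukas's suggestion.

```haproxy
# Added example. Certificate path, frontend names and server addresses are placeholders.
frontend fe_http
    mode http
    bind :80
    # No TLS on this port, so there is no SNI or NPN to match on: redirect everything.
    redirect scheme https code 301

frontend fe_https
    mode tcp
    bind :443 ssl crt /etc/haproxy/certs/placeholder.pem npn spdy/3.1,http/1.1

    # Both values come from the TLS handshake, so they are available
    # in TCP mode without parsing any application data.
    acl spdy      ssl_fc_npn -i spdy/3.1
    acl site1_sni ssl_fc_sni -i site1.foo.com
    acl site2_sni ssl_fc_sni -i site2.foo.com

    # Rules are evaluated in order and the first match wins, so the
    # SPDY rule for a site has to come before its plain HTTPS rule.
    use_backend site1_spdy if spdy site1_sni
    use_backend site1_http if site1_sni
    use_backend site2_spdy if spdy site2_sni
    use_backend site2_http if site2_sni

backend site1_spdy
    mode tcp
    server site1_spdy_1 192.0.2.11:8081

backend site1_http
    mode http
    server site1_http_1 192.0.2.11:8080

backend site2_spdy
    mode tcp
    server site2_spdy_1 192.0.2.12:8081

backend site2_http
    mode http
    server site2_http_1 192.0.2.12:8080
```

A client that sends no SNI matches none of these rules. The TCP-mode frontend never compares the Host header with the SNI value, so the backend servers should still validate Host themselves.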
