Hi, On Thu, Feb 07, 2019 at 04:50:12PM +0200, Jarno Huuskonen wrote: > Hi, > > On Thu, Feb 07, Steve GIRAUD wrote: > > Thanks Jarno for the investigation. > > No problem. > > > The large header is only on response and there is only one large header > > (18k). > > > > haproxy + ssl + http2 + tune.bufsize:32768 --> request fails > > Did you check with curl or chrome if you get the same framing error > that I got (Error in the HTTP2 framing layer / ERR_SPDY_FRAME_SIZE_ERROR))? > > > haproxy + ssl + http1.1 + tune.bufsize:32768 --> request ok > > > > If I request my backend directly in h2 + ssl but without haproxy, the > > request is ok. > > I'm CC:ing Willy, in case this is something that a config option can fix > or possibly a incompatability/bug with http2 implementation.
I might have an idea. The default H2 max-frame-size is 16kB (by the spec). It is possible that your server ignores the setting and tries to push a frame size that is larger than the agreed limit, which becomes a protocol violation. Or it is possible as well that the server doesn't know how to send such a large header with this frame size and simply aborts the response. You could install h2c between haproxy and your server, in wiretap mode, it's very convenient to see what is exchanged : h2c_linux_amd64 wiretap 127.0.0.1:5555 127.0.0.1:6666 Then you configure haproxy to communicate to 127.0.0.1:5555 to join the server while your server in fact listens on :6666. Depending on what you see, we may have the possibility to work around it by advertising a larger max-frame-size in the settings frame when the buffers are larger. Regards, Willy
