Hi Lukas,

Found that when using h2, the request URI sent to squid is /xxxx without
http://example.com/, so squid returns a 400 error...

-vv

```
HA-Proxy version 2.1-dev0-1ae2a8-16 2019/06/19 - https://haproxy.org/
Build options :
  TARGET  = linux-glibc
  CPU     = generic
  CC      = gcc
  CFLAGS  = -O2 -g -fno-strict-aliasing -Wdeclaration-after-statement
-fwrapv -Wno-unused-label -Wno-sign-compare -Wno-unused-parameter
-Wno-old-style-declaration -Wno-ignored-qualifiers -Wno-clobbered
-Wno-missing-field-initializers -Wtype-limits
  OPTIONS = USE_THREAD=1 USE_TPROXY=1 USE_OPENSSL=1 USE_TFO=1

Feature list : +EPOLL -KQUEUE -MY_EPOLL -MY_SPLICE +NETFILTER -PCRE
-PCRE_JIT -PCRE2 -PCRE2_JIT +POLL -PRIVATE_CACHE +THREAD
-PTHREAD_PSHARED -REGPARM -STATIC_PCRE -STATIC_PCRE2 +TPROXY
+LINUX_TPROXY +LINUX_SPLICE +LIBCRYPT +CRYPT_H -VSYSCALL +GETADDRINFO
+OPENSSL -LUA +FUTEX +ACCEPT4 -MY_ACCEPT4 -ZLIB -SLZ +CPU_AFFINITY
+TFO +NS +DL +RT -DEVICEATLAS -51DEGREES -WURFL -SYSTEMD
-OBSOLETE_LINKER +PRCTL +THREAD_DUMP -EVPORTS

Default settings :
  bufsize = 16384, maxrewrite = 1024, maxpollevents = 200

Built with multi-threading support (MAX_THREADS=64, default=4).
Built with OpenSSL version : OpenSSL 1.1.1c  28 May 2019
Running on OpenSSL version : OpenSSL 1.1.1c  28 May 2019
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : TLSv1.0 TLSv1.1 TLSv1.2 TLSv1.3
Built with network namespace support.
Built with transparent proxy support using: IP_TRANSPARENT
IPV6_TRANSPARENT IP_FREEBIND
Built without compression support (neither USE_ZLIB nor USE_SLZ are set).
Compression algorithms supported : identity("identity")
Built without PCRE or PCRE2 support (using libc's regex instead)
Encrypted password support via crypt(3): yes

Available polling systems :
      epoll : pref=300,  test result OK
       poll : pref=200,  test result OK
     select : pref=150,  test result OK
Total: 3 (3 usable), will use epoll.

Available multiplexer protocols :
(protocols marked as <default> cannot be specified using 'proto' keyword)
              h2 : mode=HTX        side=FE|BE     mux=H2
              h2 : mode=HTTP       side=FE        mux=H2
       <default> : mode=HTX        side=FE|BE     mux=H1
       <default> : mode=TCP|HTTP   side=FE|BE     mux=PASS

Available services : none

Available filters :
[SPOE] spoe
[COMP] compression
[CACHE] cache
[TRACE] trace
```

On Thu, Jun 20, 2019 at 3:39 AM Lukas Tribus <li...@ltri.eu> wrote:
>
> Hello,
>
> On Wed, 19 Jun 2019 at 19:35, Igor Pav <i...@fastsp.net> wrote:
> >
> > Hello,
> >
> > I do a quick playing around with H2 proxy with Chrome, Chrome has
> > built-in HTTPS proxy support.
> > If I conf like:
> >
> > listen FE
> >  mode http
> >  bind 0.0.0.0:1443 ssl crt cert.pem alpn h2,http/1.1
> >  server squid-fwd-proxy 127.0.0.1:3128
> >
> > then I set Chrome to use this proxy, it works fine with the https
> > webpages, but not http pages, Chrome shows squid 407 page, which is
> > http://127.0.0.1:3128
> >
> > Change mode http to tcp, Chrome returns ERR_SPDY_PROTOCOL_ERROR.
>
> Correct, advertising and negotiating H2 and then not being able to talk
> it is a wrong configuration, which is why this fails.
>
>
> > Continuously remove h2 from conf, Chrome works fine for both http and
> > https finally.
>
> Capture haproxy --> squid traffic with HTTP and h2 enabled (failure).
> Capture haproxy --> squid traffic with HTTP and h2 disabled (ok).
>
> I think this may just be Chrome behaving differently with a H2 proxy,
> using a CONNECT to port 80, which squid denies, as opposed to a
> regular HTTP proxy request. But that's just a guess.
>
> Try allowing TCP connects to port 80 in your squid configuration?
>
>
> Also share the output of haproxy -vv please.
>
> Lukas
>
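
The symptom reported in this message (origin-form `/xxxx` reaching squid instead of `http://example.com/xxxx`), as an added example that is not part of the original thread and is not haproxy or squid code: it rebuilds the HTTP/1.1 request-target from HTTP/2 pseudo-headers both ways and checks captured haproxy --> squid request lines for a form a forward proxy can route. Function names and sample values are constructed for illustration.

```python
import re

def target_form(method, target):
    """Classify an HTTP/1.1 request-target (RFC 7230 section 5.3)."""
    if method == "OPTIONS" and target == "*":
        return "asterisk-form"
    if method == "CONNECT":
        # CONNECT carries only host:port, never a path or scheme.
        return "authority-form" if re.fullmatch(r"[^/\s]+:\d+", target) else "invalid"
    if target.startswith("/"):
        return "origin-form"      # path only: the destination host is not in the target
    if re.match(r"[A-Za-z][A-Za-z0-9+.-]*://[^/\s]+", target):
        return "absolute-form"    # scheme://host/path: what a forward proxy expects
    return "invalid"

def h2_to_h1_target(pseudo, for_forward_proxy):
    """Build an HTTP/1.1 request-target from HTTP/2 pseudo-headers
    (RFC 7540 section 8.1.2.3)."""
    if pseudo[":method"] == "CONNECT":
        return pseudo[":authority"]
    if for_forward_proxy:
        return f'{pseudo[":scheme"]}://{pseudo[":authority"]}{pseudo[":path"]}'
    return pseudo[":path"]

def forward_proxy_accepts(request_line):
    """True if the request line names its destination in the target itself."""
    parts = request_line.split(" ")
    if len(parts) != 3:
        return False
    method, target, _version = parts
    return target_form(method, target) in ("absolute-form", "authority-form")

def rejected_lines(capture):
    """Return the request lines from a capture that a forward proxy cannot route."""
    return [line for line in capture if not forward_proxy_accepts(line)]

# Constructed sample: the pseudo-headers a browser would send over h2 for
# http://example.com/xxxx, and three request lines as they might appear
# in a capture taken between haproxy and squid.
SAMPLE_H2 = {":method": "GET", ":scheme": "http",
             ":authority": "example.com", ":path": "/xxxx"}
SAMPLE_CAPTURE = [
    "GET /xxxx HTTP/1.1",                    # form reported in this message
    "GET http://example.com/xxxx HTTP/1.1",  # form a forward proxy expects
    "CONNECT example.com:443 HTTP/1.1",      # tunnel request for https pages
]

if __name__ == "__main__":
    print(h2_to_h1_target(SAMPLE_H2, for_forward_proxy=True))
    print(rejected_lines(SAMPLE_CAPTURE))
```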
