Hi Christopher, On Wed, Jan 29, 2020 at 7:58 PM Christopher Faulet <cfau...@haproxy.com> wrote:
> Le 29/01/2020 à 05:14, Igor Cicimov a écrit : > > Hi all, > > > > I'm asking this question here since I read in the docs that if I see > "Ixxx" in > > the session "termination_state" log I should do so :-) > > > > The error I got while experimenting with the HAP config is as follows: > > > > Jan 29 03:33:44 ip-172-31-45-201 haproxy[124024]: <CLIENT_IP>:44296 > > [29/Jan/2020:03:33:44.952] fe_https~ host.mydomain.com/ > > <http://host.mydomain.com/><NOSRV> -1/-1/-1/-1/0 500 0 - - IR-- > 1/1/5/0/3 0/0 > > "GET /api/search HTTP/1.1" > > > > The command that produced it: > > > > $ curl -vsSNiL -H "Host: host.mydomain.com <http://host.mydomain.com>" > > https://haproxy.example.com:8443/api/search > > > > And the relevant haproxy-2.0.12 configuration (it's in AWS): > > > > resolvers vpc > > nameserver dns1 172.31.0.2:53 <http://172.31.0.2:53> > > accepted_payload_size 8192 > > resolve_retries 30 > > timeout resolve 1s > > timeout retry 2s > > hold valid 30s > > hold other 30s > > hold refused 30s > > hold nx 30s > > hold timeout 30s > > hold obsolete 30s > > > > frontend fe_https > > bind *:8443 ssl crt /etc/haproxy/ssl.d/ alpn h2,http/1.1 > > mode http > > option httplog > > use_backend %[req.hdr(host),word(1,:),lower] > > > > backend host.mydomain.com <http://host.mydomain.com> > > mode tcp > > option tcp-check > > tcp-check connect port 443 ssl > > balance source > > default-server inter 60s downinter 30s rise 2 fall 2 slowstart 10s > weight > > 100 ca-file /etc/ssl/certs/ca-certificates.crt on-marked-down > shutdown-sessions > > server myhost host.mydomain.com:443 <http://host.mydomain.com:443> > verify > > none check resolvers vpc resolve-prefer ipv4 > > > > Hi Igor, > > You cannot plug an HTTP frontend to a TCP backend. There are some checks > during > the configuration parsing to prevent this mistake. Unfortunately, you are > using > a dynamic expression to choose your backend. So it is not possible to warn > you > at startup. Use the http mode for your backend. It should solve your issue. > > -- > Christopher Faulet > Ofcourse, we can't mix HTTP frontend with a TCP backend, it escaped my eyes after testing multiple changes to the config :-/ Thanks for stating the obvious and sorry for wasting your time. Cheers, Igor