From 0a7f3954b521cdb8640513bb0be38b8a24fed223 Mon Sep 17 00:00:00 2001
From: Christopher Faulet
Date: Thu, 20 Nov 2025 15:40:39 +0100
Subject: [PATCH] BUG/MEDIUM: config: Use the mux protocol ALPN by default for listeners if forced

Since the commit 5003ac7fe ("MEDIUM: config: set useful ALPN defaults for
HTTPS and QUIC"), the ALPN is set by default to "h2,http/1.1" for HTTPS
listeners. However, it is in conflict with the forced mux protocol, if
any. Indeed, with "proto" keyword, the mux can be forced. In that case, some
combinations with the default ALPN will trigger connection errors.

For instance, by setting "proto h2", it will not be possible to use the H1
multiplexer. So we must take care to not advertise it in the ALPN. Worse,
since the commit above, most modern HTTP clients will try to use the H2
because it is advertised in the ALPN. Setting "proto h1" on the bind line
will make all the traffic rejected in error.

To fix the issue, and thanks to previous commits, if it is defined, we are
now relying on the ALPN defined by the mux protocol by default. The H1
multiplexer (only the one that can be forced) defines it to "http/1.1" while
the H2 multiplexer defines it to "h2". So by default, if one or another of
these muxes is forced, and if no ALPN is set, the mux ALPN is used.

Other multiplexers are not defining any default ALPN for now, because it is
useless. In addition, only the listeners are concerned because there is no
default ALPN on the server side. Finally, there are no tests performed if the
ALPN is forced on the bind line. It is the user's responsibility to properly
configure his listeners (at least for now).

This patch depends on:
  * MINOR: config: Do proto detection for listeners before checks about ALPN
  * MINOR: muxes: Support an optional ALPN string when defining mux protocols

The series must be backported as far as 2.8.
---
 src/cfgparse.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/src/cfgparse.c b/src/cfgparse.c index 378b4bb98..4a0fec8f6 100644 --- a/src/cfgparse.c +++ b/src/cfgparse.c @@ -3019,9 +3019,12 @@ init_proxies_list_stage1: /* Neither ALPN nor NPN were explicitly set nor disabled, we're * in HTTP mode with an SSL or QUIC listener, we can enable ALPN. - * Note that it's in binary form. + * Note that it's in binary form. First we try to set the ALPN from + * mux proto if set. Otherwise rely on the default ALPN. */ - if (bind_conf->xprt == xprt_get(XPRT_QUIC)) + if (bind_conf->mux_proto && bind_conf->mux_proto->alpn) + bind_conf->ssl_conf.alpn_str = strdup(bind_conf->mux_proto->alpn); + else if (bind_conf->xprt == xprt_get(XPRT_QUIC)) bind_conf->ssl_conf.alpn_str = strdup("\002h3"); else bind_conf->ssl_conf.alpn_str = strdup("\002h2\010http/1.1");
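
Review bot: In the new first branch, bind_conf->mux_proto->alpn is passed straight to strdup() and stored in ssl_conf.alpn_str, while the comment above it and the two existing defaults ("\002h3" and "\002h2\010http/1.1") show that this field holds the length-prefixed binary form, so the mux alpn member has to be defined in that same form; please state that in this comment or at the mux definition, so that a mux added later does not register a plain "h2"-style string that would be advertised as-is. The new test also runs before the xprt_get(XPRT_QUIC) check, so a QUIC bind with a forced mux whose alpn is set would no longer receive "\002h3"; if that combination is rejected earlier, a word in the comment would help, otherwise the QUIC case should be tested first. As in the two existing branches, the strdup() result is not checked for NULL before being stored.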