mirror of
https://git.haproxy.org/git/haproxy.git/
synced 2025-11-30 23:30:59 +01:00
BUG/MEDIUM: config: Use the mux protocol ALPN by default for listeners if forced

Since the commit 5003ac7fe ("MEDIUM: config: set useful ALPN defaults for
HTTPS and QUIC"), the ALPN is set by default to "h2,http/1.1" for HTTPS
listeners. However, it is in conflict with the forced mux protocol, if
any. Indeed, with "proto" keyword, the mux can be forced. In that case, some
combinations with the default ALPN will trigger connection errors.

For instance, by setting "proto h2", it will not be possible to use the H1
multiplexer. So we must take care to not advertise it in the ALPN. Worse,
since the commit above, most modern HTTP clients will try to use the H2
because it is advertised in the ALPN. Setting "proto h1" on the bind line
will make all the traffic rejected in error.

To fix the issue, and thanks to previous commits, if it is defined, we are
now relying on the ALPN defined by the mux protocol by default. The H1
multiplexer (only the one that can be forced) defines it to "http/1.1" while
the H2 multiplexer defines it to "h2". So by default, if one or another of
these muxes is forced, and if no ALPN is set, the mux ALPN is used.

Other multiplexers are not defining any default ALPN for now, because it is
useless. In addition, only the listeners are concerned because there is no
default ALPN on the server side. Finally, there are no tests performed if the
ALPN is forced on the bind line. It is the user's responsibility to properly
configure his listeners (at least for now).

This patch depends on:

* MINOR: config: Do proto detection for listeners before checks about ALPN
* MINOR: muxes: Support an optional ALPN string when defining mux protocols

The series must be backported as far as 2.8.
This commit is contained in:
parent
2ef8b91a00
commit
0a7f3954b5
@ -3019,9 +3019,12 @@ init_proxies_list_stage1:
|
||||
|
||||
/* Neither ALPN nor NPN were explicitly set nor disabled, we're
|
||||
* in HTTP mode with an SSL or QUIC listener, we can enable ALPN.
|
||||
* Note that it's in binary form.
|
||||
* Note that it's in binary form. First we try to set the ALPN from
|
||||
* mux proto if set. Otherwise rely on the default ALPN.
|
||||
*/
|
||||
if (bind_conf->xprt == xprt_get(XPRT_QUIC))
|
||||
if (bind_conf->mux_proto && bind_conf->mux_proto->alpn)
|
||||
bind_conf->ssl_conf.alpn_str = strdup(bind_conf->mux_proto->alpn);
|
||||
else if (bind_conf->xprt == xprt_get(XPRT_QUIC))
|
||||
bind_conf->ssl_conf.alpn_str = strdup("\002h3");
|
||||
else
|
||||
bind_conf->ssl_conf.alpn_str = strdup("\002h2\010http/1.1");
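Review bot: The new first branch, `if (bind_conf->mux_proto && bind_conf->mux_proto->alpn)`, now takes precedence over the `xprt_get(XPRT_QUIC)` case, so a QUIC bind line carrying a forced mux proto with a non-NULL `alpn` would advertise that mux's ALPN instead of "\002h3". If the earlier proto detection already rules that combination out, a short comment saying so would help; otherwise the QUIC check should come first or the mux branch should be restricted to non-QUIC transports. The comment also states that the value is in binary form, so it is worth documenting next to the mux definitions that `mux_proto->alpn` must use the same length-prefixed encoding as the literals here. Separately, the result of `strdup(bind_conf->mux_proto->alpn)` is not checked in the visible lines, like the two existing `strdup()` calls; if the code following this hunk does not already handle a NULL `alpn_str`, an allocation-failure check belongs here.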