Since haproxy is upgraded to 1.8.4, does rancher now support http/2?
If so, how do you configure it on the LB?
Hi dbrosy,
You could try to add the following lines in your custom haproxy.cfg tab:
frontend 443
    # terminate TLS and advertise HTTP/2 (h2) via ALPN, falling back to HTTP/1.1
    bind *:443 ssl crt /etc/haproxy/certs/current alpn h2,http/1.1
It works for me.
I would also recommend enabling HSTS with:
frontend 443
    # terminate TLS and advertise HTTP/2 (h2) via ALPN, falling back to HTTP/1.1
    bind *:443 ssl crt /etc/haproxy/certs/current alpn h2,http/1.1
    # tell clients to use HTTPS only for the next 15768000 s (about 6 months)
    http-response set-header Strict-Transport-Security max-age=15768000;
We do not do anything special to support it but it should be possible to configure.
Suggesting people turn on HSTS with a 6-month max-age without knowing exactly what they’re doing and the consequences is highly reckless.
In general, I agree with you. But in this special case we are talking about http2, and ssl is required for http2. So if http2 should be used, ssl is no longer optional. Enabling hsts forces the client to use ssl and http2 (if supported) after the first visit with https. Of course you should test your ssl configuration before(!) enabling hsts.
I would still recommend it in this case. I am sure the TO knows what hsts is and what the consequences are.
Thanks @p7k, I have tested your config with HSTS enabled and it's working.
@vincent, can you elaborate on the issues with setting max-age to 6 months? Is there a recommended max-age?
There is no going back for the customers that received the header for that entire max-age when you set HSTS on a domain.
So if you later find out that, say, some part of your site is only http, or could be https but isn't, or is an IoT device that only supports http, or the little bit of additional overhead for ssl makes your hard-to-update embedded hardware client time out when on a high-latency connection, or whatever it is, that can be a very expensive mess resulting in lost customers or sales.
The most common foot-gun is setting includeSubDomains when only some subdomains support https.
So good practice is to start with a very small max age and observe what breaks for a few days before you set it to a larger number a little at a time.
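An added example, not code from this thread or from Rancher/HAProxy, that parses a Strict-Transport-Security header the way a browser would and flags the settings this post warns about (max-age beyond a staged-rollout limit, includeSubDomains, preload), plus a small ALPN check for the bind line in p7k's config. The sample header values are constructed; the host and port passed to negotiated_alpn are assumptions.

```python
import re
import socket
import ssl

# Constructed sample header values for this example (not captured from a real host).
SAMPLE_HSTS = {
    "p7k-config": "max-age=15768000;",  # the 6-month value from the thread
    "staged": "max-age=300",  # a small first step, per the advice above
    "footgun": "max-age=31536000; includeSubDomains; preload",
}

def parse_hsts(value):
    """Parse a Strict-Transport-Security header value into its RFC 6797 directives."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()  # directive names are case-insensitive
        if name == "max-age":
            m = re.fullmatch(r'"?(\d+)"?', arg.strip())  # the value may be quoted
            if m is None:
                raise ValueError(f"invalid max-age: {arg!r}")
            policy["max_age"] = int(m.group(1))
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    if policy["max_age"] is None:
        raise ValueError("max-age directive is required")
    return policy

def assess_hsts(value, stage_limit=600):
    """Return warnings about settings clients will keep for the whole max-age."""
    policy = parse_hsts(value)
    warnings = []
    if policy["max_age"] > stage_limit:
        days = policy["max_age"] / 86400
        warnings.append(f"max-age {policy['max_age']}s (~{days:.1f} days) exceeds staged limit of {stage_limit}s")
    if policy["include_subdomains"]:
        warnings.append("includeSubDomains: every subdomain must serve valid HTTPS for the whole max-age")
    if policy["preload"]:
        warnings.append("preload: removal from browser preload lists takes months")
    return warnings

def negotiated_alpn(host, port=443):
    """Return the ALPN protocol the LB selects ('h2' means HTTP/2 is on). Needs network access."""
    ctx = ssl.create_default_context()
    ctx.set_alpn_protocols(["h2", "http/1.1"])
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.selected_alpn_protocol()
```

Run assess_hsts on the header your LB actually sends before raising max-age, and negotiated_alpn against the LB hostname to confirm h2 is being offered.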
Thanks for the explanation @vincent, that all makes sense. I will test on a smaller value and see what breaks. Currently only testing on dev sites. The other thing I will need to test is that letsencrypt still functions.