Is http/s support now in rancher haproxy?

dbrosy · March 18, 2018, 4:07am

Since haproxy is upgraded to 1.8.4 does rancher now support http/2?
If so how do you configure it on LB

p7k · March 18, 2018, 8:39am

Hi dbrosy,

you could try to add the following lines in your custom haproxy.cfg tab

frontend 443
bind *:443 ssl crt /etc/haproxy/certs/current alpn h2,http/1.1

It works for me.

I would also recommend to enable HSTS with

frontend 443
bind *:443 ssl crt /etc/haproxy/certs/current alpn h2,http/1.1
http-response set-header Strict-Transport-Security max-age=15768000;

vincent · March 18, 2018, 5:05pm

We do not do anything special to support it but it should be possible to configure.

Suggesting people turn on HSTS with a 6-month max-age without knowing exactly what they’re doing and the consequences is highly reckless.

p7k · March 19, 2018, 8:20am

In general, i agree with you. But in this special case we are talking about http2 and ssl is required for http2. So if http2 should be used ssl is not longer optional. Enabling hsts forces the client to use ssl and http2 (if supported) after the first visit with https. Of course you should test your ssl configuration before(!) enabling hsts.

I would still recommend it in this case. I am sure the TO knows what hsts is and what are the consequences.

dbrosy · March 21, 2018, 6:04am

Thanks @p7k I have tested your config with HSTS enabled and its working.

@vincent can you elaborate on the issues with setting max age to 6 months? Is there a recommended max-age?

vincent · March 21, 2018, 10:06am

There is no going back for the customers that received the header for that entire max-age when you set HSTS on a domain.

So if you later find out that, say, some part of your site is only http, or could be https but isn’t, or is an IoT device they only supports http, or the little bit of additional overhead for ssl makes your hard-to-update embedded hardware client timeout when on a high-latency connection, or whatever it is, that can be a very expensive mess resulting in lost customers or sales.

The most common foot-gun is setting includeSubDomains when only some subdomains support https.

So good practice is to start with a very small max age and observe what breaks for a few days before you set it to a larger number a little at a time.

dbrosy · March 21, 2018, 3:46pm

Thanks for the explanation @vincent that all makes sense. I will test on a smaller value and see what breaks. Currently only testing on dev sites. The other thing i will need to test is that letsencrypt still functions

Topic		Replies	Views
HAProxy as ELB for Rancher High Availability (HA) Rancher 1.x	5	5041	August 25, 2016
HAproxy Support HTTPS Rancher 1.x	3	1781	September 4, 2015
Force HTTPS when accessing rancher	4	1655	December 14, 2016
Rancher load balancer how configurable supports http2 procotol Rancher 1.x	4	2287	September 22, 2018
Mixed content loaded over HTTPS with HAProxy after adding SSL Cert Rancher 1.x	0	2781	February 16, 2017

Is http/s support now in rancher haproxy?

Related Topics