MEDIUM: config: ensure that tune.bufsize is at least 16384 when using HTTP/2

HTTP/2 mandates the support of 16384 bytes frames by default, so we need a large enough buffer to process them. Till now if tune.bufsize was too small, H2 connections were simply rejected during their establishment, making it quite hard to troubleshoot the issue. Now we detect when HTTP/2 is enabled on an HTTP frontend and emit an error if tune.bufsize is not large enough, with the appropriate recommendation.
2025-03-25 04:17:42 +00:00 · 2017-11-24 11:28:00 +01:00 · 2017-11-24 11:28:00 +01:00 · 45a66ccc55
commit 45a66ccc55
parent 599391a7c2
2 changed files with 27 additions and 2 deletions
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@ -1353,8 +1353,9 @@ tune.bufsize <number>
  from the default value, as very low values will break some services such as
  statistics, and values larger than default size will increase memory usage,
  possibly causing the system to run out of memory. At least the global maxconn
-  parameter should be decreased by the same factor as this one is increased.
-  If HTTP request is larger than (tune.bufsize - tune.maxrewrite), haproxy will
+  parameter should be decreased by the same factor as this one is increased. In
+  addition, use of HTTP/2 mandates that this value must be 16384 or more. If an
+  HTTP request is larger than (tune.bufsize - tune.maxrewrite), haproxy will
  return HTTP 400 (Bad Request) error. Similarly if an HTTP response is larger
  than this size, haproxy will return HTTP 502 (Bad Gateway).

--- a/src/cfgparse.c
+++ b/src/cfgparse.c
@ -7583,6 +7583,30 @@ int check_config_validity()
 		list_for_each_entry(bind_conf, &curproxy->conf.bind, by_fe) {
 			unsigned long mask;

+			/* HTTP frontends with "h2" as ALPN/NPN will work in
+			 * HTTP/2 and absolutely require buffers 16kB or larger.
+			 */
+#ifdef USE_OPENSSL
+			if (curproxy->mode == PR_MODE_HTTP && global.tune.bufsize < 16384) {
+#ifdef OPENSSL_NPN_NEGOTIATED
+				/* check NPN */
+				if (bind_conf->ssl_conf.npn_str && strcmp(bind_conf->ssl_conf.npn_str, "\002h2") == 0) {
+					Alert("config : HTTP frontend '%s' enables HTTP/2 via NPN at [%s:%d], so global.tune.bufsize must be at least 16384 bytes (%d now).\n",
+					      curproxy->id, bind_conf->file, bind_conf->line, global.tune.bufsize);
+					cfgerr++;
+				}
+#endif
+#ifdef TLSEXT_TYPE_application_layer_protocol_negotiation
+				/* check ALPN */
+				if (bind_conf->ssl_conf.alpn_str && strcmp(bind_conf->ssl_conf.alpn_str, "\002h2") == 0) {
+					Alert("config : HTTP frontend '%s' enables HTTP/2 via ALPN at [%s:%d], so global.tune.bufsize must be at least 16384 bytes (%d now).\n",
+					      curproxy->id, bind_conf->file, bind_conf->line, global.tune.bufsize);
+					cfgerr++;
+				}
+#endif
+			} /* HTTP && bufsize < 16384 */
+#endif
+
 			if (!bind_conf->bind_proc)
 				continue;