diff --git a/doc/configuration.txt b/doc/configuration.txt index 27e370230..4940b33e9 100644 --- a/doc/configuration.txt +++ b/doc/configuration.txt @@ -1353,8 +1353,9 @@ tune.bufsize from the default value, as very low values will break some services such as statistics, and values larger than default size will increase memory usage, possibly causing the system to run out of memory. At least the global maxconn - parameter should be decreased by the same factor as this one is increased. - If HTTP request is larger than (tune.bufsize - tune.maxrewrite), haproxy will + parameter should be decreased by the same factor as this one is increased. In + addition, use of HTTP/2 mandates that this value must be 16384 or more. If an + HTTP request is larger than (tune.bufsize - tune.maxrewrite), haproxy will return HTTP 400 (Bad Request) error. Similarly if an HTTP response is larger than this size, haproxy will return HTTP 502 (Bad Gateway). diff --git a/src/cfgparse.c b/src/cfgparse.c index 57f25fac7..bf8139ca0 100644 --- a/src/cfgparse.c +++ b/src/cfgparse.c @@ -7583,6 +7583,30 @@ int check_config_validity() list_for_each_entry(bind_conf, &curproxy->conf.bind, by_fe) { unsigned long mask; + /* HTTP frontends with "h2" as ALPN/NPN will work in + * HTTP/2 and absolutely require buffers 16kB or larger. + */ +#ifdef USE_OPENSSL + if (curproxy->mode == PR_MODE_HTTP && global.tune.bufsize < 16384) { +#ifdef OPENSSL_NPN_NEGOTIATED + /* check NPN */ + if (bind_conf->ssl_conf.npn_str && strcmp(bind_conf->ssl_conf.npn_str, "\002h2") == 0) { + Alert("config : HTTP frontend '%s' enables HTTP/2 via NPN at [%s:%d], so global.tune.bufsize must be at least 16384 bytes (%d now).\n", + curproxy->id, bind_conf->file, bind_conf->line, global.tune.bufsize); + cfgerr++; + } +#endif +#ifdef TLSEXT_TYPE_application_layer_protocol_negotiation + /* check ALPN */ + if (bind_conf->ssl_conf.alpn_str && strcmp(bind_conf->ssl_conf.alpn_str, "\002h2") == 0) { + Alert("config : HTTP frontend '%s' enables HTTP/2 via ALPN at [%s:%d], so global.tune.bufsize must be at least 16384 bytes (%d now).\n", + curproxy->id, bind_conf->file, bind_conf->line, global.tune.bufsize); + cfgerr++; + } +#endif + } /* HTTP && bufsize < 16384 */ +#endif + if (!bind_conf->bind_proc) continue;