From: Amaury Denoyelle Date: Fri, 9 Jul 2021 15:14:30 +0000 (+0200) Subject: MINOR: mux_h2: define config to disable h2 websocket support X-Git-Tag: v2.5-dev2~25 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=befeae88e8c7e2cbc19a63420bfa7d67ec176342;p=thirdparty%2Fhaproxy.git MINOR: mux_h2: define config to disable h2 websocket support Define a new global config statement named "h2-workaround-bogus-websocket-clients". This statement will disable the automatic announce of h2 websocket support as specified in the RFC8441. This can be use to overcome clients which fail to implement the relatively fresh RFC8441. Clients will in his case automatically downgrade to http/1.1 for the websocket tunnel if the haproxy configuration allows it. This feature is relatively simple and can be backported up to 2.4, which saw the introduction of h2 websocket support. --- diff --git a/doc/configuration.txt b/doc/configuration.txt index 0d60f8e8e8..b128718cdd 100644 --- a/doc/configuration.txt +++ b/doc/configuration.txt @@ -982,6 +982,7 @@ The following keywords are supported in the "global" section : - insecure-fork-wanted - insecure-setuid-wanted - issuers-chain-path + - h2-workaround-bogus-websocket-clients - localpeer - log - log-tag @@ -1404,6 +1405,15 @@ issuers-chain-path "issuers-chain-path" directory. All other certificates with the same issuer will share the chain in memory. +h2-workaround-bogus-websocket-clients + This disables the announcement of the support for h2 websockets to clients. + This can be use to overcome clients which have issues when implementing the + relatively fresh RFC8441, such as Firefox 88. To allow clients to + automatically downgrade to http/1.1 for the websocket tunnel, specify h2 + support on the bind line using "alpn" without an explicit "proto" keyword. If + this statement was previously activated, this can be disabled by prefixing + the keyword with "no'. + localpeer Sets the local instance's peer name. It will be ignored if the "-L" command line argument is specified or if used after "peers" section diff --git a/include/haproxy/global-t.h b/include/haproxy/global-t.h index b5ecc553aa..a6bc5e1d6d 100644 --- a/include/haproxy/global-t.h +++ b/include/haproxy/global-t.h @@ -70,6 +70,7 @@ #define GTUNE_FD_ET (1<<18) #define GTUNE_SCHED_LOW_LATENCY (1<<19) #define GTUNE_IDLE_POOL_SHARED (1<<20) +#define GTUNE_DISABLE_H2_WEBSOCKET (1<<21) /* SSL server verify mode */ enum { diff --git a/src/cfgparse-global.c b/src/cfgparse-global.c index f8150d454d..4dc93b68a3 100644 --- a/src/cfgparse-global.c +++ b/src/cfgparse-global.c @@ -128,6 +128,14 @@ int cfg_parse_global(const char *file, int linenum, char **args, int kwm) else global.tune.options |= GTUNE_SET_DUMPABLE; } + else if (strcmp(args[0], "h2-workaround-bogus-websocket-clients") == 0) { /* "no h2-workaround-bogus-websocket-clients" or "h2-workaround-bogus-websocket-clients" */ + if (alertif_too_many_args(0, file, linenum, args, &err_code)) + goto out; + if (kwm == KWM_NO) + global.tune.options &= ~GTUNE_DISABLE_H2_WEBSOCKET; + else + global.tune.options |= GTUNE_DISABLE_H2_WEBSOCKET; + } else if (strcmp(args[0], "insecure-fork-wanted") == 0) { /* "no insecure-fork-wanted" or "insecure-fork-wanted" */ if (alertif_too_many_args(0, file, linenum, args, &err_code)) goto out; diff --git a/src/mux_h2.c b/src/mux_h2.c index 9cb6eba758..fbc79634b6 100644 --- a/src/mux_h2.c +++ b/src/mux_h2.c @@ -1610,9 +1610,10 @@ static int h2c_send_settings(struct h2c *h2c) chunk_memcat(&buf, "\x00\x02\x00\x00\x00\x00", 6); } - /* rfc 8441 #3 SETTINGS_ENABLE_CONNECT_PROTOCOL=1 - * sent automatically */ - chunk_memcat(&buf, "\x00\x08\x00\x00\x00\x01", 6); + /* rfc 8441 #3 SETTINGS_ENABLE_CONNECT_PROTOCOL=1, + * sent automatically unless disabled in the global config */ + if (!(global.tune.options & GTUNE_DISABLE_H2_WEBSOCKET)) + chunk_memcat(&buf, "\x00\x08\x00\x00\x00\x01", 6); if (h2_settings_header_table_size != 4096) { char str[6] = "\x00\x01"; /* header_table_size */