From 20e125b4c5995c72994838171a3fd1091f7293e5 Mon Sep 17 00:00:00 2001
From: Joao Morais
Date: Sun, 16 Feb 2020 10:18:41 -0300
Subject: [PATCH] fix TLS handshake on backend

A secure h2 connection to the backend was broken due to the missing `alpn` keyword. The protocol was correctly configured as `h2` but the TLS handshake was using the default alpn config which is `http1.1`.
---
 pkg/haproxy/instance_test.go | 15 ++++++++++++++-
 rootfs/etc/haproxy/template/haproxy.tmpl | 4 +++-
 2 files changed, 17 insertions(+), 2 deletions(-)

diff --git a/pkg/haproxy/instance_test.go b/pkg/haproxy/instance_test.go
index 48cc28f97..1dbf7827e 100644
--- a/pkg/haproxy/instance_test.go
+++ b/pkg/haproxy/instance_test.go
@@ -379,13 +379,26 @@ func TestBackends(t *testing.T) {
 },
 srvsuffix: "ssl verify required ca-file /var/haproxy/ssl/ca.pem crl-file /var/haproxy/ssl/crl.pem",
 },
+ {
+ doconfig: func(g *hatypes.Global, h *hatypes.Host, b *hatypes.Backend) {
+ b.Server.Protocol = "h2"
+ },
+ srvsuffix: "proto h2",
+ },
+ {
+ doconfig: func(g *hatypes.Global, h *hatypes.Host, b *hatypes.Backend) {
+ b.Server.Protocol = "h2"
+ b.Server.Secure = true
+ },
+ srvsuffix: "proto h2 alpn h2 ssl verify none",
+ },
 {
 doconfig: func(g *hatypes.Global, h *hatypes.Host, b *hatypes.Backend) {
 b.Server.Protocol = "h2"
 b.Server.Secure = true
 b.Server.CAFilename = "/var/haproxy/ssl/ca.pem"
 },
- srvsuffix: "proto h2 ssl verify required ca-file /var/haproxy/ssl/ca.pem",
+ srvsuffix: "proto h2 alpn h2 ssl verify required ca-file /var/haproxy/ssl/ca.pem",
 },
 {
 doconfig: func(g *hatypes.Global, h *hatypes.Host, b *hatypes.Backend) {
diff --git a/rootfs/etc/haproxy/template/haproxy.tmpl b/rootfs/etc/haproxy/template/haproxy.tmpl
index b5d6b4e73..032965afb 100644
--- a/rootfs/etc/haproxy/template/haproxy.tmpl
+++ b/rootfs/etc/haproxy/template/haproxy.tmpl
@@ -533,7 +533,9 @@ backend {{ $backend.ID }}
 {{- define "backend" }}
 {{- $backend := .p1 }}
 {{- $server := $backend.Server }}
- {{- if eq $server.Protocol "h2" }} proto h2{{ end }}
+ {{- if eq $server.Protocol "h2" }} proto h2
+ {{- if $server.Secure }} alpn h2{{ end }}
+ {{- end }}
 {{- if $server.MaxConn }} maxconn {{ $server.MaxConn }}{{ end }}
 {{- if $server.MaxQueue }} maxqueue {{ $server.MaxQueue }}{{ end }}
 {{- if $server.Secure }} ssl
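Review bot: The new `alpn h2` action tests `$server.Secure` independently of the `{{- if $server.Secure }} ssl` line at the bottom of the hunk, so the two conditions now have to be kept in lockstep: if the secure branch is later widened or the field renamed, the ALPN keyword can silently drop out again and the h2 handshake falls back to the default protocol the commit message describes. A one-line template comment above the new block would make that coupling visible, e.g. `{{- /* h2 over TLS needs an explicit alpn; keep in sync with the ssl condition below */ -}}`. Alternatively emit the keyword from the ssl branch itself, `{{- if $server.Secure }} ssl{{ if eq $server.Protocol "h2" }} alpn h2{{ end }}`, which leaves a single Secure check; HAProxy server keywords are, as far as I know, order-independent, so `ssl alpn h2` should be accepted the same as `alpn h2 ssl`, but that is worth confirming against the pinned HAProxy version. The `backend` define and the `ssl` line both continue past the end of the hunk, so the remainder of the secure branch is not visible here.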