haproxy uses CPU 100% with "option forceclose", alpn http/1.1 and allow-0rtt

Solution Verified - Updated -

Issue

  • haproxy uses CPU 100% with "option forceclose", alpn http/1.1 and allow-0rtt

Sample /etc/haproxy/haproxy.cfg:

global
    debug
    log         /dev/log local2 debug
    chroot      /var/lib/haproxy
    pidfile     /var/run/haproxy.pid
    user        haproxy
    group       haproxy
    daemon
    ssl-default-bind-options ssl-min-ver TLSv1.3
    ssl-default-bind-ciphers PROFILE=SYSTEM
    tune.ssl.default-dh-param 2048
defaults
    mode            http
    log             global
    option          httplog
    option          dontlognull
    option forceclose
    option forwardfor       except 127.0.0.0/8
    option          redispatch
    retries         2
    timeout http-request    10s
    timeout queue       1m
    timeout connect     10s
    timeout client      1m
    timeout server      1m
frontend main
    bind *:80
    bind *:443 ssl crt /etc/pki/host-certs/server.pem alpn http/1.1 ssl-min-ver TLSv1.3 allow-0rtt
    default_backend     http-servers
backend http-servers
    balance roundrobin
    option httpchk GET /check HTTP/1.0
    server web1 192.168.122.130:80 check inter 30s

Note: firefox-68.10.0-1.el8_2.x86_64 doesn't cause the issue.

Environment

  • Red Hat Enterprise Linux 8
  • haproxy
  • firefox-68.6.0-1.el8_1.x86_64 or earlier versions

Subscriber exclusive content

A Red Hat subscription provides unlimited access to our knowledgebase, tools, and much more.

Current Customers and Partners

Log in for full access

Log In

New to Red Hat?

Learn more about Red Hat subscriptions

Using a Red Hat product through a public cloud?

How to access this content