SSL stream to HTTP2 server

SSL stream to HTTP2 server

Danila Vershinin
Hello,

I’m trying to basically use nginx as a replacement for hitch (for Varnish).

Request goes like this: browser → nginx (stream SSL) → varnish (HTTP2 on) → backend HTTP

stream {
    server {
        listen 443 ssl;
        ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
        proxy_pass 127.0.0.1:6081;
        proxy_protocol on;
    }
}

With the above, I’m getting HTTP/1.1 in browser. 
When I replace nginx with hitch, I get HTTP/2.

From Hitch docs: "Hitch will transmit the selected protocol as part of its PROXY header". Does nginx have the same capability?

In general, is nginx capable of being an SSL terminator for HTTP/2 backends using TCP streams (while delivering HTTP/2 to supporting clients)? I’m interested in using TCP streams since only those will allow use of PROXY protocol to upstream.

Best Regards,
Danila


_______________________________________________
nginx mailing list
[hidden email]
http://mailman.nginx.org/mailman/listinfo/nginx

Re: SSL stream to HTTP2 server

Maxim Dounin
Hello!

On Thu, Sep 13, 2018 at 09:26:31PM +0300, Danila Vershinin wrote:

> Hello,
>
> I’m trying to basically use nginx as a replacement for hitch (for Varnish).
>
> Request goes like this: browser → nginx (stream SSL) → varnish (HTTP2 on) → backend HTTP
>
> stream {
>     server {
>         listen 443 ssl;
>         ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
>         ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
>         proxy_pass 127.0.0.1:6081;
>         proxy_protocol on;
>     }
> }
>
> With the above, I’m getting HTTP/1.1 in browser.
> When I replace nginx with hitch, I get HTTP/2.
>
> From Hitch docs: "Hitch will transmit the selected protocol as part of its PROXY header". Does nginx have the same capability?
>
> In general, is nginx capable of being an SSL terminator for HTTP/2 backends using TCP streams (while delivering HTTP/2 to supporting clients)? I’m interested in using TCP streams since only those will allow use of PROXY protocol to upstream.

Currently no, as the stream module in nginx cannot be configured to
choose a particular ALPN protocol when terminating SSL.

--
Maxim Dounin
http://mdounin.ru/
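
What "transmit the selected protocol as part of its PROXY header" looks like on the wire, as an added example (not code from this thread, hitch or nginx): the PROXY protocol specification carries ALPN only in the version 2 binary header, as a TLV of type 0x01, while a version 1 text line has no field for it. The sketch reads the first bytes a backend received and reports the header version and any ALPN value; `build_v2`, the sample addresses and both sample byte strings are constructed for illustration.

```python
import socket
import struct

V2_SIG = b"\r\n\r\n\x00\r\nQUIT\n"          # 12-byte PROXY v2 signature
PP2_TYPE_ALPN = 0x01                         # TLV type from the PROXY protocol spec
ADDR_LEN = {0x1: 12, 0x2: 36, 0x3: 216}      # address block: IPv4, IPv6, UNIX

def alpn_from_proxy_header(data: bytes):
    """Return (version, alpn) for the PROXY header at the start of data.
    alpn is None when the header carries no ALPN value."""
    if data.startswith(b"PROXY "):
        if b"\r\n" not in data[:107]:        # a v1 line is at most 107 bytes
            raise ValueError("unterminated v1 header")
        return 1, None                       # v1 is a single text line, no TLVs
    if len(data) < 16 or not data.startswith(V2_SIG):
        raise ValueError("no PROXY header")
    ver_cmd, fam_proto, length = struct.unpack("!BBH", data[12:16])
    if ver_cmd >> 4 != 2:
        raise ValueError("unsupported PROXY version")
    body = data[16:16 + length]
    if len(body) < length:
        raise ValueError("truncated v2 header")
    pos = ADDR_LEN.get(fam_proto >> 4, 0)    # TLVs start after the addresses
    while pos + 3 <= len(body):
        tlv_type, tlv_len = struct.unpack("!BH", body[pos:pos + 3])
        value = body[pos + 3:pos + 3 + tlv_len]
        if len(value) < tlv_len:
            raise ValueError("truncated TLV")
        if tlv_type == PP2_TYPE_ALPN:
            return 2, value.decode("ascii")
        pos += 3 + tlv_len
    return 2, None

def build_v2(src, dst, sport, dport, alpn=None):
    """Constructed sample: v2 header, PROXY command, TCP over IPv4."""
    body = socket.inet_aton(src) + socket.inet_aton(dst)
    body += struct.pack("!HH", sport, dport)
    if alpn:
        body += struct.pack("!BH", PP2_TYPE_ALPN, len(alpn)) + alpn
    return V2_SIG + struct.pack("!BBH", 0x21, 0x11, len(body)) + body

# Constructed first bytes as a backend on 127.0.0.1:6081 might receive them.
V1_SAMPLE = b"PROXY TCP4 203.0.113.7 127.0.0.1 51234 443\r\nGET / HTTP/1.1\r\n"
V2_SAMPLE = build_v2("203.0.113.7", "127.0.0.1", 51234, 443, b"h2") \
    + b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"

if __name__ == "__main__":
    print(alpn_from_proxy_header(V1_SAMPLE))
    print(alpn_from_proxy_header(V2_SAMPLE))
```
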
Re: SSL stream to HTTP2 server

Danila Vershinin
Hi,

Are there any plans to add this feature?
If one has less software to run stuff, and if hitch can be avoided in some use cases, I think that would be a plus.

Thanks for your answer.

Best Regards,
Danila

On 13 Sep 2018, at 21:42, Maxim Dounin <[hidden email]> wrote:

> Hello!
>
> On Thu, Sep 13, 2018 at 09:26:31PM +0300, Danila Vershinin wrote:
>
>> Hello,
>>
>> I’m trying to basically use nginx as a replacement for hitch (for Varnish).
>>
>> Request goes like this: browser → nginx (stream SSL) → varnish (HTTP2 on) → backend HTTP
>>
>> stream {
>>     server {
>>         listen 443 ssl;
>>         ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
>>         ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
>>         proxy_pass 127.0.0.1:6081;
>>         proxy_protocol on;
>>     }
>> }
>>
>> With the above, I’m getting HTTP/1.1 in browser.
>> When I replace nginx with hitch, I get HTTP/2.
>>
>> From Hitch docs: "Hitch will transmit the selected protocol as part of its PROXY header". Does nginx have the same capability?
>>
>> In general, is nginx capable of being an SSL terminator for HTTP/2 backends using TCP streams (while delivering HTTP/2 to supporting clients)? I’m interested in using TCP streams since only those will allow use of PROXY protocol to upstream.
>
> Currently no, as the stream module in nginx cannot be configured to
> choose a particular ALPN protocol when terminating SSL.
>
> --
> Maxim Dounin
> http://mdounin.ru/