SSL stream to HTTP2 server

Danila Vershinin
SSL stream to HTTP2 server
September 13, 2018 08:30PM
Hello,

I’m trying to basically use nginx as replacement to hitch (for Varnish).

Request goes like this: browser → nginx (stream SSL) → varnish (HTTP2 on) → backend HTTP

stream {
    server {
        listen 443 ssl;
        ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
        proxy_pass 127.0.0.1:6081;
        proxy_protocol on;
    }
}

With the above, I’m getting HTTP/1.1 in browser.
When I replace nginx with hitch, I get HTTP/2.

From Hitch docs: "Hitch will transmit the selected protocol as part of its PROXY header". Does nginx have same capability?

In general, is nginx capable of being SSL terminator for HTTP/2 backends using TCP streams? (while delivering HTTP/2 to supporting clients). I’m interested in using TCP streams since only those will allow use of PROXY protocol to upstream.

Best Regards,
Danila

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
Maxim Dounin
Re: SSL stream to HTTP2 server
September 13, 2018 08:50PM
Hello!

On Thu, Sep 13, 2018 at 09:26:31PM +0300, Danila Vershinin wrote:

> Hello,
>
> I’m trying to basically use nginx as replacement to hitch (for Varnish).
>
> Request goes like this: browser → nginx (stream SSL) → varnish (HTTP2 on) → backend HTTP
>
> stream {
> server {
> listen 443 ssl;
> ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
> ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
> proxy_pass 127.0.0.1:6081;
> proxy_protocol on;
> }
> }
>
> With the above, I’m getting HTTP/1.1 in browser.
> When I replace nginx with hitch, I get HTTP/2.
>
> From Hitch docs: "Hitch will transmit the selected protocol as part of its PROXY header". Does nginx have same capability?
>
> In general, is nginx capable of being SSL terminator for HTTP/2 backends using TCP streams? (while delivering HTTP/2 to supporting clients). I’m interested in using TCP streams since only those will allow use of PROXY protocol to upstream.

Currently no, as stream module in nginx cannot be configured to
choose a particular ALPN protocol when terminating SSL.

--
Maxim Dounin
http://mdounin.ru/
Danila Vershinin
Re: SSL stream to HTTP2 server
September 13, 2018 08:50PM
Hi,

Are there any plans to add this feature?
If one has less software to run stuff, and if hitch can be avoided in some use cases, I think that would be a plus.

Thanks for your answer.

Best Regards,
Danila

> On 13 Sep 2018, at 21:42, Maxim Dounin <[email protected]> wrote:
>
> Hello!
>
> On Thu, Sep 13, 2018 at 09:26:31PM +0300, Danila Vershinin wrote:
>
>> Hello,
>>
>> I’m trying to basically use nginx as replacement to hitch (for Varnish).
>>
>> Request goes like this: browser → nginx (stream SSL) → varnish (HTTP2 on) → backend HTTP
>>
>> stream {
>> server {
>> listen 443 ssl;
>> ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
>> ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
>> proxy_pass 127.0.0.1:6081;
>> proxy_protocol on;
>> }
>> }
>>
>> With the above, I’m getting HTTP/1.1 in browser.
>> When I replace nginx with hitch, I get HTTP/2.
>>
>> From Hitch docs: "Hitch will transmit the selected protocol as part of its PROXY header". Does nginx have same capability?
>>
>> In general, is nginx capable of being SSL terminator for HTTP/2 backends using TCP streams? (while delivering HTTP/2 to supporting clients). I’m interested in using TCP streams since only those will allow use of PROXY protocol to upstream.
>
> Currently no, as stream module in nginx cannot be configured to
> choose a particular ALPN protocol when terminating SSL.
>
> --
> Maxim Dounin
> http://mdounin.ru/
