Skip to content

Enable prior-knowledge h2c for cleartext origins#1698

Open
Omoeba wants to merge 1 commit into
cloudflare:masterfrom
Omoeba:feat/h2c-support
Open

Enable prior-knowledge h2c for cleartext origins#1698
Omoeba wants to merge 1 commit into
cloudflare:masterfrom
Omoeba:feat/h2c-support

Conversation

@Omoeba

@Omoeba Omoeba commented Jul 16, 2026

Copy link
Copy Markdown

Summary

Enable HTTP/2 to cleartext origins by reusing the existing http2Origin setting.

Implements #1304

When enabled:

  • http:// origins use strict prior-knowledge h2c.
  • unix: origins use strict prior-knowledge h2c over the Unix socket.
  • https:// and unix+tls: continue negotiating HTTP/2 through TLS ALPN.
  • Explicit ws:// origins retain their existing HTTP/1.1 Upgrade behavior.

This adds no configuration fields, public interfaces, or dependencies.

Implementation

  • Classify plain HTTP and non-TLS Unix services as h2c origins.
  • Configure http.Transport.Protocols with only UnencryptedHTTP2 for h2c.
  • Keep ForceAttemptHTTP2 for TLS origins so existing ALPN negotiation is preserved.
  • Retain the existing transport, proxy handling, Unix dialer, pooling, timeouts, CA configuration, and SNI behavior.
  • Update the http2Origin configuration comment and CLI help.

Behavior

Origin http2Origin Protocol
http:// false HTTP/1.1
http:// true Prior-knowledge h2c
https:// true HTTP/2 negotiated through ALPN
unix: true Prior-knowledge h2c over Unix socket
unix+tls: true HTTP/2 negotiated through ALPN
ws:// true HTTP/1.1 Upgrade

Compatibility

This changes the behavior of existing http2Origin: true configurations using http:// or unix: origins. These configurations previously used HTTP/1.1 in practice; they will now require the origin to support prior-knowledge h2c. The actual risk of breakage is likely very small, as http2Origin: true is a non-default option.

Cleartext mode intentionally has no HTTP/1.1 fallback. Retrying after a failed h2c request could require replaying streaming or non-idempotent request bodies.

A global http2Origin: true applies to every cleartext ingress rule. An explicit per-rule false remains the opt-out.

Explicit ws:// services remain on HTTP/1.1. WebSocket Upgrade requests routed through an http:// or unix: service with http2Origin: true are not supported because those services now require HTTP/2.

Tests

Added coverage for:

  • TCP h2c requests reaching the origin as HTTP/2.
  • HTTP/1.1 when http2Origin is disabled.
  • Strict failure against an HTTP/1-only cleartext origin.
  • Existing TLS HTTP/2 behavior.
  • Explicit ws:// HTTP/1.1 Upgrade behavior.
  • WebSocket Upgrade failure through a strict h2c service.
  • h2c over a Unix socket.
  • Origin classification for HTTP, HTTPS, WS, WSS, Unix, Unix+TLS, nil URLs, and Hello World services.

Validation performed:

  • go test ./ingress
  • go test -race ./ingress
  • make test
  • Patch-scoped lint checks

Follow-ups

External documentation should explain that cleartext http2Origin requires prior-knowledge h2c and has no HTTP/1.1 fallback.

Currently, the http2Origin setting on the dashboard is under TLS. It should be moved under HTTP Settings instead.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant