Enable prior-knowledge h2c for cleartext origins#1698
Open
Omoeba wants to merge 1 commit into
Open
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Enable HTTP/2 to cleartext origins by reusing the existing
http2Originsetting.Implements #1304
When enabled:
http://origins use strict prior-knowledge h2c.unix:origins use strict prior-knowledge h2c over the Unix socket.https://andunix+tls:continue negotiating HTTP/2 through TLS ALPN.ws://origins retain their existing HTTP/1.1 Upgrade behavior.This adds no configuration fields, public interfaces, or dependencies.
Implementation
http.Transport.Protocolswith onlyUnencryptedHTTP2for h2c.ForceAttemptHTTP2for TLS origins so existing ALPN negotiation is preserved.http2Originconfiguration comment and CLI help.Behavior
http2Originhttp://falsehttp://truehttps://trueunix:trueunix+tls:truews://trueCompatibility
This changes the behavior of existing
http2Origin: trueconfigurations usinghttp://orunix:origins. These configurations previously used HTTP/1.1 in practice; they will now require the origin to support prior-knowledge h2c. The actual risk of breakage is likely very small, ashttp2Origin: trueis a non-default option.Cleartext mode intentionally has no HTTP/1.1 fallback. Retrying after a failed h2c request could require replaying streaming or non-idempotent request bodies.
A global
http2Origin: trueapplies to every cleartext ingress rule. An explicit per-rulefalseremains the opt-out.Explicit
ws://services remain on HTTP/1.1. WebSocket Upgrade requests routed through anhttp://orunix:service withhttp2Origin: trueare not supported because those services now require HTTP/2.Tests
Added coverage for:
http2Originis disabled.ws://HTTP/1.1 Upgrade behavior.Validation performed:
go test ./ingressgo test -race ./ingressmake testFollow-ups
External documentation should explain that cleartext
http2Originrequires prior-knowledge h2c and has no HTTP/1.1 fallback.Currently, the
http2Originsetting on the dashboard is underTLS. It should be moved underHTTP Settingsinstead.