On Wed, Jun 24, 2015 at 03:08:18PM -0600, Shawn Heisey wrote: > On 6/24/2015 1:23 PM, Willy Tarreau wrote: > > Thus my first goal with HTTP/2 in haproxy really is to make it a > > solid H2->H1 gateway in order to provide a seamless migration to H2 > > to everyone, just like haproxy was massively used to provide IPv6 > > connectivity for the last IPv6 day. > > > > I'll still focus on H2 on the backend but more as a longterm goal, to > > help making architectural choices when needed, but I don't see this as > > a benefit for now. It will probably be one when servers start to exploit > > server push, which could be a reason for having H2 on the server side. > > But that's not urgent in my opinion. > > Awesome. It sounds like your plans line up perfectly with what I had > envisioned. > > I think that TLS is a separate discussion. I assume that because the > final spec makes it optional, haproxy will not enforce it on the back > end, in the http/2 client code. I'm curious what you think about it > being optional on the front end.
I want to support it since it can be useful for applications making use of H2 without the computing power for TLS (IoT will be even more widespread when we have H2 in haproxy). Also it will make it possible to place haproxy behind a CDN which is compatible with the clear-text mode for people who don't want to spend all their CPU cycles encrypting video but who still want to benefit from the multiplexed connections with the CDN. But it will probably arrive after the TLS version since it will require extra steps to take in the connection setups. > I heard that Mozilla and Google have > both stated that they will require TLS for http/2. I wonder whether > Firefox and Chrome will be forced by industry pressure to make it optional. Yes I know and that's really sad. They think it's a way to push TLS everywhere because they believe that TLS solves confidentiality issues, which is totally wrong since 100% of the confidentiality issues already happen over TLS from malware running in the browser. Indeed, nobody connects to gmail/paypal/their bank or whatever over cleartext since that's not even possible! I guess it's the easy way for browser developers to steer the projectors away from their products when it comes to privacy issues and to try to make people believe they happen in the network. The sad thing is that it makes the situation worse because it forces proxies to start to decrypt TLS for basic protection while it was not needed in the past, so nobody's even protected anymore by TLS as soon as they use a proxy. Hint: if you bought your smartphone from your cell phone operator, verify in the list of root certs if there is one that belongs to your operator, it's quite likely that they'll have to decrypt your traffic in order to provide caching to save bandwidth and reduce your page load time, or simply to apply parental control to protect your kids. Regards, Willy
