Willy,

Am 11.09.20 um 09:42 schrieb Willy Tarreau:
> On Fri, Sep 11, 2020 at 09:02:57AM +0200, Tim Düsterhus wrote:
>> According to the article performing a h2c upgrade via TLS is not valid
>> according to the spec. HAProxy implements the H2 spec.
> 
> "according to the article" :-) There's no such mention in the spec
> itself from what I remember, it's just that it's usually pointless,
> but there may be a lot of situations where it's considered better to
> forward an upgradable connection over TLS to the next intermediary
> because the intermediary network is not safe.

I might misunderstand it, but I'd say that RFC 7540#3.3 specifically
disallows h2c for TLS:

>    HTTP/2 over TLS uses the "h2" protocol identifier.  The "h2c"
>    protocol identifier MUST NOT be sent by a client or selected by a
>    server; the "h2c" protocol identifier describes a protocol that does
>    not use TLS.

-

>> Question 1: Should HAProxy reject requests that set Upgrade: h2c over
>> TLS? I think it should. Basically the following rule should be applied
>> automatically to my understanding.
>>
>> http-request deny deny_status 400 if { req.hdr(upgrade) h2c } { ssl_fc }
> 
> No I disagree. Let's say you have an h2c client on datacenter 1 and
> an h2c server on datacenter 2. This rule would prevent you from using
> the local haproxy to secure the connection, while providing zero benefit.

If I just want to secure the connection I would use 'mode tcp' where
HAProxy is a dumb pipe and this rule would not apply.

> By the way, it's fun to see that a discussion started a few days ago
> regarding the uselessness of h2c and its removal from the next H2 spec
> because "nobody implemented it yet" :-)  And actually the guy had to
> implement his own server to find a complying one.

I believe nginx can do h2c.

Best regards
Tim Düsterhus
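The two deployments discussed in this thread side by side, as an added HAProxy configuration example that is not part of the original messages: a TLS-terminating HTTP frontend that applies the deny rule from Question 1 (with the `-i` case-insensitive flag added, since Upgrade tokens are case-insensitive), a plaintext frontend where Upgrade: h2c is legitimate and passes through untouched, and the `mode tcp` pipe that secures an h2c connection toward the next hop without inspecting HTTP at all, so the rule cannot apply there. All addresses, certificate and CA paths and backend names are placeholders.

```haproxy
defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# TLS-terminating frontend. ssl_fc is true only on connections where
# HAProxy itself terminated TLS, so the rule fires exactly for
# "h2c over TLS", which RFC 7540 section 3.3 forbids.
frontend fe_https
    bind :443 ssl crt /etc/haproxy/certs/example.pem alpn h2,http/1.1   # placeholder cert path
    # Question 1 rule from the thread; "-i" (case-insensitive match) is an addition.
    http-request deny deny_status 400 if { req.hdr(upgrade) -i h2c } { ssl_fc }
    default_backend be_app

# Plaintext frontend: an Upgrade: h2c request here is valid and is
# forwarded as-is (the deny rule is deliberately absent).
frontend fe_http
    bind :80
    default_backend be_app

backend be_app
    server app1 127.0.0.1:8080    # placeholder backend

# The "dumb pipe" alternative: HAProxy does not parse HTTP in mode tcp,
# so a plaintext h2c client on this side can be carried over TLS to the
# next intermediary without any Upgrade-header check being possible.
listen tcp_pipe_to_dc2
    mode tcp
    bind :8080
    server dc2 192.0.2.10:8443 ssl verify required ca-file /etc/haproxy/ca.pem   # placeholders
```

Validate with `haproxy -c -f haproxy.cfg` before loading; the h2c rule lives only in the `mode http` frontend, which is the distinction Tim draws between the two approaches.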