Willy,

On 11.09.20 at 09:42, Willy Tarreau wrote:
> On Fri, Sep 11, 2020 at 09:02:57AM +0200, Tim Düsterhus wrote:
>> According to the article performing an h2c upgrade via TLS is not valid
>> according to the spec. HAProxy implements the H2 spec.
>
> "according to the article" :-) There's no such mention in the spec
> itself from what I remember, it's just that it's usually pointless,
> but there may be a lot of situations where it's considered better to
> forward an upgradable connection over TLS to the next intermediary
> because the intermediary network is not safe.

I might misunderstand it, but I'd say that RFC 7540#3.3 specifically
disallows h2c for TLS:

> HTTP/2 over TLS uses the "h2" protocol identifier. The "h2c"
> protocol identifier MUST NOT be sent by a client or selected by a
> server; the "h2c" protocol identifier describes a protocol that does
> not use TLS.

>> Question 1: Should HAProxy reject requests that set Upgrade: h2c over
>> TLS? I think it should. Basically the following rule should be applied
>> automatically to my understanding.
>>
>> http-request deny deny_status 400 if { req.hdr(upgrade) h2c } { ssl_fc }
>
> No I disagree. Let's say you have an h2c client on datacenter 1 and
> an h2c server on datacenter 2. This rule would prevent you from using
> the local haproxy to secure the connection, while providing zero benefit.

If I just want to secure the connection I would use 'mode tcp' where
HAProxy is a dumb pipe and this rule would not apply.

> By the way, it's fun to see that a discussion started a few days ago
> regarding the uselessness of h2c and its removal from the next H2 spec
> because "nobody implemented it yet" :-) And actually the guy had to
> implement his own server to find a complying one.

I believe nginx can do h2c.

Best regards
Tim Düsterhus
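The two positions in the thread side by side in one HAProxy configuration, as an added illustration that is not part of either message: the first frontend applies Tim's deny rule in `mode http`, where HAProxy parses the request and `ssl_fc` is true for TLS front connections; the second pair shows Willy's datacenter-to-datacenter case, where a `mode tcp` frontend takes a plaintext h2c client and the backend encrypts the hop, so no `http-request` rule is evaluated and the upgrade passes through untouched. Certificate paths, CA file, backend addresses and section names are placeholders, not values from the thread.

```haproxy
# Added example, not configuration from the mailing-list thread.
# All paths, addresses and names below are placeholders.

# Position 1 (HTTP mode): reject an h2c upgrade attempted over TLS.
# RFC 7540 section 3.3: "h2c" describes a protocol that does not use TLS.
frontend fe_https
    mode http
    bind :443 ssl crt /etc/haproxy/certs/example.pem
    # Fires only when the TLS-terminated front connection (ssl_fc)
    # carries an Upgrade header whose value is exactly "h2c".
    http-request deny deny_status 400 if { req.hdr(upgrade) h2c } { ssl_fc }
    default_backend be_app

backend be_app
    mode http
    server app1 10.0.0.10:8080

# Position 2 (TCP mode): h2c client in datacenter 1, h2c server in
# datacenter 2, local HAProxy only encrypts the inter-datacenter hop.
# HAProxy does not parse HTTP here, so the deny rule cannot apply and
# the Upgrade: h2c exchange is forwarded verbatim inside TLS.
frontend fe_h2c_local
    mode tcp
    bind 127.0.0.1:8080
    default_backend be_dc2

backend be_dc2
    mode tcp
    # Outbound TLS with certificate verification against a pinned CA.
    server dc2 10.1.0.10:8443 ssl verify required ca-file /etc/haproxy/certs/dc2-ca.pem
```

Running `haproxy -c -f <file>` validates the syntax of such a configuration without starting the proxy. Note that `req.hdr(upgrade) h2c` is an exact string match on the header value; a client that sends a comma-separated token list in Upgrade would not match, which is one reason the thread treats the rule as a proposal rather than something HAProxy enforces today.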