反向代理后面的HTTP/2 [英] HTTP/2 behind reverse proxy
问题描述
到目前为止,所有教程都告诉我,我需要在服务器上启用SSL才能具有HTTP/2支持.
So far all the tutorials tell me that I need to enable SSL on my server to have HTTP/2 support.
在给定的场景中,我们在后端Tomcat/Jetty服务器的前面有nginx,尽管就性能而言,值得在后端上启用HTTP/2,但在那里也必须有HTTPS的要求太夸张了.
In the given scenario, we have nginx in front of the backend Tomcat/Jetty server(s), and even though performance-wise it worth enabling HTTP/2 on the backend, the requirement to have HTTPS there as well seems to be an overkill.
不需要HTTPS来保证安全性(仅暴露nginx),并且从操作角度来看有点麻烦-我们必须将证书添加到运行后端服务器的每个Docker容器中.
HTTPS is not needed security-wise (only nginx is exposed), and is a bit cumbersome from the operational perspective - we'd have to add our certificates to each of the Docker containers that run the backend servers.
是否没有办法始终提供HTTP/2支持(或至少具有类似的性能),并且涉及的设置较少?
Isn't there a way around that provides HTTP/2 support all the way (or at least similar performance), and is less involved to set up?
推荐答案
我们建议的典型设置是放置 HAProxy 在Jetty前面,并配置HAProxy卸载TLS,并配置Jetty讲明文HTTP/2.
The typical setup that we recommend is to put HAProxy in front of Jetty, and configure HAProxy to offload TLS and Jetty to speak clear-text HTTP/2.
通过此设置,您将获得有效的TLS卸载(由HAProxy通过OpenSSL完成)的好处,并获得完整的端到端HTTP/2通信的好处.
With this setup, you get the benefits of an efficient TLS offloading (done by HAProxy via OpenSSL), and you get the benefits of a complete end-to-end HTTP/2 communication.
特别是,后者允许Jetty通过HTTP/2推送内容,如果后端通信是HTTP/1.1,则不可能实现.
In particular, the latter allows for Jetty to push content via HTTP/2, something that won't be possible if the backend communication is HTTP/1.1.
其他好处包括更少的资源使用,更少的转换步骤(无需从HTTP/2转换为HTTP/1.1,反之亦然),完全使用HTTP/2功能(例如从流到应用程序的流重置)的能力. 如果链中存在对HTTP/1.1的转换,那么这些好处都将无效.
Additional benefits include less resource usage, less conversion steps (no need to convert from HTTP/2 to HTTP/1.1 and viceversa), the ability to fully use HTTP/2 features such as stream resetting all the way to the application. None of these benefits will work if there is a translation to HTTP/1.1 in the chain.
如果Nginx仅用作Jetty的反向代理,它不会增加任何好处,并且实际上在减慢您的系统速度,必须将请求转换为HTTP/1.1,并将响应转换回HTTP/2.
If Nginx is only used as a reverse proxy to Jetty, it is not adding any benefit and it is actually slowing down your system, having to convert requests to HTTP/1.1 and responses back to HTTP/2.
HAProxy不会进行任何转换,因此效率更高,并且允许完整的HTTP/2堆栈以及与HTTP/1.1相比所带来的所有好处.
HAProxy does not do any conversion so it's way more efficient, and allows a full HTTP/2 stack with all the benefits that it brings with respect to HTTP/1.1.
这篇关于反向代理后面的HTTP/2的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
