将HTTP / 2从h2反向代理到h2c [英] Reverse proxying HTTP/2 from h2 to h2c

问题描述

我们有一个能够通过h2c（HTTP / 2明文）提供内容的java web服务器

We have a java web server which is able to serve content over h2c (HTTP/2 clear text)

我们想要反转使用h2建立的代理连接（即，通过SSL的标准HTTP / 2）到h2c中的java服务器。

We would like to reverse proxy connections established using h2 (i.e. standard HTTP/2 over SSL) to the java server in h2c.

在nginx上启用HTTP / 2非常简单，处理传入的h2连接工作正常。

Enabling HTTP/2 on nginx is simple enough and handling incoming h2 connections works fine.

我们如何告诉nginx使用h2c代替连接而不是http / 1.1？

How do we tell nginx to proxy the connection using h2c rather than http/1.1 ?

注意：非nginx解决方案可能是可接受的

Note: a non-nginx solution may be acceptable

server {
    listen       443 ssl http2 default_server;
    server_name  localhost;

    ssl_certificate      /opt/nginx/certificates/???.pem;
    ssl_certificate_key  /opt/nginx/certificates/???.pk8.key.pem;

    ssl_session_cache    shared:SSL:1m;
    ssl_session_timeout  5m;

    ssl_ciphers  HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers  on;

    location / {
        proxy_pass http://localhost:8080/;  ## <---- h2c here rather than http/1.1
    }
}

结论（2016年6月）

这可以使用haproxy使用配置文件来完成，如下所示。

This can be done with haproxy using a configuration file as simple as the one below.

查询（HttpServletRequest） req.getProtocol（）明确返回 HTTP / 2.0

global
tune.ssl.default-dh-param 1024

defaults
timeout connect 10000ms
timeout client 60000ms
timeout server 60000ms

frontend fe_http
mode http
bind *:80
# Redirect to https
redirect scheme https code 301

frontend fe_https
mode tcp
bind *:443 ssl no-sslv3 crt mydomain.pem ciphers TLSv1.2 alpn h2,http/1.1
default_backend be_http

backend be_http
mode tcp
server domain 127.0.0.1:8080

推荐答案

HAProxy 确实支持。

HAProxy可以卸载TLS并转发到后端，说出 h2c 。

HAProxy can offload TLS and forward to a backend that speaks h2c.

有关如何设置此配置的详细信息，请参阅此博文。

Details on how to setup this configuration are available in this blog post.

这篇关于将HTTP / 2从h2反向代理到h2c的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！