cockpit-project / cockpit

Cockpit is a web-based graphical interface for servers.
http://www.cockpit-project.org/
GNU Lesser General Public License v2.1

HTTP2 support #17483

Open Igortorrente opened 2 years ago

Igortorrente commented 2 years ago

I would like to integrate cockpit with the rest of my infrastructure that uses http2.

Thanks!

martinpitt commented 2 years ago

So do we. This is a long-term goal of ours, to rewrite cockpit-ws, and simplify its architecture in the meantime. But just to set expectations, we are talking years here -- this is a giant task.

martinpitt commented 1 year ago

No concrete schedule yet, but there's finally a plan on the horizon for rewriting cockpit-ws in Rust or Python using a standard webserver library, and http2 is definitively a crucial feature.

Igortorrente commented 1 year ago

Very nice. @martinpitt thank you for the update!

viniciusferrao commented 11 months ago

> No concrete schedule yet, but there's finally a plan on the horizon for rewriting cockpit-ws in Rust or Python using a standard webserver library, and http2 is definitively a crucial feature.

Is that a good idea @martinpitt? Just rewriting in Rust for the sake of a rewrite is a thing now, but does this add benefits? It will take a lot of work to stay at the same point, delaying more features for Cockpit.

Cockpit is awesome and there's a lot of room for improvement, but wasn't this a waste of resources? cockpit-ws runs as a daemon today and it works fine. Also there's a lot of common code as I could see with other parts of Cockpit, like the D-Bus integration.

The software is already written in basically three languages: C, JavaScript and Python. Adding another one will add more complexity to the code.

I mean, if that's only to provide support for things like HTTP2, this problem can be simply circumvented by putting a reverse proxy in front of cockpit-ws. FreeIPA does something similar with Apache by default. Cockpit can provide premade .conf files for that.

As for the requirements of @Igortorrente, just install nginx, add a reverse proxy rule, add TLS certificates, HTTP2, restrict the Cockpit port to localhost via firewalld and you'll be good to go. It will achieve what you want right now.
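An added example of the reverse-proxy setup described in the comment above; it is not part of the original thread and not the Cockpit project's own configuration. The hostname `cockpit.example.com` and the certificate paths are placeholders, and the loopback binding is shown with a systemd socket drop-in instead of the firewalld rule the comment mentions.

```nginx
# Constructed example; cockpit.example.com and the certificate paths are placeholders.
# Goes in the http context, e.g. a file under /etc/nginx/conf.d/.

# Cockpit's browser-to-bridge channel is a WebSocket, so the Upgrade
# handshake has to be passed through to cockpit-ws.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

server {
    listen 443 ssl http2;   # nginx >= 1.25.1: "listen 443 ssl;" plus "http2 on;"
    server_name cockpit.example.com;

    ssl_certificate     /etc/pki/tls/certs/cockpit.example.com.pem;    # placeholder
    ssl_certificate_key /etc/pki/tls/private/cockpit.example.com.key;  # placeholder

    location / {
        # cockpit-ws on its default port, reachable on loopback only
        proxy_pass https://127.0.0.1:9090;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Required for the WebSocket; the proxy-to-Cockpit hop stays HTTP/1.1
        proxy_http_version 1.1;
        proxy_buffering off;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        gzip off;
    }
}

# Cockpit side, /etc/cockpit/cockpit.conf. Without Origins, cockpit-ws
# rejects the WebSocket because the browser's Origin is the proxy hostname:
#   [WebService]
#   Origins = https://cockpit.example.com wss://cockpit.example.com
#   ProtocolHeader = X-Forwarded-Proto
#
# Bind Cockpit to loopback so the proxy is the only way in, using a drop-in
# such as /etc/systemd/system/cockpit.socket.d/listen.conf:
#   [Socket]
#   ListenStream=
#   ListenStream=127.0.0.1:9090
```

With this in place, HTTP/2 terminates at nginx, and port 9090 should no longer answer from other hosts once the socket unit is restarted.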

martinpitt commented 11 months ago

@viniciusferrao : It will be beneficial because cockpit-ws security-wise is by far the weakest bit in cockpit, and we haven't done much to it because it's so hard to develop.

But it won't be a one-to-one rewrite, if/when we do it, we start with a complete redesign and massive simplification. We first need to sit down and analyze what the current ws does (roughly: the actual http part, authentication and session launch, and speaking the cockpit protocol between browser and bridge). We already split out the TLS/reverse proxy part a while ago (cockpit-tls). The http server is the bit which we desperately want to get rid of, using actix-web or starlette. We already have a Python implementation of the cockpit protocol in the Python bridge, so what remains is the auth bits. A few months ago I was doodling around for two hours and ended up with a useful cockpit webserver (but without authentication) in just three pages of Python.

But we actually want to go further, and avoid the session multiplexing as far as possible. We really like how the Client or cockpit-desktop run the webserver inside the user session, and we should see if we can split the functionality to achieve that.

I.e. in the end we want to end up with something very small, robust, and secure. I do think it's worth at least spending a week discussing and prototyping this.