Open devopsec opened 3 years ago
Just to be clear, the workaround until this is implemented is to change the HTTP version in /etc/nginx/sites-available/dsiprouter.conf
From:
listen DSIP_PORT ssl http2 so_keepalive=on;
listen [::]:DSIP_PORT ssl http2 so_keepalive=on;
To:
listen DSIP_PORT ssl so_keepalive=on;
listen [::]:DSIP_PORT ssl so_keepalive=on;
Then restart Nginx:
systemctl restart nginx
Looking into this further, I believe there is some more nuance we are missing and the AWS LB is doing something extra.
This becomes apparent when simply querying the nginx server with different versions of HTTP on the client side:
DSIP_IP=138.197.130.245
curl -kL --http0.9 https://$DSIP_IP:5000/
curl -kL --http1.0 https://$DSIP_IP:5000/
curl -kL --http1.1 https://$DSIP_IP:5000/
curl -kL --http2 https://$DSIP_IP:5000/
All the queries resolve just fine, with no errors from nginx.
This leads me to believe that the AWS LB is trying HTTP/2.0 first for some reason, or is using some obscure headers we did not anticipate.
Needs more testing...
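The manual curl probing above can be scripted so that the negotiated protocol is visible, not just the absence of errors: curl's --write-out variables %{http_version} and %{response_code} report which HTTP version the server actually answered with and the status code. The script below is an added example written for this thread; it is not part of dSIPRouter and not code posted by anyone in the issue. The DSIP_PROBE_URL variable and the classification labels (ok, downgraded, upgraded, failed) are assumptions made for this example. Note that nginx answers an HTTP/1.0 request with an HTTP/1.1 status line, so both 1.x versions are treated as the same family here.

```bash
#!/usr/bin/env bash
# Added example, not from the dSIPRouter project: probe one URL with each
# HTTP version curl can request and report what the server negotiated.
# Requires curl built with HTTP/2 support (curl --version lists "HTTP2").

# Print one line per requested version: "<requested> <negotiated> <status>".
# -s: silent, -k: accept the self-signed cert, -o /dev/null: discard body,
# -w: print the negotiated version and status code after the transfer.
# On a transport failure (no TLS/TCP connection) curl exits non-zero and we
# record the probe as "error 000" so the report still has a line for it.
probe_versions() {
    url="$1"
    for flag in --http1.0 --http1.1 --http2 --http2-prior-knowledge; do
        out=$(curl -sk "$flag" -o /dev/null \
                   -w '%{http_version} %{response_code}' "$url" 2>/dev/null) \
            || out="error 000"
        printf '%s %s\n' "${flag#--}" "$out"
    done
}

# Classify one probe result (requested version, negotiated version, status):
#   failed     - no HTTP response at all (status 000)
#   ok         - server answered in the requested version family
#   downgraded - HTTP/2 was requested but the server answered HTTP/1.x
#   upgraded   - HTTP/1.x was requested but the server answered HTTP/2
# "failed" for --http2-prior-knowledge with a working --http2 means the server
# only speaks h2 via ALPN negotiation, not raw HTTP/2 framing on connect.
classify() {
    requested="$1"; negotiated="$2"; status="$3"
    case "$status" in
        000|"") echo failed; return 0 ;;
    esac
    case "$requested:$negotiated" in
        http2*:2)    echo ok ;;
        http2*:1.*)  echo downgraded ;;
        http1.*:1.*) echo ok ;;
        http1.*:2)   echo upgraded ;;
        *)           echo unknown ;;
    esac
}

# Human-readable report for one URL.
report() {
    probe_versions "$1" | while read -r req neg code; do
        printf '%-22s negotiated=%-6s status=%s -> %s\n' \
            "$req" "$neg" "$code" "$(classify "$req" "$neg" "$code")"
    done
}

# Usage: DSIP_PROBE_URL="https://$DSIP_IP:5000/" bash probe_http.sh
# (DSIP_PROBE_URL is an assumed variable name for this example.)
if [ -n "${DSIP_PROBE_URL:-}" ]; then
    report "$DSIP_PROBE_URL"
fi
```

Run it once directly against the nginx port and once against the load balancer's public hostname; a row that is "ok" on nginx but "downgraded" or "failed" through the load balancer isolates which hop is changing the protocol.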
The nginx docs are kind of misleading on how to enable multiple versions of HTTP.
Ideally we would support HTTP/1.1, HTTP/2, HTTP/3 and QUIC all on the same port.
I'll reach out for some advice on this, maybe someone in the community has already implemented this and would be willing to help out here.
When dSIPRouter is set up behind an AWS load balancer, the HTTP versions between the AWS LB and Nginx are mismatched.
We use HTTP/2 by default for Nginx, but the AWS LB uses HTTP/2 client-side and converts to HTTP/1.1 on the load balancing side of the request.
This can be fixed in one of two ways:
I am in favor of option 1, as the user would not be required to have any knowledge about how their load balancer works; they would just try the other port if it fails, such as 5001, which would allow users that use the AWS LB or other HTTP/1.x clients to connect as well.
If we went with option 2, that would require the user to have more in-depth knowledge about their network, and if they are hosting on another platform this may not be a given for them.