HTTP2 support

[khteh]

Is this a request for help? (If yes, you should use our troubleshooting guide and community support channels, see https://kubernetes.io/docs/tasks/debug-application-cluster/troubleshooting/.):

What keywords did you search in NGINX Ingress controller issues before filing this one? (If you have found any duplicates, you should instead reply there.):

---

Is this a BUG REPORT or FEATURE REQUEST? (choose one):

NGINX Ingress controller version: 0.22.0

Kubernetes version (use kubectl version): 1.14.0

Environment:

• Cloud provider or hardware configuration: Thinkpad T580

• OS (e.g. from /etc/os-release): Ubuntu 18.10

• Kernel (e.g. uname -a): Linux khteh-T580 4.18.0-16-generic #17-Ubuntu SMP Fri Feb 8 00:06:57 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

• Install tools:

• Others:

What happened: Does current nginx ingress controller support HTTP2 with both TCP and TLS?

curl -v --http2 localhost/myapi/myendpoint shows that it is using http/1.1 curl -v --insecure --http2 https://localhost/myapi/myendpoint shows it is using http2

This is in contrast with AWS ALB ingress controller where both TCP and TLS work.

W.r.t https://github.com/kubernetes/ingress-nginx/issues/2189 I have not added the use-http2 annotation. Is it enabled by default?

What you expected to happen: HTTP2 works with both TCP and TLS.

How to reproduce it (as minimally and precisely as possible):

Anything else we need to know: https://github.com/kubernetes-sigs/aws-alb-ingress-controller/issues/892

[aledbf]

Closing. NGINX does not support HTTP/1.x and HTTP/2 at the same time on a cleartext (non-TLS) port. That's the reason why it works only when HTTPS is used.

[ThreeFx]

Has there been any development regarding this issue? We would like to terminate TLS before our cluster and route both HTTP/1.1 and HTTP/2 traffic.

[aledbf]

@ThreeFx this is not something we can add. This is an NGINX issue, not the ingress controller.

[ThreeFx]

I understand that, but adding e.g. an http2 option in configuring ingresses is not planned? When terminating TLS before Kubernetes, this doesn't leave us much room for supporting GRPC and HTTP/1.1.

Other than adding two Ingresses (one per protocol) we are out of luck I guess, or do you have any idea how to solve that?

[aledbf]

I understand that, but adding e.g. an http2 option in configuring ingresses is not planned?

HTTP/2 is enabled by default when you terminate TLS in the ingress controller. (Not sure what do you mean) https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#use-http2

[ThreeFx]

Yes, but we do not terminate TLS at the Ingress level, we terminate it before the HTTP request even hits the cluster. However, we need to be able to route both HTTP/2 and HTTP/1.1 requests in plaintext, something I understand NGINX is incapable of.

Thus the question: How can we get the benefits of routing HTTP/1.1 and HTTP/2? Re-crypting the traffic from our TLS-terminating routers to our backend seems like a waste of CPU cycles, and the only other option I see is configuring two different Ingresses, one with HTTP/2 enabled and one with disabled HTTP/2. Or maybe you have a better idea?

[aledbf]

Or maybe you have a better idea?

No. Your re-encryption idea is the only way. Or you can just expose the service you need without an ingress controller, using a load balancer and terminating TLS at a different level.

[ThreeFx]

Alright, that's a shame... Thanks for the help!

[haslersn]

HTTP/2 is enabled by default when you terminate TLS in the ingress controller.

Could you document that the default is true, please?

[KannadasDpworld]

HI Team, We are facing issues after enabling the http2 in ingress level , Asynchronous calls are not happening.