louketo / louketo-proxy

An OpenID / Proxy service
Apache License 2.0
950 stars 345 forks

Gatekeeper switches the protocol from HTTP2 to HTTP1 when using TLS #575

Open abstractj opened 4 years ago

abstractj commented 4 years ago

What:

I currently have an issue with Gatekeeper and gRPC requests. It seems that Gatekeeper switches the protocol from HTTP2 to HTTP1 when talking with upstream.

I think this issue has to do with: https://github.com/golang/go/issues/21336#issuecomment-320853173

Here is the relevant code: https://github.com/golang/go/blob/c522b2bec9e6186a8efb7ddd221295390638a18e/src/net/http/transport.go#L220

```go
if t.TLSClientConfig != nil || t.Dial != nil || t.DialTLS != nil {
	// Be conservative and don't automatically enable
	// http2 if they've specified a custom TLS config or
	// custom dialers. Let them opt-in themselves via
	// http2.ConfigureTransport so we don't surprise them
	// by modifying their tls.Config. Issue 14275.
	return
}
```

If an SSL cert is set, the http.Transport implementation will not automatically enable HTTP2.

Here is the discussion from the forum: https://keycloak.discourse.group/t/does-gatekeeper-proxy-grpc-requests/1606

Reference:

Nuru commented 4 years ago

I have seen issues of POSTs using TLS and HTTP2 generating Status 500 errors on Gatekeeper. They do appear to be go clients making the POSTs, but I have not yet been able to produce a minimal test case.

akkie commented 4 years ago

I'm the original creator of this issue. Please ping me if further information is required.

lyndon160 commented 4 years ago

Does Gatekeeper/louketo support gRPC?

Nuru commented 4 years ago

Hit this problem again. What are the plans for HTTP 2.0 and gRPC support in the proxy?

Nuru commented 4 years ago

So, the cause is: https://github.com/louketo/louketo-proxy/blob/9eca196059ee1144aebd4d909589f8c54d710f3d/server.go#L631

combined with https://github.com/golang/go/blob/2bc8d90fa21e9547aeb0f0ae775107dc8e05dc0a/src/net/http/transport.go#L353-L360 which says not to enable HTTP2 if a TLSClientConfig is set.

Solution appears to be simple: add `ForceAttemptHTTP2: true` to the Transport configuration.
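The negotiation behaviour described in this thread (the transport.go excerpt in the opening comment and the `ForceAttemptHTTP2` fix in the last one), as an added example that is not part of the issue and not louketo-proxy code: a self-contained Go program starts an h2-capable TLS test server with net/http/httptest and sends one request through two transports. Both carry a custom TLSClientConfig (only a RootCAs pool, standing in for the proxy's upstream CA setting). The first leaves ForceAttemptHTTP2 unset and is quietly downgraded to HTTP/1.1, exactly as the stdlib comment says; the second sets `ForceAttemptHTTP2: true` and negotiates HTTP/2.0 over ALPN. The function names (newUpstreamTransport, startH2Upstream, negotiatedProto, CompareTransports) are mine. A plain GET is enough to show which protocol was negotiated; a gRPC call over the first transport would fail, since gRPC requires HTTP/2.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// newUpstreamTransport mirrors the shape of a proxy's upstream transport:
// a custom TLS config (here only a CA pool, as when an upstream CA is
// configured) plus the ForceAttemptHTTP2 toggle under test.
// Hypothetical helper, not louketo-proxy's own code.
func newUpstreamTransport(rootCAs *x509.CertPool, forceHTTP2 bool) *http.Transport {
	return &http.Transport{
		TLSClientConfig:   &tls.Config{RootCAs: rootCAs},
		ForceAttemptHTTP2: forceHTTP2,
	}
}

// startH2Upstream starts a local TLS server that advertises "h2" via ALPN
// and answers each request with the protocol version it saw.
func startH2Upstream() *httptest.Server {
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		io.WriteString(w, r.Proto)
	}))
	srv.EnableHTTP2 = true // must be set before StartTLS so NextProtos becomes ["h2"]
	srv.StartTLS()
	return srv
}

// negotiatedProto makes one request through tr and returns the protocol the
// client reports on the response: "HTTP/1.1" or "HTTP/2.0".
func negotiatedProto(tr *http.Transport, url string) (string, error) {
	client := &http.Client{Transport: tr}
	resp, err := client.Get(url)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	if _, err := io.Copy(io.Discard, resp.Body); err != nil {
		return "", err
	}
	// Drop the connection so the test server can shut down cleanly.
	tr.CloseIdleConnections()
	return resp.Proto, nil
}

// CompareTransports returns the protocol negotiated against an h2-capable
// upstream without and with ForceAttemptHTTP2, both with a custom
// TLSClientConfig set.
func CompareTransports() (withoutForce, withForce string, err error) {
	srv := startH2Upstream()
	defer srv.Close()

	pool := x509.NewCertPool()
	pool.AddCert(srv.Certificate())

	withoutForce, err = negotiatedProto(newUpstreamTransport(pool, false), srv.URL)
	if err != nil {
		return "", "", err
	}
	withForce, err = negotiatedProto(newUpstreamTransport(pool, true), srv.URL)
	if err != nil {
		return "", "", err
	}
	return withoutForce, withForce, nil
}

func main() {
	without, with, err := CompareTransports()
	if err != nil {
		panic(err)
	}
	fmt.Printf("custom TLSClientConfig only:   %s\n", without) // HTTP/1.1
	fmt.Printf("plus ForceAttemptHTTP2: true:  %s\n", with)    // HTTP/2.0
}
```

One caveat worth knowing before copying the fix: with ForceAttemptHTTP2 set, net/http appends "h2" and "http/1.1" to the transport's tls.Config.NextProtos on first use. That is precisely the mutation the stdlib comment is being conservative about, so give the upstream transport its own tls.Config rather than one shared with other listeners or clients.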