Open wkloucek opened 1 year ago
We should not allow disabling TLS. HTTP/2, as implemented by all browsers, requires it. HTTP/2 without TLS is called H2C and is used e.g. by grpc.WithInsecure(). So, while not being without its use, a proxy like traefik likely does not support H2C anyway (I did not check). See also the explanation by the mailgun team: https://www.mailgun.com/blog/dev-life/http-2-cleartext-h2c-client-example-go/
Traefik can be configured to trust self signed certificates: https://doc.traefik.io/traefik/routing/overview/#insecureskipverify
The correct solution would be to generate proper certificates and tell traefik how to trust it.
Finally, TLS connection negotiation overhead only occurs once, as HTTP/2 then reuses the connection, which happens less for internal reverse proxy connections.
@aduffeck has looked into this
jfyi the experimental branches from back then live at https://github.com/aduffeck/reva/commits/http2 and https://github.com/aduffeck/ocis/commits/http2.
They use an internal CA for signing and verifying the certificates so there's no need to skip verification. They also turn the remaining internal HTTP traffic into encrypted HTTPS traffic. Unfortunately that decreases overall performance a little, despite the fact that existing HTTPS traffic is HTTP/2 now.
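Added example, not code from oCIS, reva or the branches linked above: a small Go program doing in miniature what the two comments above describe, serving TLS with a certificate the client is told to trust (here a throwaway self-signed "localhost" certificate generated at runtime in place of an internal CA) instead of skipping verification, then reporting which protocol ALPN negotiated. The function names, the loopback listener and the /config.json path are this example's own choices.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"net/http"
	"time"
)
// selfSignedLocalhost mints a throwaway "localhost" certificate (constructed here, not an oCIS cert) and a pool that trusts only it.
func selfSignedLocalhost() (tls.Certificate, *x509.CertPool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil { panic(err) } // fixture setup, not request handling
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     []string{"localhost"},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil { panic(err) }
	leaf, _ := x509.ParseCertificate(der)
	pool := x509.NewCertPool()
	pool.AddCert(leaf) // the client's entire trust store: verification stays on, no InsecureSkipVerify
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv}, pool
}

// negotiatedProto serves HTTPS on a random loopback port and returns the protocol a verifying client negotiates.
func negotiatedProto() (string, error) {
	cert, pool := selfSignedLocalhost()
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil { return "", err }
	srv := &http.Server{TLSConfig: &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS12}}
	go srv.ServeTLS(ln, "", "") // net/http adds "h2" to ALPN itself; the cert comes from TLSConfig, not files
	defer srv.Close()
	client := &http.Client{Transport: &http.Transport{
		TLSClientConfig:   &tls.Config{RootCAs: pool, ServerName: "localhost"}, // trust the CA, don't skip verify
		ForceAttemptHTTP2: true, // a custom TLSClientConfig otherwise turns the h2 attempt off
	}}
	resp, err := client.Get("https://" + ln.Addr().String() + "/config.json")
	if err != nil { return "", err }
	resp.Body.Close()
	return resp.Proto, nil // "HTTP/2.0" when ALPN picked h2
}
func main() { fmt.Println(negotiatedProto()) }
```

Pointing the client at a pool that does not contain the certificate makes the Get fail with a verification error instead of silently falling back, which is the behaviour a skip-verify setting would hide.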
@tbsbdr && @micbar is this still a requirement to support http/2?
Describe the bug
Connections to oCIS without an additional reverse proxy are not using HTTP/2
Steps to reproduce
Steps to reproduce the behavior:
ocis server
curl --http2-prior-knowledge -v https://localhost:9200/config.json -k
Expected behavior
Get a response and see that HTTP/2 is used
Actual behavior
Additional context
Can also be reproduced in the browser.
Our deployment examples are using HTTP/2 because we use Traefik as reverse proxy, which does HTTP/2.