I suggest just using a self-signed cert for your LB<->appserver and 
disabling cert-checking in your LB. Should be relatively straightforward; 
you can even have your appserver generate a cert on startup, so there's 
less messing around with files required.

It'll give you http2, and also cheaply protects you from passive 
eavesdropping.

If you don't trust your network (e.g. your traffic is going over the 
internet), you can setup a private CA to also protect you from active 
eavesdroppers and/or tamperers; cfssl makes this relatively 
straightforward, you just need to create some JSON files. 
See 
https://blog.cloudflare.com/how-to-build-your-own-public-key-infrastructure/ 
for copy-pastable examples.
My friend and I have used the exact same JSON from that blogpost in a very 
similar circumstance to the one you describe, and it was maybe 20 minutes 
of messing around before we had private/public keys for LB and appserver 
(plus a CA for each side, so that we could support multiple replicas of an 
instance without them sharing a cert).

On Wednesday, November 15, 2017 at 12:43:49 PM UTC-8, Albert Tedja wrote:
>
> Thank you for the links.
>
> I am still somewhat disappointed that the http/2 protocol would enforce a 
> certain configuration. I understand the necessity of secure connections, 
> but that should be left as an option to the developers.
>
> If browsers want to strictly use TLS, that's fine because it's consumer 
> facing, but at least Go should enable http/2 over non-TLS. We are engineers 
> here, we should know the difference.
>
>
> On Wednesday, November 15, 2017 at 12:05:41 PM UTC-8, Howard C. Shaw III 
> wrote:
>>
>> See
>> https://github.com/golang/go/issues/14141 - for discussion of the issue; 
>> and 
>> https://github.com/hkwi/h2c for a way to use the 
>> in-stdlib-but-not-linked-together support for h2c (http/2 over non-TLS).
>>
>> Howard
>>
>
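The setup suggested at the top of this message (app server mints a self-signed cert at startup, LB talks TLS to it with cert checking off, HTTP/2 negotiated via ALPN), as an added Go example that is not code from this thread. The function names, and the host name appserver.internal, are my own; the LB side here is a plain net/http client standing in for whatever balancer is in front.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"math/big"
	"net/http"
	"time"
)

// selfSignedCert mints a fresh ECDSA P-256 cert in memory at startup: no key or cert files to manage.
func selfSignedCert(host string) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// appServerTLS is the app-server side: our cert plus "h2" in ALPN, which is
// what lets net/http negotiate HTTP/2 on the TLS connection.
func appServerTLS(cert tls.Certificate) *tls.Config {
	return &tls.Config{
		Certificates: []tls.Certificate{cert},
		NextProtos:   []string{"h2", "http/1.1"},
	}
}

// lbClient is the load-balancer side with cert checking disabled: the hop is
// encrypted (defeats passive eavesdropping) but the server is unauthenticated.
func lbClient() *http.Client {
	return &http.Client{Transport: &http.Transport{
		TLSClientConfig:   &tls.Config{InsecureSkipVerify: true},
		ForceAttemptHTTP2: true,
	}}
}
```

Swapping InsecureSkipVerify for a RootCAs pool holding your private CA is the one-line change that upgrades this to the "don't trust the network" variant described further down.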
