Hi,
On 07.08.2016 at 13:35, Matthias Fechner wrote:
> I think the only possibility would then be to define several backends on
> different ports and define there the h2c or h2 in the frontend
> configuration of nginx.
Yes, because otherwise you have a problem on the nginx configuration as
well:
you can either configure a port with ssl/tls or not. HTTP/2 or not, the
port is either encrypted or it isn't.
> To check if for the TLS connection it is an h2-enabled client I can use:
> acl http2 ssl_fc_alpn -i h2
This only works if you terminate SSL on haproxy itself. It doesn't work
for a transparent TLS setup [1]. We don't have an ALPN fetcher for tcp
mode currently (but it would be badly needed, imho).
But, I'm not sure why this would be necessary in your case. If the
request comes in on port 443, you know it's encrypted. If the request
comes in on port 80, the request is not encrypted. Just use the same
logic on the backends as well.
> Is there a similar check for the non-TLS connection I can use?
h2c is not TLS, so the client doesn't connect to port 443, but port 80.
So you have that information already on the proxy. But really no browser
does this anyway.
Regards,
Lukas
[1]
http://cbonte.github.io/haproxy-dconv/configuration-1.6.html#7.3.4-ssl_fc_alpn
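
The setup discussed in this mail, as an added configuration sketch that is not part of the original message: haproxy terminates TLS so that `ssl_fc_alpn` is available, and the negotiated protocol or the incoming port selects the nginx listener. The frontend/backend names, the certificate path and the ports 8080/8081 are assumptions.

```haproxy
# Added example, not from the original mail. Names, ports and the
# certificate path are assumptions chosen for illustration.
defaults
    mode tcp
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# Port 443: TLS is terminated here, so the ALPN result can be inspected.
frontend fe_tls
    bind :443 ssl crt /etc/haproxy/certs/site.pem alpn h2,http/1.1
    acl http2 ssl_fc_alpn -i h2
    use_backend be_nginx_h2 if http2
    default_backend be_nginx_http1

# Port 80: cleartext by definition, no ALPN to look at.
frontend fe_plain
    bind :80
    default_backend be_nginx_http1

# nginx listener that speaks HTTP/2 without TLS, e.g.
#   listen 127.0.0.1:8081 http2;
backend be_nginx_h2
    server nginx_h2 127.0.0.1:8081

# nginx listener that speaks plain HTTP/1.1, e.g.
#   listen 127.0.0.1:8080;
backend be_nginx_http1
    server nginx_h1 127.0.0.1:8080
```

The loopback hop between haproxy and nginx is unencrypted in this layout, so it only fits when both run on the same host or on a trusted segment.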