ctubbsii commented on PR #4982:
URL: https://github.com/apache/accumulo/pull/4982#issuecomment-2418063534

   > I think there is still a case for HTTP/2 without TLS, even when used with
   > a browser. That case is when SSL termination is done at some proxy, with only
   > http being used behind the proxy. If we still end up needing to do this, then
   > we might need/want to account for this case.
   
   My understanding is, based on everything I've read, that going through a 
proxy is specifically the case where HTTP/2 without TLS (h2c) tends to break, 
and why it's necessary to use only TLS with HTTP/2 for a passthrough proxy 
(using HTTP CONNECT). My understanding is further that a TLS terminating proxy 
would necessarily request HTTP/1.1 plaintext, or HTTP/1.1 or HTTP/2 over TLS, 
depending on whether it supports TLS termination on both sides, but never HTTP/2 
without TLS (h2c).
   
   So, if we want to consider the TLS passthrough proxy case, then we don't 
need to support non-TLS, and can stick to just HTTP/2 over TLS. If we want to 
consider the TLS terminating proxy case, then it *might* support HTTP/2 over 
TLS if it's new enough, but it definitely would support HTTP/1.1 without TLS. 
So even in that case, we don't need to support HTTP/2 without TLS (h2c).
   
   I'm not sure of the exact situation you're thinking about, but I think it's 
worth noting that we don't do anything special to support either kind of 
proxy today. If we want to continue to support the same kinds of use cases, 
we just need to continue to support HTTP/1.1 without TLS for the TLS 
terminating proxy case, and HTTP/2 with TLS would suffice for the TLS 
passthrough case, since the TCP connection is what is proxied via HTTP CONNECT, 
at a lower layer than the TLS and HTTP protocols.

