Opened 6 years ago
Closed 3 years ago
#1552 closed enhancement (fixed)
No way to use http2 with stream-section
Reported by: | Owned by: | ||
---|---|---|---|
Priority: | minor | Milestone: | |
Component: | nginx-core | Version: | 1.13.x |
Keywords: | stream, http2 | Cc: | sheppy@… |
uname -a: | Linux HOSTNAME 4.9.0-6-amd64 #1 SMP Debian 4.9.82-1+deb9u3 (2018-03-02) x86_64 GNU/Linux | ||
nginx -V: |
nginx version: nginx/1.13.12
built by gcc 6.3.0 20170516 (Debian 6.3.0-18+deb9u1) built with OpenSSL 1.1.0f 25 May 2017 TLS SNI support enabled configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt='-g -O2 -fdebug-prefix-map=/data/builder/debuild/nginx-1.13.12/debian/debuild-base/nginx-1.13.12=. -specs=/usr/share/dpkg/no-pie-compile.specs -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fPIC' --with-ld-opt='-specs=/usr/share/dpkg/no-pie-link.specs -Wl,-z,relro -Wl,-z,now -Wl,--as-needed -pie' |
Description
I have a server in a stream section that multiplexes connections to upstreams based on a map-construct:
stream{
map $something $map_name{
defaul upstream1;
"somevalue" upstream2;
}
upstream1{
server unix:/samepath;
}
...
server{
listen 443 ssl;
proxy_protocol on;
proxy_pass $map_name;
}
server{
listen unix:/samepath;
proxy_pass 127.0.0.1:8001;
}
}
and a server in an http-block:
http{
...
server{
listen 127.0.0.1:8001;
...
}
}
I cannot enable http2, in the stream section the directive is not allowed (so I can't write it to my top level server listening on 443 as I would intend to, and if i write it to the server in the http-section, I only get a cryptic file that downloads every time i access the website.
Change History (3)
comment:1 by , 6 years ago
comment:2 by , 6 years ago
Type: | defect → enhancement |
---|
The stream module is a generic TCP proxy module, it doesn't talk neither HTTP nor HTTP/2, hence there is no "http2" option.
If you want to select a backend depending on whether client announces HTTP/2 support via the ALPN extension, consider using the $ssl_preread_alpn_protocols variable as available in the SSL preread module.
It is not currently possible to configure ALPN protocols for the stream module to negotiate during an SSL handshake. This might be a feature worth adding, so leaving this open as an enahancement for now.
comment:3 by , 3 years ago
Resolution: | → fixed |
---|---|
Status: | new → closed |
In nginx 1.21.4 (b9e02e9b2f1d, eb6c77e6d55d), the ssl_alpn directive and the $ssl_alpn_protocol variable were introduced in the stream module, making it possible to negotiate appropriate ALPN protocol during an SSL handshake. In particular, it makes it possible to terminate SSL with proper negotiation of HTTP/2 if supported by the client.
It appears to work, if I move the ssl away from the server-block in stream, to the server in http and place an http2 after it but I cannot do that because I need the tls certificate in the map.