Opened 6 years ago

Closed 2 years ago

#1552 closed enhancement (fixed)

No way to use http2 with stream-section

Reported by: FAUSheppy@… Owned by:
Priority: minor Milestone:
Component: nginx-core Version: 1.13.x
Keywords: stream, http2 Cc: sheppy@…
uname -a: Linux HOSTNAME 4.9.0-6-amd64 #1 SMP Debian 4.9.82-1+deb9u3 (2018-03-02) x86_64 GNU/Linux
nginx -V: nginx version: nginx/1.13.12
built by gcc 6.3.0 20170516 (Debian 6.3.0-18+deb9u1)
built with OpenSSL 1.1.0f 25 May 2017
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/ --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt='-g -O2 -fdebug-prefix-map=/data/builder/debuild/nginx-1.13.12/debian/debuild-base/nginx-1.13.12=. -specs=/usr/share/dpkg/no-pie-compile.specs -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fPIC' --with-ld-opt='-specs=/usr/share/dpkg/no-pie-link.specs -Wl,-z,relro -Wl,-z,now -Wl,--as-needed -pie'


I have a server in a stream section that multiplexes connections to upstreams based on a map-construct:


map $something $map_name{

defaul upstream1;
"somevalue" upstream2;


server unix:/samepath;


listen 443 ssl;
proxy_protocol on;
proxy_pass $map_name;


listen unix:/samepath;



and a server in an http-block:






I cannot enable http2, in the stream section the directive is not allowed (so I can't write it to my top level server listening on 443 as I would intend to, and if i write it to the server in the http-section, I only get a cryptic file that downloads every time i access the website.

Change History (3)

comment:1 by FAUSheppy@…, 6 years ago

It appears to work, if I move the ssl away from the server-block in stream, to the server in http and place an http2 after it but I cannot do that because I need the tls certificate in the map.

comment:2 by Maxim Dounin, 6 years ago

Type: defectenhancement

The stream module is a generic TCP proxy module, it doesn't talk neither HTTP nor HTTP/2, hence there is no "http2" option.

If you want to select a backend depending on whether client announces HTTP/2 support via the ALPN extension, consider using the $ssl_preread_alpn_protocols variable as available in the SSL preread module.

It is not currently possible to configure ALPN protocols for the stream module to negotiate during an SSL handshake. This might be a feature worth adding, so leaving this open as an enahancement for now.

comment:3 by Maxim Dounin, 2 years ago

Resolution: fixed
Status: newclosed

In nginx 1.21.4 (b9e02e9b2f1d, eb6c77e6d55d), the ssl_alpn directive and the $ssl_alpn_protocol variable were introduced in the stream module, making it possible to negotiate appropriate ALPN protocol during an SSL handshake. In particular, it makes it possible to terminate SSL with proper negotiation of HTTP/2 if supported by the client.

Note: See TracTickets for help on using tickets.