Does an nginx server use the HTTP/2 protocol version by default? - nginx

I have various nginx servers and recently I noticed that by default these servers respond using the HTTP/2 version of the protocol.
I have not configured the http2 parameter in nginx.conf.
Is this the right behavior?

No, that is not the default.
If you observe HTTP2 despite not configuring it in NGINX, you likely have a CDN in front of it, e.g. Cloudflare.

Related

How to configure Nginx to support only HTTP2 for clients without ALPN

Here is the situation:
Our client wants to keep supporting some old iOS Mac systems whose network library does not support ALPN. Our server is set up only to accept gRPC requests, so there is no need for the server to accept HTTP1.1 requests.
So how do I stop Nginx from accepting HTTP1.1 requests, enable only HTTP2 support, and skip ALPN?
I tried to make Nginx default to http2, but it still involves the ALPN process.
It seems nginx does http2 based on ALPN, so there is no workaround for that.
Our customer requests an http2-only service because other products they use are using gRPC with the Envoy proxy. Envoy seems to be able to provide an http2-only service without ALPN, but it remains to be found out why (the documentation does not specify it clearly).

In a reverse proxy server + Python HTTPS Server, who should handle SSL Certificates for HTTPS connections?

Suppose I want to use a combination of NGinX (probably another since it doesn't proxy HTTP/2 requests) and Hypercorn. As both can handle SSL certificate files, I wonder who is the best suited to do this for an HTTPS request. It is important to me that Hypercorn could listen to 443 port and I'm not sure it can do that without specifying certfile and keyfile parameters.
Well, that depends on what you want to do.
The simplest solution is to configure both to use SSL.
Nginx will receive the request, decipher it, process it, and send it to Hypercorn on port 443 as an HTTPS client. Hypercorn will get the request as from any normal HTTPS client.
If your goal is security: go with both.
If your goal is just to not have Hypercorn exposed directly, you can configure it to not use SSL.
Nginx supports proxying requests to an HTTPS upstream by default, so that's the best solution, I think. However, you might need to set HTTP headers for Hypercorn to correctly understand who the client is, by playing with X-Forwarded-For, X-Forwarded-Host and any other headers that might be needed by Hypercorn.
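
The "both use SSL" setup from the answer above, as an added nginx configuration example (not part of the original answer). The hostnames, the 8443 upstream port and the file paths are assumptions; a separate port is used because nginx and Hypercorn cannot both bind 443 on the same address.

```nginx
# Added example. Assumed names: app.example.com, hypercorn.internal,
# 127.0.0.1:8443 and everything under /etc/nginx/tls/.
upstream hypercorn_app {
    # Hypercorn started with its certfile/keyfile options on this port (assumption).
    server 127.0.0.1:8443;
}

server {
    listen 443 ssl;
    server_name app.example.com;

    # Certificate presented to browsers (first TLS hop).
    ssl_certificate     /etc/nginx/tls/app.example.com.crt;
    ssl_certificate_key /etc/nginx/tls/app.example.com.key;

    location / {
        # Second TLS hop: nginx acts as an HTTPS client towards Hypercorn.
        proxy_pass https://hypercorn_app;

        # proxy_ssl_verify defaults to off, so without these lines the
        # upstream hop is encrypted but the upstream is not authenticated.
        proxy_ssl_verify              on;
        proxy_ssl_trusted_certificate /etc/nginx/tls/internal-ca.crt;
        proxy_ssl_name                hypercorn.internal;  # name in Hypercorn's certificate
        proxy_ssl_server_name         on;                  # send that name as SNI
        proxy_ssl_protocols           TLSv1.2 TLSv1.3;

        # Set forwarding headers from what nginx itself observed, replacing
        # any values the client sent. $remote_addr is used instead of
        # $proxy_add_x_forwarded_for because the latter appends to a
        # client-supplied X-Forwarded-For header.
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-Host  $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For   $remote_addr;
    }
}
```

If another trusted proxy or CDN sits in front of nginx, `$remote_addr` is that proxy's address, and the X-Forwarded-For handling has to account for it.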

Does grpc-web TLS require any config on the client side?

I have been looking for this for a while now. Still not sure if Envoy and Nginx do all the TLS stuff for a web-gRPC client.
In my case, my Nginx config works well with gRPC client and server. However, it is not working for web-gRPC client.
Nginx is no longer being actively supported for grpc-web. The default proxy for grpc-web is Envoy. You should be able to set up TLS by setting some config with the envoy.yaml file. In particular, look under the 'tls_context' section.

HTTP2 from the browser with early SSL termination

I want to set up my web page to make HTTP2 requests to a Jetty API server. I read that browsers will only use the "h2" protocol, that is, HTTP2 with TLS. However, my setup has a kubernetes ingress performing SSL termination, and proxying a cleartext request back to the Jetty server. The dilemma is that I don't think I want to negotiate an "h2" connection using Jetty, because that would require an SSL context on that server.
My question is, will this setup allow a browser to perform HTTP2 requests? If so, what do I need to enable on the Jetty server in order to properly serve HTTP2 requests?
You can configure Jetty to serve clear-text HTTP/2 (also known as h2c), so that your setup will be:
browser -- h2 --> kubernetes tls termination -- h2c --> Jetty
In order to set up Jetty with clear-text HTTP/2, you just need to enable the http2c module if you are using Jetty as a standalone server, see http://www.eclipse.org/jetty/documentation/current/http2-enabling.html.
Alternatively, if you're using Jetty embedded you can look at this example.

varnish nginx proxy protocol

I have this install from this guide: https://www.linode.com/docs/websites/varnish/use-varnish-and-nginx-to-serve-wordpress-over-ssl-and-http-on-debian-8
Is there any advantage to using PROXY protocol, from
https://info.varnish-software.com/blog/five-steps-to-secure-varnish-with-hitch-and-lets-encrypt
in this setup (I have Varnish 5)?
If so, what modification is needed for the setup in the Linode link above?
Best.
To begin with, it will not be possible to use PROXY protocol in the linked setup.
Nginx supports PROXY protocol only on the client side (i.e. when there is another proxy forwarding requests to it). It doesn't support PROXY protocol with proxy_pass, where it would make more sense for Varnish + Nginx SSL setup. Sorry about that.
