undefined | Better HN

0 pointsplatform7y ago0 comments

WRT > end-to-end HTTP/2 [2]

I think this is supported.

We are using NGINX with its core Stream module to receive HTTP/2 encrypted traffic, and loadbalance it (with random or least_conn) algorithms -- to each of our backends.

Traffic stays encrypted end-to-end, and it remains HTTP/2 (because the Stream module works at TCP level, not http so it does not care http/2 or http/1 is used).

It seems that in the ticket [2] that you mentioned, the commenter at the end is asking exactly for this. And that works well.

It is called often 'pass-through proxy'. The article here explains how to set it up

https://serversforhackers.com/c/tcp-load-balancing-with-ngin...

We loose information about the Web-browser's IP address at our backend. For for privacy-enforcement reasons, we actually do not want to have it at our terminating points (our backend apis). And also, if we ever need it -- I thin this can be enabled with the proxy protocol.

0 comments

3 comments · 2 top-level

nickramirez7y ago· 1 in thread

HAProxy can proxy HTTP/2 at Layer 4 or at Layer 7, to get all the HTTP message data and perform routing based on that, etc.

platformOP7y ago

Thx. Yes, NGNIX will not be able to balance HTTP/2 traffic based on HTTP headers. But HAProxy 2.0 can.

In our case, we are not un-encrypting at the load balancer, so we cannot see the HTTP headers anyway. Instead we use NGINX to load-balance based on TCP-level info.

wtarreau7y ago

Thus it's just a plain TCP proxy and cannot route the traffic intelligently (based on Host or path) nor cache it. Following the same principle it could be said that haproxy has been supporting end-to-end H2 since version 1.0 long before H2 even existed!

With haproxy you can combine any set of H1/H2 on any side (protocol translation). It can even dynamically choose H1 or H2 depending on the negotiated ALPN the server presents, just like a browser does!

j / k navigate · click thread line to collapse