Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

HTTP2 support #3938

Closed
khteh opened this issue Mar 28, 2019 · 10 comments
Closed

HTTP2 support #3938

khteh opened this issue Mar 28, 2019 · 10 comments

Comments

@khteh
Copy link

khteh commented Mar 28, 2019

Is this a request for help? (If yes, you should use our troubleshooting guide and community support channels, see https://kubernetes.io/docs/tasks/debug-application-cluster/troubleshooting/.):

What keywords did you search in NGINX Ingress controller issues before filing this one? (If you have found any duplicates, you should instead reply there.):


Is this a BUG REPORT or FEATURE REQUEST? (choose one):

NGINX Ingress controller version:
0.22.0

Kubernetes version (use kubectl version):
1.14.0

Environment:

What happened:
Does current nginx ingress controller support HTTP2 with both TCP and TLS?

curl -v --http2 localhost/myapi/myendpoint shows that it is using http/1.1
curl -v --insecure --http2 https://localhost/myapi/myendpoint shows it is using http2

This is in contrast with AWS ALB ingress controller where both TCP and TLS work.

W.r.t #2189 I have not added the use-http2 annotation. Is it enabled by default?

What you expected to happen:
HTTP2 works with both TCP and TLS.

How to reproduce it (as minimally and precisely as possible):

Anything else we need to know:
kubernetes-sigs/aws-load-balancer-controller#892

@aledbf
Copy link
Member

aledbf commented Mar 28, 2019

Closing. NGINX does not support HTTP/1.x and HTTP/2 at the same time on a cleartext (non-TLS) port.
That's the reason why it works only when HTTPS is used.

@aledbf aledbf closed this as completed Mar 28, 2019
@ThreeFx
Copy link

ThreeFx commented Aug 22, 2019

Has there been any development regarding this issue? We would like to terminate TLS before our cluster and route both HTTP/1.1 and HTTP/2 traffic.

@aledbf
Copy link
Member

aledbf commented Aug 22, 2019

@ThreeFx this is not something we can add. This is an NGINX issue, not the ingress controller.

@ThreeFx
Copy link

ThreeFx commented Aug 22, 2019

I understand that, but adding e.g. an http2 option in configuring ingresses is not planned? When terminating TLS before Kubernetes, this doesn't leave us much room for supporting GRPC and HTTP/1.1.

Other than adding two Ingresses (one per protocol) we are out of luck I guess, or do you have any idea how to solve that?

@aledbf
Copy link
Member

aledbf commented Aug 22, 2019

I understand that, but adding e.g. an http2 option in configuring ingresses is not planned?

HTTP/2 is enabled by default when you terminate TLS in the ingress controller.
(Not sure what do you mean)
https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#use-http2

@ThreeFx
Copy link

ThreeFx commented Aug 22, 2019

Yes, but we do not terminate TLS at the Ingress level, we terminate it before the HTTP request even hits the cluster. However, we need to be able to route both HTTP/2 and HTTP/1.1 requests in plaintext, something I understand NGINX is incapable of.

Thus the question: How can we get the benefits of routing HTTP/1.1 and HTTP/2? Re-crypting the traffic from our TLS-terminating routers to our backend seems like a waste of CPU cycles, and the only other option I see is configuring two different Ingresses, one with HTTP/2 enabled and one with disabled HTTP/2. Or maybe you have a better idea?

@aledbf
Copy link
Member

aledbf commented Aug 22, 2019

Or maybe you have a better idea?

No. Your re-encryption idea is the only way. Or you can just expose the service you need without an ingress controller, using a load balancer and terminating TLS at a different level.

@ThreeFx
Copy link

ThreeFx commented Aug 22, 2019

Alright, that's a shame... Thanks for the help!

@haslersn
Copy link
Contributor

haslersn commented Feb 5, 2021

HTTP/2 is enabled by default when you terminate TLS in the ingress controller.

Could you document that the default is true, please?

@KannadasDpworld
Copy link

HI Team,
We are facing issues after enabling the http2 in ingress level , Asynchronous calls are not happening.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

5 participants