[PATCH 09 of 14] Proxy: add "proxy_ssl_alpn" directive
Maxim Dounin
mdounin at mdounin.ru
Thu Jul 13 16:29:19 UTC 2017
Hello!

On Thu, Jun 22, 2017 at 01:33:13PM -0700, Piotr Sikora via nginx-devel wrote:
> # HG changeset patch
> # User Piotr Sikora <piotrsikora at google.com>
> # Date 1489621682 25200
> # Wed Mar 15 16:48:02 2017 -0700
> # Node ID 96075d4cd2a6e8bd67caf1d7b78f8e87d757c48d
> # Parent 154ca6c5e62a1931a616e9f2b99ef2553b7c2c8b
> Proxy: add "proxy_ssl_alpn" directive.
>
> ALPN is used here only to indicate which version of the HTTP protocol
> is going to be used and we don't verify that upstream agreed to it.
>
> Please note that upstream is allowed to reject SSL connection with a
> fatal "no_application_protocol" alert if it doesn't support it.

Looking at this patch again in the HTTP/2-to-upstreams series
context, I don't see how it adds any value.

Using ALPN doesn't seem to be needed when working with normal
HTTP. On the other hand, we probably should use ALPN
automatically when connecting to an HTTP/2 backend over SSL, as per
RFC7540 (https://tools.ietf.org/html/rfc7540#section-3.4,
"implementations that support HTTP/2 over TLS MUST use protocol
negotiation in TLS"). Requiring a user to use an additional
option looks strange, not to mention it is non-compliant.
[...]
--
Maxim Dounin
http://nginx.org/
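
The thread turns on two points: the client offering ALPN, and whether the upstream actually agreed to the offered protocol. The following is an added example, not code from the patch or from nginx, showing the wire-format offer list and a check of the upstream's selection; the function names `alpn_encode` and `alpn_upstream_agreed` are hypothetical and the sample values are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Encode "h2,http/1.1" as the ALPN wire format (RFC 7301): each name prefixed
 * by a one-byte length, as SSL_set_alpn_protos() takes. Returns 0 on error. */
size_t alpn_encode(const char *list, unsigned char *out, size_t cap)
{
    size_t n = 0;
    while (*list) {
        size_t len = strcspn(list, ",");
        if (len == 0 || len > 255 || n + 1 + len > cap)
            return 0;                       /* empty/oversized name, no room */
        out[n++] = (unsigned char) len;
        memcpy(out + n, list, len);
        n += len;
        list += len;
        if (*list == ',' && *++list == '\0')
            return 0;                       /* trailing comma */
    }
    return n;
}

/* sel/sel_len: protocol the upstream selected, as the TLS library reports it
 * (OpenSSL: SSL_get0_alpn_selected()); sel_len 0 means none came back.
 * Returns 1 only if it equals `want` and was among the offered names. */
int alpn_upstream_agreed(const unsigned char *offered, size_t off_len,
    const unsigned char *sel, size_t sel_len, const char *want)
{
    size_t i = 0;
    if (sel_len == 0 || sel_len != strlen(want) || memcmp(sel, want, sel_len))
        return 0;
    while (i < off_len) {
        size_t len = offered[i];
        if (i + 1 + len > off_len)
            return 0;                       /* malformed offer list */
        if (len == sel_len && memcmp(offered + i + 1, sel, len) == 0)
            return 1;
        i += 1 + len;
    }
    return 0;
}

int main(void)
{
    unsigned char offer[32];                /* constructed sample values below */
    size_t n = alpn_encode("h2,http/1.1", offer, sizeof(offer));
    printf("offer=%zu bytes, h2 agreed=%d\n", n, alpn_upstream_agreed(
        offer, n, (const unsigned char *) "http/1.1", 8, "h2"));
    return 0;
}
```

An upstream that answers `http/1.1`, or sends no ALPN extension at all, fails the check for `h2`, which is the case a client speaking HTTP/2 over TLS has to treat as a failed negotiation.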