[PATCH 09 of 14] Proxy: add "proxy_ssl_alpn" directive

Maxim Dounin mdounin at mdounin.ru
Thu Jul 13 16:29:19 UTC 2017


On Thu, Jun 22, 2017 at 01:33:13PM -0700, Piotr Sikora via nginx-devel wrote:

> # HG changeset patch
> # User Piotr Sikora <piotrsikora at google.com>
> # Date 1489621682 25200
> #      Wed Mar 15 16:48:02 2017 -0700
> # Node ID 96075d4cd2a6e8bd67caf1d7b78f8e87d757c48d
> # Parent  154ca6c5e62a1931a616e9f2b99ef2553b7c2c8b
> Proxy: add "proxy_ssl_alpn" directive.
> ALPN is used here only to indicate which version of the HTTP protocol
> is going to be used and we don't verify that upstream agreed to it.
> Please note that upstream is allowed to reject SSL connection with a
> fatal "no_application_protocol" alert if it doesn't support it.

Looking at this patch again in the HTTP/2-to-upstreams series 
context, I don't see how it adds any value.

Using ALPN doesn't seem to be needed when working with normal 
HTTP.  On the other hand, we probably should use ALPN 
automatically when connecting to a HTTP/2 backend over SSL, as per 
RFC7540 (https://tools.ietf.org/html/rfc7540#section-3.4, 
"implementations that support HTTP/2 over TLS MUST use protocol 
negotiation in TLS").  Requiring a user to use an additional 
option looks strange, not to mention it is non-compliant.


Maxim Dounin
