diff options
-rw-r--r-- | modules/caddyhttp/app.go | 10 | ||||
-rw-r--r-- | modules/caddyhttp/reverseproxy/caddyfile.go | 7 | ||||
-rw-r--r-- | modules/caddyhttp/reverseproxy/httptransport.go | 36 | ||||
-rw-r--r-- | modules/caddyhttp/server.go | 11 |
4 files changed, 63 insertions, 1 deletions
diff --git a/modules/caddyhttp/app.go b/modules/caddyhttp/app.go index 8e7f3ea..f695276 100644 --- a/modules/caddyhttp/app.go +++ b/modules/caddyhttp/app.go @@ -27,6 +27,8 @@ import ( "github.com/caddyserver/caddy/v2/modules/caddytls" "github.com/lucas-clemente/quic-go/http3" "go.uber.org/zap" + "golang.org/x/net/http2" + "golang.org/x/net/http2/h2c" ) func init() { @@ -282,6 +284,14 @@ func (app *App) Start() error { Handler: srv, } + // enable h2c if configured + if srv.AllowH2C { + h2server := &http2.Server{ + IdleTimeout: time.Duration(srv.IdleTimeout), + } + s.Handler = h2c.NewHandler(srv, h2server) + } + for _, lnAddr := range srv.Listen { listenAddr, err := caddy.ParseNetworkAddress(lnAddr) if err != nil { diff --git a/modules/caddyhttp/reverseproxy/caddyfile.go b/modules/caddyhttp/reverseproxy/caddyfile.go index 9636936..56e2698 100644 --- a/modules/caddyhttp/reverseproxy/caddyfile.go +++ b/modules/caddyhttp/reverseproxy/caddyfile.go @@ -584,6 +584,7 @@ func (h *Handler) UnmarshalCaddyfile(d *caddyfile.Dispenser) error { // tls_trusted_ca_certs <cert_files...> // keepalive [off|<duration>] // keepalive_idle_conns <max_count> +// versions <versions...> // } // func (h *HTTPTransport) UnmarshalCaddyfile(d *caddyfile.Dispenser) error { @@ -701,6 +702,12 @@ func (h *HTTPTransport) UnmarshalCaddyfile(d *caddyfile.Dispenser) error { h.KeepAlive.MaxIdleConns = num h.KeepAlive.MaxIdleConnsPerHost = num + case "versions": + h.Versions = d.RemainingArgs() + if len(h.Versions) == 0 { + return d.ArgErr() + } + default: return d.Errf("unrecognized subdirective %s", d.Val()) } diff --git a/modules/caddyhttp/reverseproxy/httptransport.go b/modules/caddyhttp/reverseproxy/httptransport.go index 4b5111c..f0fbbd6 100644 --- a/modules/caddyhttp/reverseproxy/httptransport.go +++ b/modules/caddyhttp/reverseproxy/httptransport.go @@ -82,11 +82,16 @@ type HTTPTransport struct { // The size of the read buffer in bytes. ReadBufferSize int `json:"read_buffer_size,omitempty"` - // The versions of HTTP to support. Default: ["1.1", "2"] + // The versions of HTTP to support. As a special case, "h2c" + // can be specified to use H2C (HTTP/2 over Cleartext) to the + // upstream (this feature is experimental and subject to + // change or removal). Default: ["1.1", "2"] Versions []string `json:"versions,omitempty"` // The pre-configured underlying HTTP transport. Transport *http.Transport `json:"-"` + + h2cTransport *http2.Transport } // CaddyModule returns the Caddy module information. @@ -110,6 +115,28 @@ func (h *HTTPTransport) Provision(ctx caddy.Context) error { } h.Transport = rt + // if h2c is enabled, configure its transport (std lib http.Transport + // does not "HTTP/2 over cleartext TCP") + if sliceContains(h.Versions, "h2c") { + // crafting our own http2.Transport doesn't allow us to utilize + // most of the customizations/preferences on the http.Transport, + // because, for some reason, only http2.ConfigureTransport() + // is allowed to set the unexported field that refers to a base + // http.Transport config; oh well + h2t := &http2.Transport{ + // kind of a hack, but for plaintext/H2C requests, pretend to dial TLS + DialTLS: func(network, addr string, _ *tls.Config) (net.Conn, error) { + // TODO: no context, thus potentially wrong dial info + return net.Dial(network, addr) + }, + AllowHTTP: true, + } + if h.Compression != nil { + h2t.DisableCompression = !*h.Compression + } + h.h2cTransport = h2t + } + return nil } @@ -182,6 +209,13 @@ func (h *HTTPTransport) NewTransport(_ caddy.Context) (*http.Transport, error) { // RoundTrip implements http.RoundTripper. func (h *HTTPTransport) RoundTrip(req *http.Request) (*http.Response, error) { h.SetScheme(req) + + // if H2C ("HTTP/2 over cleartext") is enabled and the upstream request is + // HTTP/2 without TLS, use the alternate H2C-capable transport instead + if req.ProtoMajor == 2 && req.URL.Scheme == "http" && h.h2cTransport != nil { + return h.h2cTransport.RoundTrip(req) + } + return h.Transport.RoundTrip(req) } diff --git a/modules/caddyhttp/server.go b/modules/caddyhttp/server.go index 36e7042..a4fda28 100644 --- a/modules/caddyhttp/server.go +++ b/modules/caddyhttp/server.go @@ -111,6 +111,17 @@ type Server struct { // This field is not subject to compatibility promises. ExperimentalHTTP3 bool `json:"experimental_http3,omitempty"` + // Enables H2C ("Cleartext HTTP/2" or "H2 over TCP") support, + // which will serve HTTP/2 over plaintext TCP connections if + // a client support it. Because this is not implemented by the + // Go standard library, using H2C is incompatible with most + // of the other options for this server. Do not enable this + // only to achieve maximum client compatibility. In practice, + // very few clients implement H2C, and even fewer require it. + // This setting applies only to unencrypted HTTP listeners. + // ⚠️ Experimental feature; subject to change or removal. + AllowH2C bool `json:"allow_h2c,omitempty"` + primaryHandlerChain Handler errorHandlerChain Handler listenerWrappers []caddy.ListenerWrapper |