HTTP/2 over clear text after SSL offload

#1
I'm running LSWS enterprise on dual servers which are behind an F5 load balancer. That F5 is performing SSL offload for me and communicating to my lsws servers over cleartext on port 80. This works great.

The F5 was recently updated and now supports HTTP/2, and the lsws server also supports HTTP/2 over clear text. Yes, I realize browsers don't, but the client is getting SSL from the F5; it doesn't know about the offloading.

Is there any reason this shouldn't work? Does the communication between the F5 and the lsws server need to be on port 443 as well by simply changing the listening port?
 

mistwang

LiteSpeed Staff
#2
The HTTP/2 over clear text was off by default, probably hard coded to off now.
Need to make it configurable. Will add that in 5.1.8 release.
 
#3
Well it's definitely an option in the current stable to turn on/off. But yes if it's hard coded to off then obviously this won't work :)
 
#5
Not working still, and the option is completely gone from the Server process section in Server config. Can't find it anywhere else either.
 

mistwang

LiteSpeed Staff
#6
Please update again with the same command.
We do not need that option; the server will automatically detect SSL-offloaded HTTP/2 connections.
The haproxy backend should be configured as a regular HTTP node:

    server node1 127.0.0.1:8088 check

send-proxy needs to be removed for now. Will add support for that later.
 
#7
Is there any indication in debug mode to know if I'm getting requests from the F5 for a http2 connection? I'm not sure if their end is working correctly or an issue at my end so I'm trying to reduce the possibilities at my end first.
 

mistwang

LiteSpeed Staff
#8
On the F5 side, it should advertise HTTP/2 over ALPN, decrypt SSL without interpreting HTTP/2 frames, and forward the decrypted traffic as is to the backend. LSWS will detect the HTTP/2 traffic without SSL.
The F5 is pretty much doing SSL offloading and communicating with the backend in layer 4 load balancing mode.
 
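Added example (not part of the original thread, and not LiteSpeed or F5 code): one way to answer the question in #7 from the backend side is to classify the first bytes the load balancer sends on the cleartext port, for instance from a packet capture. The HTTP/2 client preface, TLS record header and PROXY protocol signatures are fixed by their specifications; the function name, labels and sample byte strings are assumptions constructed for illustration.

```python
import re

# Fixed 24-byte HTTP/2 client connection preface (RFC 7540, section 3.5).
H2_PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"
# PROXY protocol v2 binary signature; v1 is the ASCII line "PROXY ...".
PROXY_V2_SIG = b"\r\n\r\n\x00\r\nQUIT\n"
HTTP1_LINE = re.compile(rb"^[A-Z]+ \S+ HTTP/1\.[01]\r\n")


def classify_first_bytes(data: bytes) -> str:
    """Label the start of a connection; label names are hypothetical."""
    if data.startswith(H2_PREFACE):
        return "h2-prior-knowledge"      # decrypted HTTP/2 forwarded as is
    if data.startswith(PROXY_V2_SIG) or data.startswith(b"PROXY "):
        return "proxy-protocol"          # send-proxy still enabled upstream
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03:
        return "tls-handshake"           # TLS passed through, not offloaded
    if HTTP1_LINE.match(data):
        head = data.split(b"\r\n\r\n", 1)[0].lower()
        if re.search(rb"\r\nupgrade:[ \t]*h2c\b", head):
            return "http1-h2c-upgrade"   # HTTP/1.1 request asking for h2c
        return "http1"                   # balancer re-sent the request as HTTP/1.x
    if data and H2_PREFACE.startswith(data):
        return "incomplete"              # partial preface, read more first
    return "unknown"


# Constructed sample inputs (not captured traffic).
SAMPLES = {
    # preface followed by an empty SETTINGS frame
    "h2": H2_PREFACE + b"\x00\x00\x00\x04\x00\x00\x00\x00\x00",
    "proxy_v1": b"PROXY TCP4 192.0.2.10 192.0.2.20 51000 80\r\n" + H2_PREFACE,
    "tls": bytes.fromhex("160301020001"),
    "http1": b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "h2c": (b"GET / HTTP/1.1\r\nHost: example.test\r\n"
            b"Connection: Upgrade, HTTP2-Settings\r\nUpgrade: h2c\r\n"
            b"HTTP2-Settings: AAMAAABkAAQAAP__\r\n\r\n"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:9s} -> {classify_first_bytes(raw)}")
```

Only the "h2-prior-knowledge" result corresponds to the setup described in #8; "http1" means the balancer is terminating HTTP/2 itself, and "proxy-protocol" matches the send-proxy case mentioned in #6.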