HTTP/2 over clear text after SSL offload

Discussion in 'LSWS 5.0 Release' started by DaveK, Sep 7, 2016.

  1. DaveK

    DaveK Member

    I'm running LSWS Enterprise on dual servers which are behind an F5 load balancer. That F5 is performing SSL offload for me and communicating with my LSWS servers over cleartext on port 80. This works great.

    The F5 was recently updated and now supports HTTP/2, and the LSWS server also supports HTTP/2 over clear text. Yes, I realize browsers don't, but the client is getting SSL from the F5; it doesn't know about the offloading.

    Is there any reason this shouldn't work? Does the communication between the F5 and the lsws server need to be on port 443 as well by simply changing the listening port?
     
  2. mistwang

    mistwang LiteSpeed Staff

    HTTP/2 over clear text was off by default, and is probably hard coded to off now.
    We need to make it configurable. Will add that in the 5.1.8 release.
     
  3. DaveK

    DaveK Member

    Well, it's definitely an option in the current stable to turn on/off. But yes, if it's hard coded to off then obviously this won't work :)
     
  4. mistwang

    mistwang LiteSpeed Staff

    Please try the latest debug build of 5.1.8 with command

    /usr/local/lsws/admin/misc/lsup.sh -d -f -v 5.1.8
     
  5. DaveK

    DaveK Member

    Still not working, and the option is completely gone from the Server Process section in Server config. Can't find it anywhere else either.
     
  6. mistwang

    mistwang LiteSpeed Staff

    Please update again with the same command.
    We do not need that option; the server will automatically detect SSL-offloaded HTTP/2 connections.
    The haproxy backend should be configured as a regular http node.

    send-proxy needs to be removed for now. Will add support for that later.
     
  7. DaveK

    DaveK Member

    Is there any indication in debug mode to know if I'm getting requests from the F5 for an HTTP/2 connection? I'm not sure if their end is working correctly or if it's an issue at my end, so I'm trying to reduce the possibilities at my end first.
     
  8. mistwang

    mistwang LiteSpeed Staff

    On the F5 side, it should advertise HTTP/2 over ALPN, decrypt SSL without interpreting HTTP/2 frames, and forward the decrypted traffic as is to the backend. LSWS will detect the HTTP/2 traffic without SSL.
    The F5 is pretty much doing SSL offloading and communicating with the backend in layer 4 load balancing mode.
     
    Last edited: Sep 15, 2016
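
An added example, not part of the thread and not LiteSpeed's detection code: one way to see what the load balancer is actually forwarding is to classify the first bytes of a captured port-80 backend connection. It uses the HTTP/2 client connection preface from RFC 7540 and the PROXY protocol signatures; the function names and sample bytes are constructed for this illustration.

```python
import struct

H2_PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"   # RFC 7540 section 3.5
PROXY_V1 = b"PROXY "                                # PROXY protocol v1 text header
PROXY_V2 = b"\r\n\r\n\x00\r\nQUIT\n"                # PROXY protocol v2 signature
H1_METHODS = (b"GET ", b"HEAD ", b"POST ", b"PUT ", b"DELETE ", b"OPTIONS ", b"PATCH ")


def classify_backend_bytes(data: bytes) -> str:
    """Name the protocol a backend connection opened with, from its first bytes."""
    if data.startswith(PROXY_V1) or data.startswith(PROXY_V2):
        return "proxy-protocol"        # send-proxy is still enabled upstream
    if data[:2] == b"\x16\x03":
        return "tls"                   # TLS handshake record: nothing was offloaded
    if data.startswith(H2_PREFACE):
        return h2_detail(data[len(H2_PREFACE):])
    if data.startswith(H1_METHODS):
        head = data.split(b"\r\n\r\n", 1)[0].lower()
        if b"\r\nupgrade: h2c" in head:
            return "http/1.1-upgrade-h2c"
        return "http/1.x"              # balancer terminated HTTP/2 and spoke HTTP/1
    return "unknown"


def h2_detail(rest: bytes) -> str:
    """Check that the client preface is followed by a SETTINGS frame on stream 0."""
    if len(rest) < 9:
        return "h2-preface-only"
    length = int.from_bytes(rest[:3], "big")
    ftype, _flags, stream = struct.unpack(">BBI", rest[3:9])
    if ftype == 0x4 and stream & 0x7FFFFFFF == 0 and length % 6 == 0:
        return "h2-prior-knowledge"    # decrypted HTTP/2 forwarded as is
    return "h2-preface-bad-settings"


# Constructed sample captures (not taken from the thread).
SETTINGS_FRAME = b"\x00\x00\x06\x04\x00\x00\x00\x00\x00" + b"\x00\x03\x00\x00\x00\x64"
SAMPLES = {
    "passthrough": H2_PREFACE + SETTINGS_FRAME,
    "http1": b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "h2c": b"GET / HTTP/1.1\r\nHost: example.test\r\nUpgrade: h2c\r\n\r\n",
    "send_proxy": b"PROXY TCP4 192.0.2.10 192.0.2.20 51000 80\r\n" + H2_PREFACE,
    "not_offloaded": b"\x16\x03\x01\x02\x00\x01",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:14} -> {classify_backend_bytes(raw)}")
```

A result of `http/1.x` on the backend side means the balancer is interpreting HTTP/2 itself rather than forwarding the decrypted stream unchanged.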
