Question

Load Balancers - HTTP/2 vs HTTPS vs HTTP Proxy

Posted May 19, 2021 75 views
Load Balancing, DigitalOcean Managed Load Balancers

A couple of questions on the use of HTTP/2 on the DO Managed Load Balancers here.

We’re currently enabled for HTTPS/443 -> HTTP/80 on our Load Balancers.

If we upgrade to HTTP/2:

  1. For the (small) portion of our traffic from non-HTTP/2 browsers will it negotiate a downgrade to HTTP/1.1 over SSL?

  2. If we are using the LB to terminate SSL and putting the internal traffic over HTTP/80 do we lose the advantages of HTTP/2 anyway? Or is it cleverer than that?

Cheers,


1 answer

OK so, doing some Science:

I set up a DO LB with HTTPS only, using a test name with a Let’s Encrypt certificate, pointing at an existing webserver over HTTP. I then used curl to test it.

michael@DESKTOP-0V8O7JR:~ $ curl https://test.mydomain.com -v --http1.1 --no-alpn --no-npn
*   Trying 1.1.1.1:443...
* TCP_NODELAY set
* Connected to test.mydomain.com (1.1.1.1) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
* Server certificate:
*  subject: CN=mydomain.com
*  start date: May 21 03:02:15 2021 GMT
*  expire date: Aug 19 03:02:15 2021 GMT
*  subjectAltName: host "test.mydomain.com" matched cert's "test.mydomain.com"
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify ok.
> GET / HTTP/1.1
> Host: test.mydomain.com
> User-Agent: curl/7.68.0
> Accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< content-length: 352
< content-disposition: inline; filename="index.html"
< accept-ranges: bytes
< etag: "0380cd3e51d181efa161255719094b2dbc726fb8"
< content-type: text/html; charset=utf-8
< vary: Accept-Encoding
< date: Mon, 24 May 2021 12:31:31 GMT
<
* Connection #0 to host test.mydomain.com left intact

So the answer to question 1 is - yes, it will downgrade. I suspect the answer to 2 is yes - we lose much of the advantage! Need to research further.
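
The negotiation that the curl test above exercises, as an added example that is not part of the original answer or of DigitalOcean's code: a sketch of RFC 7301 ALPN selection over the raw extension bytes, showing why a client that sends no ALPN extension (as with `--no-alpn`) or offers only `http/1.1` ends up on HTTP/1.1. The `SERVER_PREFS` order and all function names are assumptions, not the load balancer's actual configuration.

```python
import struct

SERVER_PREFS = [b"h2", b"http/1.1"]  # assumed preference order of an HTTP/2-enabled listener
NO_APPLICATION_PROTOCOL = 120         # TLS alert number defined in RFC 7301


def encode_alpn(protocols):
    """Build ALPN extension_data: 2-byte list length, then 1-byte-length-prefixed names."""
    body = b"".join(bytes([len(p)]) + p for p in protocols)
    return struct.pack("!H", len(body)) + body


def parse_alpn(ext_data):
    """Parse a ProtocolNameList, rejecting truncated or inconsistent lengths."""
    if len(ext_data) < 2:
        raise ValueError("truncated ALPN extension")
    (total,) = struct.unpack("!H", ext_data[:2])
    body = ext_data[2:]
    if total == 0 or total != len(body):
        raise ValueError("bad ProtocolNameList length")
    names, i = [], 0
    while i < len(body):
        n = body[i]
        if n == 0 or i + 1 + n > len(body):
            raise ValueError("bad ProtocolName length")
        names.append(body[i + 1:i + 1 + n])
        i += 1 + n
    return names


def negotiate(ext_data, server_prefs=SERVER_PREFS):
    """Return the protocol the listener would speak for one ClientHello.

    ext_data is None when the ClientHello carries no ALPN extension at all,
    which is the case `curl --no-alpn` produces.
    """
    if ext_data is None:
        return b"http/1.1"  # HTTP/2 over TLS requires ALPN, so this client gets HTTP/1.1
    offered = parse_alpn(ext_data)
    for proto in server_prefs:  # the server's preference order decides, not the client's
        if proto in offered:
            return proto
    raise ConnectionError(
        f"fatal alert {NO_APPLICATION_PROTOCOL}: no_application_protocol")
```
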