0
Fork 0
mirror of https://github.com/caddyserver/caddy.git synced 2024-12-23 22:27:38 -05:00

Fixed HTTP/2 support for the proxy middleware (#1300)

* Fixed HTTP/2 support for the proxy middleware

http.Transport instances whose TLSClientConfig, Dial, or DialTLS field
is non-nil will be configured without HTTP/2 support by default.

This commit adds the proper calls to http2.ConfigureTransport()
everywhere a http.Transport is created and thus fixes HTTP/2 in the
proxy middleware whenever insecure_skip_verify or keepalive is provided.

* Added HTTP/2 support check to TestReverseProxyInsecureSkipVerify
This commit is contained in:
Leonard Hecker 2016-12-21 20:44:07 +01:00 committed by Matt Holt
parent 54c63002cc
commit a3aa414ff3
2 changed files with 28 additions and 5 deletions

View file

@ -3,6 +3,7 @@ package proxy
import (
"bufio"
"bytes"
"crypto/tls"
"fmt"
"io"
"io/ioutil"
@ -26,6 +27,17 @@ import (
"golang.org/x/net/websocket"
)
// This is a simple wrapper around httptest.NewTLSServer()
// which forcefully enables (among others) HTTP/2 support.
// The httptest package only supports HTTP/1.1 by default.
func newTLSServer(handler http.Handler) *httptest.Server {
ts := httptest.NewUnstartedServer(handler)
ts.TLS = new(tls.Config)
ts.TLS.NextProtos = []string{"h2"}
ts.StartTLS()
return ts
}
func TestReverseProxy(t *testing.T) {
log.SetOutput(ioutil.Discard)
defer log.SetOutput(os.Stderr)
@ -69,8 +81,10 @@ func TestReverseProxyInsecureSkipVerify(t *testing.T) {
defer log.SetOutput(os.Stderr)
var requestReceived bool
backend := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
var requestWasHTTP2 bool
backend := newTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
requestReceived = true
requestWasHTTP2 = r.ProtoAtLeast(2, 0)
w.Write([]byte("Hello, client"))
}))
defer backend.Close()
@ -90,6 +104,9 @@ func TestReverseProxyInsecureSkipVerify(t *testing.T) {
if !requestReceived {
t.Error("Even with insecure HTTPS, expected backend to receive request, but it didn't")
}
if !requestWasHTTP2 {
t.Error("Even with insecure HTTPS, expected proxy to use HTTP/2")
}
}
func TestWebSocketReverseProxyNonHijackerPanic(t *testing.T) {

View file

@ -22,6 +22,8 @@ import (
"sync"
"time"
"golang.org/x/net/http2"
"github.com/mholt/caddy/caddyhttp/httpserver"
)
@ -132,7 +134,7 @@ func NewSingleHostReverseProxy(target *url.URL, without string, keepalive int) *
// if keepalive is equal to the default,
// just use default transport, to avoid creating
// a brand new transport
rp.Transport = &http.Transport{
transport := &http.Transport{
Proxy: http.ProxyFromEnvironment,
Dial: (&net.Dialer{
Timeout: 30 * time.Second,
@ -142,10 +144,12 @@ func NewSingleHostReverseProxy(target *url.URL, without string, keepalive int) *
ExpectContinueTimeout: 1 * time.Second,
}
if keepalive == 0 {
rp.Transport.(*http.Transport).DisableKeepAlives = true
transport.DisableKeepAlives = true
} else {
rp.Transport.(*http.Transport).MaxIdleConnsPerHost = keepalive
transport.MaxIdleConnsPerHost = keepalive
}
http2.ConfigureTransport(transport)
rp.Transport = transport
}
return rp
}
@ -155,7 +159,7 @@ func NewSingleHostReverseProxy(target *url.URL, without string, keepalive int) *
// since this transport skips verification.
func (rp *ReverseProxy) UseInsecureTransport() {
if rp.Transport == nil {
rp.Transport = &http.Transport{
transport := &http.Transport{
Proxy: http.ProxyFromEnvironment,
Dial: (&net.Dialer{
Timeout: 30 * time.Second,
@ -164,6 +168,8 @@ func (rp *ReverseProxy) UseInsecureTransport() {
TLSHandshakeTimeout: 10 * time.Second,
TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
}
http2.ConfigureTransport(transport)
rp.Transport = transport
} else if transport, ok := rp.Transport.(*http.Transport); ok {
transport.TLSClientConfig = &tls.Config{InsecureSkipVerify: true}
}