http2 server without TLS?


Peter Waller

Aug 4, 2015, 2:10:03 PM
to golang-nuts, Brad Fitzpatrick
Hi All,

I understand that http2 won't require TLS certificates, is that correct?

If so, is there a quick way of setting up an http2 server with


without calling ListenAndServeTLS?

I just spent a few minutes trying to understand why it wasn't working before feeling stupid and recalling how ConfigureServer works*.

Thanks!

- Peter

* https://github.com/bradfitz/http2/blob/f8202bc903bda493ebba4aa54922d78430c2c42f/server.go#L136

alexm

Aug 4, 2015, 4:49:33 PM
to golang-nuts, brad...@golang.org
If I remember correctly, Brad mentioned during his and Andrew's http2 video that he wouldn't be implementing the http2 package over unencrypted channels.

Matt Silverlock

Aug 4, 2015, 7:11:03 PM
to golang-nuts, brad...@golang.org
> I understand that http2 won't require TLS certificates, is that correct?

To be precise, HTTP/2 (h2) requires TLS. There is also h2c, which is a non-TLS variant. Most browser vendors are choosing not to implement h2c.

See this issue for the discussion around h2c in Go: https://github.com/bradfitz/http2/issues/59

Peter Waller

Aug 5, 2015, 3:08:39 AM
to alexm, golang-nuts, Brad Fitzpatrick
Okay, makes sense.

Is there an easy way to test an HTTP2 server then? Am I in the business of making and trusting my own snakeoil certificates for localhost and development environments in general?

I ask because if I want my friends and colleagues to be able to develop and test this thing, I want to know what is best to tell them.


Brad Fitzpatrick

Aug 5, 2015, 4:32:07 AM
to Peter Waller, golang-nuts, alexm

What are you trying to test? Http2 itself or just doing web development in general? You can continue to do http1 on localhost for developing your handlers. The details of http2 on the wire are just details, just like TLS is.

Peter Waller

Aug 5, 2015, 4:35:09 AM
to Brad Fitzpatrick, golang-nuts, alexm
I'm evaluating the performance of http2 to understand the impact it will have on our infrastructure, and I want other people to be able to reproduce my results easily.

Brad Fitzpatrick

Aug 5, 2015, 6:35:10 AM
to Peter Waller, golang-nuts, alexm

How would you evaluate the performance impact of TLS?

Peter Waller

Aug 5, 2015, 6:51:50 AM
to Brad Fitzpatrick, golang-nuts, alexm
I'm actually just wanting to understand the impact on assets being transferred, such as javascript, css and images. We're already fine with some "constant" overhead for TLS.

At the moment there are those cool demos with many hundreds of files loading, and I want to know whether I will see any impact on the sites I'm responsible for, or if the gains are so small I should invest in optimizing my sites through other methods for the long term.

Brad Fitzpatrick

Aug 5, 2015, 7:00:10 AM
to Peter Waller, golang-nuts, alexm

If you have more than 2 assets, you'll probably benefit nicely from http2.

As for benchmarking, your configs to test are your three possibilities:

1) http
2) https
3) https with http2

If you can benchmark 2) then you can measure 3) too so I don't understand the original concern about how to generate certs.

There is no option 1.5) in practice and Go doesn't intend to implement h2c.

Peter Waller

Aug 5, 2015, 8:46:24 AM
to Brad Fitzpatrick, golang-nuts, alexm
On 5 August 2015 at 11:59, Brad Fitzpatrick <brad...@golang.org> wrote:

> If you can benchmark 2) then you can measure 3) too so I don't understand the original concern about how to generate certs.

Yep! I am no longer asking about TLS-less connections. I'm happy that isn't something we'll get. However, I think the documentation needs improving. As an experienced developer wanting to try out HTTP2, it isn't obvious how to try it (especially so if you don't know how to do the certificate dance).

So I'm interested if anyone has any novel solutions for that, and what I should tell my interested friends and colleagues. Should I point them at the openssl x509 [1] or cfssl [2] documentation and tell them how to generate and trust self signed certificates? Is that terrible advice?

I've been teaching interns a lot recently (not http2) so I've got my "how could *they* discover how to do this" hat on. It's all very well if you've generated certificates before and know your way around your OS's certificate store. Otherwise all of this is totally opaque and HTTP2 (in go) is just some magical unusable tech. Even a "friendly and easy to use for developers" project like caddy [3] advertising HTTP2 support doesn't make it clear what you need to do.

You might go through the rigmarole of setting it up just to discover that your connections are just using plain HTTP. Or a less experienced developer might not immediately discover that and mistakenly think they are using it.

Has anyone written about this? I realise you probably take it in your stride, but what do other professional developers like you do to develop and test http2 on your local machines? Is there a better way?

I guess the fact there are many possible environments out there makes what I am asking difficult to achieve.

If all of these questions are too early and everything is all in flux and we don't want people trying out HTTP2 yet, then that's fine too.
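As an added example (not code from this thread, nor from Brad's http2 package), the following Go program exercises the three configurations Brad lists (http, https, https with http2) in-process and reports what each side actually negotiated, which addresses the worry above about silently ending up on plain HTTP. It relies on the standard library's later net/http HTTP/2 support and on httptest's built-in self-signed localhost certificate, so no cert files or trust-store changes are needed; the names `Mode` and `Probe` are mine.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// handler reports, in a response header, the protocol version and TLS
// state the server saw, so the client can compare its own view.
func handler(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("X-Server-Saw", fmt.Sprintf("%s TLS=%t", r.Proto, r.TLS != nil))
}

// Mode selects one of the three configurations listed in the thread.
type Mode int

const (
	PlainHTTP   Mode = iota // 1) http
	HTTPSOnly               // 2) https, ALPN offers only http/1.1
	HTTPSWithH2             // 3) https with http2 negotiated via ALPN
)

// Probe starts an in-process server in the given mode, using httptest's
// built-in self-signed localhost cert (no files, no trust-store changes),
// makes one request with a client that trusts it, and returns both views.
func Probe(mode Mode) (string, string, error) {
	srv := httptest.NewUnstartedServer(http.HandlerFunc(handler))
	defer srv.Close()
	switch mode {
	case PlainHTTP:
		srv.Start()
	case HTTPSOnly:
		srv.StartTLS()
	case HTTPSWithH2:
		srv.EnableHTTP2 = true // must be set before StartTLS
		srv.StartTLS()
	}
	resp, err := srv.Client().Get(srv.URL)
	if err != nil {
		return "", "", err
	}
	resp.Body.Close()
	return resp.Proto, resp.Header.Get("X-Server-Saw"), nil
}

func main() {
	c, s, err := Probe(HTTPSWithH2)
	fmt.Printf("client negotiated %s; server saw %s (err=%v)\n", c, s, err)
}
```

Only mode 3 yields `HTTP/2.0` on both sides; modes 1 and 2 both report `HTTP/1.1`, differing only in whether TLS was in use.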

Brad Fitzpatrick

Aug 5, 2015, 8:59:08 AM
to Peter Waller, golang-nuts, alexm

Go's http2 support isn't done so I'm not documenting it widely yet. It's not even in the Go tree yet.

It'll get better.

I also have high hopes for Let's Encrypt and I'd love to see certs be automatic most of the time.

perry.j...@gmail.com

Aug 6, 2015, 2:59:53 PM
to golang-nuts, pe...@scraperwiki.com, jammi...@gmail.com
There is an option 2.5, in which you have https on a load balancer/reverse proxy and http on the proxied endpoints. That's the only real place I could see h2c being useful. It still might not offer much because stuff like nginx allows you to communicate with the proxied service via http1 (or fastcgi, etc.) while nginx handles the http2 and ssl.

Also, the nginx alpha http2 support got released yesterday: https://www.nginx.com/blog/early-alpha-patch-http2/

Matthew Holt

Sep 21, 2015, 4:44:39 PM
to golang-nuts, brad...@golang.org, jammi...@gmail.com
> Even a "friendly and easy to use for developers" project like caddy [3] advertising HTTP2 support doesn't make it clear what you need to do.

You don't have to do anything. Caddy serves HTTP/2 by default over HTTPS. Browsers don't support plaintext HTTP/2 so there's no reason for Caddy to support it. I hope every sane website owner with $10 will serve their site with HTTPS anyway.

That $10 requirement is going away very soon with Let's Encrypt, which Caddy will come with by default. At that point, there's no excuse not to encrypt (and gain the benefits of HTTP/2).