3

I have the following infrastructure:

80  ->  Varnish -> Backend (NGINX, port 8080)
443 ->  NGINX (SSL-Termination with HTTP/2 enabled) -> Varnish -> Backend (NGINX, port 8080)

I know that it is possible to enable the HTTP/2 protocol for frontend connections using the -p feature=+http2 parameter for Varnish (port 80), but what about the backend connections? varnishlog -b shows me that all of the backend communication is performed using HTTP/1.0 and HTTP/1.1.

I would be very pleased if someone could tell me what common practice is regarding Varnish and NGINX:

  • Is it possible to enable HTTP/2 for the backend connections?
  • Does it make any sense to do so regarding performance?
  • Does it make sense regarding performance to keep the -p feature=+http2 parameter enabled for the 443 -> NGINX (SSL-Termination with HTTP/2 enabled) -> Varnish communication?

Regarding the backend communication (which is not encrypted): I know that HTTP/2 is bound to TLS encryption, but maybe there is some tweak I haven't heard about, so that's why I think it is better to ask in order to be 100% sure. Thanks for your understanding.

manifestor
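The observation in the question (varnishlog -b only ever showing HTTP/1.0 and HTTP/1.1 on the backend side) is easy to check systematically. The following script is an added example, not part of the question or of the Varnish project: it parses raw varnishlog output (client side from varnishlog -c, backend side from varnishlog -b) and summarises the protocol version per hop and per backend. The embedded log is a constructed sample modelled on the varnishlog record format; the tag names used (ReqProtocol, BereqProtocol, BerespProtocol, BackendOpen) are the standard VSL tags, and the BackendOpen field layout (fd, backend name, ip, port, ...) is an assumption about the Varnish version in use.

```python
"""Summarise which HTTP version each Varnish hop actually negotiated, from
raw `varnishlog` output (client side: `varnishlog -c`, backend side:
`varnishlog -b`)."""
import re
from collections import Counter, defaultdict

# Constructed sample, modelled on the raw varnishlog format: one client
# transaction that arrived as HTTP/2 (e.g. via Hitch) and two backend fetches.
SAMPLE_LOG = """\
*   << Request  >> 32769
-   Begin          req 32768 rxreq
-   ReqMethod      GET
-   ReqURL         /index.html
-   ReqProtocol    HTTP/2.0
-   ReqHeader      Host: example.com
-   RespProtocol   HTTP/2.0
-   RespStatus     200
-   End
*   << BeReq    >> 32770
-   Begin          bereq 32769 fetch
-   BereqMethod    GET
-   BereqURL       /index.html
-   BereqProtocol  HTTP/1.1
-   BackendOpen    27 default 127.0.0.1 8080 127.0.0.1 51234 connect
-   BerespProtocol HTTP/1.1
-   BerespStatus   200
-   End
*   << BeReq    >> 32772
-   Begin          bereq 32771 fetch
-   BereqMethod    GET
-   BereqURL       /legacy.html
-   BereqProtocol  HTTP/1.0
-   BackendOpen    28 default 127.0.0.1 8080 127.0.0.1 51236 connect
-   BerespProtocol HTTP/1.0
-   BerespStatus   200
-   End
"""

# "*   << Request  >> 32769" starts a transaction; "-   Tag   value" is a record.
TXN_HEADER = re.compile(r"^\*+\s+<<\s+(\w+)\s+>>\s+(\d+)")
RECORD = re.compile(r"^-+\s+(\w+)\s*(.*)$")


def parse_transactions(text):
    """Split raw varnishlog text into transactions: {kind, vxid, records}.
    `records` maps tag -> list of values (a tag can repeat, e.g. headers)."""
    txns = []
    current = None
    for line in text.splitlines():
        m = TXN_HEADER.match(line)
        if m:
            current = {"kind": m.group(1), "vxid": int(m.group(2)),
                       "records": defaultdict(list)}
            txns.append(current)
            continue
        m = RECORD.match(line)
        if m and current is not None:
            current["records"][m.group(1)].append(m.group(2).strip())
    return txns


def protocol_summary(txns):
    """Count request-line protocol versions per hop (client vs. backend)."""
    summary = {"client": Counter(), "backend": Counter()}
    for t in txns:
        recs = t["records"]
        for v in recs.get("ReqProtocol", []):
            summary["client"][v] += 1
        for v in recs.get("BereqProtocol", []):
            summary["backend"][v] += 1
    return summary


def backend_name(t):
    """Backend name from a BackendOpen record (assumed layout: fd name ip port ...)."""
    for v in t["records"].get("BackendOpen", []):
        parts = v.split()
        if len(parts) >= 2:
            return parts[1]
    return None


def protocols_per_backend(txns):
    """Map backend name -> set of protocol versions used on fetches to it."""
    out = defaultdict(set)
    for t in txns:
        name = backend_name(t)
        if name is None:
            continue
        for v in t["records"].get("BereqProtocol", []):
            out[name].add(v)
    return dict(out)


def backend_uses_http2(txns):
    """True only if some fetch was sent to a backend as HTTP/2; with stock
    Varnish this stays False, because backend connections are HTTP/1.x."""
    return any(v.startswith("HTTP/2") for v in protocol_summary(txns)["backend"])


if __name__ == "__main__":
    txns = parse_transactions(SAMPLE_LOG)
    s = protocol_summary(txns)
    print("client  :", dict(s["client"]))
    print("backend :", dict(s["backend"]))
    print("per backend:", {k: sorted(v) for k, v in protocols_per_backend(txns).items()})
    print("backend HTTP/2:", backend_uses_http2(txns))
```

Feed it real output with something like `varnishlog -b -d` piped into the script in place of the constructed sample; the client-side counter only fills in when the log also contains Request transactions (varnishlog -c, or no filter).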

2 Answers

7

@Michael Hampton's answer is missing some points, so here it goes:

Varnish is the one software that does HTTP/2 in the Hitch+Varnish combo, but most browsers require a TLS connection in order for HTTP/2 to work. That is, a TLS connection is required for HTTP/2; it is its base requirement nowadays.

Varnish Plus does support TLS, while Varnish open source doesn't.

As for the answers:

  • No, it is not possible to enable HTTP/2 for backend connections.
  • It does not make any sense to do so regarding performance. The primary benefit of HTTP/2 is request multiplexing. It is not needed / not possible unless Varnish were able to parse HTML and then request all assets in parallel from the backend over HTTP/2. Nobody wants to make Varnish a browser :) as it's fine the way it is.
  • No, it does not make sense regarding performance to keep the -p feature=+http2 parameter enabled for the 443 -> NGINX (SSL-Termination with HTTP/2 enabled) setup, because NGINX simply won't talk HTTP/2 to its backend (Varnish), similar to how Varnish won't talk HTTP/2 to its backend (NGINX+PHP-FPM, for example), because it doesn't make sense (see earlier point).

That said:

  • It does make sense to keep -p feature=+http2 in a Hitch + Varnish combo.
  • It would also make sense to keep -p feature=+http2 in an NGINX (stream) + Varnish combo IF NGINX's stream module had support for ALPN protocol negotiation. But it doesn't. So it can't terminate TLS "properly" for HTTP/2 to work.

Danila Vershinin
  • The latest Nginx already supports ALPN, so we could use the `-p feature=+http2` in an NGINX (stream) + Varnish combo. Is that right? @danila – Key Shang Jan 11 '23 at 16:39
  • @KeyShang The reason I mentioned Hitch in my answer is that it does TLS encryption on the TCP level (without HTTP "parsing"). In NGINX, you typically do TLS termination by `proxy_pass`. This is HTTP-level proxying and it can't talk HTTP/2 to upstream. You can do the same as what the Hitch setup does, via `stream` in NGINX and setting TLS certificates there. This is going to be closer to the Hitch setup, yet alas, NGINX SSL stream does not know how to negotiate the ALPN protocol. In other words, NGINX ALPN is for the front-facing HTTP/2 connection; it really can't do HTTP/2 to the backend/Varnish. – Danila Vershinin Jan 13 '23 at 15:39
  • Got it. Thank you for your explanation. Upvote. @Danila – Key Shang Jan 14 '23 at 09:51

4

Varnish doesn't support https at all. It never has and it never will.

The so-called http2 frontend support that Varnish offers in 5.0 is actually not in Varnish at all. Rather, it uses another piece of software called hitch, which is a proxy server that actually terminates TLS using HTTP/2 and passes plain HTTP connections to its backend, which is the Varnish frontend.

All Varnish backends are HTTP only.

So, when using HTTP/2, it actually looks like this:

Hitch - Varnish - Nginx

Though in this case varnish manages hitch.

In short, no, you can't do that.

Michael Hampton