server: enable H2C for HTTP listeners via CLI flag #2739
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
srenatus
commented
Sep 30, 2020
| golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f h1:wMNYb4v58l5UBM7MYRLPG6ZhfOqbKu7X5eyFl8ZhKvA= | ||
| golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= | ||
| golang.org/x/sync v0.0.0-20190423024810-112230192c58 h1:8gQV6CLnAEikrhgkHFbMAEhagSSnXWGV915qUMm9mrU= | ||
| golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= | ||
| golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= | ||
| golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a h1:1BGLXjeY4akVXGgbC9HugT3Jv3hCI0z56oJR5vAMgBU= | ||
| golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= | ||
| golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= | ||
| golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd h1:xhmwyvizuTgC2qz7ZlMluP20uW+C3Rm0FD/WLDX8884= | ||
| golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= |
There was a problem hiding this comment.
These blow the PR size out of proportion 🙄 No idea what to do about that, though.
There was a problem hiding this comment.
The dangers of adding new dependencies! 😆
|
Ugh Golang 1.13.7 doesn't know t.Cleanup(). I'll move some code. Let's get that updated, though 😄 |
server/server_test.go
Outdated
| @@ -3219,6 +3229,78 @@ func newClient(t *testing.T, pool *x509.CertPool, clientKeyPair ...string) *http | |||
| return &c | |||
| } | |||
|
|
|||
| func TestH2CHTTPListeners(t *testing.T) { | |||
There was a problem hiding this comment.
The majority of other tests in here, afaik, don't actually start the loops. They are mostly testing the HTTP handler directly by calling Handle() on it with a recorder and some request. I'd recommend moving this test into a new package in https://github.com/open-policy-agent/opa/tree/master/test/e2e where we have more tests that are like this one which are testing out the sort of full extent of the API service (plus you get a bunch of helpers over there for stuff like cleaning up, waiting for the server, getting the addresses, etc).
There was a problem hiding this comment.
Awesome! I'll move it. 😃
There was a problem hiding this comment.
Done. It's nicer indeed. I've got a test or two to move there for authentication with TLS and authorization, I think, but that'll be a follow-up.
| golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f h1:wMNYb4v58l5UBM7MYRLPG6ZhfOqbKu7X5eyFl8ZhKvA= | ||
| golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= | ||
| golang.org/x/sync v0.0.0-20190423024810-112230192c58 h1:8gQV6CLnAEikrhgkHFbMAEhagSSnXWGV915qUMm9mrU= | ||
| golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= | ||
| golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= | ||
| golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a h1:1BGLXjeY4akVXGgbC9HugT3Jv3hCI0z56oJR5vAMgBU= | ||
| golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= | ||
| golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= | ||
| golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd h1:xhmwyvizuTgC2qz7ZlMluP20uW+C3Rm0FD/WLDX8884= | ||
| golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= |
There was a problem hiding this comment.
The dangers of adding new dependencies! 😆
This follows the docs provided by the [github issue](1), https://www.mailgun.com/blog/http-2-cleartext-h2c-client-example-go/ For manual testing, ensure that you have a curl version with the proper "Features", as can be read off `curl --version`: curl 7.72.0 (x86_64-apple-darwin19.5.0) libcurl/7.72.0 OpenSSL/1.1.1g zlib/1.2.11 brotli/1.0.9 zstd/1.4.5 c-ares/1.16.1 libssh2/1.9.0 nghttp2/1.41.0 librtmp/2.3 Release-Date: 2020-08-19 Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtmp rtsp scp sftp smb smbs smtp smtps telnet tftp Features: AsynchDNS brotli GSS-API HTTP2 HTTPS-proxy IPv6 Kerberos Largefile libz Metalink NTLM NTLM_WB SPNEGO SSL TLS-SRP UnixSockets zstd As described in the mailgun blog post, curl-openssl on homebrew has it for osx. With this change, and started with ./opa_darwin_amd64 run -s --h2c --diagnostic-addr :8182 Both the ALPN and the "prior knowledge" modes work against the insecure endpoints: $ curl -v --http2 http://127.0.0.1:8181/metrics >/dev/null * Trying 127.0.0.1:8181... > GET /metrics HTTP/1.1 > Host: 127.0.0.1:8181 > User-Agent: curl/7.72.0 > Accept: */* > Connection: Upgrade, HTTP2-Settings > Upgrade: h2c > HTTP2-Settings: AAMAAABkAAQCAAAAAAIAAAAA > * Mark bundle as not supporting multiuse < HTTP/1.1 101 Switching Protocols < Connection: Upgrade < Upgrade: h2c * Received 101 * Using HTTP2, server supports multi-use * Connection state changed (HTTP/2 confirmed) * Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0 * Connection state changed (MAX_CONCURRENT_STREAMS == 250)! < HTTP/2 200 < content-type: text/plain; version=0.0.4; charset=utf-8 < date: Wed, 30 Sep 2020 12:15:08 GMT < { [4096 bytes data] * Connection #0 to host 127.0.0.1 left intact $ curl -v --http2-prior-knowledge http://127.0.0.1:8181/metrics >/dev/null * Trying 127.0.0.1:8181... * Using HTTP2, server supports multi-use * Connection state changed (HTTP/2 confirmed) * Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0 * Using Stream ID: 1 (easy handle 0x7f85c3814c00) > GET /metrics HTTP/2 > Host: 127.0.0.1:8181 > user-agent: curl/7.72.0 > accept: */* > * Connection state changed (MAX_CONCURRENT_STREAMS == 250)! < HTTP/2 200 < content-type: text/plain; version=0.0.4; charset=utf-8 < date: Wed, 30 Sep 2020 12:15:13 GMT < { [4096 bytes data] * Connection #0 to host 127.0.0.1 left intact [1]: open-policy-agent#2399 Signed-off-by: Stephan Renatus <srenatus@chef.io>
Signed-off-by: Stephan Renatus <srenatus@chef.io>
patrick-east
approved these changes
Oct 1, 2020
Closed
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This follows the docs provided by the github issue,
https://www.mailgun.com/blog/http-2-cleartext-h2c-client-example-go/
For manual testing, ensure that you have a curl version with the proper
"Features", as can be read off
curl --version:As described in the mailgun blog post, curl-openssl on homebrew has it for osx.
With this change, and started with
Both the ALPN and the "prior knowledge" modes work against the insecure endpoints: