~sircmpwn/sr.ht-discuss

Sourcehut pages only uses HTTP/1.1

Details
Message ID
<9a34cc9a-146a-15b7-890c-5ba1f816f3ae@thelion.website>
DKIM signature
missing
I started hosting my website on sourcehut pages and it's worked pretty 
well. However, something I've noticed is that it seems to only use HTTP/1.1.

I was wondering if this was working as intended or if it was an 
oversight? HTTP/2 can improve performance and I notice sourcehut itself 
uses it so it would be nice to have that there as well.

Thanks,
Lionir
Details
Message ID
<e460e2f6-e849-b488-f135-49373d909d75@bitfehler.net>
In-Reply-To
<9a34cc9a-146a-15b7-890c-5ba1f816f3ae@thelion.website>
DKIM signature
missing
On 8/3/22 17:16, Lionir wrote:
> I was wondering if this was working as intended or if it was an 
> oversight

pages.sr.ht uses a somewhat special setup with tlstunnel and uacme to 
retrieve Let's Encrypt certificates for pages on demand. This setup 
makes it a little hard to set up with HTTP/2, as the negotiation for it 
happens in TLS, which is handled (and then stripped) in a different process.

Conrad
Details
Message ID
<gXGm4VlvunhO0lhzXndnGsn5RMyFm31rjaCj8zRaDOzy_IPdnf8MZonG9OCG1KujYckOoJhirXRe1NkWytKrIlSaHVCTL9ZRBkOP0M3XUHk=@emersion.fr>
In-Reply-To
<e460e2f6-e849-b488-f135-49373d909d75@bitfehler.net>
DKIM signature
missing
On Thursday, August 4th, 2022 at 10:32, Conrad Hoffmann <ch@bitfehler.net> wrote:

> On 8/3/22 17:16, Lionir wrote:
> 
> > I was wondering if this was working as intended or if it was an
> > oversight
> 
> pages.sr.ht uses a somewhat special setup with tlstunnel and uacme to
> retrieve Let's Encrypt certificates for pages on demand. This setup
> makes it a little hard to set up with HTTP/2, as the negotiation for it
> happens in TLS, which is handled (and then stripped) in a different process.

Indeed. It is possible to set up HTTP/2 with tlstunnel, but the HTTP
server needs to support reading ALPN fields from the PROXY protocol,
which nginx can only do in the pro variant iirc.
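
An added illustration of the mechanism discussed above, not part of the thread and not tlstunnel's or nginx's code: PROXY protocol v2 can carry the ALPN value chosen during the TLS handshake as a TLV (type `0x01`), which the plaintext backend has to parse to learn that `h2` was negotiated. The sample header and addresses are constructed, and the fallback to `http/1.1` when the TLV is absent is an assumption of this example.

```python
import struct

SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"  # 12-byte PROXY protocol v2 magic
ADDR_LEN = {0x0: 0, 0x1: 12, 0x2: 36, 0x3: 216}  # UNSPEC, IPv4, IPv6, UNIX
PP2_TYPE_ALPN = 0x01


def parse_tlvs(header):
    """Return {type: value} for the TLVs in one PROXY v2 header."""
    if len(header) < 16 or header[:12] != SIGNATURE:
        raise ValueError("not a PROXY protocol v2 header")
    ver_cmd, fam_proto, length = struct.unpack("!BBH", header[12:16])
    if ver_cmd >> 4 != 2:
        raise ValueError("unsupported PROXY protocol version")
    body = header[16:16 + length]
    if len(body) != length:
        raise ValueError("truncated header")
    family = fam_proto >> 4
    if family not in ADDR_LEN or ADDR_LEN[family] > length:
        raise ValueError("bad address family or length")
    # TLVs follow the fixed-size address block: 1-byte type, 2-byte length.
    pos, tlvs = ADDR_LEN[family], {}
    while pos < length:
        if pos + 3 > length:
            raise ValueError("truncated TLV header")
        tlv_type, tlv_len = struct.unpack("!BH", body[pos:pos + 3])
        pos += 3
        if pos + tlv_len > length:
            raise ValueError("TLV overruns header")
        tlvs[tlv_type] = body[pos:pos + tlv_len]
        pos += tlv_len
    return tlvs


def negotiated_alpn(header):
    """ALPN reported by the TLS terminator; assumed http/1.1 if absent."""
    return parse_tlvs(header).get(PP2_TYPE_ALPN, b"http/1.1").decode("ascii")


def build_header(alpn=None):
    """Constructed sample: TCP/IPv4 192.0.2.10:51000 -> 198.51.100.5:443."""
    body = bytes([192, 0, 2, 10, 198, 51, 100, 5])
    body += struct.pack("!HH", 51000, 443)
    if alpn is not None:
        body += struct.pack("!BH", PP2_TYPE_ALPN, len(alpn)) + alpn
    # 0x21 = version 2, PROXY command; 0x11 = TCP over IPv4
    return SIGNATURE + struct.pack("!BBH", 0x21, 0x11, len(body)) + body
```

A backend that acts on this header should accept it only on a listener reachable by the TLS terminator, since everything in it is asserted by the sender.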
Details
Message ID
<20220804111957.jphcsq3lohzcyucu@tp>
In-Reply-To
<gXGm4VlvunhO0lhzXndnGsn5RMyFm31rjaCj8zRaDOzy_IPdnf8MZonG9OCG1KujYckOoJhirXRe1NkWytKrIlSaHVCTL9ZRBkOP0M3XUHk=@emersion.fr>
DKIM signature
missing
On 22-08-04 08:43:58, Simon Ser wrote:
> It is possible to set up HTTP/2 with tlstunnel, but the HTTP
> server needs to support reading ALPN fields from the PROXY protocol,
> which nginx can only do in the pro variant iirc.

I wonder if a similar setup can be done on top of Caddy? Though I can't
say that I know how tlstunnel would interact with it (or if it needs to,
seeing that Caddy supports automatic Let's Encrypt certificate
negotiation).

Simon, could you point us to how the setup for pages is done? I
can't find anything that looks relevant in the ~sircmpwn/pages.sr.ht
repo.

/Marius
Details
Message ID
<CLX7ELBVTVFH.2ZM13F7ONYPIP@taiga>
In-Reply-To
<20220804111957.jphcsq3lohzcyucu@tp>
DKIM signature
missing
On Thu Aug 4, 2022 at 1:19 PM CEST, Marius Orcsik wrote:
> I wonder if a similar setup can be done on top of Caddy? Though I can't
> say that I know how tlstunnel would interact with it (or if it needs to,
> seeing that Caddy supports automatic Let's Encrypt certificate
> negotiation).

We used Caddy before and I have no desire whatsoever to revisit it.
Details
Message ID
<XkUeq6DfKPA9UCnPNrN6KJR8Ys8oO68pqFoNepM-eBySO1rqTnnPIgzgoL-jq0vwykW6xudGFhfbsKsTXcAJdi3IbFHZnVwE0_cllGTenqQ=@emersion.fr>
In-Reply-To
<20220804111957.jphcsq3lohzcyucu@tp>
DKIM signature
missing
On Thursday, August 4th, 2022 at 13:19, Marius Orcsik <marius@federated.id> wrote:

> Simon, could you point us to how the setup for pages is done? I
> can't find anything that looks relevant in the ~sircmpwn/pages.sr.ht
> repo.

It's nothing too crazy, just tlstunnel in front of nginx. The config
files are published at [1].

[1]: https://git.sr.ht/~sircmpwn/sr.ht-nginx/tree/master/item/pages.sr.ht
Details
Message ID
<20220804191016.2e727bbd@inspiro.localdomain>
In-Reply-To
<XkUeq6DfKPA9UCnPNrN6KJR8Ys8oO68pqFoNepM-eBySO1rqTnnPIgzgoL-jq0vwykW6xudGFhfbsKsTXcAJdi3IbFHZnVwE0_cllGTenqQ=@emersion.fr>
DKIM signature
missing
On Thu, 04 Aug 2022 11:46:35 +0000
Simon Ser <contact@emersion.fr> wrote:

> On Thursday, August 4th, 2022 at 13:19, Marius Orcsik
> <marius@federated.id> wrote:
> 
> > Simon, could you point us to how the setup for pages is done? I
> > can't find anything that looks relevant in the ~sircmpwn/pages.sr.ht
> > repo.
> 
> It's nothing too crazy, just tlstunnel in front of nginx. The config
> files are published at [1].
> 
> [1]:
> https://git.sr.ht/~sircmpwn/sr.ht-nginx/tree/master/item/pages.sr.ht

Just curious, why not use HAProxy? It supports TLS, HTTP/2, and
HTTP/1.1 in a single-line configuration.
Details
Message ID
<PDZPNHXAgCYVCHC-6k4uSpUeo5nGIC4Qsfb1QB2q0JBTD4gEdM_8_DEbSTDW7qtWnV-qHu-c4PbmLMj_ycHIkM8Uk9ltjOc4RD1ai7dyTts=@emersion.fr>
In-Reply-To
<20220804191016.2e727bbd@inspiro.localdomain>
DKIM signature
missing
On Thursday, August 4th, 2022 at 14:12, Shulhan <ms@kilabit.info> wrote:

> Just curious, why not use HAProxy? It supports TLS, HTTP/2, and
> HTTP/1.1 in a single-line configuration.

We need to obtain TLS certificates on-demand for custom domains.
(Besides, nginx can already do everything you've listed here.)