2018-07-29 18:44
Views: 323

Deploying an HTTP/2 web server with Kubernetes on AWS

I have a Go server that is currently running with Kubernetes on AWS. The website sits behind Route 53 and an ELB that manages the SSL termination. Now I want to support HTTP/2 in my web server in order to push resources to the clients, and I saw that HTTP/2 requires that the web server use HTTPS. I have a few questions about that.

  • HTTP/2 requires HTTPS - In my case the HTTPS logic is in the ELB, and it manages the SSL termination for me. My application gets the decrypted data as a plain HTTP request. Do I need to remove the ELB in order to enable HTTP/2 in my web server? Is there any way to leave the ELB there and enable HTTP/2 in my web server?

  • In my local development I use openssl to generate a certificate. If I deploy the web server, I need to get the CA certificate from AWS, store it somewhere in the Kubernetes certificate manager, and inject it into my web server at initialization. What is the recommended way to do this?

I feel like I'm missing something, so I'll appreciate any help. Thanks




2 answers

  • dongliao8069 2018-07-29 19:16

    There is no benefit to deploying HTTP2 on an AWS load balancer if your backend is not HTTP2 also. Technically HTTP2 does not require HTTPS, but nobody implements HTTP2 for HTTP. HTTP2 is a protocol optimization (simple viewpoint) that removes round trips in the SSL negotiation, improves pipelining, etc. If the load balancer is communicating with your backend via HTTP, there will not be any improvement. The load balancer will see a small decrease in load due to reduced round trips during HTTPS setup.

    I recommend that you configure your backend services to only use HTTPS (redirect clients to HTTPS) and use an SSL certificate. Then configure HTTP2, which is not easy by the way. You can use Let's Encrypt for SSL which works very well. You can also use OpenSSL self-signed certificates (which I don't recommend). You cannot use AWS services to create SSL certificates for your backend services, only for AWS managed services (CloudFront, ALB, etc.).

    You can also set up the load balancer with Layer 4 (TCP) listeners. This is what I do when I set up HTTP2 on my backend servers. Now the entire path from client to backend is using HTTP2 without double SSL encryption / decryption layers.

    One of the nice features of load balancers is called "SSL offloading". This means that you enable SSL on the load balancer and only enable HTTP on your backend web servers. This goes against HTTP2. Therefore think through what you really want to accomplish and then design your services to meet those objectives.

    Another point to consider. Since you are looking into HTTP2, at the same time remove support in your services for the older TLS versions and unsafe encryption and hashing algorithms. Dropping TLS 1.0 should be mandatory today and I recommend dropping TLS 1.1 also. Unless you really need to support ancient browsers or custom low-end hardware, TLS 1.2 should be the standard today. Your logfiles can tell you if clients are connecting via older protocols.

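The setup the answer above recommends, as an added example (not code from the asker or the answerer): a Go backend that terminates TLS itself (what a Layer 4 TCP listener on the ELB would forward to), refuses TLS 1.0/1.1, advertises h2 over ALPN so browsers negotiate HTTP/2, and redirects plain-HTTP clients to HTTPS. The ports, the "localhost" hostname and the self-signed development certificate are assumptions; the dev certificate stands in for the openssl step in the question, and in the cluster the certificate and key would instead be mounted from a Kubernetes Secret and loaded with tls.LoadX509KeyPair. ProbeTLS is a small self-check for the "your logfiles can tell you" point: it confirms, before traffic arrives, that an old-TLS client is refused and a modern one gets h2.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"log"
	"math/big"
	"net/http"
	"time"
)

// NewServerTLSConfig is the backend's TLS policy: TLS 1.2 minimum (TLS 1.0/1.1
// refused) and h2 offered via ALPN. net/http adds "h2" itself in ListenAndServeTLS,
// but stating it here documents the intent. AEAD suites only; TLS 1.3 suites are
// fixed by Go and need no listing.
func NewServerTLSConfig(cert tls.Certificate) *tls.Config {
	return &tls.Config{
		Certificates:     []tls.Certificate{cert},
		MinVersion:       tls.VersionTLS12,
		NextProtos:       []string{"h2", "http/1.1"},
		CurvePreferences: []tls.CurveID{tls.X25519, tls.CurveP256},
		CipherSuites: []uint16{
			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, // required by HTTP/2 (RFC 7540 9.2.2)
			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
			tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
		},
	}
}

// RedirectToHTTPS is the only handler on the plain-HTTP port.
func RedirectToHTTPS(w http.ResponseWriter, r *http.Request) {
	http.Redirect(w, r, "https://"+r.Host+r.URL.RequestURI(), http.StatusMovedPermanently)
}

// GenerateDevCert makes a one-day self-signed certificate for local runs only
// (assumed stand-in for the openssl-generated cert in the question).
func GenerateDevCert(host string) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// ProbeTLS starts a throwaway listener with cfg, dials it once with the given
// client limits and reports the negotiated ALPN protocol and TLS version.
func ProbeTLS(cfg *tls.Config, clientMaxVersion uint16, clientProtos []string) (proto string, version uint16, err error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", cfg)
	if err != nil {
		return "", 0, err
	}
	defer ln.Close()
	go func() { // drive the server side of one handshake; failures surface at the client
		c, err := ln.Accept()
		if err != nil {
			return
		}
		defer c.Close()
		_ = c.(*tls.Conn).Handshake()
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{
		InsecureSkipVerify: true, // dev cert is self-signed; only the version/ALPN policy is probed
		MinVersion:         tls.VersionTLS10,
		MaxVersion:         clientMaxVersion,
		NextProtos:         clientProtos,
	})
	if err != nil {
		return "", 0, err
	}
	defer conn.Close()
	st := conn.ConnectionState()
	return st.NegotiatedProtocol, st.Version, nil
}

func main() {
	cert, err := GenerateDevCert("localhost")
	if err != nil {
		log.Fatal(err)
	}
	srv := &http.Server{
		Addr:      ":8443", // assumed port
		TLSConfig: NewServerTLSConfig(cert),
		Handler: http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
			fmt.Fprintf(w, "proto=%s tls=%#x\n", r.Proto, r.TLS.Version) // "proto=HTTP/2.0" for h2 clients
		}),
	}
	go func() { log.Fatal(http.ListenAndServe(":8080", http.HandlerFunc(RedirectToHTTPS))) }()
	log.Fatal(srv.ListenAndServeTLS("", "")) // empty paths: certificate comes from TLSConfig
}
```

Run it and `curl -k -v https://localhost:8443/` shows `ALPN: server accepted h2` and `proto=HTTP/2.0`, while `curl -k --tls-max 1.1 https://localhost:8443/` is refused at the handshake. With the ELB switched to a TCP listener on 443, that is exactly what browsers see end to end, with no second TLS layer in between.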
