0
votes

On Google Cloud I've set up a VM running Varnish 6 (community) to manage HTTP and HTTP/2 (without SSL/TLS).

I've also set up hitch on port 443, and using a public IP it works fine.

Goal (EDIT)

Now I'd like to put this VM behind a load balancer. As pointed out by @Frank, my goal is to replace hitch with the Google Cloud load balancer service.

My configuration

I've created an unmanaged instance group using the VM, opening three ports in the config: [screenshot: instance group port configuration]

And my load-balancer configuration, with the "Endpoint protocol" set to HTTP/2, is: [screenshot: backend service configuration]

But this setup gives me a 502 error code:

HTTP/2 502
content-type: text/html; charset=UTF-8
referrer-policy: no-referrer
content-length: 332
date: Fri, 13 Nov 2020 14:38:02 GMT
alt-svc: clear

Endpoint set to HTTP

If I change the Endpoint Protocol to HTTP: [screenshot: backend service with protocol HTTP]

It works, but the request protocol is HTTP/1.1, as shown by varnishlog:

*   << Request  >> 44493
-   ReqMethod      GET
-   ReqURL         /?test=1
-   ReqProtocol    HTTP/1.1


2 Answers

2
votes

You need to use TLS (self-signed certificate is fine) if you want to use HTTP/2 on your backend as per the documentation:

In addition to this network-level encryption, you can use a secure protocol as the backend service protocol. Secure protocols include SSL, HTTPS, or HTTP/2 (using TLS).

Currently your backend is serving traffic to your load balancer on plain HTTP, so when you change the protocol to HTTP/2, the load balancer is expecting to receive HTTPS responses.

If you serve both protocols from your backend as well, then you must change your load balancer "Named port" to where your traffic is being served (common port is 443/tcp).

Edit complementing this answer with my own comment: it could be fine for a few backends, but each of them would need to be able to maintain its own non-self-signed SSL certificate, or you would need to implement a third-party mechanism to refresh that onto all of them. Additionally, the TCP load balancer is not compatible with Cloud CDN or with multiple URL paths to different kinds of backends. In the end it comes down to how much management you want to handle, and which GCP features you are willing to drop.
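As an added example (not code from the question or either answer), the backend-side setup the accepted answer describes: hitch terminates TLS in front of Varnish and advertises h2 via ALPN, and the load balancer's backend service is switched to protocol HTTP/2 on a named port pointing at 443. INSTANCE_GROUP, ZONE, BACKEND_SERVICE, the health-check name h2-hc and the file paths are placeholders.

```shell
#!/bin/sh
# Added example: HTTP/2-over-TLS backend for a Google Cloud external HTTPS load balancer.
# Names in CAPITALS are placeholders; the self-signed certificate is for the LB-to-backend leg only.
set -eu

PEM=/etc/hitch/backend.pem      # hitch wants key and certificate concatenated in one PEM
VARNISH_PROXY_PORT=8443         # varnish listens here in clear text with PROXY protocol

# Emit a hitch.conf that terminates TLS on 443 and offers h2 via ALPN, so a backend
# service with protocol HTTP/2 can negotiate HTTP/2 instead of returning 502.
render_hitch_conf() {
  pem="$1"; backend_port="$2"
  cat <<EOF
frontend = "[*]:443"
backend = "[127.0.0.1]:${backend_port}"
pem-file = "${pem}"
alpn-protos = "h2, http/1.1"
write-proxy-v2 = on
EOF
}

# Self-signed certificate for the hitch frontend (the answer notes this is sufficient).
make_self_signed_pem() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=backend.internal" \
    -keyout /tmp/key.pem -out /tmp/cert.pem
  cat /tmp/key.pem /tmp/cert.pem > "$1"
}

# varnishd needs the h2 feature enabled and a PROXY-protocol listener for hitch.
varnishd_flags() {
  echo "-a :80 -a :${VARNISH_PROXY_PORT},PROXY -p feature=+http2"
}

# Load balancer side: named port 443 on the instance group, an HTTP/2 health check
# on 443, and the backend service protocol set to HTTP2 with that named port.
configure_lb() {
  gcloud compute instance-groups set-named-ports INSTANCE_GROUP --zone ZONE --named-ports https:443
  gcloud compute health-checks create http2 h2-hc --port 443 --request-path /
  gcloud compute backend-services update BACKEND_SERVICE --global \
    --protocol HTTP2 --port-name https --health-checks h2-hc
}

# Check what the backend really negotiates (run from the VM or inside the VPC);
# prints "2" when hitch answered over HTTP/2, "1.1" when it fell back.
negotiated_protocol() {
  curl -sk --http2 -o /dev/null -w '%{http_version}' "https://$1:443/"
}
```

The 502 in the question is exactly what the LB returns when it is told HTTP/2 but the backend port answers in plain HTTP, so run negotiated_protocol against the instance before switching the backend service.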

0
votes

I found that the Google load balancer has some HTTP/2 limitations, and I quote:

  • HTTP/2 between the load balancer and the backend does not support running the WebSocket Protocol over a single stream of an HTTP/2 connection (RFC 8441).
  • HTTP/2 between the load balancer and the backend does not support server push.

So I think that (at the moment) I cannot take advantage of the HTTP/2 protocol even if I can create a pure HTTP/2 chain.

@Frank, you gave the answer nearest to a solution; I upvoted it.