HTTP/2 Access Through a Proxy

Does access over HTTP/2 still work when it goes through a proxy? I tried it out with what I had available.

The curl command was used for the tests.
It may differ by distribution, but the Debian sid package is compiled with HTTP/2 support.

soukaku@nexus01:[~]$ curl -V
curl 7.45.0 (x86_64-pc-linux-gnu) libcurl/7.45.0 GnuTLS/3.3.18 zlib/1.2.8 libidn/1.32 libssh2/1.5.0 nghttp2/1.5.0 librtmp/2.3
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtmp rtsp scp sftp smb smbs smtp smtps telnet tftp
Features: AsynchDNS IDN IPv6 Largefile GSS-API Kerberos SPNEGO NTLM NTLM_WB SSL libz TLS-SRP HTTP2 UnixSockets

There is a command-line option that selects which HTTP protocol version to use, so specifying "--http2" explicitly gives you HTTP/2 access.

 -0, --http1.0       Use HTTP 1.0 (H)
     --http1.1       Use HTTP 1.1 (H)
     --http2         Use HTTP 2 (H)

The test targets were the following six:

  • Squid 3.1.23 (CentOS 6.7)
  • Squid 3.3.8 (CentOS 7.2)
  • Squid 3.5.12 (Debian sid)
  • Apache Traffic Server 6.6.0 (Debian jessie)
  • Apache 2.4.10 + mod_proxy (Debian jessie)
  • Apache 2.4.18 + mod_proxy (Debian jessie)

#I'd like to try commercial products too, if I get the chance.

The curl options used for the tests were as follows.

curl -vIL --http2 -x IP_ADDRESS:PROXY_PORT https://www.downtown.jp
  • -v : verbose messages while the command runs
  • -I : output only the request and response headers
  • -L : follow redirects
  • --http2 : force access over HTTP/2
  • -x : specify the proxy server and port ← this is what changes per test target

The results of accessing through each proxy are below.
Every proxy I tried handled the HTTP/2 access without any problem, which, to be honest, was not the outcome I was expecting...
Looking at the output, the proxy only sets up a CONNECT tunnel; the TLS connection is established through that tunnel and the HTTP version is negotiated (via ALPN) inside it. So it may simply be that any proxy that can handle HTTPS properly will not run into any particular issue.
#What happens with h2c, or with a proxy server that can decode HTTPS, is something I'm curious about.
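As an added example (not code from the original post), the following Python script does by hand what the curl runs on this page do: it sends the CONNECT request to the proxy, parses the proxy's reply (including the Proxy-agent or Server header that identifies the proxy software), then opens TLS inside the tunnel offering ALPN h2 and http/1.1 and reports which protocol the origin selected. The proxy address and target hostname are the caller's inputs, and the User-Agent string is made up.

```python
import socket
import ssl

# Added example (not from the original post): reproduces the curl flow above,
# i.e. a CONNECT tunnel through the proxy, then TLS with ALPN inside it.

def build_connect_request(host, port):
    # Same shape as the CONNECT request curl 7.45.0 sends in the logs above.
    return (
        "CONNECT {0}:{1} HTTP/1.1\r\nHost: {0}:{1}\r\n"
        "User-Agent: h2-proxy-check\r\n"   # hypothetical agent string
        "Proxy-Connection: Keep-Alive\r\n\r\n"
    ).format(host, port).encode("ascii")

def parse_connect_response(raw):
    """Return (http_version, status, headers) from the proxy's CONNECT reply.
    The status decides whether a tunnel exists; headers such as Proxy-agent:
    or Server: reveal the proxy software, as in the ATS and Apache logs."""
    lines = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ", 2)          # reason phrase may be absent
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return parts[0], int(parts[1]), headers

def read_connect_response(sock):
    """Read until the end of the proxy's header block (blank line)."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("proxy closed the connection during CONNECT")
        buf += chunk
    return buf

def negotiated_protocol_via_proxy(proxy_host, proxy_port, target, port=443):
    """Return (alpn_protocol, proxy_software). alpn_protocol is 'h2',
    'http/1.1' or None when the origin negotiated no ALPN protocol."""
    ctx = ssl.create_default_context()      # verifies the origin certificate
    ctx.set_alpn_protocols(["h2", "http/1.1"])
    with socket.create_connection((proxy_host, proxy_port), timeout=10) as sock:
        sock.sendall(build_connect_request(target, port))
        version, status, hdrs = parse_connect_response(read_connect_response(sock))
        if status != 200:
            raise ConnectionError("proxy refused CONNECT: %s %d" % (version, status))
        # The handshake runs inside the tunnel, so the proxy never sees ALPN.
        with ctx.wrap_socket(sock, server_hostname=target) as tls:
            return tls.selected_alpn_protocol(), hdrs.get("proxy-agent") or hdrs.get("server")
```

Once the tunnel is up the proxy only relays bytes, so the protocol reported here is purely the origin's ALPN choice; only a proxy that terminates TLS itself would be in a position to change it.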

Squid 3.1.23

The Squid project has already dropped support for this version, but it is the one shipped in the RHEL/CentOS 6 packages, so it may well still be running in a fair number of places.

soukaku@nexus01:[~]$ curl -vIL --http2 -x 172.16.0.194:3128 https://www.downtown.jp
* Rebuilt URL to: https://www.downtown.jp/
* Trying 172.16.0.194...
* Connected to 172.16.0.194 (172.16.0.194) port 3128 (#0)
* Establish HTTP proxy tunnel to www.downtown.jp:443
> CONNECT www.downtown.jp:443 HTTP/1.1
> Host: www.downtown.jp:443
> User-Agent: curl/7.45.0
> Proxy-Connection: Keep-Alive
>
< HTTP/1.0 200 Connection established
HTTP/1.0 200 Connection established
<

* Proxy replied OK to CONNECT request
* found 173 certificates in /etc/ssl/certs/ca-certificates.crt
* found 705 certificates in /etc/ssl/certs
* ALPN, offering h2
* ALPN, offering http/1.1
* SSL connection using TLS1.2 / ECDHE_RSA_AES_128_GCM_SHA256
* server certificate verification OK
* server certificate status verification SKIPPED
* common name: www.downtown.jp (matched)
* server certificate expiration date OK
* server certificate activation date OK
* certificate public key: RSA
* certificate version: #3
* subject: CN=www.downtown.jp
* start date: Mon, 14 Dec 2015 04:31:00 GMT
* expire date: Sun, 13 Mar 2016 04:31:00 GMT
* issuer: C=US,O=Let's Encrypt,CN=Let's Encrypt Authority X1
* compression: NULL
* ALPN, server accepted to use h2
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* TCP_NODELAY set
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x55e2e329c8e0)
> HEAD / HTTP/1.1
> Host: www.downtown.jp
> User-Agent: curl/7.45.0
> Accept: */*
>
* http2_recv: 16384 bytes buffer at 0x55e2e329d258 (stream 1)
* http2_recv: 16384 bytes buffer at 0x55e2e329d258 (stream 1)
* http2_recv: 16384 bytes buffer at 0x55e2e329d258 (stream 1)
* http2_recv: returns 241 for stream 1
< HTTP/2.0 200
HTTP/2.0 200
< date:Sat, 26 Dec 2015 16:06:55 GMT
date:Sat, 26 Dec 2015 16:06:55 GMT
< server:Apache/2.4.18 (Debian)
server:Apache/2.4.18 (Debian)
< accept-ranges:bytes
accept-ranges:bytes
< vary:Accept-Encoding
vary:Accept-Encoding
< cache-control:max-age=390155
cache-control:max-age=390155
< expires:Thu, 31 Dec 2015 04:29:31 GMT
expires:Thu, 31 Dec 2015 04:29:31 GMT
< content-length:13718
content-length:13718
< content-type:text/html
content-type:text/html

<
* Connection #0 to host 172.16.0.194 left intact

Squid 3.3.8

The version in the CentOS 7 repository is 3.3.8. (This one is also no longer supported by the project.)

soukaku@nexus01:[~]$ curl -vIL --http2 -x 172.16.0.193:3128 https://www.downtown.jp
* Rebuilt URL to: https://www.downtown.jp/
* Trying 172.16.0.193...
* Connected to 172.16.0.193 (172.16.0.193) port 3128 (#0)
* Establish HTTP proxy tunnel to www.downtown.jp:443
> CONNECT www.downtown.jp:443 HTTP/1.1
> Host: www.downtown.jp:443
> User-Agent: curl/7.45.0
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 200 Connection established
HTTP/1.1 200 Connection established
<

* Proxy replied OK to CONNECT request
* found 173 certificates in /etc/ssl/certs/ca-certificates.crt
* found 705 certificates in /etc/ssl/certs
* ALPN, offering h2
* ALPN, offering http/1.1
* SSL connection using TLS1.2 / ECDHE_RSA_AES_128_GCM_SHA256
* server certificate verification OK
* server certificate status verification SKIPPED
* common name: www.downtown.jp (matched)
* server certificate expiration date OK
* server certificate activation date OK
* certificate public key: RSA
* certificate version: #3
* subject: CN=www.downtown.jp
* start date: Mon, 14 Dec 2015 04:31:00 GMT
* expire date: Sun, 13 Mar 2016 04:31:00 GMT
* issuer: C=US,O=Let's Encrypt,CN=Let's Encrypt Authority X1
* compression: NULL
* ALPN, server accepted to use h2
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* TCP_NODELAY set
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x556d0bdcf8e0)
> HEAD / HTTP/1.1
> Host: www.downtown.jp
> User-Agent: curl/7.45.0
> Accept: */*
>
* http2_recv: 16384 bytes buffer at 0x556d0bdd0258 (stream 1)
* http2_recv: 16384 bytes buffer at 0x556d0bdd0258 (stream 1)
* http2_recv: 16384 bytes buffer at 0x556d0bdd0258 (stream 1)
* http2_recv: returns 241 for stream 1
< HTTP/2.0 200
HTTP/2.0 200
< date:Sat, 26 Dec 2015 12:35:14 GMT
date:Sat, 26 Dec 2015 12:35:14 GMT
< server:Apache/2.4.18 (Debian)
server:Apache/2.4.18 (Debian)
< accept-ranges:bytes
accept-ranges:bytes
< vary:Accept-Encoding
vary:Accept-Encoding
< cache-control:max-age=402856
cache-control:max-age=402856
< expires:Thu, 31 Dec 2015 04:29:31 GMT
expires:Thu, 31 Dec 2015 04:29:31 GMT
< content-length:13718
content-length:13718
< content-type:text/html
content-type:text/html

<
* Connection #0 to host 172.16.0.193 left intact

Squid 3.5.12

The version I use day to day. Debian sid packages this version.

soukaku@nexus01:[~]$ curl -vIL --http2 -x 127.0.0.1:3128 https://www.downtown.jp
* Rebuilt URL to: https://www.downtown.jp/
* Trying 127.0.0.1...
* Connected to 127.0.0.1 (127.0.0.1) port 3128 (#0)
* Establish HTTP proxy tunnel to www.downtown.jp:443
> CONNECT www.downtown.jp:443 HTTP/1.1
> Host: www.downtown.jp:443
> User-Agent: curl/7.45.0
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 200 Connection established
HTTP/1.1 200 Connection established
<

* Proxy replied OK to CONNECT request
* found 173 certificates in /etc/ssl/certs/ca-certificates.crt
* found 705 certificates in /etc/ssl/certs
* ALPN, offering h2
* ALPN, offering http/1.1
* SSL connection using TLS1.2 / ECDHE_RSA_AES_128_GCM_SHA256
* server certificate verification OK
* server certificate status verification SKIPPED
* common name: www.downtown.jp (matched)
* server certificate expiration date OK
* server certificate activation date OK
* certificate public key: RSA
* certificate version: #3
* subject: CN=www.downtown.jp
* start date: Mon, 14 Dec 2015 04:31:00 GMT
* expire date: Sun, 13 Mar 2016 04:31:00 GMT
* issuer: C=US,O=Let's Encrypt,CN=Let's Encrypt Authority X1
* compression: NULL
* ALPN, server accepted to use h2
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* TCP_NODELAY set
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x56329e0978e0)
> HEAD / HTTP/1.1
> Host: www.downtown.jp
> User-Agent: curl/7.45.0
> Accept: */*
>
* http2_recv: 16384 bytes buffer at 0x56329e098258 (stream 1)
* http2_recv: 16384 bytes buffer at 0x56329e098258 (stream 1)
* http2_recv: 16384 bytes buffer at 0x56329e098258 (stream 1)
* http2_recv: returns 241 for stream 1
< HTTP/2.0 200
HTTP/2.0 200
< date:Sat, 26 Dec 2015 09:36:52 GMT
date:Sat, 26 Dec 2015 09:36:52 GMT
< server:Apache/2.4.18 (Debian)
server:Apache/2.4.18 (Debian)
< accept-ranges:bytes
accept-ranges:bytes
< vary:Accept-Encoding
vary:Accept-Encoding
< cache-control:max-age=413559
cache-control:max-age=413559
< expires:Thu, 31 Dec 2015 04:29:31 GMT
expires:Thu, 31 Dec 2015 04:29:31 GMT
< content-length:13718
content-length:13718
< content-type:text/html
content-type:text/html

<
* Connection #0 to host 127.0.0.1 left intact

Apache Traffic Server 6.0.0

Apache Traffic Server, for comparison.
jessie packages 6.0.0, so I used that as-is. (It seemed to have been dropped from the package archive for a while, but appears to be back.)

soukaku@nexus01:[~]$ curl -vIL --http2 -x 172.16.0.200:8080 https://www.downtown.jp
* Rebuilt URL to: https://www.downtown.jp/
* Trying 172.16.0.200...
* Connected to 172.16.0.200 (172.16.0.200) port 8080 (#0)
* Establish HTTP proxy tunnel to www.downtown.jp:443
> CONNECT www.downtown.jp:443 HTTP/1.1
> Host: www.downtown.jp:443
> User-Agent: curl/7.45.0
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< Date: Sat, 26 Dec 2015 09:41:57 GMT
Date: Sat, 26 Dec 2015 09:41:57 GMT
< Proxy-Connection: close
Proxy-Connection: close
< Server: ATS/6.0.0
Server: ATS/6.0.0
<

* Proxy replied OK to CONNECT request
* found 173 certificates in /etc/ssl/certs/ca-certificates.crt
* found 705 certificates in /etc/ssl/certs
* ALPN, offering h2
* ALPN, offering http/1.1
* SSL connection using TLS1.2 / ECDHE_RSA_AES_128_GCM_SHA256
* server certificate verification OK
* server certificate status verification SKIPPED
* common name: www.downtown.jp (matched)
* server certificate expiration date OK
* server certificate activation date OK
* certificate public key: RSA
* certificate version: #3
* subject: CN=www.downtown.jp
* start date: Mon, 14 Dec 2015 04:31:00 GMT
* expire date: Sun, 13 Mar 2016 04:31:00 GMT
* issuer: C=US,O=Let's Encrypt,CN=Let's Encrypt Authority X1
* compression: NULL
* ALPN, server accepted to use h2
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* TCP_NODELAY set
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x558926bf88e0)
> HEAD / HTTP/1.1
> Host: www.downtown.jp
> User-Agent: curl/7.45.0
> Accept: */*
>
* http2_recv: 16384 bytes buffer at 0x558926bf9258 (stream 1)
* http2_recv: 16384 bytes buffer at 0x558926bf9258 (stream 1)
* http2_recv: 16384 bytes buffer at 0x558926bf9258 (stream 1)
* http2_recv: returns 241 for stream 1
< HTTP/2.0 200
HTTP/2.0 200
< date:Sat, 26 Dec 2015 09:41:55 GMT
date:Sat, 26 Dec 2015 09:41:55 GMT
< server:Apache/2.4.18 (Debian)
server:Apache/2.4.18 (Debian)
< accept-ranges:bytes
accept-ranges:bytes
< vary:Accept-Encoding
vary:Accept-Encoding
< cache-control:max-age=413255
cache-control:max-age=413255
< expires:Thu, 31 Dec 2015 04:29:31 GMT
expires:Thu, 31 Dec 2015 04:29:31 GMT
< content-length:13718
content-length:13718
< content-type:text/html
content-type:text/html

<
* Connection #0 to host 172.16.0.200 left intact

Apache 2.4.10 + mod_proxy

As a web server this version does not support HTTP/2, but used as a proxy server it passes HTTP/2 through without any problem.

soukaku@nexus01:[~]$ curl -vIL --http2 -x 172.16.0.200:3128 https://www.downtown.jp
* Rebuilt URL to: https://www.downtown.jp/
* Trying 172.16.0.200...
* Connected to 172.16.0.200 (172.16.0.200) port 3128 (#0)
* Establish HTTP proxy tunnel to www.downtown.jp:443
> CONNECT www.downtown.jp:443 HTTP/1.1
> Host: www.downtown.jp:443
> User-Agent: curl/7.45.0
> Proxy-Connection: Keep-Alive
>
< HTTP/1.0 200 Connection Established
HTTP/1.0 200 Connection Established
< Proxy-agent: Apache/2.4.10 (Debian)
Proxy-agent: Apache/2.4.10 (Debian)
<

* Proxy replied OK to CONNECT request
* found 173 certificates in /etc/ssl/certs/ca-certificates.crt
* found 705 certificates in /etc/ssl/certs
* ALPN, offering h2
* ALPN, offering http/1.1
* SSL connection using TLS1.2 / ECDHE_RSA_AES_128_GCM_SHA256
* server certificate verification OK
* server certificate status verification SKIPPED
* common name: www.downtown.jp (matched)
* server certificate expiration date OK
* server certificate activation date OK
* certificate public key: RSA
* certificate version: #3
* subject: CN=www.downtown.jp
* start date: Mon, 14 Dec 2015 04:31:00 GMT
* expire date: Sun, 13 Mar 2016 04:31:00 GMT
* issuer: C=US,O=Let's Encrypt,CN=Let's Encrypt Authority X1
* compression: NULL
* ALPN, server accepted to use h2
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* TCP_NODELAY set
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x558c4f8718e0)
> HEAD / HTTP/1.1
> Host: www.downtown.jp
> User-Agent: curl/7.45.0
> Accept: */*
>
* http2_recv: 16384 bytes buffer at 0x558c4f872258 (stream 1)
* http2_recv: 16384 bytes buffer at 0x558c4f872258 (stream 1)
* http2_recv: 16384 bytes buffer at 0x558c4f872258 (stream 1)
* http2_recv: returns 241 for stream 1
< HTTP/2.0 200
HTTP/2.0 200
< date:Sun, 27 Dec 2015 07:35:07 GMT
date:Sun, 27 Dec 2015 07:35:07 GMT
< server:Apache/2.4.18 (Debian)
server:Apache/2.4.18 (Debian)
< accept-ranges:bytes
accept-ranges:bytes
< vary:Accept-Encoding
vary:Accept-Encoding
< cache-control:max-age=334463
cache-control:max-age=334463
< expires:Thu, 31 Dec 2015 04:29:31 GMT
expires:Thu, 31 Dec 2015 04:29:31 GMT
< content-length:13718
content-length:13718
< content-type:text/html
content-type:text/html

<
* Connection #0 to host 172.16.0.200 left intact

Apache 2.4.18 + mod_proxy

This one is the HTTP/2-capable version.

soukaku@nexus01:[~]$ curl -vIL --http2 -x 172.16.0.200:3128 https://www.downtown.jp
* Rebuilt URL to: https://www.downtown.jp/
* Trying 172.16.0.200...
* Connected to 172.16.0.200 (172.16.0.200) port 3128 (#0)
* Establish HTTP proxy tunnel to www.downtown.jp:443
> CONNECT www.downtown.jp:443 HTTP/1.1
> Host: www.downtown.jp:443
> User-Agent: curl/7.45.0
> Proxy-Connection: Keep-Alive
>
< HTTP/1.0 200 Connection Established
HTTP/1.0 200 Connection Established
< Proxy-agent: Apache/2.4.18 (Debian)
Proxy-agent: Apache/2.4.18 (Debian)
<

* Proxy replied OK to CONNECT request
* found 173 certificates in /etc/ssl/certs/ca-certificates.crt
* found 705 certificates in /etc/ssl/certs
* ALPN, offering h2
* ALPN, offering http/1.1
* SSL connection using TLS1.2 / ECDHE_RSA_AES_128_GCM_SHA256
* server certificate verification OK
* server certificate status verification SKIPPED
* common name: www.downtown.jp (matched)
* server certificate expiration date OK
* server certificate activation date OK
* certificate public key: RSA
* certificate version: #3
* subject: CN=www.downtown.jp
* start date: Mon, 14 Dec 2015 04:31:00 GMT
* expire date: Sun, 13 Mar 2016 04:31:00 GMT
* issuer: C=US,O=Let's Encrypt,CN=Let's Encrypt Authority X1
* compression: NULL
* ALPN, server accepted to use h2
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* TCP_NODELAY set
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x55ff2676f8e0)
> HEAD / HTTP/1.1
> Host: www.downtown.jp
> User-Agent: curl/7.45.0
> Accept: */*
>
* http2_recv: 16384 bytes buffer at 0x55ff26770258 (stream 1)
* http2_recv: 16384 bytes buffer at 0x55ff26770258 (stream 1)
* http2_recv: 16384 bytes buffer at 0x55ff26770258 (stream 1)
* http2_recv: returns 241 for stream 1
< HTTP/2.0 200
HTTP/2.0 200
< date:Sun, 27 Dec 2015 07:12:02 GMT
date:Sun, 27 Dec 2015 07:12:02 GMT
< server:Apache/2.4.18 (Debian)
server:Apache/2.4.18 (Debian)
< accept-ranges:bytes
accept-ranges:bytes
< vary:Accept-Encoding
vary:Accept-Encoding
< cache-control:max-age=335848
cache-control:max-age=335848
< expires:Thu, 31 Dec 2015 04:29:31 GMT
expires:Thu, 31 Dec 2015 04:29:31 GMT
< content-length:13718
content-length:13718
< content-type:text/html
content-type:text/html

<
* Connection #0 to host 172.16.0.200 left intact

I had been expecting that something might not be able to handle HTTP/2, but everything I could get my hands on seems to handle it without any problem.
