I am trying to figure out why, although nginx is configured to listen on HTTP1.2, all requests in the logs are HTTP/1.1:
[11/Oct/2024:11:53:41 +0300] "GET /el_gr/tapetsaries-toixou/fototapetsaries-toixou/zoa/filtra/xromatikes_omades-psychra-kitrina-xroma-oxia_fusiko-gkri_mpez-leuko-anoichto_mob-mob-somon-anoichto_gkri-anthraki-gkri-thema_fototapetsarias-artistic-apoxrosi_fototapetsarias-egchromo?price=amshopby_slider_from-amshopby_slider_to HTTP/1.1" 200 50347 "-" "Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.6668.89 Mobile Safari/537.36 (compatible; GoogleOther)"
[11/Oct/2024:11:53:41 +0300] "GET /el_gr/catalog/product/view/id/144583/s/144583-fototsapetsaries-diafora-sxedia-megethi-100-159102/ HTTP/1.1" 200 55818 "-" "Mozilla/5.0 (compatible; Pinterestbot/1.0; +http://www.pinterest.com/bot.html)"
[11/Oct/2024:11:53:43 +0300] "GET /el_gr/catalog/product/view/id/134022/s/134022-fototsapetsaries-diafora-sxedia-megethi-100-148541/ HTTP/1.1" 200 56234 "-" "Mozilla/5.0 (compatible; Pinterestbot/1.0; +http://www.pinterest.com/bot.html)"
[11/Oct/2024:11:53:43 +0300] "GET /el_gr/catalog/product/view/id/153049/s/153049-fototsapetsaries-diafora-sxedia-megethi-100-167568/ HTTP/1.1" 200 55991 "-" "Mozilla/5.0 (compatible; Pinterestbot/1.0; +http://www.pinterest.com/bot.html)"
54.236.1.13 [ 54.236.1.13, 54.236.1.13, 127.0.0.1] [11/Oct/2024:11:53:46 +0300] "GET /el_gr/catalog/product/view/id/151013/s/151013-fototsapetsaries-diafora-sxedia-megethi-100-165532/ HTTP/1.1" 200 56020 "-" "Mozilla/5.0 (compatible; Pinterestbot/1.0; +http://www.pinterest.com/bot.html)"
[11/Oct/2024:11:53:47 +0300] "GET /el_gr/tapetsaries-toixou/fototapetsaries-toixou/zoa/filtra/xromatikes_omades-psychra-pastel-mov-therma-xroma-oxia_fusiko-gkri_mpez-leuko-anoichto_mob-mob-somon-kokkino-anoichto_gkri-kafe-thema_fototapetsarias-artistic-louloudia-vintage-apoxrosi_fototapetsarias-egchromo?price=amshopby_slider_from-amshopby_slider_to HTTP/1.1" 200 56578 "-" "Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.6668.89 Mobile Safari/537.36 (compatible; GoogleOther)"
[11/Oct/2024:11:53:48 +0300] "GET /el_gr/50369-tapetsaria-arts-crafts-prasino-no-36159-by-casadeco HTTP/1.1" 200 63129 "-" "Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.6668.89 Mobile Safari/537.36 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
[11/Oct/2024:11:53:48 +0300] "GET /el_gr/catalog/product/view/id/142099/s/142099-fototsapetsaries-diafora-sxedia-megethi-100-156618/ HTTP/1.1" 200 55810 "-" "Mozilla/5.0 (compatible; Pinterestbot/1.0; +http://www.pinterest.com/bot.html)"
[11/Oct/2024:11:53:49 +0300] "GET /el_gr/49391-wing-kremasto-ntoulapi-oikologiko-tzaki-no-14297-by-abb?swatch_colour_att=11095 HTTP/1.1" 200 69558 "-" "Mozilla/5.0 (compatible; Pinterestbot/1.0; +http://www.pinterest.com/bot.html)"
[11/Oct/2024:11:53:49 +0300] "GET /el_gr/catalog/product/view/id/90457/s/58177-diaxoristika-domatiou-diafora-sxedia-102723/ HTTP/1.1" 200 68402 "-" "Mozilla/5.0 (compatible; Pinterestbot/1.0; +http://www.pinterest.com/bot.html)"
This is my vhost:
server {
    listen 443 ssl;
    http2 on;
    server_name www.example.com;
    ssl_certificate /etc/nginx/ssl/2023/ssl_bundle.crt;
    ssl_certificate_key /etc/nginx/ssl/2023/example.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'AES128+EECDH:AES128+EDH:!aNULL';
    return 301 https://example.com$request_uri;

    # Nginx Bad Bot Blocker Includes
    # REPO: https://github.com/mitchellkrogza/nginx-ultimate-bad-bot-blocker
    ##
    include /etc/nginx/bots.d/ddos.conf;
    include /etc/nginx/bots.d/blockbots.conf;

    # apply ratebot rules
    limit_req zone=ratebot_soft nodelay;
    limit_req zone=ratebot_medium nodelay;
    limit_req zone=ratebot_hard nodelay;
}

server {
    listen 443 ssl;
    http2 on;
    server_name example.com;
    proxy_headers_hash_bucket_size 128;
    proxy_headers_hash_max_size 1024;
    ssl_certificate /etc/nginx/ssl/2023/ssl_bundle.crt;
    ssl_certificate_key /etc/nginx/ssl/2023/example.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'AES128+EECDH:AES128+EDH:!aNULL';

    include /etc/nginx/bots.d/ddos.conf;
    include /etc/nginx/bots.d/blockbots.conf;

    # apply ratebot rules
    limit_req zone=ratebot_soft nodelay;
    limit_req zone=ratebot_medium nodelay;
    limit_req zone=ratebot_hard nodelay;

    location / {
        proxy_pass http://127.0.0.1:6081;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-Port 443;
        proxy_set_header X-Forwarded-Host $http_host;
        proxy_set_header X-Forwarded-Server $http_host;
        proxy_set_header Host $http_host;
        proxy_buffering off;
        proxy_buffer_size 16k;
        proxy_buffers 64 4k;
        proxy_busy_buffers_size 24k;
        fastcgi_buffer_size 32k;
        fastcgi_buffers 16 32k;

        if ($cors_origin) {
            add_header 'Access-Control-Allow-Origin' '$cors_origin' always;
            add_header 'Access-Control-Allow-Methods' 'GET,POST,PUT,DELETE,HEAD,PATCH' always;
            add_header 'Access-Control-Allow-Headers' '*' always;
            add_header 'Access-Control-Allow-Credentials' 'true' always;
        }
    }
}
This is a dedicated server at Hetzner. It is behind a Hetzner firewall, which is off. Also, we are not using any panel, just the Ubuntu 22 OS. The CSF firewall is enabled.
Nginx works as a proxy for Varnish with SSL termination, so Varnish handles the first requests.
In front of that server, Cloudflare is also enabled, with support for http1.2.
What am I missing here, guys?
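Added example, not from the question or the answer: a small per-hop triage script. The protocol in an access-log request line is whatever the process that wrote the line received on its own connection, so "is HTTP/2 on?" has to be checked hop by hop (client to edge, client to origin, origin to Varnish) rather than read off one log. The sample lines are a constructed subset of the question's log (paths shortened, plus one HTTP/2.0 line added so the tally is not uniform); the host name and origin address in the probe functions are placeholders.

```shell
#!/bin/sh
# Added example (not from the question or the answer): per-hop HTTP version triage.
# The protocol in an access-log request line is whatever the process that wrote
# the line received on *its* connection, so h2 has to be checked hop by hop.

# Constructed sample: a subset of the question's log lines (paths shortened),
# plus one HTTP/2.0 line added so the tally is not uniform.
SAMPLE_LOG='[11/Oct/2024:11:53:41 +0300] "GET /el_gr/catalog/product/view/id/144583/ HTTP/1.1" 200 55818 "-" "Mozilla/5.0 (compatible; Pinterestbot/1.0; +http://www.pinterest.com/bot.html)"
54.236.1.13 [ 54.236.1.13, 54.236.1.13, 127.0.0.1] [11/Oct/2024:11:53:46 +0300] "GET /el_gr/catalog/product/view/id/151013/ HTTP/1.1" 200 56020 "-" "Mozilla/5.0 (compatible; Pinterestbot/1.0; +http://www.pinterest.com/bot.html)"
[11/Oct/2024:11:53:48 +0300] "GET /el_gr/50369-tapetsaria-arts-crafts HTTP/2.0" 200 63129 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"'

# Tally protocol versions. The request line is the first double-quoted field,
# whatever prefix precedes it (date only, or a forwarded-IP list as in the
# second sample line); the protocol is its last space-separated token.
protocol_histogram() {
    awk -F'"' '
        NF >= 2 { n = split($2, req, " "); count[req[n]]++ }
        END     { for (p in count) printf "%s %d\n", p, count[p] }
    ' | sort
}

# Same tally keyed by crawler name (token after "Mozilla/5.0 (compatible; "),
# so a crawler that never shows HTTP/2.0 at this hop stands out.
protocol_by_agent() {
    awk -F'"' '
        NF >= 2 {
            n = split($2, req, " "); ua = $(NF-1)
            sub(/^Mozilla\/5\.0 \(compatible; /, "", ua); sub(/[;)].*$/, "", ua)
            count[ua " " req[n]]++
        }
        END { for (k in count) printf "%s %d\n", k, count[k] }
    ' | sort
}

# Hop: client -> public edge. curl's %{http_version} prints 2 for HTTP/2, 1.1 otherwise.
edge_http_version() {      # usage: edge_http_version https://example.com/
    curl -sS --http2 -o /dev/null -w '%{http_version}\n' "$1"
}

# Hop: client -> origin directly. Pinning the name to the origin address bypasses
# the edge, so nginx's own "http2 on" is what gets measured.
# 203.0.113.10 below is a placeholder for the server's public address.
origin_http_version() {    # usage: origin_http_version example.com 203.0.113.10
    curl -sS --http2 --resolve "$1:443:$2" -o /dev/null -w '%{http_version}\n' "https://$1/"
}

# Which ALPN value the TLS endpoint selected ("h2" or "http/1.1"); empty output
# means no ALPN was negotiated at all.
alpn_selected() {          # usage: alpn_selected example.com 443
    openssl s_client -connect "$1:$2" -servername "$1" -alpn h2,http/1.1 </dev/null 2>/dev/null |
        sed -n 's/^ALPN protocol: //p'
}

# Hop: nginx -> Varnish never carries h2 (nginx proxies upstream over HTTP/1.0
# unless proxy_http_version 1.1 is set), so anything Varnish or the backend logs
# is HTTP/1.x by design; in this chain only nginx's own access log can show HTTP/2.0.

printf '%s\n' "$SAMPLE_LOG" | protocol_histogram
```

Run the histogram against the real log first: if it is the Varnish or backend log, HTTP/1.x is the expected answer and says nothing about the client side. Then compare `edge_http_version` with `origin_http_version`; the two can legitimately differ, because what the edge negotiates with the client is independent of what it uses toward the origin.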
Your setup looks 100% correct and I replicated the Nginx configuration in a Docker environment.
Here's what I see.
HTTP/2 used by the client & Nginx
When I send a request over HTTP to Nginx, which acts as the TLS proxy, I get an HTTP/2 response, as you can see in the output below:
So far so good.
Nginx uses HTTP/1.0 for proxying
Although the client is communicating nicely over HTTP/2 with the TLS Proxy (Nginx in this case), Nginx is sending HTTP/1.0 requests to Varnish by default.
One could set
proxy_http_version 1.1;
to upgrade the proxied requests to HTTP/1.1. But as described in the documentation, Nginx doesn't seem to support HTTP/2 for proxying. And when I run
varnishncsa
in my Varnish container to consult the access logs, you'll see that HTTP/1.1 is used:
Use Hitch instead
If you want end-to-end HTTP/2 when using Varnish, I recommend using Hitch as your TLS proxy. Hitch is a pure TLS proxy that doesn't even have HTTP awareness.
Hitch can communicate with Varnish over the PROXY protocol, and as long as Varnish is started with the
-p feature=+http2
runtime parameter, and Hitch exposes
h2, http/1.1
in its ALPN protocols, it should work flawlessly. Have a look at the following tutorial, which explains the situation in detail: https://www.varnish-software.com/developers/tutorials/terminate-tls-varnish-hitch/
A very simplistic Hitch configuration could look like this:
And an equally simplistic Varnish runtime configuration with HTTP/2 & PROXY support, could look like this:
TLS detection in Varnish could be done using the following VCL snippet:
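The three pieces the answer describes (Hitch configuration, varnishd runtime options, TLS detection in VCL), as an added example rather than the answer author's own files, with a lint that checks the pieces agree before anything is restarted. Assumptions: the PEM path /etc/hitch/example.pem (Hitch wants key, certificate and chain concatenated in one file), a Varnish PROXY-protocol listener on 127.0.0.1:8443, a backend on 127.0.0.1:8080, and the vmod_proxy function proxy.is_ssl(), which needs Varnish 6.0 or later.

```shell
#!/bin/sh
# Added example, not the answer author's files: render the three pieces of a
# Hitch -> Varnish h2 stack from parameters, then lint that they agree.
# Assumptions: PEM path, ports and the backend address are placeholders;
# proxy.is_ssl() needs Varnish 6.0+ (vmod_proxy).

# Hitch: a pure TLS proxy. ALPN must offer h2 *and* http/1.1, and the PROXY v2
# header is what lets Varnish know the connection was TLS-terminated.
render_hitch_conf() {   # usage: render_hitch_conf PEM_FILE VARNISH_IP VARNISH_PORT
    cat <<EOF
# key, certificate and chain concatenated into one file
pem-file = "$1"
frontend = "[*]:443"
backend  = "[$2]:$3"
alpn-protos = "h2, http/1.1"
write-proxy-v2 = on
tls-protos = TLSv1.2 TLSv1.3
user  = "hitch"
group = "hitch"
EOF
}

# varnishd listeners: plain HTTP on :80 and a PROXY-protocol listener bound to
# loopback that only Hitch reaches. feature=+http2 turns on the h2 implementation.
varnishd_args() {       # usage: varnishd_args VCL_FILE PROXY_PORT
    printf '%s' "-a http=:80 -a proxy=127.0.0.1:$2,PROXY -p feature=+http2 -f $1 -s malloc,256m"
}

# VCL: proxy.is_ssl() is true only when the PROXY v2 header from Hitch carried
# TLS details, which is how Varnish tells the two listeners apart.
render_vcl() {          # usage: render_vcl BACKEND_IP BACKEND_PORT
    cat <<EOF
vcl 4.1;
import proxy;

backend default {
    .host = "$1";
    .port = "$2";
}

sub vcl_recv {
    if (proxy.is_ssl()) {
        set req.http.X-Forwarded-Proto = "https";
    } else {
        # arrived on the plain listener: send the client to the TLS/h2 front end
        return (synth(301));
    }
}

sub vcl_synth {
    if (resp.status == 301) {
        set resp.http.Location = "https://" + req.http.host + req.url;
        return (deliver);
    }
}
EOF
}

# Lint the rendered (or live) pieces: returns 0 only if Hitch offers h2 and sends
# PROXY v2, and varnishd enables http2 and has a PROXY listener for Hitch.
h2_stack_lint() {       # usage: h2_stack_lint HITCH_CONF "VARNISHD_ARGS"
    rc=0
    grep -q '^alpn-protos *= *"h2' "$1"   || { echo "hitch: alpn-protos must list h2"; rc=1; }
    grep -q '^write-proxy-v2 *= *on' "$1" || { echo "hitch: write-proxy-v2 = on needed for proxy.is_ssl()"; rc=1; }
    case "$2" in *feature=*+http2*) ;; *) echo "varnishd: -p feature=+http2 missing"; rc=1 ;; esac
    case "$2" in *,PROXY*)          ;; *) echo "varnishd: no PROXY listener for Hitch"; rc=1 ;; esac
    return $rc
}

# Stand-alone demo: render into a scratch directory and lint it.
if [ "${1:-}" = "demo" ]; then
    out=$(mktemp -d)
    render_hitch_conf /etc/hitch/example.pem 127.0.0.1 8443 > "$out/hitch.conf"
    render_vcl 127.0.0.1 8080 > "$out/default.vcl"
    h2_stack_lint "$out/hitch.conf" "$(varnishd_args "$out/default.vcl" 8443)" && echo "ok: $out"
fi
```

Before switching traffic, check the rendered files with the tools' own validators (`hitch --test --config hitch.conf` and `varnishd -C -f default.vcl`), and point the lint at the live hitch.conf and the ExecStart line of the varnish unit rather than at the rendered copies. Keep nginx's listener on 443 out of the way once Hitch owns that port, or the two will fight for it.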