Home / server / Questions / 951308
Accepted
manifestor
Asked: 2019-01-30 07:33:28 +0800 CST

Does Varnish 5.0 support HTTP/2 for backend connections?

  • 772

I have the following infrastructure:

80  ->  Varnish -> Backend (NGINX, port 8080)
443 ->  NGINX (SSL-Termination with HTTP/2 enabled) -> Varnish -> Backend (NGINX, port 8080)

I know that it is possible to enable HTTP/2 protocol for frontend connections using the -p feature=+http2 parameter for Varnish (port 80), but what about the backend connections? varnishlog -b shows me, that all of the backend communication is performed using HTTP/1.0 and HTTP/1.1.

I would be very pleased if someone could tell me what common practice is regarding Varnish and NGINX:

  • Is it possible to enable HTTP/2 for the backend connections?
  • Does it make any sense to do so regarding performance?
  • Does it make sense regarding performance to keep the -p feature=+http2 parameter enabled for the 443 -> NGINX (SSL-Termination with HTTP/2 enabled) -> Varnish communication in terms of performance?

Regarding the backend communication (which is not encrypted): I know that HTTP/2 is bound to TLS encryption, but maybe there is some tweak I haven't heard about, so that's why I think is better to ask in order to be 100% sure. Thanks for your understanding.

nginx

2 Answers

  1. Best Answer

    @Michael Hampton's answer is missing some points so here it goes:

    Varnish is the one software that does HTTP/2 in Hitch+Varnish combo, but most of the browsers requires TLS connection in order for HTTP/2 to work. That is, TLS connection is required for HTTP/2, its base requirement nowadays.

    Varnish Plus does support TLS, while Varnish open source doesn't.

    As for the answers:

    • No, it is not possible to enable HTTP/2 for backend connections
    • It does not make any sense to do so regarding performance. The primary benefit of HTTP/2 is request multiplexing. It is not needed / not possible unless Varnish was able to parse HTML and then request all assets in parallel from backend, over HTTP/2. Nobody wants to make Varnish a browser :) as it's fine the way it is
    • No, it does not make sense regarding performance to keep the -p feature=+http2 parameter enabled for the 443 -> NGINX (SSL-Termination with HTTP/2 enabled). Because NGINX simply won't talk HTTP/2 to its backend (Varnish), similar to how Varnish won't talk HTTP/2 to its backend (NGINX+PHP-FPM for example), because it doesn't make sense (see earlier point).

    That said:

    • It does make sense to keep -p feature=+http2 in a Hitch + Varnish combo.
    • It would also make sense to keep -p feature=+http2 in NGINX (stream) + Varnish combo IF NGINX's stream module had support for ALPN protocol negotiation. But it doesn't. So it can't terminate TLS "properly for HTTP/2 to work.
    • 5

  2. Varnish doesn't support https at all. It never has and it never will.

    The so-called http2 frontend support that Varnish offers in 5.0 is actually not in Varnish at all. Rather, it uses another piece of software called hitch, which is a proxy server that actually terminates TLS using HTTP/2 and passes plain HTTP connections to its backend, which is the Varnish frontend.

    All Varnish backends are HTTP only.

    So, when using HTTP/2, it actually looks like this:

    Hitch - Varnish - Nginx

    Though in this case varnish manages hitch.

    In short, no, you can't do that.

    • 4