add http2 for upstream support #102

Closed


hishamanver
Contributor

This PR adds support for http2 upstream servers

@hishamanver
Contributor Author

This links to #101

@hishamanver hishamanver mentioned this pull request Aug 3, 2021
@hishamanver
Contributor Author

@rpardini any comments for this one?

@rpardini
Owner

rpardini commented Aug 4, 2021

Yeah, this is not real http2 support, since nginx itself does not support it.

@hishamanver
Contributor Author

hishamanver commented Aug 5, 2021

OK, let me clarify.

This PR forces all connections between the d-r-p and the upstream to use http 1.1, even when the upstream wants to use http2.

If this is not done, the client connecting to the proxy receives an HTTP 426 error.

This is the output on a docker pull:

sudo docker pull harbor.<REDACTED>/5gdmc/proj_hss/5g/docker_images/eric-udm-udrproxy:1.8.6
Error response from daemon: error parsing HTTP 426 response body: unexpected end of JSON input: ""

And the container logs for d-r-p show the following:

Starting nginx! Have a nice day.
{"access_time":"05/Aug/2021:06:20:57 +0000","upstream_cache_status":"","method":"GET","uri":"/v2/","request_type":"unknown","status":"426","bytes_sent":"0","upstream_response_time":"0.172","host":"harbor.<REDACTED>","proxy_host":"harbor.<REDACTED>","upstream":"<REDACTED>:443"}
{"access_time":"05/Aug/2021:06:20:57 +0000","upstream_cache_status":"MISS","method":"GET","uri":"/v2/5gdmc/proj_hss/5g/docker_images/eric-udm-udrproxy/manifests/1.8.6","request_type":"manifest-secondary","status":"426","bytes_sent":"0","upstream_response_time":"0.152","host":"harbor.<REDACTED>","proxy_host":"harbor.<REDACTED>","upstream":"<REDACTED>:443"}

curl output

* Uses proxy env variable https_proxy == '<REDACTED>:3128/'
*   Trying 10.99.206.253...
* TCP_NODELAY set
* Connected to <REDACTED> (10.99.206.253) port 3128 (#0)
* allocate connect buffer!
* Establish HTTP proxy tunnel to harbor.<REDACTED>:443
> CONNECT harbor.<REDACTED>:443 HTTP/1.1
> Host: harbor.<REDACTED>:443
> User-Agent: curl/7.60.0
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 200 Connection Established
< Proxy-agent: nginx
<
* Proxy replied 200 to CONNECT request
* CONNECT phase completed!
* ALPN, offering h2
* ALPN, offering http/1.1
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* CONNECT phase completed!
* CONNECT phase completed!
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: C=NL; ST=Noord Holland; L=Amsterdam; O=ME; OU=IT; CN=DockerMirrorBox Web Cert<REDACTED>
*  start date: Aug  5 06:20:39 2021 GMT
*  expire date: Aug  5 06:20:39 2022 GMT
*  subjectAltName: host "harbor.<REDACTED>" matched cert's "harbor.<REDACTED>"
*  issuer: C=NL; ST=Noord Holland; L=Amsterdam; O=ME; OU=IT; CN=DockerMirrorBox Intermediate IA <REDACTED>.
*  SSL certificate verify ok.
> GET /v2 HTTP/1.1
> Host: harbor.<REDACTED>
> User-Agent: curl/7.60.0
> Accept: */*
>
< HTTP/1.1 426 Upgrade Required
< Server: nginx/1.20.1
< Date: Thu, 05 Aug 2021 06:26:08 GMT
< Content-Length: 0
< Connection: keep-alive
<
* Connection #0 to host <REDACTED> left intact
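
Added example, not part of the PR or of the project's own code: a small triage script for the JSON access-log format shown in the comment above, grouping HTTP 426 responses by upstream registry so the affected upstreams can be identified before changing proxy behaviour. The function name, the sample host names and the sample addresses are assumptions constructed for illustration.

```python
import json
from collections import defaultdict

# Constructed sample lines in the access-log shape shown above;
# host names and addresses are placeholders, not values from the thread.
SAMPLE_LOG = """\
Starting nginx! Have a nice day.
{"access_time":"05/Aug/2021:06:20:57 +0000","upstream_cache_status":"","method":"GET","uri":"/v2/","request_type":"unknown","status":"426","bytes_sent":"0","upstream_response_time":"0.172","host":"registry.example.internal","proxy_host":"registry.example.internal","upstream":"192.0.2.10:443"}
{"access_time":"05/Aug/2021:06:20:57 +0000","upstream_cache_status":"MISS","method":"GET","uri":"/v2/team/app/manifests/1.0.0","request_type":"manifest-secondary","status":"426","bytes_sent":"0","upstream_response_time":"0.152","host":"registry.example.internal","proxy_host":"registry.example.internal","upstream":"192.0.2.10:443"}
{"access_time":"05/Aug/2021:06:21:03 +0000","upstream_cache_status":"HIT","method":"GET","uri":"/v2/library/alpine/manifests/3.14","request_type":"manifest-secondary","status":"200","bytes_sent":"528","upstream_response_time":"","host":"mirror.example.org","proxy_host":"mirror.example.org","upstream":""}
"""


def find_upgrade_required(log_text):
    """Group HTTP 426 responses by upstream registry host (hypothetical helper).

    Returns {proxy_host: {"count", "empty_body", "upstream", "request_types"}}.
    Non-JSON lines (startup banner, nginx error lines) are skipped.
    """
    report = defaultdict(lambda: {"count": 0, "empty_body": 0,
                                  "upstream": set(), "request_types": set()})
    for line in log_text.splitlines():
        line = line.strip()
        if not line.startswith("{"):
            continue
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # truncated or interleaved container output
        if entry.get("status") != "426":  # status is logged as a string
            continue
        row = report[entry.get("proxy_host", "")]
        row["count"] += 1
        # bytes_sent "0" means the 426 had no body, consistent with the
        # docker error "unexpected end of JSON input" quoted above.
        row["empty_body"] += entry.get("bytes_sent") == "0"
        row["upstream"].add(entry.get("upstream", ""))
        row["request_types"].add(entry.get("request_type", ""))
    return dict(report)


if __name__ == "__main__":
    for host, row in find_upgrade_required(SAMPLE_LOG).items():
        print(host, row["count"], sorted(row["request_types"]), sorted(row["upstream"]))
```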

@hishamanver
Contributor Author

@rpardini does this make sense?

@rpardini
Owner

Hi, I've personally not received 426 from upstream registries. Dunno what's up there.
I know nginx can only talk 1.1 to upstreams, the Upgrade/Connection hack is the same as for websockets.
What is the connection being upgraded to?

@rpardini
Owner

I can see the value in this, but it can't be the default behaviour. Please hide it with an ENV check and include file.

@hishamanver
Contributor Author

done, please see #128
