feat(traefik): add HTTP_PROXY_DISABLE_HTTP2 to force HTTP/1.1 on TLS …#99
Open
lussoluca wants to merge 1 commit into
Open
feat(traefik): add HTTP_PROXY_DISABLE_HTTP2 to force HTTP/1.1 on TLS …#99lussoluca wants to merge 1 commit into
lussoluca wants to merge 1 commit into
Conversation
Member
|
@lussoluca should we make this the default option ? |
Contributor
There was a problem hiding this comment.
Pull request overview
This PR adds an opt-in mechanism to force HTTP/1.1 over TLS for the Traefik
frontend, intended as a workaround for stuck/zombie browser HTTP/2 sessions on
macOS Docker Desktop setups.
Changes:
- Add
HTTP_PROXY_DISABLE_HTTP2env var to thetraefikservice (default
false). - Extend the Traefik container entrypoint to generate/remove a dynamic config
that restricts TLS ALPN tohttp/1.1when the flag is enabled. - Document the new option and rationale in the README under HTTPS Support.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| README.md | Documents the new HTTP/2-disable workaround and how to enable it. |
| compose.yml | Exposes HTTP_PROXY_DISABLE_HTTP2 on the Traefik service with a safe default. |
| build/traefik/entrypoint.sh | Generates/removes a dynamic Traefik TLS config to force ALPN to HTTP/1.1. |
Comment on lines
+98
to
+110
| generate_disable_http2_config() { | ||
| if [ "${HTTP_PROXY_DISABLE_HTTP2:-false}" = "true" ]; then | ||
| echo "Disabling HTTP/2 (HTTP_PROXY_DISABLE_HTTP2=true): forcing ALPN to http/1.1" | ||
| cat > "${DISABLE_HTTP2_FILE}" << 'EOF' | ||
| # Auto-generated by entrypoint.sh when HTTP_PROXY_DISABLE_HTTP2=true. | ||
| # Restricts the TLS ALPN list to http/1.1, preventing HTTP/2 negotiation | ||
| # on TLS entrypoints. | ||
| tls: | ||
| options: | ||
| default: | ||
| alpnProtocols: | ||
| - http/1.1 | ||
| EOF |
Author
I don't know if switching to HTTP 1 can have any effect on other stacks. I've tested this only with pkg/drupal |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Adds an opt-in environment variable
HTTP_PROXY_DISABLE_HTTP2on thetraefikservice. When set totrue, the entrypoint writes a dynamic Traefik config that restricts TLS ALPN negotiation tohttp/1.1, so browsers fall back from HTTP/2 to HTTP/1.1 over TLS.Default is
false— existing setups are unaffected.Motivation
On macOS with Docker Desktop, long-lived HTTP/2 sessions between the browser and the proxy can become zombies: the host-side TCP socket (terminated by vpnkit) stays alive while the container-side socket has already closed, and no FIN/RST is propagated across the loopback shim. The browser keeps multiplexing new requests into a dead session, and all
.lochosts time out (ERR_TIMED_OUT) until the browser is fully restarted. Command-line clients (curl, wget) are not affected because they open a fresh TCP connection per request.HTTP/1.1 detects dead connections aggressively at the socket layer (the next write returns
EPIPEimmediately) and avoids this entire class of bugs, at the cost of losing HTTP/2 multiplexing for local development traffic — usually an acceptabletrade-off for a dev-only proxy.
Implementation
build/traefik/entrypoint.sh: newgenerate_disable_http2_configfunction. WhenHTTP_PROXY_DISABLE_HTTP2=true, writes/traefik/dynamic/disable-http2.ymlwithtls.options.default.alpnProtocols = [http/1.1]. Whenfalse(or unset), removes the file if it exists, so toggling the flag off cleans up.compose.yml: surfaces the variable on thetraefikservice with a safefalsedefault.README.md: new subsection under HTTPS Support explaining when to enable it.Verification
Smoke-tested the entrypoint locally with a stubbed
exec traefik:false→ no dynamic file written, no behavior change.true→disable-http2.ymlwritten with expected content.false→ file removed on next startup.End-to-end on a real proxy: with the flag on, browser network panel reports
HTTP/1.1instead ofh2for.locsites;curl --http2falls back without errors;openssl s_client -alpn h2,http/1.1reports the negotiated protocol ashttp/1.1.Compatibility
HTTP_PROXY_DISABLE_HTTP2=false).