Hello everyone,
I’m struggling to enable http2 on kong running as an ingress controller.
Seems to me everything is set up as it should be.
spec:
  containers:
  - env:
    - name: KONG_PG_PASSWORD
      value: kong
    - name: KONG_PG_HOST
      value: kong-postgres
    - name: KONG_PROXY_ACCESS_LOG
      value: /dev/stdout
    - name: KONG_PROXY_ERROR_LOG
      value: /dev/stderr
    - name: KONG_ADMIN_LISTEN
      value: "off"
    - name: KONG_NGINX_HTTP_INCLUDE
      value: /opt/config/kong-prometheus.conf
    - name: KONG_HTTP2
      value: "on"
    - name: KONG_PROXY_LISTEN
      value: 0.0.0.0:80, 0.0.0.0:443 ssl http2
From inside the container I see that Kong is started properly.
/ # ps auxwww
PID USER TIME COMMAND
1 root 0:00 nginx: master process /usr/local/openresty/nginx/sbin/nginx -p /usr/local/kong -c nginx.conf
25 nobody 0:02 nginx: worker process
26 nobody 0:00 nginx: worker process
27 nobody 0:00 nginx: worker process
28 nobody 0:00 nginx: worker process
29 nobody 0:00 nginx: worker process
30 nobody 0:00 nginx: worker process
31 nobody 0:00 nginx: worker process
32 nobody 0:00 nginx: worker process
42 root 0:00 /bin/sh
57 root 0:00 /bin/sh
65 root 0:00 ps auxwww
/ #
/ # cat /usr/local/kong/nginx.conf
worker_processes auto;
daemon off;
pid pids/nginx.pid;
error_log /dev/stderr notice;
worker_rlimit_nofile 1048576;
events {
    worker_connections 16384;
    multi_accept on;
}
http {
    include 'nginx-kong.conf';
}
Relevant snippet from nginx-kong.conf:
server {
    server_name kong;
    listen 0.0.0.0:80;
    listen 0.0.0.0:443 ssl http2;
    error_page 400 404 408 411 412 413 414 417 494 /kong_error_handler;
    error_page 500 502 503 504 /kong_error_handler;
Yet still, when testing an API with curl, it returns with http/1.1:
curl --http2 -v -H "apikey: REDACTED" https://api-ENDPOINT/health
[...]
* ALPN, offering h2
* ALPN, offering http/1.1
[...]
* ALPN, server accepted to use http/1.1
[...]
When I hit the same service using a plain old nginx ingress controller, it works fine.
* ALPN, server accepted to use h2
[...]
< HTTP/2 200
< server: nginx/1.15.6
< date: Sat, 12 Jan 2019 19:57:07 GMT
< content-type: application/vnd.spring-boot.actuator.v2+json;charset=UTF-8
< access-control-allow-origin: *
< access-control-allow-methods: POST, GET, OPTIONS, DELETE
< access-control-max-age: 3600
< access-control-allow-headers: Content-Type, x-requested-with, X-Custom-Header, X-B3-TraceId, X-B3-SpanId, X-auth-token
< access-control-expose-headers: X-auth-token
< x-auth-token: fef52643-b4b6-4591-8143-106773d95f02
< strict-transport-security: max-age=15724800; includeSubDomains
I must be missing something simple.