Response phase skipped when HTTP/2 is in use

Hello, I’m developing an authentication plugin for Kong that utilizes both the access and response phases of the request lifecycle. Normally, on HTTP/1.1, both the request and response are validated by our plugin before being allowed to continue through Kong. When using HTTP/2.0, however, I see the following message logged in error.log:

2022/06/21 21:30:53 [notice] 195011#0: *13744 [lua] init.lua:981: access(): response buffering was turned off: incompatible HTTP version (2), client: omitted, server: kong, request: "GET /? HTTP/2.0", host: "omitted"

After this, the response phase of my plugin does not get called, but the response is allowed to continue to the client anyway. This effectively bypasses authentication on the server response! Is this intended? Is there a workaround for this, perhaps by disabling HTTP/2.0 communications through Kong?

This is documented here.

If a module implements the response function, Kong Gateway (OSS) will automatically activate the “buffered proxy” mode, as if the kong.service.request.enable_buffering() function had been called. Because of a current Nginx limitation, this doesn’t work for HTTP/2 or gRPC upstreams.

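One way to keep a plugin that depends on the response phase from failing open, as an added example that is not code from this thread or from Kong: the access handler rejects any request whose HTTP version means buffering will be turned off, so the unvalidated response path described above is never reached. The priority, header names, messages and status codes are assumptions chosen for illustration.

```lua
-- handler.lua for a hypothetical plugin (added example, not Kong's own code).
-- PRIORITY, header names and status codes below are illustrative assumptions.
local kong = kong

local Handler = { PRIORITY = 1000, VERSION = "0.1.0" }

-- Kong turns response buffering off for HTTP/2 (and gRPC) requests, so
-- Handler:response() is only reached for HTTP/1.x clients.
local function response_phase_will_run()
  local version = kong.request.get_http_version()  -- number, e.g. 1.1 or 2
  return version ~= nil and version < 2
end

function Handler:access(conf)
  -- Fail closed: if the response check cannot run, do not proxy at all.
  if not response_phase_will_run() then
    kong.log.warn("rejecting request, response phase unavailable for HTTP version ",
                  tostring(kong.request.get_http_version()))
    return kong.response.exit(505, { message = "HTTP/1.1 required on this route" })
  end

  -- Request-side check (placeholder policy: a token header must be present).
  if not kong.request.get_header("x-auth-token") then
    return kong.response.exit(401, { message = "Unauthorized" })
  end

  -- Record that the access check passed so the response phase can confirm it.
  kong.ctx.plugin.request_checked = true
end

function Handler:response(conf)
  -- Defence in depth: refuse to release a response whose request was not checked.
  if not kong.ctx.plugin.request_checked then
    return kong.response.exit(502, { message = "Request was not validated" })
  end

  -- Response-side check (placeholder policy: upstream must attach this header).
  if not kong.service.response.get_header("x-upstream-signature") then
    return kong.response.exit(502, { message = "Upstream response failed validation" })
  end
end

return Handler
```

The listener-level alternative raised in the question is to remove the `http2` flag from the `proxy_listen` entries in kong.conf, so clients can only negotiate HTTP/1.1.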