Http2Servlet
The Http2Servlet forwards HTTP/HTTPS requests to content providers in the backend, using HTTP/HTTPS over TCP/IP.
The servlet is still experimental and supports only gRPC, which means there has to be a gRPC service behind the configured Url.
It does not support load balancing, rewriting, cookie caching, or similar operations.
ch::nevis::nevisproxy::servlet::connector::http::Http2Servlet
libBackendServlet.so.1
BC.Tracer.DebugProfile.NPHttp2Svt
Configuration
Url
Type: string
Usage Constraints: required
Syntax: http[s]://<hostname>[:<portnumber>]
Describes the URL to connect to the service.
CACertificateFile
Type: string
Usage Constraints: optional, mandatory if CheckPeerHostname is enabled
Specifies the file containing the CA certificate(s) that are used to check whether the peer's node certificate is trusted. All the certificates in the file will be verified. PEM encoded files are supported. PKCS#11 URLs are not supported. If the CACertificateFile attribute is not specified, the peer certificate will be trusted automatically.
For security reasons it is recommended that you always specify the CACertificateFile attribute.
ClientCertificateFile
Type: string
Usage Constraints: optional
Specifies the X509 node certificate that will be sent to the application server (if requested by a SSL/TLS CertificateRequest message). PEM encoded files are supported for node certificates and certificate chains. If the file contains a certificate chain then the certificates must be in PEM format and must be sorted starting with the subject's certificate (actual client or server certificate), followed by intermediate CA certificates if applicable, and ending at the highest level (root) CA.
Client certificates are experimental when using TLSv1.3.
ClientKeyFile
Type: string
Usage Constraints: optional
The key for a TLS client certificate may be provided either in the same file as the certificate (specified with the ClientCertificateFile attribute), or in a separate file specified with the ClientKeyFile attribute. If both the certificate and the key are contained in the same file, configure only the ClientCertificateFile attribute and omit ClientKeyFile.
CheckPeerHostname
Type: boolean
Default and secure default: true
If enabled, the DNS name is, among other validations, checked against the CN/SAN of the certificate. Enabling this parameter also requires setting CACertificateFile.
SSLProtocolMin
Type: string
Usage Constraints: optional
Default: TLSv1.2
Secure Default: TLSv1.3
This parameter controls the minimum acceptable version of the SSL/TLS protocol to use for the connection. Valid values are SSLv3, TLSv1, TLSv1.1, TLSv1.2, and TLSv1.3.
SSLProtocolMax
Type: string
Usage Constraints: optional
Default: TLSv1.3
This parameter controls the maximum acceptable version of the SSL/TLS protocol to use for the connection. Valid values are TLSv1, TLSv1.1, TLSv1.2, and TLSv1.3.
SSLCipherSuites
Type: string
Usage Constraints: optional
Default: ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256
Specifies the list of cipher suites to use for the SSL/TLS connection. This configuration applies to connections up to TLSv1.2.
SSLCipherSuites_TLSv1_3
Type: string
Usage Constraints: optional
Default: TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
Specifies the list of cipher suites specifically used for TLSv1.3 connections.
CrlFile
Type: string
Usage Constraints: optional
Specifies a file containing the Certificate Revocation List (CRL) in PEM format. This file is used for certificate validation during the SSL exchange. When configured, a CRL check is required against all elements of the certificate chain. This option is only effective when peer verification (via CheckPeerHostname) is enabled.
SSLCache
Type: string
Usage Constraints: required
Syntax: on or off (case-insensitive)
Default: on
This parameter enables or disables the use of the SSL session-ID cache. Setting it to off disables caching entirely, which may be required as a workaround if the backend has a broken SSL implementation.
ConnectionPoolSize
Type: integer
Default: 100
This attribute defines the number of pooled TCP connections. A TCP connection is only put in the pool if it does not exceed the configured size.
CurlTraceConfig
Type: string
Default: http/2,ssl
This parameter configures which trace components of the underlying curl library are traced.
Trace components:
- tcp: Tracing of TCP socket handling: connect, sends, receives.
- ssl: Tracing of SSL/TLS operations.
- http/2: Details about HTTP/2 handling: frames, events, I/O, etc.
- dns: Tracing of DNS operations to resolve hostnames and HTTPS records.
- read: Traces reading of upload data from the application in order to send it to the server.
- ssls: Tracing of SSL Session handling, e.g. caching/import/export.
- write: Traces writing of download data, received from the server, to the application.
- all: all trace components enabled
- network: All components involved in bare network I/O, including the SSL layer.
- All components involved in transfer protocols
Some basic HTTP/2 and SSL information is logged regardless of what is configured; the trace group NPHttp2Svt needs to be set at least to INFO.
Examples
Log details of HTTP/2 and SSL handling:
http/2,ssl
Log all details, except SSL handling:
all,-ssl
HostName
Type: string
Usage Constraints: optional
Defines the value to send to the backend as the Host header. If you do not set this attribute, the value of the Url attribute will be sent.
Variables from the ENV and AUTH context can be used, for example ENV:HTTP_Host;. This makes it possible to forward the Host header sent by the client.
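As an added example (not part of the nevisProxy documentation or product), a small Python lint that reads the Http2Servlet init-params from a web.xml fragment and reports deviations from the constraints and secure defaults listed above. It assumes the servlet is declared in the usual nevisProxy web.xml layout (servlet-class plus init-param elements); the sample configuration is constructed and deliberately weak.

```python
import xml.etree.ElementTree as ET

# Order of the protocol versions the page lists for SSLProtocolMin/SSLProtocolMax.
TLS_ORDER = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
# Constructed sample in the assumed web.xml layout; weak on purpose so the lint has something to find.
SAMPLE_WEB_XML = """<web-app>
  <servlet>
    <servlet-name>Backend</servlet-name>
    <servlet-class>ch::nevis::nevisproxy::servlet::connector::http::Http2Servlet</servlet-class>
    <init-param><param-name>Url</param-name><param-value>https://grpc-backend.example:8443</param-value></init-param>
    <init-param><param-name>CheckPeerHostname</param-name><param-value>true</param-value></init-param>
    <init-param><param-name>SSLProtocolMin</param-name><param-value>TLSv1.1</param-value></init-param>
    <init-param><param-name>SSLProtocolMax</param-name><param-value>TLSv1.3</param-value></init-param>
    <init-param><param-name>SSLCache</param-name><param-value>ON</param-value></init-param>
  </servlet>
</web-app>"""

def init_params(xml_text):
    """Collect the init-params of the Http2Servlet declaration(s) into a dict."""
    params = {}
    for servlet in ET.fromstring(xml_text).iter("servlet"):
        if "Http2Servlet" in (servlet.findtext("servlet-class") or ""):
            for p in servlet.iter("init-param"):
                params[p.findtext("param-name")] = p.findtext("param-value")
    return params

def lint(params):
    """Return the list of deviations from the documented constraints and secure defaults."""
    findings = []
    url = params.get("Url", "")
    if not (url.startswith("http://") or url.startswith("https://")):
        findings.append("Url is required and must match http[s]://<hostname>[:<portnumber>]")
    check = params.get("CheckPeerHostname", "true").lower() == "true"   # default: true
    if check and not params.get("CACertificateFile"):
        findings.append("CheckPeerHostname is enabled but CACertificateFile is missing")
    elif not params.get("CACertificateFile"):
        findings.append("CACertificateFile not set: the peer certificate is trusted automatically")
    if params.get("CrlFile") and not check:
        findings.append("CrlFile has no effect while CheckPeerHostname is disabled")
    vmin = params.get("SSLProtocolMin", "TLSv1.2")   # default TLSv1.2, secure default TLSv1.3
    vmax = params.get("SSLProtocolMax", "TLSv1.3")
    if vmin not in TLS_ORDER or vmax not in TLS_ORDER[1:]:   # SSLv3 is not valid for Max
        findings.append(f"unknown SSL/TLS version: SSLProtocolMin={vmin}, SSLProtocolMax={vmax}")
    elif TLS_ORDER.index(vmin) > TLS_ORDER.index(vmax):
        findings.append("SSLProtocolMin is higher than SSLProtocolMax")
    elif vmin != "TLSv1.3":
        findings.append(f"SSLProtocolMin={vmin} is below the secure default TLSv1.3")
    if params.get("SSLCache", "on").lower() not in ("on", "off"):
        findings.append("SSLCache must be on or off (case-insensitive)")
    return findings
```

Running `lint(init_params(SAMPLE_WEB_XML))` on the sample reports the missing CACertificateFile and the weak SSLProtocolMin; adding both fixes yields an empty finding list.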