Re: Support for HTTP/2


Shannon Coen
 

Hi Carlo,

Thank you for letting us know, I wasn't aware of this.

With this limitation in mind, an upstream component could still terminate
TLS, but couldn't Gorouter also? Although I recognize the limitation, it's
worth noting that many operators have asked to secure more of the legs on
the way to the app, not fewer. Supporting a secure connection from the LB
to Gorouter has been a priority for us. A few things we're working on:

- A frequently requested deployment model has been to pass the TCP
connection through at the LB and terminate at Gorouter, but until recently
this was not supported, as internal components (UAA and apps) rely on
X-Forwarded-Proto to enforce secure external requests and Gorouter was not
appending it if it wasn't present. We've addressed that for the next
release.
- With TCP routing, we will be able to terminate TLS connections at the
app.
- We'll be putting a bunch of effort soon into exploring performance
improvement of SSL termination in Gorouter.

Best,

Shannon Coen
Product Manager, Cloud Foundry
Pivotal, Inc.

On Tue, Feb 2, 2016 at 5:43 PM, Ferraris, Carlo | Carlo | OPS <
carlo.ferraris(a)rakuten.com> wrote:

Just my two cents: right now HTTP/2 support in Go 1.6 does not include
support for h2c (HTTP/2 over TCP) [1]. It only supports h2 (HTTP/2 over
TLS). So basically SSL termination before the gorouter won’t be possible
(unless somebody implements h2c in gorouter).



[1] https://github.com/golang/go/issues/14141
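
The X-Forwarded-Proto behaviour described in the message above, as an added Go example that is not part of the original thread and is not Gorouter's code: a router-side handler that sets the header only when it is absent, and a backend that rejects requests not marked https. The names `ensureForwardedProto`, `requireHTTPS` and `statusFor`, and the sample requests, are constructed for illustration.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// ensureForwardedProto (hypothetical name) sets X-Forwarded-Proto only when no earlier hop did.
func ensureForwardedProto(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("X-Forwarded-Proto") == "" {
			proto := "http"
			if r.TLS != nil { // this hop terminated TLS itself
				proto = "https"
			}
			r.Header.Set("X-Forwarded-Proto", proto)
		}
		next.ServeHTTP(w, r)
	})
}

// requireHTTPS stands in for a backend that enforces secure external requests.
func requireHTTPS(w http.ResponseWriter, r *http.Request) {
	if r.Header.Get("X-Forwarded-Proto") != "https" {
		http.Error(w, "HTTPS required", http.StatusForbidden)
		return
	}
	w.WriteHeader(http.StatusOK)
}

// statusFor sends one constructed request (no header from the LB) and returns the backend's status.
func statusFor(tlsAtRouter, appendHeader bool) int {
	req := httptest.NewRequest(http.MethodGet, "/", nil)
	if tlsAtRouter {
		req.TLS = &tls.ConnectionState{} // simulate TLS terminated at the router
	}
	var h http.Handler = http.HandlerFunc(requireHTTPS)
	if appendHeader {
		h = ensureForwardedProto(h)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	fmt.Println(statusFor(true, false), statusFor(true, true), statusFor(false, true))
}
```

Because this handler keeps a header that is already present, the backend check is only as trustworthy as the hops in front of the router that may set it.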
