Thank you for the additional context, Carlo. I agree the loss of support
for non-TLS requests would not only restrictive, but potentially backwards
incompatible.

Shannon Coen
Product Manager, Cloud Foundry
Pivotal, Inc.

On Tue, Feb 2, 2016 at 9:05 PM, Carlo Alberto Ferraris <
carlo.ferraris(a)rakuten.com> wrote:

With this limitation in mind, an upstream component could still terminate
TLS, but couldn't Gorouter also?

Just as a small followup, consider that companies might have internal
regulations mandating how and where SSL termination needs to happen
(Rakuten is among them, for example...). As described in my previous mail,
there are workarounds (e.g. using a separate TLS session between LB/RP and
gorouter) but this may add further deployment complexity (and overhead).

With this limitation in mind, an upstream component could still terminate
TLS, but couldn't Gorouter also?

Just as a small followup, consider that companies might have internal regulations mandating how and where SSL termination needs to happen (Rakuten is among them, for example...). As described in my previous mail, there are workarounds (e.g. using a separate TLS session between LB/RP and gorouter) but this may add further deployment complexity (and overhead).

Shannon,
in our design we have a reverse proxy colocated with the gorouter. [1] While we can clearly reencrypt data going over loopback TCP (or Unix sockets :D) to the gorouter... it sounds a little bit overkill.

[1] https://github.com/cloudfoundry/gorouter/issues/110#issuecomment-169204139

Hi Carlo,

Thank you for letting us know, I wasn't aware of this.

With this limitation in mind, an upstream component could still terminate
TLS, but couldn't Gorouter also? Although I recognize the limitation, it's
worth noting that many operators have asked to secure more of the legs on
the way to the app, not fewer. Supporting a secure connection from the LB
to Gorouter has been a priority for us. A few things we're working on:

- A frequently requested deployment model has been to pass the TCP
connection through at the LB and terminate at Gorouter but until recently
this was not supported as internal components (UAA and apps) rely on
X-Forwarded-Proto to enforce secure external requests and Gorouter was not
appending it if it wasn't present. We've addressed that for the next
release.
- With TCP routing, we will be able to terminate TLS connections at the
app.
- We'll be putting a bunch of effort soon into exploring performance
improvement of SSL termination in Gorouter

Best,

Shannon Coen
Product Manager, Cloud Foundry
Pivotal, Inc.

On Tue, Feb 2, 2016 at 5:43 PM, Ferraris, Carlo | Carlo | OPS <
carlo.ferraris(a)rakuten.com> wrote:

Just my two cents: right now HTTP/2 support in Go 1.6 does not include
support for h2c (HTTP/2 over TCP) [1]. It only supports h2 (HTTP/2 over
TLS). So basically SSL termination before the gorouter won’t be possible
(unless somebody implements h2c in gorouter).



[1] https://github.com/golang/go/issues/14141

Just my two cents: right now HTTP/2 support in Go 1.6 does not include support for h2c (HTTP/2 over TCP) [1]. It only supports h2 (HTTP/2 over TLS). So basically SSL termination before the gorouter won't be possible (unless somebody implements h2c in gorouter).

[1] https://github.com/golang/go/issues/14141

We will certainly be exploring what golang 1.6 means for http2 support in
Gorouter.

Shannon Coen
Product Manager, Cloud Foundry
Pivotal, Inc.

On Mon, Feb 1, 2016 at 5:35 PM, Gwenn Etourneau <getourneau(a)pivotal.io>
wrote:

Putting scoen(a)pivotal.io in the loop.



On Tue, Feb 2, 2016 at 10:34 AM, Gwenn Etourneau <getourneau(a)pivotal.io>
wrote:

There is plan to support 1.6 for the GoRouter
https://twitter.com/shalako/status/692570344595570688
No sure if this include http2.



On Tue, Feb 2, 2016 at 10:17 AM, taichi nakashima <nsd22843(a)gmail.com>
wrote:

Hi

I'm also interesting this topic. Since Go1.6 will support h2 in std lib
by default, is there any plans gorouter supports it ?

--
Taichi Nakashima

2016年2月2日(火) 8:09 Daniel Mikusa <dmikusa(a)pivotal.io>:

I think this question could be better worded as, what are the plans for
HTTP/2 support in Cloud Foundry?

Dan


On Feb 1, 2016, at 5:09 PM, Amit Gupta <agupta(a)pivotal.io> wrote:

Hi Yusuf,

This mailing list is for discussions about the open source Cloud
Foundry project. For questions about Pivotal Web Services, please have a
look at https://support.run.pivotal.io/home.

Best,
Amit

On Mon, Feb 1, 2016 at 1:40 PM, Yusuf Tor <yusuf(a)yusuftor.co.uk> wrote:

Hi,

Just wondering if there are any plans for HTTP/2 support being added
to Pivotal Web Services?

Thanks

Putting scoen(a)pivotal.io in the loop.



On Tue, Feb 2, 2016 at 10:34 AM, Gwenn Etourneau <getourneau(a)pivotal.io>
wrote:

There is plan to support 1.6 for the GoRouter
https://twitter.com/shalako/status/692570344595570688
No sure if this include http2.



On Tue, Feb 2, 2016 at 10:17 AM, taichi nakashima <nsd22843(a)gmail.com>
wrote:

Hi

I'm also interesting this topic. Since Go1.6 will support h2 in std lib
by default, is there any plans gorouter supports it ?

--
Taichi Nakashima

2016年2月2日(火) 8:09 Daniel Mikusa <dmikusa(a)pivotal.io>:

I think this question could be better worded as, what are the plans for
HTTP/2 support in Cloud Foundry?

Dan


On Feb 1, 2016, at 5:09 PM, Amit Gupta <agupta(a)pivotal.io> wrote:

Hi Yusuf,

This mailing list is for discussions about the open source Cloud Foundry
project. For questions about Pivotal Web Services, please have a look at
https://support.run.pivotal.io/home.

Best,
Amit

On Mon, Feb 1, 2016 at 1:40 PM, Yusuf Tor <yusuf(a)yusuftor.co.uk> wrote:

Hi,

Just wondering if there are any plans for HTTP/2 support being added to
Pivotal Web Services?

Thanks

There is plan to support 1.6 for the GoRouter
https://twitter.com/shalako/status/692570344595570688
No sure if this include http2.



On Tue, Feb 2, 2016 at 10:17 AM, taichi nakashima <nsd22843(a)gmail.com>
wrote:

Hi

I'm also interesting this topic. Since Go1.6 will support h2 in std lib by
default, is there any plans gorouter supports it ?

--
Taichi Nakashima

2016年2月2日(火) 8:09 Daniel Mikusa <dmikusa(a)pivotal.io>:

I think this question could be better worded as, what are the plans for
HTTP/2 support in Cloud Foundry?

Dan


On Feb 1, 2016, at 5:09 PM, Amit Gupta <agupta(a)pivotal.io> wrote:

Hi Yusuf,

This mailing list is for discussions about the open source Cloud Foundry
project. For questions about Pivotal Web Services, please have a look at
https://support.run.pivotal.io/home.

Best,
Amit

On Mon, Feb 1, 2016 at 1:40 PM, Yusuf Tor <yusuf(a)yusuftor.co.uk> wrote:

Hi,

Just wondering if there are any plans for HTTP/2 support being added to
Pivotal Web Services?

Thanks

Hi

I'm also interesting this topic. Since Go1.6 will support h2 in std lib by
default, is there any plans gorouter supports it ?

--
Taichi Nakashima

2016年2月2日(火) 8:09 Daniel Mikusa <dmikusa(a)pivotal.io>:

I think this question could be better worded as, what are the plans for HTTP/2 support in Cloud Foundry?

Dan

Hi Yusuf,

This mailing list is for discussions about the open source Cloud Foundry
project. For questions about Pivotal Web Services, please have a look at
https://support.run.pivotal.io/home.

Best,
Amit

Hi,

Just wondering if there are any plans for HTTP/2 support being added to Pivotal Web Services?

Thanks