I'm looking into the possibility of using Windows Server 2016 for a group of web servers which are behind a load balancer that uses SSL offloading.
For me, the biggest advantage of Windows Server 2016 over 2012 is that the HTTP/2 protocol can be used. However, because HTTP/2 is generally being implemented against HTTPS I'm concerned that requests will not be recognised as HTTPS because they arrive as HTTP (albeit with an x-forwarded-proto header). I did look and found a few resources on it but there isn't a lot of concrete evidence.
Does anyone know if IIS will support this setup and still send the response over HTTP/2, or will all traffic simply fall back to HTTP/1.1? Is there a way to configure/trick (!) IIS into using HTTP/2 on a request which may look unsecure?
Thanks.
Edit: To clarify, the load balancer will send x-forwarded-proto: https to the server, but the requesting application sees it as unsecure because of the SSL offloading.
This is somewhat unclear. It seems like you wish to issue an http: call containing X-Forwarded-Protocol: https and have it treated as https:? This is doubtful as the resource you quoted says: "IIS currently supports HTTP/2 only over TLS". But it should be easy enough to test this on a WS2016 VM. – harrymc – 2017-08-04T12:15:39.297

If Windows Server 2012 supports HTTP/2 then 2016 supports it. Only TLS 1.2+ is considered secure. Going forward that's the only cipher suite you should use. – Ramhound – 2017-08-04T12:15:58.070

@harrymc No, the x-forwarded-proto header has the value https, indicating that the origin request is HTTPS. However, when the web server sees the request, the requesting URL will have the HTTP protocol. – Dan Atkinson – 2017-08-04T12:29:23.813

@Ramhound That is not correct. Windows Server 2012 does not support HTTP/2. It's only available with Windows 10 and Server 2016. You can see the list of supported Windows platforms for HTTP/2 here. – Dan Atkinson – 2017-08-04T12:31:24.587

You are reiterating that you will issue an http: URL with X-Forwarded-Protocol: https. I repeat that this is doubtful and only a test will tell. – harrymc – 2017-08-04T12:42:20.177

@harrymc If my test fails, that doesn't mean that there is conclusively no way of doing it, only that it doesn't support it out of the box. There may be another way of doing it, which my test would not show, hence why I'm here, asking this question! – Dan Atkinson – 2017-08-04T12:45:29.053

And if it succeeds? I must say that X-Forwarded-Protocol seems like a security hole, basically just a "trust me" flag. You might need to turn off some safeguards (example). – harrymc – 2017-08-04T14:20:05.597

@harrymc Forgive me if I'm wrong but your example relates to the MitM attack used with x-forwarded-for and doesn't have anything to do with x-forwarded-proto. I'm also not sure what such an attack vector would be for this? Please could you enlighten me? – Dan Atkinson – 2017-08-04T14:30:08.933

That was just an example. I don't have any experience with it and there is absolutely no documentation. You are breaking new grounds there. – harrymc – 2017-08-04T15:05:03.703

Err... Wasn't expecting to see this message. Never mind. No need to join me in chat! Let us continue this discussion in chat. – Dan Atkinson – 2017-08-04T15:14:44.890
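The comments above call X-Forwarded-Proto a "trust me" flag, and that is exactly the defensive point: an application should believe the header only when the TCP peer is the load balancer, because any client that can reach a web server directly can put x-forwarded-proto: https on a plain-HTTP request. The following Python function is an added example, not code from the question, from IIS, or from any commenter; the trusted subnet 10.0.0.0/24 and the sample requests are constructed assumptions standing in for a real load balancer address range.

```python
from ipaddress import ip_address, ip_network
from typing import Mapping, Sequence

# Hypothetical load-balancer subnet (constructed); replace with the real LB addresses.
TRUSTED_PROXIES = [ip_network("10.0.0.0/24")]


def effective_scheme(peer_ip: str, connection_scheme: str,
                     headers: Mapping[str, str],
                     trusted_proxies: Sequence = TRUSTED_PROXIES) -> str:
    """Return the scheme the application should treat this request as using.

    X-Forwarded-Proto is honoured only when the connecting peer is one of the
    trusted proxies. For any other peer the header is ignored and the real
    connection scheme is returned, so a direct client cannot upgrade itself.
    """
    actual = connection_scheme.lower()
    peer = ip_address(peer_ip)
    if not any(peer in net for net in trusted_proxies):
        return actual

    # Header names are case-insensitive; normalise before the lookup.
    lowered = {name.lower(): value for name, value in headers.items()}
    raw = lowered.get("x-forwarded-proto")
    if raw is None:
        return actual

    # Some proxy chains append one value per hop; the first token is the
    # client-facing one (assumption about chain order, as with X-Forwarded-For).
    first = raw.split(",")[0].strip().lower()
    if first not in ("http", "https"):
        return actual  # reject anything that is not a known scheme
    return first


def is_secure(peer_ip: str, connection_scheme: str,
              headers: Mapping[str, str]) -> bool:
    """Convenience wrapper: True when the request should be treated as HTTPS."""
    return effective_scheme(peer_ip, connection_scheme, headers) == "https"


# Constructed sample requests: (description, peer IP, scheme on the wire, headers).
SAMPLE_REQUESTS = [
    ("from LB, offloaded TLS", "10.0.0.7", "http", {"X-Forwarded-Proto": "https"}),
    ("direct client forging header", "203.0.113.5", "http", {"X-Forwarded-Proto": "https"}),
    ("from LB, no header", "10.0.0.7", "http", {}),
    ("from LB, multi-hop value", "10.0.0.7", "http", {"x-forwarded-proto": "HTTPS, http"}),
    ("from LB, bogus value", "10.0.0.7", "http", {"X-Forwarded-Proto": "gopher"}),
]


def classify_samples() -> list:
    """Run every constructed sample through effective_scheme."""
    return [(desc, effective_scheme(ip, scheme, hdrs))
            for desc, ip, scheme, hdrs in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for desc, scheme in classify_samples():
        print(f"{desc:32} -> treat as {scheme}")
```

This decides only how the application interprets the request scheme (for redirects, secure cookies, and similar checks); it does not change which protocol version the server negotiates on the wire, which for HTTP/2 over TLS happens in the TLS handshake between client and load balancer.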