Fixed HTTP/2 support for the proxy middleware (#1300)

* Fixed HTTP/2 support for the proxy middleware

http.Transport instances whose TLSClientConfig, Dial, or DialTLS field
is non-nil will be configured without HTTP/2 support by default.

This commit adds the proper calls to http2.ConfigureTransport()
everywhere a http.Transport is created and thus fixes HTTP/2 in the
proxy middleware whenever insecure_skip_verify or keepalive is provided.

* Added HTTP/2 support check to TestReverseProxyInsecureSkipVerify

caddyhttp/proxy/proxy_test.go

@@ -3,6 +3,7 @@ package proxy
 import (
 	"bufio"
 	"bytes"
+	"crypto/tls"
 	"fmt"
 	"io"
 	"io/ioutil"
@@ -26,6 +27,17 @@ import (
 	"golang.org/x/net/websocket"
 )
 
+// This is a simple wrapper around httptest.NewTLSServer()
+// which forcefully enables (among others) HTTP/2 support.
+// The httptest package only supports HTTP/1.1 by default.
+func newTLSServer(handler http.Handler) *httptest.Server {
+	ts := httptest.NewUnstartedServer(handler)
+	ts.TLS = new(tls.Config)
+	ts.TLS.NextProtos = []string{"h2"}
+	ts.StartTLS()
+	return ts
+}
+
 func TestReverseProxy(t *testing.T) {
 	log.SetOutput(ioutil.Discard)
 	defer log.SetOutput(os.Stderr)
@@ -69,8 +81,10 @@ func TestReverseProxyInsecureSkipVerify(t *testing.T) {
 	defer log.SetOutput(os.Stderr)
 
 	var requestReceived bool
-	backend := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+	var requestWasHTTP2 bool
+	backend := newTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		requestReceived = true
+		requestWasHTTP2 = r.ProtoAtLeast(2, 0)
 		w.Write([]byte("Hello, client"))
 	}))
 	defer backend.Close()
@@ -90,6 +104,9 @@ func TestReverseProxyInsecureSkipVerify(t *testing.T) {
 	if !requestReceived {
 		t.Error("Even with insecure HTTPS, expected backend to receive request, but it didn't")
 	}
+	if !requestWasHTTP2 {
+		t.Error("Even with insecure HTTPS, expected proxy to use HTTP/2")
+	}
 }
 
 func TestWebSocketReverseProxyNonHijackerPanic(t *testing.T) {

caddyhttp/proxy/reverseproxy.go

@@ -22,6 +22,8 @@ import (
 	"sync"
 	"time"
 
+	"golang.org/x/net/http2"
+
 	"github.com/mholt/caddy/caddyhttp/httpserver"
 )
 
@@ -132,7 +134,7 @@ func NewSingleHostReverseProxy(target *url.URL, without string, keepalive int) *
 		// if keepalive is equal to the default,
 		// just use default transport, to avoid creating
 		// a brand new transport
-		rp.Transport = &http.Transport{
+		transport := &http.Transport{
 			Proxy: http.ProxyFromEnvironment,
 			Dial: (&net.Dialer{
 				Timeout:   30 * time.Second,
@@ -142,10 +144,12 @@ func NewSingleHostReverseProxy(target *url.URL, without string, keepalive int) *
 			ExpectContinueTimeout: 1 * time.Second,
 		}
 		if keepalive == 0 {
-			rp.Transport.(*http.Transport).DisableKeepAlives = true
+			transport.DisableKeepAlives = true
 		} else {
-			rp.Transport.(*http.Transport).MaxIdleConnsPerHost = keepalive
+			transport.MaxIdleConnsPerHost = keepalive
 		}
+		http2.ConfigureTransport(transport)
+		rp.Transport = transport
 	}
 	return rp
 }
@@ -155,7 +159,7 @@ func NewSingleHostReverseProxy(target *url.URL, without string, keepalive int) *
 // since this transport skips verification.
 func (rp *ReverseProxy) UseInsecureTransport() {
 	if rp.Transport == nil {
-		rp.Transport = &http.Transport{
+		transport := &http.Transport{
 			Proxy: http.ProxyFromEnvironment,
 			Dial: (&net.Dialer{
 				Timeout:   30 * time.Second,
@@ -164,6 +168,8 @@ func (rp *ReverseProxy) UseInsecureTransport() {
 			TLSHandshakeTimeout: 10 * time.Second,
 			TLSClientConfig:     &tls.Config{InsecureSkipVerify: true},
 		}
+		http2.ConfigureTransport(transport)
+		rp.Transport = transport
 	} else if transport, ok := rp.Transport.(*http.Transport); ok {
 		transport.TLSClientConfig = &tls.Config{InsecureSkipVerify: true}
 	}