GitLab

Initial cleanup phase: all components used in the HTTP pass thru traffic shall be interconnected with the highest possible HTTP protocol:

• frontend haproxy
• ATS
• backend haproxy

The shall use SSL with locally generated certificates from local partition.

Tasks:

• make local caucase on each frontend node
• replace existing self-signed certificates with caucase ones
• make connection between frontend, ATS and backend haproxy on SSL, only one link
• make https-url really working
  • if url is present too then if present use it for requests incoming with X-Forwarded-Proto: https
  • otherwise use just like url, but emit warning
  • if https-only is true emit warning
  • do NOT make it passing differently via cluster
  • pass through the URL via ATS
• use ATS correctly
  • really pass a KEY as real URL coming from the client without any manipulation, as currently it’s very messy!

Feature phase: like incoming connections, outgoing connections from backend haproxy shall use the best possible protocol, which can be downgraded per slave with parameters:

• websocket-h2
  • new parameter, by default true
• enable-backend-http2
  • new parameter, by default true

Note: haproxy does not support HTTP/3 to the backends.