Envoy not serving ALPN, http2 over https to web browsers #168

@cmaloney

Envoy supports http2, and browsers request it via ALPN, but currently Envoy as configured via Contour doesn't offer any protocols via ALPN, so clients fall back to http/1.1 (sample below using curl).

Based on the Envoy docs (https://www.envoyproxy.io/docs/envoy/latest/api-v2/sds.proto#commontlscontext), alpn_protocols should be set to h2,http/1.1. I'd probably say do it on all TLS contexts by default, although it would probably be most sane to also make an annotation to override it.

```
$ curl -v --http2 https://app.example.com
* Rebuilt URL to: https://app.example.com/
*   Trying 1.2.3.4...
* TCP_NODELAY set
* Connected to app.example.com (1.2.3.4) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-CHACHA20-POLY1305
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: CN=app.example.com
*  start date: Jan 17 01:03:39 2018 GMT
*  expire date: Apr 17 01:03:39 2018 GMT
*  subjectAltName: host "app.example.com" matched cert's "app.example.com"
*  issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
*  SSL certificate verify ok.
> GET / HTTP/1.1
> Host: app.example.com
> User-Agent: curl/7.57.0
> Accept: */*
> 
< HTTP/1.1 200 OK
< content-type: text/html; charset=UTF-8
< date: Thu, 18 Jan 2018 23:51:10 GMT
< x-envoy-upstream-service-time: 0
< server: envoy
< transfer-encoding: chunked
< 
```

Labels: kind/bug (Categorizes issue or PR as related to a bug.)