Does Varnish 5.0 Support HTTP/2 for Backend Connections?


I have the following infrastructure:

80  ->  Varnish -> Backend (NGINX, port 8080)
443 ->  NGINX (SSL-Termination with HTTP/2 enabled) -> Varnish -> Backend (NGINX, port 8080)

I know that it is possible to enable HTTP/2 protocol for frontend connections using the -p feature=+http2 parameter for Varnish (port 80), but what about the backend connections? varnishlog -b shows me that all of the backend communication is performed using HTTP/1.0 and HTTP/1.1.

I would be very pleased if someone could tell me what common practice is regarding Varnish and NGINX:

  • Is it possible to enable HTTP/2 for the backend connections?
  • Does it make any sense to do so regarding performance?
  • Does it make sense regarding performance to keep the -p feature=+http2 parameter enabled for the 443 -> NGINX (SSL-Termination with HTTP/2 enabled) -> Varnish communication in terms of performance?

Regarding the backend communication (which is not encrypted): I know that HTTP/2 is bound to TLS encryption, but maybe there is some tweak I haven't heard about, so that's why I think it is better to ask in order to be 100% sure. Thanks for your understanding.

Best Answer

@Michael Hampton's answer is missing some points so here it goes:

Varnish is the one software that does HTTP/2 in a Hitch+Varnish combo, but most browsers require a TLS connection in order for HTTP/2 to work. That is, a TLS connection is required for HTTP/2; it's a base requirement nowadays.

Varnish Plus does support TLS, while Varnish open source doesn't.

As for the answers:

  • No, it is not possible to enable HTTP/2 for backend connections
  • It does not make any sense to do so regarding performance. The primary benefit of HTTP/2 is request multiplexing. It is not needed / not possible unless Varnish was able to parse HTML and then request all assets in parallel from backend, over HTTP/2. Nobody wants to make Varnish a browser :) as it's fine the way it is
  • No, it does not make sense regarding performance to keep the -p feature=+http2 parameter enabled for the 443 -> NGINX (SSL-Termination with HTTP/2 enabled). Because NGINX simply won't talk HTTP/2 to its backend (Varnish), similar to how Varnish won't talk HTTP/2 to its backend (NGINX+PHP-FPM for example), because it doesn't make sense (see earlier point).

That said:

  • It does make sense to keep -p feature=+http2 in a Hitch + Varnish combo.
  • It would also make sense to keep -p feature=+http2 in an NGINX (stream) + Varnish combo IF NGINX's stream module had support for ALPN protocol negotiation. But it doesn't. So it can't terminate TLS "properly" for HTTP/2 to work.
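
The Hitch + Varnish combination named in the answer, sketched as an added example that is not part of the original question or answer. The listen addresses, the loopback port 8443, the PEM path and the VCL path are assumptions; only -p feature=+http2 and the NGINX backend on port 8080 come from the page.

```ini
# hitch.conf (added example; addresses, ports and file paths are assumptions)

# Public TLS listener. Hitch terminates TLS and negotiates the application
# protocol with the browser through ALPN.
frontend = "[*]:443"

# Certificate and private key in a single PEM file (hypothetical path).
pem-file = "/etc/hitch/example.pem"

# Offer HTTP/2 first, with HTTP/1.1 as the fallback for clients without h2.
alpn-protos = "h2, http/1.1"

# Decrypted traffic is handed to a loopback-only Varnish listener.
backend = "[127.0.0.1]:8443"

# PROXY protocol v2 passes the real client address on to Varnish.
write-proxy-v2 = on

# Matching varnishd listeners (command line, shown here for reference):
#   varnishd -a :80 -a 127.0.0.1:8443,PROXY -p feature=+http2 \
#            -f /etc/varnish/default.vcl
#
# The 8443 listener is bound to loopback because the Hitch-to-Varnish hop is
# cleartext and a PROXY listener trusts whatever client address it is given.
# Fetches from Varnish to the NGINX backend on port 8080 stay on HTTP/1.x,
# as the answer describes.
```

With this layout `varnishlog -b` still reports HTTP/1.x for backend requests; only the client-facing side negotiates h2.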