)]}'
{"templates/service.j2":[{"author":{"_account_id":32666,"name":"Damian Dąbrowski","email":"damian@dabrowski.cloud","username":"ddabrowski"},"change_message_id":"c4259200e87d69adb0698b3bc676667789b602dc","unresolved":true,"context_lines":[{"line_number":53,"context_line":"{% else %}"},{"line_number":54,"context_line":"{% set haproxy_ssl_path\u003dhaproxy_ssl_cert_path + \"/haproxy_\" + (haproxy_host | default(ansible_facts[\u0027hostname\u0027])) + \"-\" + ((vip_interface is truthy) | ternary(vip_address ~ \u0027-\u0027 ~ vip_interface, vip_address)) + \".pem\" %}"},{"line_number":55,"context_line":"frontend {{ service.haproxy_service_name }}-front-{{ loop.index }}"},{"line_number":56,"context_line":"    bind {{ vip_address }}:{{ service.haproxy_port }}{{ (vip_interface is truthy) | ternary(\u0027 interface \u0027 ~ vip_interface, \u0027\u0027) }} {% if (service.haproxy_ssl | default(false) | bool) and (loop.index \u003d\u003d 1 or vip_address in extra_lb_tls_vip_addresses or (service.haproxy_ssl_all_vips | default(false) | bool and vip_address not in extra_lb_vip_addresses)) %}ssl crt {{ service.haproxy_ssl_path | default(haproxy_ssl_path) }}{% if service.haproxy_frontend_h2 | default(False) and request_option \u003d\u003d \"http\" %} alpn h2,http/1.1{% endif %}{% else %}{% if service.haproxy_frontend_h2 | default(False) and request_option \u003d\u003d \"http\"%} proto h2{% endif %}{% endif %}"},{"line_number":57,"context_line":""},{"line_number":58,"context_line":"{% if request_option \u003d\u003d \"http\" %}"},{"line_number":59,"context_line":"    option httplog"}],"source_content_type":"text/x-jinja2","patch_set":2,"id":"56321d5f_696bd4b4","line":56,"updated":"2023-08-17 21:28:22.000000000","message":"maybe I don\u0027t understand it correctly, but does it set http/2 protocol for non-tls frontends?\n\nI\u0027m not sure if it\u0027s a good idea because(correct me if i\u0027m wrong) all browsers do not support HTTP/2 without TLS[1].\n\n[1] https://stackoverflow.com/questions/46788904/why-do-web-browsers-not-support-h2c-http-2-without-tls\n\nit\u0027s from 2017 so something might have changed since that time","commit_id":"2e499c045b35787d1e16f1bdf09593730f36b585"},{"author":{"_account_id":28619,"name":"Dmitriy Rabotyagov","email":"noonedeadpunk@gmail.com","username":"noonedeadpunk"},"change_message_id":"c2370e7a75e24bfbfba2505e3a09efbe73ad473d","unresolved":true,"context_lines":[{"line_number":53,"context_line":"{% else %}"},{"line_number":54,"context_line":"{% set haproxy_ssl_path\u003dhaproxy_ssl_cert_path + \"/haproxy_\" + (haproxy_host | default(ansible_facts[\u0027hostname\u0027])) + \"-\" + ((vip_interface is truthy) | ternary(vip_address ~ \u0027-\u0027 ~ vip_interface, vip_address)) + \".pem\" %}"},{"line_number":55,"context_line":"frontend {{ service.haproxy_service_name }}-front-{{ loop.index }}"},{"line_number":56,"context_line":"    bind {{ vip_address }}:{{ service.haproxy_port }}{{ (vip_interface is truthy) | ternary(\u0027 interface \u0027 ~ vip_interface, \u0027\u0027) }} {% if (service.haproxy_ssl | default(false) | bool) and (loop.index \u003d\u003d 1 or vip_address in extra_lb_tls_vip_addresses or (service.haproxy_ssl_all_vips | default(false) | bool and vip_address not in extra_lb_vip_addresses)) %}ssl crt {{ service.haproxy_ssl_path | default(haproxy_ssl_path) }}{% if service.haproxy_frontend_h2 | default(False) and request_option \u003d\u003d \"http\" %} alpn h2,http/1.1{% endif %}{% else %}{% if service.haproxy_frontend_h2 | default(False) and request_option \u003d\u003d \"http\"%} proto h2{% endif %}{% endif %}"},{"line_number":57,"context_line":""},{"line_number":58,"context_line":"{% if request_option \u003d\u003d \"http\" %}"},{"line_number":59,"context_line":"    option httplog"}],"source_content_type":"text/x-jinja2","patch_set":2,"id":"573c2f59_b61aef58","line":56,"in_reply_to":"56321d5f_696bd4b4","updated":"2023-08-22 13:52:30.000000000","message":"Yes, it does enable h2 withough TLS. Though according to my test, even native curl does support it.\n\nThough I am not proposing to add it by default. As https://review.opendev.org/c/openstack/openstack-ansible/+/891575 enables HTTP/2 only in case when all VIPs are covered with TLS.\n\nThough I can imagine that some ppl might want to enable HTTP/2 regardless. So if you don\u0027t enable TLS and supply `haproxy_frontend_h2: True` to the service - it\u0027s on you.","commit_id":"2e499c045b35787d1e16f1bdf09593730f36b585"}]}
