3

I'm looking into the possibility of using Windows Server 2016 for a group of web servers which are behind a load balancer that uses SSL offloading.

For me, the biggest advantage of Windows Server 2016 over 2012 is that the HTTP/2 protocol can be used. However, because HTTP/2 is generally being implemented against HTTPS, I'm concerned that requests will not be recognised as HTTPS because they arrive as HTTP (albeit with an x-forwarded-proto header). I did look and found a few resources on it, but there isn't a lot of concrete evidence.

Does anyone know if IIS will support this setup and still send the response over HTTP/2, or will all traffic simply fall back to HTTP/1.1? Is there a way to configure/trick (!) IIS into using HTTP/2 on a request which may look insecure?

Thanks.

Edit: To clarify, the load balancer will send x-forwarded-proto:https to the server, but the requesting application sees it as insecure because of the SSL offloading.

1 Answer

3

As pointed out in the blog post you linked (and confirmed when it turned into official docs here), IIS will only use the HTTP/2 protocol when a TLS connection has been established to the IIS server.

As implemented today in IIS 10, HTTP/2 is identified by using ALPN during the TLS handshake. If there's neither ALPN nor TLS, there will be no HTTP/2. See this BUILD talk from 2015 starting at about 5'06" and keep in mind that IIS does not implement the HTTP/1.1 upgrade mechanism (as stated at 8'46" in the video).

In your scenario, it's almost certainly the case that the load balancer will establish clear TCP connections and send HTTP/1.1 requests to the back-end servers. By the time IIS can even see the x-forwarded-proto header, the connection has already been established and the HTTP/1.1 protocol has already been identified.

Now, it's possible that your load balancer can support HTTP/2 itself, so your end users' browsers will be able to multiplex requests and responses with the load balancer while it translates those to HTTP/1.1 requests and responses to your back-end servers.

It's also possible that your load balancer could establish TLS connections to the back-end servers and use HTTP/2, but this would mostly defeat the point of SSL offloading.

Mike Schenk
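The distinction the answer draws (ALPN inside the TLS handshake versus an x-forwarded-proto header inside a cleartext HTTP/1.1 request) can be made concrete by looking at the first bytes a back-end server receives on a connection. The following Python script is an added example and is not part of the original question or answer, nor is it IIS code: it builds a constructed, minimal TLS ClientHello (zeroed random, one cipher suite), extracts the ALPN protocol list from it, and contrasts that with a constructed cleartext request carrying X-Forwarded-Proto. The function names (`build_client_hello`, `parse_alpn`, `backend_view`) and the sample values are assumptions made for this illustration; the record and extension layout follows RFC 5246 and RFC 7301.

```python
import struct

ALPN_EXT_TYPE = 0x0010  # RFC 7301 extension id for application_layer_protocol_negotiation


def build_client_hello(alpn=None):
    """Constructed minimal TLS 1.2 ClientHello (not captured from a real client)."""
    body = b"\x03\x03" + bytes(32)                 # client_version, 32-byte random (zeros: constructed)
    body += b"\x00"                                # empty session_id
    body += struct.pack("!H", 2) + b"\xc0\x2f"     # one cipher suite (TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256)
    body += b"\x01\x00"                            # compression_methods: null only
    exts = b""
    if alpn:
        names = b"".join(bytes([len(p)]) + p.encode("ascii") for p in alpn)
        data = struct.pack("!H", len(names)) + names
        exts += struct.pack("!HH", ALPN_EXT_TYPE, len(data)) + data
    body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # type=client_hello, 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_alpn(record):
    """Return the ALPN names offered in a ClientHello record, [] if none, None if not TLS."""
    if len(record) < 5 or record[0] != 0x16:
        return None                                # not a TLS handshake record
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if not hs or hs[0] != 0x01:
        return None                                # handshake present but not a ClientHello
    p = 4 + 2 + 32                                 # handshake header, client_version, random
    p += 1 + hs[p]                                 # session_id
    p += 2 + struct.unpack("!H", hs[p:p + 2])[0]   # cipher_suites
    p += 1 + hs[p]                                 # compression_methods
    if p + 2 > len(hs):
        return []                                  # no extensions block at all
    ext_len = struct.unpack("!H", hs[p:p + 2])[0]
    p += 2
    end = p + ext_len
    names = []
    while p + 4 <= end:
        etype, elen = struct.unpack("!HH", hs[p:p + 4])
        p += 4
        if etype == ALPN_EXT_TYPE:
            q = p + 2                              # skip protocol_name_list length
            while q < p + elen:
                n = hs[q]
                names.append(hs[q + 1:q + 1 + n].decode("ascii"))
                q += 1 + n
        p += elen
    return names


def backend_view(first_bytes):
    """What a back-end server can learn from the first bytes of an inbound connection.

    With TLS, the ALPN list decides whether HTTP/2 is even possible. In cleartext the
    request is HTTP/1.1 already; X-Forwarded-Proto only tells the app what the
    client-facing side looked like, it cannot change the protocol on this hop.
    """
    alpn = parse_alpn(first_bytes)
    if alpn is not None:
        return {"transport": "tls", "alpn": alpn, "h2_possible": "h2" in alpn,
                "x_forwarded_proto": None}
    head = first_bytes.split(b"\r\n\r\n", 1)[0].decode("latin-1", "replace")
    xfp = None
    for line in head.split("\r\n")[1:]:            # skip the request line
        name, _, value = line.partition(":")
        if name.strip().lower() == "x-forwarded-proto":
            xfp = value.strip().lower()
    return {"transport": "cleartext", "alpn": [], "h2_possible": False,
            "x_forwarded_proto": xfp}


# Constructed samples: what a browser offers to the load balancer, and what the
# load balancer forwards to the back-end after SSL offloading.
BROWSER_HELLO = build_client_hello(alpn=["h2", "http/1.1"])
OFFLOADED_REQUEST = (b"GET / HTTP/1.1\r\nHost: www.example.com\r\n"
                     b"X-Forwarded-Proto: https\r\nX-Forwarded-For: 203.0.113.7\r\n\r\n")

if __name__ == "__main__":
    print("front side :", backend_view(BROWSER_HELLO))
    print("back-end   :", backend_view(OFFLOADED_REQUEST))
```

Run against a real ClientHello captured from the back-end side (for example the first packet of a connection dumped to a file), `parse_alpn` tells you whether the load balancer offers "h2" at all on that hop; if the connection arrives in cleartext, `backend_view` reports what the answer states, that the protocol is already HTTP/1.1 regardless of the forwarded header.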