Setting up HTTP2/h2c/gRPC with Traefik v2 and PHP-FPM

I’m trying to enable HTTP2 (also referred to as h2c/gRPC depending on context). My platform is Kubernetes and everything is set up as a container.

  1. My ingress is managed by traefik v2 and it already has Let’s Encrypt set up and working correctly.
  2. Because I’m using FPM-PHP, I have an nginx container which is proxying the results to the actual nextcloud container. Since traefik does the SSL termination, traefik communicates with the nginx container over port 80 and the nginx has the upstream php provider set to the nextcloud container on port 9000.

The above is working correctly and I can access it over the internet with the correct certificates. My working nginx.conf is here. My working traefik IngressRoute is here.

Now I want to enable HTTP2. In traefik that should already be essentially ready to go; it seems like all I need to add to the IngressRoute is scheme h2c:

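```yaml
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: nextcloud
  namespace: nextcloud
spec:
  entryPoints:
    - websecure
  routes:
  - match: Host(``)
    kind: Rule
    services:
    - name: nginx-next
      port: 443
      scheme: h2c
  tls:
    certResolver: default
```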

The issue I have is that on nginx, in order to enable http2, you have to have it listen on port 443 and use ssl, which also requires the use of certificates. I experimented with changing the listen directive to this:

```nginx
listen 443 ssl http2;
listen [::]:443 ssl http2;
```

but by itself it failed because it needs a certificate if you have ssl enabled. I then tried to give it a self-signed certificate, but that is giving me an “internal server error” with the following logs:

Nginx:

```
- - [16/Jan/2020:22:24:10 +0000] "PRI * HTTP/2.0" 400 157 "-" "-" "-"
- - [16/Jan/2020:22:24:21 +0000] "PRI * HTTP/2.0" 400 157 "-" "-" "-"
```

Traefik logs don’t show any errors.

Does anyone have a guide to setting up http2 when using a reverse proxy and also a separate nginx proxy for FPM?
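
What the `PRI * HTTP/2.0` 400 entries above indicate, as an added example that is not part of the original posts: that request line is the start of the HTTP/2 client connection preface (RFC 7540 section 3.5), so the proxy's HTTP/2 bytes reached a listener that parsed them as an HTTP/1.x request rather than as the start of an HTTP/2 connection. The function names and the third sample log line are constructed for illustration.

```python
import re

# RFC 7540 section 3.5: every HTTP/2 connection opens with this client preface.
H2_PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"

# Timestamp, request line and status as laid out in the access-log lines above.
LOG_RE = re.compile(r'\[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) ')
HTTP1_RE = re.compile(rb"^[A-Z]+ \S+ HTTP/1\.[01]\r\n")


def classify_first_bytes(data: bytes) -> str:
    """Name the protocol a client is speaking from the first bytes it sends."""
    if len(data) >= 2 and data[0] == 0x16 and data[1] == 0x03:
        return "tls"    # TLS handshake record; HTTP/2 would be chosen via ALPN
    if data.startswith(H2_PREFACE[:16]):
        return "h2c"    # cleartext HTTP/2 with prior knowledge
    if HTTP1_RE.match(data):
        return "http1"
    return "unknown"


def preface_hits(lines):
    """Timestamps of entries where the HTTP/2 preface was rejected as a request."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if m and m["req"] == "PRI * HTTP/2.0" and m["status"].startswith("4"):
            hits.append(m["ts"])
    return hits


# First two lines are from the post; the third is constructed for contrast.
SAMPLE_LOG = [
    '- - [16/Jan/2020:22:24:10 +0000] "PRI * HTTP/2.0" 400 157 "-" "-" "-"',
    '- - [16/Jan/2020:22:24:21 +0000] "PRI * HTTP/2.0" 400 157 "-" "-" "-"',
    '10.0.0.5 - - [16/Jan/2020:22:25:02 +0000] "GET /status.php HTTP/1.1" 200 312 "-" "curl" "-"',
]

if __name__ == "__main__":
    for ts in preface_hits(SAMPLE_LOG):
        print(f"{ts}: HTTP/2 preface parsed as an HTTP/1.x request")
    print(classify_first_bytes(H2_PREFACE))
```
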

Did you succeed? I am interested in this setup too :wink: