diff --git a/api/api_test.go b/api/api_test.go
index b2b851df6e..d9059eab15 100644
--- a/api/api_test.go
+++ b/api/api_test.go
@@ -5,6 +5,8 @@ import (
 "net"
 "net/http"
 "testing"
+
+ "golang.org/x/net/http2"
 )
 // testHTTPServer creates a test HTTP server that handles requests until
@@ -17,6 +19,9 @@ func testHTTPServer(
 }
 server := &http.Server{Handler: handler}
+ if err := http2.ConfigureServer(server, nil); err != nil {
+ t.Fatal(err)
+ }
 go server.Serve(ln)
 config := DefaultConfig()
diff --git a/api/client.go b/api/client.go
index fa06d46cef..c7b638c794 100644
--- a/api/client.go
+++ b/api/client.go
@@ -11,6 +11,8 @@ import (
 "sync"
 "time"
+ "golang.org/x/net/http2"
+
 "github.com/hashicorp/go-cleanhttp"
 "github.com/hashicorp/go-rootcerts"
 "github.com/sethgrid/pester"
@@ -84,8 +86,7 @@ type TLSConfig struct {
 // setting the `VAULT_ADDR` environment variable.
 func DefaultConfig() *Config {
 config := &Config{
- Address: "https://127.0.0.1:8200",
-
+ Address: "https://127.0.0.1:8200",
 HttpClient: cleanhttp.DefaultClient(),
 }
 config.HttpClient.Timeout = time.Second * 60
@@ -104,7 +105,6 @@ func DefaultConfig() *Config {
 // ConfigureTLS takes a set of TLS configurations and applies those to the the HTTP client.
 func (c *Config) ConfigureTLS(t *TLSConfig) error {
-
 if c.HttpClient == nil {
 c.HttpClient = DefaultConfig().HttpClient
 }
@@ -247,6 +247,11 @@ func NewClient(c *Config) (*Client, error) {
 c.HttpClient = DefaultConfig().HttpClient
 }
+ tp := c.HttpClient.Transport.(*http.Transport)
+ if err := http2.ConfigureTransport(tp); err != nil {
+ return nil, err
+ }
+
 redirFunc := func() {
 // Ensure redirects are not automatically followed
 // Note that this is sane for the API client as it has its own
diff --git a/api/ssh_agent_test.go b/api/ssh_agent_test.go
index 915fbd48e8..dfef4b84aa 100644
--- a/api/ssh_agent_test.go
+++ b/api/ssh_agent_test.go
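Review bot: http2.ConfigureServer here only registers the server-side h2 handler and fills in server.TLSConfig, which `server.Serve(ln)` never consults; the handshake is done by the TLS listener `ln` created outside this hunk, so HTTP/2 is negotiated only if that listener's tls.Config advertises "h2" in NextProtos, and nothing in this diff shows that it does. The same applies to the ConfigureServer calls added in command/server.go, http/testing.go and the three server blocks in vault/testing.go; for command/server.go in particular it is worth confirming the production listener config, otherwise the daemon keeps speaking HTTP/1.1 and the new error path is the only visible effect. A comment such as `// Serve(ln) handshakes with the listener's TLS config; "h2" must be in its NextProtos for ConfigureServer to take effect.` next to each call would make that dependency explicit. testHTTPServer continues outside the hunk.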
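Review bot: `tp := c.HttpClient.Transport.(*http.Transport)` is an unchecked type assertion, so NewClient now panics for any caller-supplied HttpClient whose Transport is nil (a plain `&http.Client{}`) or is a custom RoundTripper wrapping the real transport, both of which NewClient accepted before this change. Use the two-value form and skip the HTTP/2 upgrade when the transport is not a *http.Transport, as below. The diff's own test edits also drop a pre-existing http2.ConfigureTransport before handing a client to NewClient, which suggests configuring the same transport twice is an error; that is a new constraint on Config.HttpClient worth stating in its field doc, e.g. `// HttpClient's *http.Transport is upgraded to HTTP/2 by NewClient; do not pre-configure it with http2.ConfigureTransport.` NewClient continues outside the hunk.
```go
	// Only a *http.Transport can be upgraded in place; leave a nil Transport
	// or a custom RoundTripper alone rather than panicking on the assertion.
	if tp, ok := c.HttpClient.Transport.(*http.Transport); ok {
		if err := http2.ConfigureTransport(tp); err != nil {
			return nil, err
		}
	}
	// … unchanged: redirFunc and the rest of NewClient …
```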
@@ -2,9 +2,9 @@ package api
 import (
 "fmt"
+ "net/http"
 "strings"
 "testing"
- "net/http"
 )
 func TestSSH_CreateTLSClient(t *testing.T) {
diff --git a/command/server.go b/command/server.go
index 31da804f84..09658b9494 100644
--- a/command/server.go
+++ b/command/server.go
@@ -16,6 +16,8 @@ import (
 "syscall"
 "time"
+ "golang.org/x/net/http2"
+
 colorable "github.com/mattn/go-colorable"
 log "github.com/mgutz/logxi/v1"
@@ -597,6 +599,10 @@ CLUSTER_SYNTHESIS_COMPLETE:
 // Initialize the HTTP server
 server := &http.Server{}
+ if err := http2.ConfigureServer(server, nil); err != nil {
+ c.Ui.Output(fmt.Sprintf("Error configuring server for HTTP/2: %s", err))
+ return 1
+ }
 server.Handler = handler
 for _, ln := range lns {
 go server.Serve(ln)
diff --git a/http/forwarding_test.go b/http/forwarding_test.go
index 17099dfb91..fdc3b76fc1 100644
--- a/http/forwarding_test.go
+++ b/http/forwarding_test.go
@@ -199,7 +199,9 @@ func testHTTP_Forwarding_Stress_Common(t *testing.T, rpc, parallel bool, num uin
 transport := &http.Transport{
 TLSClientConfig: cores[0].TLSConfig,
 }
- http2.ConfigureTransport(transport)
+ if err := http2.ConfigureTransport(transport); err != nil {
+ t.Fatal(err)
+ }
 client := &http.Client{
 Transport: transport,
@@ -499,6 +501,9 @@ func TestHTTP_Forwarding_ClientTLS(t *testing.T) {
 transport := cleanhttp.DefaultTransport()
 transport.TLSClientConfig = cores[0].TLSConfig
+ if err := http2.ConfigureTransport(transport); err != nil {
+ t.Fatal(err)
+ }
 client := &http.Client{
 Transport: transport,
@@ -558,13 +563,8 @@ func TestHTTP_Forwarding_ClientTLS(t *testing.T) {
 //time.Sleep(4 * time.Hour)
 for _, addr := range addrs {
- config := api.DefaultConfig()
- config.Address = addr
- config.HttpClient = client
- client, err := api.NewClient(config)
- if err != nil {
- t.Fatal(err)
- }
+ client := cores[0].Client
+ client.SetAddress(addr)
 secret, err := client.Logical().Write("auth/cert/login", nil)
 if err != nil {
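Review bot: `client := cores[0].Client` followed by `client.SetAddress(addr)` re-points the cluster fixture's shared API client (presumably the one built by getAPIClient in vault/testing.go) on every iteration instead of building a per-iteration client as the removed lines did, so after the loop cores[0].Client is left on whichever address came last, and SetAddress's error result (it returns one if this version's api.Client matches the current signature) is silently dropped. http/sys_wrapping_test.go makes the same switch and additionally calls `client.SetToken(root)` on that shared client, so the root token persists on it for any later user in the process. If sharing is intended, say so and check the error: `// cores[0].Client is shared by the cluster fixture; SetAddress changes it for later callers too.` and `if err := client.SetAddress(addr); err != nil { t.Fatal(err) }`. TestHTTP_Forwarding_ClientTLS continues outside the hunk.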
diff --git a/http/sys_wrapping_test.go b/http/sys_wrapping_test.go
index e77ffd3a98..9c27ebb81e 100644
--- a/http/sys_wrapping_test.go
+++ b/http/sys_wrapping_test.go
@@ -2,13 +2,11 @@ package http
 import (
 "encoding/json"
- "fmt"
 "net/http"
 "reflect"
 "testing"
 "time"
- cleanhttp "github.com/hashicorp/go-cleanhttp"
 "github.com/hashicorp/vault/api"
 "github.com/hashicorp/vault/helper/jsonutil"
 "github.com/hashicorp/vault/vault"
@@ -37,24 +35,11 @@ func TestHTTP_Wrapping(t *testing.T) {
 vault.TestWaitActive(t, core)
 root := cores[0].Root
-
- transport := cleanhttp.DefaultTransport()
- transport.TLSClientConfig = cores[0].TLSConfig
- httpClient := &http.Client{
- Transport: transport,
- }
- addr := fmt.Sprintf("https://127.0.0.1:%d", cores[0].Listeners[0].Address.Port)
- config := api.DefaultConfig()
- config.Address = addr
- config.HttpClient = httpClient
- client, err := api.NewClient(config)
- if err != nil {
- t.Fatal(err)
- }
+ client := cores[0].Client
 client.SetToken(root)
 // Write a value that we will use with wrapping for lookup
- _, err = client.Logical().Write("secret/foo", map[string]interface{}{
+ _, err := client.Logical().Write("secret/foo", map[string]interface{}{
 "zip": "zap",
 })
 if err != nil {
diff --git a/http/testing.go b/http/testing.go
index bda4819d4b..543b3e6670 100644
--- a/http/testing.go
+++ b/http/testing.go
@@ -6,6 +6,8 @@ import (
 "net/http"
 "testing"
+ "golang.org/x/net/http2"
+
 "github.com/hashicorp/vault/vault"
 )
@@ -36,6 +38,9 @@ func TestServerWithListener(t *testing.T, ln net.Listener, addr string, core *va
 Addr: ln.Addr().String(),
 Handler: mux,
 }
+ if err := http2.ConfigureServer(server, nil); err != nil {
+ t.Fatal(err)
+ }
 go server.Serve(ln)
 }
diff --git a/physical/consul.go b/physical/consul.go
index eecc988853..2d55a2ec7c 100644
--- a/physical/consul.go
+++ b/physical/consul.go
@@ -12,6 +12,8 @@ import (
 "sync/atomic"
 "time"
+ "golang.org/x/net/http2"
+
 log "github.com/mgutz/logxi/v1"
 "crypto/tls"
@@ -188,6 +190,9 @@ func newConsulBackend(conf map[string]string, logger log.Logger) (Backend, error
 transport := cleanhttp.DefaultPooledTransport()
 transport.MaxIdleConnsPerHost = consts.ExpirationRestoreWorkerCount
 transport.TLSClientConfig = tlsClientConfig
+ if err := http2.ConfigureTransport(transport); err != nil {
+ return nil, err
+ }
 consulConf.HttpClient.Transport = transport
 logger.Debug("physical/consul: configured TLS")
 }
diff --git a/vault/testing.go b/vault/testing.go
index 755875d4f4..ea744d747d 100644
--- a/vault/testing.go
+++ b/vault/testing.go
@@ -620,6 +620,9 @@ func TestCluster(t testing.TB, handlers []http.Handler, base *CoreConfig, unseal
 server1 := &http.Server{
 Handler: handlers[0],
 }
+ if err := http2.ConfigureServer(server1, nil); err != nil {
+ t.Fatal(err)
+ }
 for _, ln := range c1lns {
 go server1.Serve(ln)
 }
@@ -639,6 +642,9 @@ func TestCluster(t testing.TB, handlers []http.Handler, base *CoreConfig, unseal
 server2 := &http.Server{
 Handler: handlers[1],
 }
+ if err := http2.ConfigureServer(server2, nil); err != nil {
+ t.Fatal(err)
+ }
 for _, ln := range c2lns {
 go server2.Serve(ln)
 }
@@ -658,6 +664,9 @@ func TestCluster(t testing.TB, handlers []http.Handler, base *CoreConfig, unseal
 server3 := &http.Server{
 Handler: handlers[2],
 }
+ if err := http2.ConfigureServer(server3, nil); err != nil {
+ t.Fatal(err)
+ }
 for _, ln := range c3lns {
 go server3.Serve(ln)
 }
@@ -803,7 +812,6 @@ func TestCluster(t testing.TB, handlers []http.Handler, base *CoreConfig, unseal
 getAPIClient := func(port int) *api.Client {
 transport := cleanhttp.DefaultPooledTransport()
 transport.TLSClientConfig = tlsConfig
- http2.ConfigureTransport(transport)
 client := &http.Client{
 Transport: transport,
 CheckRedirect: func(*http.Request, []*http.Request) error {
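Review bot: The new `return nil, err` in newConsulBackend passes the http2 error up bare, while the neighbouring `logger.Debug("physical/consul: configured TLS")` shows this backend otherwise prefixes its messages, so a caller or operator cannot tell that the failure came from the Consul TLS transport setup. Wrap it, `return nil, fmt.Errorf("physical/consul: configuring HTTP/2 transport: %v", err)`, assuming fmt is already imported in this file (the import hunk shown is partial). newConsulBackend continues outside the hunk.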
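Review bot: Removing `http2.ConfigureTransport(transport)` here leaves getAPIClient silently depending on api.NewClient performing that configuration (the api/client.go hunk in this diff), and a reader who re-adds it would, going by the same diff's other test edits, make NewClient fail when it configures the transport a second time. Record the dependency where the line was: `// HTTP/2 is enabled on this transport by api.NewClient; configuring it here as well would make NewClient fail.` getAPIClient continues outside the hunk.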