From b19307f1be53ce92a6c2448a1fe3f965ebddde21 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rn=20Friedrich=20Dreyer?=
Date: Tue, 16 Dec 2025 10:56:33 +0100
Subject: [PATCH 1/2] allow http2 connections to proxy
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Jörn Friedrich Dreyer
---
 .woodpecker.star | 2 +-
 pkg/service/http/service.go | 2 ++
 2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/.woodpecker.star b/.woodpecker.star
index 96bc55d3da..ceeb8172e1 100644
--- a/.woodpecker.star
+++ b/.woodpecker.star
@@ -1231,7 +1231,7 @@ def wopiValidatorTests(ctx, storage, wopiServerType, accounts_hash_difficulty =
 "commands": [
 "curl -v -X PUT '%s/remote.php/webdav/test.wopitest' -k --fail --retry-connrefused --retry 7 --retry-all-errors -u admin:admin -D headers.txt" % OC_URL,
 "cat headers.txt",
- "export FILE_ID=$(cat headers.txt | sed -n -e 's/^.*Oc-Fileid: //p')",
+ "export FILE_ID=$(cat headers.txt | sed -n -e 's/^.*oc-fileid: //Ip')",
 "export URL=\"%s/app/open?app_name=FakeOffice&file_id=$FILE_ID\"" % OC_URL,
 "export URL=$(echo $URL | tr -d '[:cntrl:]')",
 "curl -v -X POST \"$URL\" -k --fail --retry-connrefused --retry 7 --retry-all-errors -u admin:admin > open.json",
diff --git a/pkg/service/http/service.go b/pkg/service/http/service.go
index ae8d67082f..4c184c6164 100644
--- a/pkg/service/http/service.go
+++ b/pkg/service/http/service.go
@@ -49,6 +49,8 @@ func NewService(opts ...Option) (Service, error) {
 }
 tlsConfig := &tls.Config{
 Certificates: []tls.Certificate{cert},
+ MinVersion: tls.VersionTLS12,
+ NextProtos: []string{"h2", "http/1.1"},
 }
 mServer = mhttps.NewServer(server.TLSConfig(tlsConfig))
 } else {
From 79a0fe0cec07be381949fbd94bf50451d4c0d786 Mon Sep 17 00:00:00 2001
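Review bot: The two fields added to `tls.Config` in pkg/service/http/service.go have no comment, and the commit message explains only one of them. `NextProtos` is what advertises HTTP/2 through ALPN, so a line such as `// advertise h2 via ALPN so HTTP/2 clients can negotiate it; http/1.1 stays as the fallback` would keep a later cleanup from dropping it. `MinVersion: tls.VersionTLS12` also raises the protocol floor for HTTP/1.1 clients of this listener, which is a behaviour change beyond "allow http2" and deserves `// HTTP/2 requires TLS 1.2 or newer; this also rejects older clients on HTTP/1.1` plus a mention in the commit description. The floor is hard-coded here; if other listeners in the project take their TLS minimum from configuration, this one should presumably follow them. NewService's body starts and ends outside the hunk.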
From: =?UTF-8?q?J=C3=B6rn=20Friedrich=20Dreyer?=
Date: Tue, 16 Dec 2025 14:34:22 +0100
Subject: [PATCH 2/2] devtools: use http2 for backend connection
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Jörn Friedrich Dreyer
---
 devtools/deployments/opencloud_full/docker-compose.yml | 5 +++++
 devtools/deployments/opencloud_full/opencloud.yml | 3 ++-
 2 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/devtools/deployments/opencloud_full/docker-compose.yml b/devtools/deployments/opencloud_full/docker-compose.yml
index 99179f58aa..3e2d806998 100644
--- a/devtools/deployments/opencloud_full/docker-compose.yml
+++ b/devtools/deployments/opencloud_full/docker-compose.yml
@@ -19,6 +19,11 @@ services:
 - "--entryPoints.http.http.redirections.entryPoint.to=https"
 - "--entryPoints.http.http.redirections.entryPoint.scheme=https"
 - "--entryPoints.https.address=:443"
+ # http2 optimizations
+ - "--entryPoints.https.http2.maxConcurrentStreams=512"
+ - "--serversTransport.maxIdleConnsPerHost=100"
+ # allow self signed certificate from OpenCloud
+ - "--serversTransport.insecureSkipVerify=true"
 # change default timeouts for long-running requests
 # this is needed for webdav clients that do not support the TUS protocol
 - "--entryPoints.https.transport.respondingTimeouts.readTimeout=12h"
diff --git a/devtools/deployments/opencloud_full/opencloud.yml b/devtools/deployments/opencloud_full/opencloud.yml
index afe703140d..1c8790dcf2 100644
--- a/devtools/deployments/opencloud_full/opencloud.yml
+++ b/devtools/deployments/opencloud_full/opencloud.yml
@@ -25,7 +25,7 @@ services:
 OC_LOG_COLOR: "${LOG_PRETTY:-false}"
 OC_LOG_PRETTY: "${LOG_PRETTY:-false}"
 # do not use SSL between Traefik and OpenCloud
- PROXY_TLS: "false"
+ PROXY_TLS: "true"
 # make the REVA gateway accessible to the app drivers
 GATEWAY_GRPC_ADDR: 0.0.0.0:9142
 # INSECURE: needed if OpenCloud / Traefik is using self generated certificates
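Review bot: `--serversTransport.insecureSkipVerify=true` in docker-compose.yml is a static, process-wide option, so Traefik stops verifying the certificate of every backend it proxies to, not only the OpenCloud one that the comment above it names. The Traefik-to-OpenCloud hop is then encrypted but unauthenticated, and any other service added to this compose stack silently inherits the same setting. A narrower form is a named serversTransport in dynamic configuration (with `rootCAs` pointing at the OpenCloud certificate, or `insecureSkipVerify` limited to that transport), attached through the `traefik.http.services.opencloud.loadbalancer.serverstransport` label next to the new `server.scheme=https` label in opencloud.yml. If the global flag stays because this is a devtools deployment, the comment should say so, e.g. `# DEV ONLY: disables backend certificate verification for ALL services behind this Traefik`.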
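Review bot: The comment directly above the changed line in opencloud.yml still reads `# do not use SSL between Traefik and OpenCloud`, which now contradicts `PROXY_TLS: "true"`. Someone reading the file will take the comment as the intent and may flip the value back, which would break the `server.scheme=https` label added further down. Replace it with something like `# use TLS between Traefik and OpenCloud (required for the HTTP/2 backend connection)`.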
@@ -72,6 +72,7 @@ services:
 - "traefik.http.routers.opencloud.tls.certresolver=http"
 - "traefik.http.routers.opencloud.service=opencloud"
 - "traefik.http.services.opencloud.loadbalancer.server.port=9200"
+ - "traefik.http.services.opencloud.loadbalancer.server.scheme=https"
 logging:
 driver: ${LOG_DRIVER:-local}
 restart: always