Codec Type
- Environment Variable:
CODEC_TYPE
- Config File Key:
codec_type
- Type:
string
- Default:
auto
(http1
in all-in-one mode)
Specifies the codec to use for downstream connections. Either auto
, http1
or http2
.
When auto
is specified the codec will be determined via TLS ALPN or protocol inference.
warning
With HTTP/2, browsers typically coalesce connections for the same IP address that use the same
TLS certificate. For example, you may have authenticate.localhost.pomerium.io
and
example.localhost.pomerium.io
using the same wildcard certificate (*.localhost.pomerium.io
)
and both pointing to 127.0.0.1
. Your browser sees this and re-uses the initial connection
it makes to example
for authenticate
. But unfortunately the routes necessary to handle
authenticate
don't exist on example
so the proxy cannot handle the request.
If this happens Pomerium will respond with a 421 Misdirected Request
status. Most browsers will attempt to
make the request on a new HTTP/2 connection. However not all browsers implement this behavior
(notably Safari), and users may end up seeing a blank page instead.
If you see this happen, there are several ways to mitigate the problem:
- Don't re-use TLS certificates for shared IP domains.
- Don't re-use IP addresses for shared TLS certificates.
- Don't use HTTP/2.
More details on this problem are available in Github Issue #2150.