@butonic butonic commented Dec 16, 2025

This PR allows HTTP/2 connections to the proxy.

Before:

❯ curl --http2 https://opencloud-server:9200 -k -v -I
* Host opencloud-server:9200 was resolved.
* IPv6: (none)
* IPv4: 127.0.2.1
*   Trying 127.0.2.1:9200...
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256 / X25519MLKEM768 / RSASSA-PSS
* ALPN: server did not agree on a protocol. Uses default.
* Server certificate:
*  subject: O=Acme Corp; CN=OpenCloud
*  start date: Nov 28 11:35:46 2025 GMT
*  expire date: Nov 28 11:35:46 2026 GMT
*  issuer: O=Acme Corp; CN=OpenCloud
*  SSL certificate verify result: self-signed certificate (18), continuing anyway.
*   Certificate level 0: Public key type RSA (2048/112 Bits/secBits), signed using sha256WithRSAEncryption
* Established connection to opencloud-server (127.0.2.1 port 9200) from 127.0.0.1 port 35260 
* using HTTP/1.x
> HEAD / HTTP/1.1
> Host: opencloud-server:9200
> User-Agent: curl/8.16.0
> Accept: */*
> 
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* Request completely sent off
< HTTP/1.1 200 OK
...

Now:

❯ curl --http2 https://opencloud-server:9200 -k -v -I
* Host opencloud-server:9200 was resolved.
* IPv6: (none)
* IPv4: 127.0.2.1
*   Trying 127.0.2.1:9200...
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256 / X25519MLKEM768 / RSASSA-PSS
* ALPN: server accepted h2
* Server certificate:
*  subject: O=Acme Corp; CN=OpenCloud
*  start date: Nov 28 11:35:46 2025 GMT
*  expire date: Nov 28 11:35:46 2026 GMT
*  issuer: O=Acme Corp; CN=OpenCloud
*  SSL certificate verify result: self-signed certificate (18), continuing anyway.
*   Certificate level 0: Public key type RSA (2048/112 Bits/secBits), signed using sha256WithRSAEncryption
* Established connection to opencloud-server (127.0.2.1 port 9200) from 127.0.0.1 port 36246 
* using HTTP/2
* [HTTP/2] [1] OPENED stream for https://opencloud-server:9200/
* [HTTP/2] [1] [:method: HEAD]
* [HTTP/2] [1] [:scheme: https]
* [HTTP/2] [1] [:authority: opencloud-server:9200]
* [HTTP/2] [1] [:path: /]
* [HTTP/2] [1] [user-agent: curl/8.16.0]
* [HTTP/2] [1] [accept: */*]
> HEAD / HTTP/2
> Host: opencloud-server:9200
> User-Agent: curl/8.16.0
> Accept: */*
> 
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* Request completely sent off
< HTTP/2 200
...

Related:

@butonic butonic self-assigned this Dec 16, 2025
@github-project-automation github-project-automation bot moved this to Qualification in OpenCloud Team Board Dec 16, 2025
@butonic butonic moved this from Qualification to In Progress in OpenCloud Team Board Dec 16, 2025
butonic commented Dec 16, 2025

It seems the tests use a case-sensitive regex:

* Connection #0 to host opencloud-server left intact
+ cat headers.txt
HTTP/2 201 
content-security-policy: child-src 'self'; connect-src 'self' blob: https://raw.githubusercontent.com/opencloud-eu/awesome-apps/ https://update.opencloud.eu/; default-src 'none'; font-src 'self'; frame-ancestors 'self'; frame-src 'self' blob: https://embed.diagrams.net/; img-src 'self' data: blob: https://raw.githubusercontent.com/opencloud-eu/awesome-apps/; manifest-src 'self'; media-src 'self'; object-src 'self' blob:; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'
date: Tue, 16 Dec 2025 10:48:17 GMT
etag: "70e8398dea97b90a7079968badd7b9ea"
last-modified: Tue, 16 Dec 2025 10:48:17 +0000
oc-etag: "70e8398dea97b90a7079968badd7b9ea"
oc-fileid: 8ce935b5-5c81-495c-babe-e07110334799$28c02c7f-1556-437b-bf0d-b6752ed401ca!b004556f-10de-4eea-9946-b6c8032d1819
referrer-policy: strict-origin-when-cross-origin
strict-transport-security: max-age=315360000; preload
vary: Origin
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
x-permitted-cross-domain-policies: none
x-request-id: 6f26e153435f/2mwwTJLDo6-000024
x-robots-tag: none
x-xss-protection: 1; mode=block
content-length: 0

+ export FILE_ID=$(cat headers.txt | sed -n -e 's/^.*Oc-Fileid: //p')
+ export URL="https://opencloud-server:9200/app/open?app_name=FakeOffice&file_id=$FILE_ID"
+ export URL=$(echo $URL | tr -d '[:cntrl:]')
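
The failure noted in the comment above, as an added example that is not part of the PR or the project's test scripts: HTTP/2 responses carry lowercase header names, so the `Oc-Fileid:` pattern in the traced `sed` call matches nothing and `FILE_ID` ends up empty. The helper `header_value`, the two sample dumps and the file id in them are constructed for illustration.

```shell
#!/bin/sh
# Added example; header_value and both sample dumps are constructed here.

# header_value NAME FILE: print the value of the first header NAME found in
# a `curl -D` style dump. The name is compared case-insensitively, the CR
# that curl keeps at each line end is dropped, and the exit status is 1
# when the header is absent, so callers never continue with an empty value.
header_value() {
    awk -v want="$1" '
        BEGIN { want = tolower(want) }
        {
            sub(/\r$/, "")
            i = index($0, ":")
            if (i == 0) next                      # status line or blank line
            if (tolower(substr($0, 1, i - 1)) != want) next
            v = substr($0, i + 1)
            sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v)
            print v
            found = 1
            exit
        }
        END { exit (found ? 0 : 1) }
    ' "$2"
}

# Constructed dumps: the same response as HTTP/2 and as HTTP/1.1 would show it.
sample_h2() {
    printf 'HTTP/2 201 \r\noc-etag: "abc"\r\noc-fileid: 1111$2222!3333\r\n\r\n'
}
sample_h1() {
    printf 'HTTP/1.1 201 Created\r\nOc-Etag: "abc"\r\nOc-Fileid: 1111$2222!3333\r\n\r\n'
}

dump=$(mktemp)
for sample in sample_h2 sample_h1; do
    "$sample" > "$dump"
    if FILE_ID=$(header_value Oc-Fileid "$dump"); then
        echo "$sample: file_id=$FILE_ID"
    else
        echo "$sample: Oc-Fileid header missing, aborting" >&2
    fi
done
rm -f "$dump"
```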

Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>

@fschade fschade left a comment

Ohhh, I would love that so much... but I'm somehow too scared to merge it myself.

Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
butonic commented Dec 16, 2025

Ok, I added a commit that shows how to configure Traefik to connect to OpenCloud using HTTP/2 (using self-signed certificates). In production environments, the certificate can be configured properly.

The existing HTTP/1.1 without TLS (PROXY_TLS) can still be used, so this is backwards compatible.

I did notice a lot of NetworkTimeoutErrors in the log, which worried me. However, they appear just as much on main:

opencloud-1           | {"level":"warn","service":"storage-users","pkg":"rhttp","datatx":"tus","method":{},"path":{},"requestId":{},"id":{},"time":"2025-12-16T13:40:37Z","line":"/opencloud/vendor/github.com/opencloud-eu/reva/v2/pkg/rhttp/datatx/manager/tus/tus.go:251","message":"NetworkTimeoutError"}

Also, they only saw them with the devtools full opencloud_full compose stack. When running bare metal they did not get logged. So might be another reverse proxy issue.

was an old image ...

@butonic butonic merged commit 196a4ab into main Dec 16, 2025
58 checks passed
@butonic butonic deleted the http2 branch December 16, 2025 16:13
@github-project-automation github-project-automation bot moved this from In Progress to Done in OpenCloud Team Board Dec 16, 2025
@openclouders openclouders mentioned this pull request Dec 16, 2025