We have a pretty simple setup like:
client <-----> HAProxy <-----> Apache with virtual hosts, connecting to Tomcat using mod_jk.
I was planning to leverage HTTP/2 in the above setup. I have SSL terminated at HAProxy. In Apache I have 100-120 virtual hosts. Can someone advise me: should I set up SSL certs + SSL virtual hosts for all those current non-SSL virtual hosts?
Secondly, do I need to set up an SSL cert + config in Tomcat's server.xml as well?
I'm a bit confused: up to what layer in the stack should I implement HTTP/2?
HAProxy only recently added support for HTTP/2 in 1.8, but only for incoming front-end connections, not for outgoing back-end connections.
But even with that you have a few choices, depending on which versions of the software you are on and what HTTP/2 support they have:
1. Terminate HTTP/2 at HAProxy, much like you are terminating SSL/TLS, and just speak HTTP/1.1 to Apache and continue to use mod_jk to talk to Tomcat.
2. Terminate SSL/TLS at HAProxy, and then forward the clear-text HTTP/2 messages to Apache, which can then continue to use mod_jk to talk to Tomcat. This requires you to use a slightly odd-sounding combination of treating the front-end HAProxy connection like HTTP (so it offloads the SSL/TLS) but the back-end connection to Apache like a TCP connection rather than the HTTP connection that you are probably using currently. This setup is detailed here.
3. Change HAProxy to be a complete TCP proxy, rather than an HTTP proxy, and forward SSL/TLS-encrypted requests to Apache, which can speak HTTPS and HTTP/2. This assumes you don't need the SSL/TLS and/or HTTP data for HAProxy to know which Apache to send this to. Communicate with Tomcat using mod_jk.
4. Remove HAProxy completely and terminate your SSL/TLS and HTTP/2 at Apache. If you have one Apache server serving all those vhosts then I'm not sure what HAProxy is giving you at the moment, to be honest. However, if you have multiple Apaches then that would make more sense and therefore you might not want to consider this option.
5. Any of options 2-4, but also replace mod_jk with mod_proxy_http2 so you can speak HTTP/2 all the way through (assuming your version of Tomcat supports HTTP/2). Note that mod_proxy_http2 is still marked as experimental, so you may not be comfortable using this in a production environment yet.
Do you need to speak HTTP/2 all the way through? In my opinion, no; the biggest benefit is at the entry point of your infrastructure, as the biggest gains are due to speed improvements over low-latency links like browser -> entry point. However, if you want to avail of HTTP/2 Push and the like then you may need to support it either all the way through or use Link headers and have the HTTP entry point support it (e.g. Apache supports HTTP/2 Push and could push assets if Tomcat sets appropriate Link headers even if Tomcat does not support HTTP/2). See this question and the answers for more discussion on that.
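To make the first two options concrete, here is an added example HAProxy configuration that is not part of the question or the answer above. It shows option 1 (HAProxy terminates TLS and HTTP/2, Apache keeps its existing plain HTTP/1.1 virtual hosts and mod_jk untouched) and, on a separate port so both can be read side by side, option 2 (TLS offloaded in HAProxy, the clear-text HTTP/2 bytes handed to Apache over a TCP-mode backend). The certificate directory, the Apache address 10.0.0.11 and the port numbers are assumptions for illustration; in practice you would pick one frontend and bind it on 443.

```haproxy
global
    log /dev/log local0
    # Reasonable TLS floor for a public entry point; adjust to your policy.
    ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11
    ssl-default-bind-ciphers ECDHE+AESGCM:ECDHE+CHACHA20

defaults
    log     global
    mode    http
    option  httplog
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# Plain-HTTP entry: send every vhost to HTTPS so HTTP/2 (browsers only do h2 over TLS) is reachable.
frontend http_in
    bind *:80
    http-request redirect scheme https code 301

# Option 1: terminate TLS *and* HTTP/2 here, talk HTTP/1.1 to Apache.
# "crt <dir>/" loads every PEM in the directory and selects by SNI, so one PEM
# per vhost (or a few SAN certs) covers the 100-120 names without any SSL
# vhosts on Apache. "alpn h2,http/1.1" is what lets HAProxy 1.8+ negotiate HTTP/2.
frontend https_in
    bind *:443 ssl crt /etc/haproxy/certs/ alpn h2,http/1.1   # assumed cert path
    option forwardfor
    # Apache/Tomcat only see HTTP/1.1 over port 80; tell them the client used TLS
    # so redirects, cookies (Secure) and mod_jk's scheme reporting stay correct.
    http-request set-header X-Forwarded-Proto https
    # Capture what the client actually negotiated, useful when verifying the rollout.
    http-request set-header X-Client-Proto %[ssl_fc_alpn]
    default_backend apache_http1

backend apache_http1
    mode http
    # Existing name-based vhosts keep working: the Host header is forwarded as-is.
    server apache1 10.0.0.11:80 check   # assumed Apache address

# Option 2: terminate only TLS here and pass the clear-text HTTP/2 (h2c) bytes
# straight to Apache. Both sides must be "mode tcp"; HAProxy never parses the
# HTTP, so it cannot add X-Forwarded-* headers or route on Host in this mode.
frontend https_tcp_in
    mode tcp
    bind *:8443 ssl crt /etc/haproxy/certs/ alpn h2,http/1.1
    default_backend apache_h2c

backend apache_h2c
    mode tcp
    server apache1 10.0.0.11:80 check
```

For option 1 nothing changes on Apache or in Tomcat's server.xml; the only check worth doing is that the vhosts honour X-Forwarded-Proto so that application-generated redirects do not drop back to http://. For option 2 the receiving Apache vhosts need mod_http2 loaded and `Protocols h2c http/1.1` so they accept the HTTP/2 connection preface on the plain port; the caveat is that Apache and mod_jk then believe the request arrived over clear-text HTTP, and TCP mode gives HAProxy no way to correct that with a header. In either case `curl -sv --http2 https://www.example.com/ -o /dev/null 2>&1 | grep -i alpn` against the HAProxy address confirms whether h2 was negotiated at the entry point.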